FCPA Compliance and Ethics Blog

April 16, 2015

Consumer Protection and Your Business

Filed under: Compliance,compliance programs,KYC — tfoxlaw @ 12:01 am

Ed. Note: Today we have a guest post from Karen Schirmer, a Senior Advisor at Chartwell.

You’ve been hearing for a while now that the regulatory environment has been changing, and you follow the Consumer Financial Protection Bureau (“CFPB”) alerts to see if this new regulator will be looking at your type of business sometime in the near future. But you haven’t done anything new to prepare for greater consumer protection scrutiny because you’re too busy preparing for the upcoming state or bank examination. If this describes your organization, we understand that being proactive with limited funds and resources can be difficult. Nonetheless, consumer protection laws exist on the state and federal level, and states, banks, and other regulators are all taking a broader approach to their reviews. In this article, we will provide you with simple best business recommendations on how to get started with your consumer protection program.

Examine your collateral and marketing for consumer transparency

The most frequently cited violations of consumer protections have been unfair, deceptive, or abusive acts or practices (“UDAAP”) due to the lack of transparency of fees, unclear terms and conditions, and misleading statements deemed harmful to consumers. It is important that the consumer understands what the product or service is and the costs and terms of the products or services being purchased.   This includes all fees and fee limits, including inactivity, dormancy or service fees. Marketing, Packaging, Terms and Conditions, and overall Website language are places that have high risk of creating confusion for the consumer. These are good places to start your project review. Focus on the wording of your marketing and other collateral: is it in an active voice, using strong verbs and the simplest tense possible? Are explanations in everyday words, rather than excessive acronyms, abbreviations, or multiple negatives? Are several qualifiers used in explanations? If so, see if those explanations may be made more direct. Short, concise sentences are best. Look for consistency in terminology – if a transaction fee is the same as an activity fee, pick one term (this may be guided by regulation), define it, and use it throughout.

When evaluating either new or existing financial services products for consumer transparency, your standard of proof should be low, such as “likelihood” of being misled. A reasonable consumer’s overall or “net” impression counts, and omissions of key facts can lead a consumer to the wrong overall impression.

The format and proximity of material information is very important. Consumer disclosures and other key information, such as product function, terms and conditions, privacy and complaint notices should be in at least 8pt font (your product may need to follow a particular font requirement, per regulation) and whenever possible, clearly described on the first or second page, and linked in multiple places. It is prudent to identify any structural aspects of a product or terms and conditions that a consumer might not understand or would find surprising and add highlights or clarifications as appropriate.

Engage your privacy and data security teams 

With several high-profile data security breaches occurring in 2014, consumer confidence and trust in many financial products has eroded, and spending habits have changed accordingly.

The message is that companies offering financial products and services should look into strengthening their security infrastructure with data loss prevention, network security, encryption, and strong authentication and defensive measures. Other internal best practices include having a detailed data security policy that is communicated through training to employees and 3rd party stakeholders, and assigning controls and control owners to test security measures on a regular basis.

Privacy and transparency are interrelated. Companies must provide users with clear and complete information regarding any collection, use and disclosure of the collected data. Further, internal departments that have access to or may want to use the data must receive training on the limited uses for and protection of the data.

Enhance the consumer experience 

The consumer experience starts with the presentation of a product choice or choices, and the consumer is able to select options in an informed manner. Lack of understanding on the part of the consumer of the risks, costs or conditions of the product or service often leads to complaints.

Once the consumer has signed up for a product or service, it is important that the consumer may access his/her account information easily. The consumer should have ample free access to account information.

A consumer’s experience with a product is directly impacted by the quality of a company’s customer service function. The telephone number(s) for complaints of various types should be displayed in multiple places (i.e. websites, receipts, postings, Terms and Conditions).

Effective and timely resolution of complaints is critical in an environment where consumer protection gets strong attention from state Attorney General’s offices and Federal Agencies. Companies should have policies and procedures that include the following:

  1. A policy statement in support of consumer protection;
  2. An ongoing process of identifying consumer protection laws;
  3. A compliance management system to track the applicable requirements of the laws on a per business or per product basis;
  4. A written process specifically for complaints that raise compliance issues;
  5. A written process for using complaint data to fix practices and take corrective action; and
  6. A records-management process that includes the maintenance of complaint records, litigation, investigation, policies, procedures and reports of complaints resulting in operational changes. Responses and timeframes are tracked.

Consumer protection is more than just providing disclosures. Your consumer protection review can be done in layers. Seek a commitment from senior management and/or Board of Directors, implement strategic projects such as the ones described above, add in training and on-going monitoring and you will be well on your way to having a strong consumer protection compliance program.

Karen Schirmer has 12 years of experience directing Compliance teams, and drafting programs that identify requirements, risks, controls and methods of control validations. During her work as Compliance Director for Western Union, Inc. and Integrated Payments Systems Inc., she conducted independent reviews, and coordinated regulatory examinations.  As part of the First Data leadership team for 10 years, she drafted and directed the operations of the 2012-2013 Global Corporate Compliance Program.  For more information, please contact Karen at karenschirmer@chartwellcompliance.com.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, her affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication.

April 15, 2015

Five Step Process for Transaction and Continuous Controls Monitoring

Most Chief Compliance Officers (CCOs) and compliance practitioners understand the need for transaction monitoring. Whether it be as a part of your overall monitoring of third parties, employees, or to test the overall effectiveness of internal controls and compliance, transaction monitoring is clearly a part of a best practices compliance program. Further, while most compliance practitioners are aware of the tools which can be applied to transaction monitoring, they may not be as aware of how to actually engage in the process. Put another way, how do you develop a methodology for building a transactional monitoring process that yields sustainable, repeatable results?

I recently put that question to one of the leaders in the field, Joe Oringel, co-founder and principal at Visual Risk IQ. He explained to me that their firm has dissected data analytics and transaction monitoring into a five-step process they call QuickStart, which facilitates applying the process iteratively across a two to four month time frame. These iterations allow for, and reinforce the methodology’s repeated and practical application and reapplication. The five steps are (1) Brainstorm, (2) Acquire and Map Data, (3) Write Queries, (4) Analyze and Report, and (5) Refine and Sustain.


Brainstorm

Under this step, the transactional monitoring specialist, a subject matter expert (SME), such as one on the Foreign Corrupt Practices Act (FCPA) or other anti-corruption law, and the compliance team members sit down and go through a multi-item list to better understand the objectives and set the process going forward. The brainstorming session will include planning the monitoring objectives and understanding the data sources available to the team. Understanding relationships between the monitoring objectives and data sources is essential to the monitoring process. During brainstorming, the company’s risk profile and its existing internal controls should be reviewed and discussed. Finally, the transaction monitoring queries should be selected and prioritized. This initial meeting should include company representatives from a variety of disciplines, including the compliance, audit, IT, legal and finance departments; sales and business development may also need to be considered for this initial brainstorming session.

While the rest of the steps may seem self-evident in any transaction monitoring process, it is the brainstorming step which sets the Visual Risk IQ approach apart. This is because business knowledge is critical to sustaining and improving the transaction monitoring process. And because the process is iterative, periodic meetings to further understand the business pulse allow the most useful data to be monitored through the system. 

Acquire and Map Data

The second step is to obtain the data. There may be a need to discuss security considerations, whether or how to redact or mask sensitive data, and how to ensure files are viewable only by team members with a “need to know”. Balancing consists of comparing the number of records, checksums, and control totals from the source file (as computed by the file export) with the re-calculated number of records, checksums, and control totals (as computed by a file import utility). Balancing is performed to make sure that no records are dropped or somehow altered, and that the files have integrity. Somewhat related is making sure that the version of the files used is the “right” one. For example, if you are required to obtain year-end data, year-end close could be weeks after the closing entries have actually been recorded, depending on the departments engaged in the year-end processes.
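The balancing check described above, as an added example that is not part of the original post or of Visual Risk IQ's tooling. The CSV layout, field names and sample rows are constructed, and the figures computed from the source text stand in for the ones a file export would report.

```python
import csv
import hashlib
import io
from decimal import Decimal

# Constructed sample: an accounts-payable export as the source system wrote it.
SOURCE_EXPORT = """payment_id,vendor_id,amount,currency
P-1001,V-17,1250.00,USD
P-1002,V-22,980.45,USD
P-1003,V-17,15000.00,USD
P-1004,V-31,312.10,USD
"""

# Constructed imports, each damaged in a different way.
DROPPED = SOURCE_EXPORT.replace("P-1004,V-31,312.10,USD\n", "")
REVENDORED = SOURCE_EXPORT.replace("P-1003,V-17", "P-1003,V-99")
OFFSET = (SOURCE_EXPORT
          .replace("P-1001,V-17,1250.00", "P-1001,V-17,1350.00")
          .replace("P-1002,V-22,980.45", "P-1002,V-22,880.45"))


def balance_figures(csv_text, amount_field="amount"):
    """Compute the three balancing figures for one file.

    records       - number of data rows
    control_total - exact decimal sum of the amount column
    checksum      - SHA-256 over every field of every row, in file order
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    records = 0
    control_total = Decimal("0")
    digest = hashlib.sha256()
    for row in reader:
        records += 1
        control_total += Decimal(row[amount_field])
        # Join fields with a separator that cannot appear in the data so
        # that ("ab", "c") and ("a", "bc") hash differently.
        canonical = "\x1f".join((row[f] or "").strip() for f in reader.fieldnames)
        digest.update(canonical.encode("utf-8") + b"\n")
    return {
        "records": records,
        "control_total": control_total,
        "checksum": digest.hexdigest(),
    }


def balance(source_figures, imported_text):
    """Return the names of the figures that do not balance (empty = balanced)."""
    imported = balance_figures(imported_text)
    return [name for name in ("records", "control_total", "checksum")
            if source_figures[name] != imported[name]]


if __name__ == "__main__":
    source = balance_figures(SOURCE_EXPORT)
    for label, text in [("clean", SOURCE_EXPORT), ("dropped row", DROPPED),
                        ("changed vendor", REVENDORED),
                        ("offsetting amounts", OFFSET)]:
        print(f"{label:20s} out of balance: {balance(source, text) or 'nothing'}")
```

The changed-vendor and offsetting-amount files keep the same record count and control total, so only the checksum catches them; that is why all three figures are compared.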

Types of systems of record could include Enterprise Resource Planning (ERP) data from multiple transaction processing systems, including statistics on numbers and locations of vendors, brokers and agents. You may also want to consider watch lists from organizations such as the Office of Foreign Assets Control (OFAC), the Transparency International – Corruption Perceptions Index (TI-CPI), lists of Politically Exposed Persons (PEPs) or other public data source information. Some of the data sources include information from your vendor master file, general ledger journals, payment data from accounts payable, P-cards or your travel and entertainment system(s). You should also consider sales data and contract awards, as correlations between spending and sales may be significant. Finally, do not forget external data sources such as your third party transactional data. All data should initially be secured and then transmitted to the transaction monitoring tool. Of course you need to take care that your transaction monitoring tool understands and properly maps this data in the form that is submitted.

Write Queries

This is where the FCPA SME brings expertise and competence to assist in designing the specific queries to include in the transaction monitoring process. It could be that you wish to focus on the billing of your third parties; your employee spends on gifts, travel and entertainment or even petty cash outlays. From the initial results that you receive back you can then refine your queries and filter your criteria going forward. Some of the queries could include the following:

  • Business courtesies to foreign officials;
  • Payments to brokers or consultants;
  • Payments to service intermediaries;
  • Payments to vendors in high risk markets;
  • Round dollar disbursements;
  • Political contributions or charitable donations; and
  • Facilitation payments.

Analyze and Report

In this process step, you are now ready to begin substantive review and any needed research of potential exceptions and reporting results. Evaluating the number of potential exceptions and modifying queries to yield a meaningful yet manageable number of potential exceptions going forward is critical to long-term success. You should prioritize your initial results by size, age and source of potential exception. Next you should perform a root cause analysis of what you might have uncovered. Finally at this step you can prioritize the data for further review through a forensic review. An example might be if you look at duplicate payments or vendor to employee conflicts. Through such an analysis you determine if there were incomplete vendor records, whether duplicate payments were made and whether such payments were within your contract’s terms and conditions.

Refine and Sustain

This is the all-important remediation step. You should use your root cause analysis and any audit information to recalibrate your compliance regime as required. At this step you should also apply the lessons you have learned for your next steps going forward. You should refine, through addition or deletion of your input files, thresholds for specific queries, or other query refinements. For example, if you have set your dollar limits so low that too many potential exceptions resulted for a thoughtful review, you might raise your dollar threshold for monitoring. Conversely, if your selected amount was so high that it did not generate sufficient transactions, you could lower your parameter limits. Finally, you can use this step to determine the frequency of your ongoing monitoring.
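Three of the queries named under Write Queries and Analyze and Report (round dollar disbursements, payments to vendors in high risk markets, duplicate payments), run at several dollar thresholds to show the refinement described above. This is an added example, not code from the original post or from Visual Risk IQ; the payment records, field names and the placeholder country codes "XA" and "XB" are constructed.

```python
from collections import defaultdict
from decimal import Decimal

# Placeholder codes standing in for whatever markets your own risk
# profile rates as high risk (constructed, not real countries).
HIGH_RISK_MARKETS = {"XA", "XB"}


def _payment(pid, vendor, country, amount, invoice):
    return {"id": pid, "vendor": vendor, "country": country,
            "amount": Decimal(amount), "invoice": invoice}


# Constructed sample disbursements.
PAYMENTS = [
    _payment("P-1", "V-17", "US", "5000.00", "INV-88"),
    _payment("P-2", "V-17", "US", "5000.00", "INV-88"),   # same invoice paid twice
    _payment("P-3", "V-22", "XA", "740.25", "INV-12"),
    _payment("P-4", "V-31", "US", "2000.00", "INV-40"),
    _payment("P-5", "V-40", "XB", "12000.00", "INV-07"),
    _payment("P-6", "V-22", "XA", "90.00", "INV-13"),
    _payment("P-7", "V-31", "US", "1312.10", "INV-41"),
]


def round_dollar(payments, threshold, multiple=Decimal("1000")):
    """Payments at or above the threshold that are exact multiples of `multiple`."""
    return sorted(p["id"] for p in payments
                  if p["amount"] >= threshold and p["amount"] % multiple == 0)


def high_risk_market(payments, threshold):
    """Payments at or above the threshold to vendors in a high-risk market."""
    return sorted(p["id"] for p in payments
                  if p["amount"] >= threshold and p["country"] in HIGH_RISK_MARKETS)


def duplicate_payment(payments, threshold):
    """Payments sharing vendor, invoice and amount with at least one other."""
    groups = defaultdict(list)
    for p in payments:
        if p["amount"] >= threshold:
            groups[(p["vendor"], p["invoice"], p["amount"])].append(p["id"])
    return sorted(pid for ids in groups.values() if len(ids) > 1 for pid in ids)


def run_queries(payments, threshold):
    """Run every query at one dollar threshold; return ids per query."""
    return {
        "round_dollar": round_dollar(payments, threshold),
        "high_risk_market": high_risk_market(payments, threshold),
        "duplicate_payment": duplicate_payment(payments, threshold),
    }


def exception_counts(payments, thresholds):
    """Distinct payments flagged by any query, per threshold.

    This is the number a reviewer has to work through, so it is the figure
    to watch when raising or lowering the dollar limit.
    """
    counts = {}
    for t in thresholds:
        flagged = set()
        for ids in run_queries(payments, t).values():
            flagged.update(ids)
        counts[t] = len(flagged)
    return counts


if __name__ == "__main__":
    for t, n in exception_counts(PAYMENTS, [0, 1000, 5000, 10000]).items():
        print(f"threshold {t:>6}: {n} potential exceptions")
```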

Oringel concluded by emphasizing the iterative nature of this process. If you can establish your extraction and mapping rules, using common data models within your organization, you can use them to generate risk and performance checks going forward. Finally, through thoughtful use of transaction monitoring parameters, you can create metrics that you can internally benchmark your compliance regime against over time to show any regulators who might come knocking.

For further information on this process, contact Joe Oringel at Joe.Oringel@VisualRiskIQ.com

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

April 14, 2015

Lincoln Assassinated and HSBC’s Continued Self-Inflicted Woes

Filed under: Anti-Money Laundering,Compliance,compliance programs,HSBC — tfoxlaw @ 12:01 am

Today is the 150th anniversary of the first successful Presidential assassination attempt. It was on this day in 1865 that John Wilkes Booth shot President Abraham Lincoln at Ford’s Theater in Washington DC. Booth was not a lone gunman but led a group of Confederate sympathizers who attacked or planned to attack leading US government officials. Co-conspirator Lewis T. Powell burst into Secretary of State Seward’s home, repeatedly stabbing him and seriously wounding him and three others, while George A. Atzerodt, assigned to kill Vice President Johnson, lost his nerve and fled.

HSBC continues to stay in the news, unfortunately largely for the wrong reasons in the realm of anti-corruption, facilitating tax evasion and money laundering. In an article in the New York Times (NYT), entitled “HSBC Is Deemed Slow To Carry Out Changes”, reporters Jessica Silver-Greenberg and Ben Protess noted that earlier this month, federal prosecutors made a quarterly court filing as a part of their report on the bank’s Deferred Prosecution Agreement (DPA) “faulting the bank for weaknesses in spotting suspicious transactions and for enabling a corporate culture resistant to change.”

The filing itself was based upon corporate monitor Michael Cherkasky’s “confidential 1000 page report submitted to prosecutors in January. That report, people briefed on the matter said, offered a more scathing assessment of the bank’s progress.” The monitor has been “evaluating HSBC’s global operations for cracks in its money-laundering controls. As such, he has reviewed the bank’s various business lines, including its sprawling operations in China.”

In the technology area, the filing noted the “bank’s technology systems, despite some improvement, still suffer from “fragmentation” and “lack of connectivity” the Justice Department filing said. With its creaky framework, the filing said, “the collection and analysis” of data could suffer.” This lack of technology to both check on customers or potential customers and then review the transactions they might engage in was a prime deficiency noted in the original 2012 enforcement action where “prosecutors found that HSBC facilitated money laundering on behalf of Mexican drug cartels, allowing at least $881 million in tainted money to course through its United States branches.”

But perhaps the more troubling finding in the prosecutors’ filing was around the culture at the bank. There was no specific criticism of the tone at the top of the bank or of senior management, but rather of the employees’ attitudes towards meeting the obligations under the DPA. The filing said that “Change at the bank was met with resistance” providing at least one example; “When presented with negative findings from auditors, the filing said, managers at the bank’s United States unit for global banking and markets “inappropriately pushed back.” Ultimately, the resistance caused an internal audit report “to be more favorable to the business than it would have been otherwise.”

Interestingly HSBC itself pushed back against the government’s filing, at least in the press. The article noted that “In response to the filing, Stuart Levey, the bank’s chief legal officer said, “The Justice Department recognized in its letter that HSBC has made material progress toward meeting the most stringent compliance standards imposed to date upon a global financial institution.” Levey also said that “the bank was continuing to meet all its obligations under the deferred-prosecution-agreement and that its leaders “are making progress toward that objective and appreciate the monitor’s ongoing work.””

Monitor Cherkasky’s report and the Department of Justice (DOJ) filing bring up a couple of interesting points for speculation. The first is the continuing dialogue and debate on the effectiveness of DPAs and whether they actually do achieve their stated goals of changing corporate culture and behavior. The NYT article said that the DOJ filing, which came under the name of the President’s Attorney General-designee, as head of the US Prosecutor’s office, comes “at a time when prosecutors are grappling with repeat offenders on Wall Street”. Moreover, “the filing underscores the Justice Department’s efforts to stem the pattern of corporate recidivism.” Just how hard should the DOJ come down on HSBC? There are other more aggressive steps the DOJ could take, even at this point. These include “extending the five-year deferred-prosecution agreement or singling out culpable employees by name.” Indeed the article cited to a recent speech by the head of the DOJ’s criminal division, Deputy Assistant Attorney General Leslie Caldwell, where she said, “the government has “a range of tools” to deal with corporate recidivism, including extending the term of a deferred-prosecution agreement while prosecutors investigate accusations of new criminal conduct.”

How about tearing up the DPA and simply criminally prosecuting the bank on the facts it admitted to in the DPA? Caldwell also spoke to that possibility when she said in the same speech, “Make no mistake: The criminal division will not hesitate to tear up a D.P.A. or N.P.A and file criminal charges where such action is appropriate and proportional to the breach.” Since parties are required to agree to facts in any DPA or Non-Prosecution Agreement (NPA) it would seem that tearing up those settlement documents and then prosecuting those companies on the underlying facts would be a relatively straightforward matter.

The other party in this debate is the Attorney General-nominee herself. While at this point it is not clear if the GOP majority will ever let her nomination come up for a vote before the full Senate, what if the Senate Judiciary Committee decides to reopen the hearings on this issue and then shoehorn it into the larger ongoing academic and FCPA Inc. debate on DPAs (and NPAs and other settlement tools)? What if the FCPA testified on the “Façade of FCPA Enforcement”? What if Ted Cruz came in to ask why the DOJ is even bothering to prosecute the British banking giant?

At the time of its settlement in 2012, the HSBC fine was the largest for any bank involving money laundering. The monitor’s report and DOJ court filing demonstrate that the settlement is still controversial and the conduct engaged in by the bank many years ago may well continue to resonate up to this day and well into the future.

But the negative news for HSBC did not end with the filing of the DOJ report. As reported in the Financial Times (FT), in an article entitled “French magistrates open formal criminal probe into HSBC”, Emma Dunkley wrote that the parent entity of the bank, HSBC Holdings, “has been placed under criminal investigation by French authorities and made to post €1bn bail over allegations that its Swiss private banking arm helped clients avoid taxes.” This is separate and apart from the investigations into the company’s Swiss banking unit, which has been indicted or is under investigation “over tax evasion allegations in several other countries, including the US, Belgium and Argentina.”

In another article in the NYT, entitled “HSBC Facing Criminal Investigation in French Tax Case”, Chad Bray reported that the bank apologized after released documents “showed that its employees had reassured clients that the lender would not disclose details of their accounts to the tax authorities of their home countries and discussed options to avoid paying taxes on those assets. The bank has acknowledged previous “conduct and compliance failures” in its Swiss business and has said that it has overhauled its private banking business and reduced its client base in Switzerland by 70 percent since its peak.”

The woes of HSBC continue and indeed seem to be increasing. With the fallout from the monitor’s report and other ongoing investigations the bank may be in danger of having its DPA revoked. While HSBC is not the only poster child for Banks Behaving Badly it may find itself as the first bank to have its DPA torn up and either the entity or responsible individuals criminally prosecuted for recidivist behavior.


April 8, 2015

The WPA and More Productive Compliance Meetings

On this day 80 years ago, Congress created the Works Progress Administration (WPA), a central part of President Franklin D. Roosevelt’s New Deal. The WPA was established under the Emergency Relief Appropriation Act, as a means of creating government jobs for some of the nation’s many unemployed. Under the direction of Harry L. Hopkins, the WPA employed approximately 8 million people who worked on 1.4 million public projects before it was disbanded in 1943. Its programs were extremely popular and contributed significantly to Roosevelt’s landslide reelection in 1936.

I have always been amazed at the variety of works that the WPA had a hand in creating, from vast public building projects like the construction of highways, bridges, and dams to the careers of several important American artists, including Jackson Pollock and Willem de Kooning. Many of the most interesting art deco buildings still in use were built during the 1930s through the auspices of the WPA.

While the WPA constructed and led to many good works during its existence, one of the banes of corporate existence is the number of meetings that one must attend. Even worse than the raw number of meetings is the lack of any good that comes out of most meetings. Most meeting organizers have no clue how to run a successful or even useful meeting. I thought about this when I read a recent article in the Houston Business Journal (HBJ), entitled “10 ways to make your next meeting more productive” by Dana Manciagli.

Manciagli began her piece by noting that researchers from the London School of Economics and Harvard University found that business leaders “spend 60% of their time in meetings, and only 15% working alone.” While this statistic alone is troubling enough, when you overlay that with the number of meetings where nothing is accomplished, it is clear to me you have a complete waste of time and resources. I do recognize that some companies have taken accomplishing nothing in meetings as a matter of corporate policy. General Motors (GM) took this to an art form in the well-documented GM Nod, which signified that there was agreement on an issue but that no one would actually do anything about it.

But for those who might want to actually accomplish something in a meeting, Manciagli pointed to Andrea Driessen, whom she described as “chief boredom buster” at Seattle-based No More Bored Meetings. How is that for a moniker and company name? Manciagli related Driessen’s top ten tips for developing, running and ultimately having a successful meeting.

  1. Be a Know-it-all

Manciagli writes that because it is “natural to disengage when meeting content isn’t relevant. The most effective meeting hosts review all potential agenda segments to determine whether they apply to all attendees. If participants already know a particular content slice, then simply don’t cover that segment for the broader audience. Or if you have vastly different levels of awareness in the room, divide people accordingly to ensure maximum relevance for all.” Of course this means you will need to put some thought into your pre-meeting planning.

  2. No Problem? No Meeting!

We have all been subjected to it, the daily, weekly, monthly meeting check-in to see how the project is progressing. But Manciagli believes that “many of these less-than-productive meetings could be canceled or shortened if we identified the problem the meeting is intended to solve. And if we can’t find an identifiable problem, then don’t have the meeting.” Manciagli concludes, “Sometimes, it’s that simple.”

  3. Get Real

This is another pre-meeting planning point. Do you try to squeeze 13 action items for discussion and resolution into a 30-minute meeting? Conversely you do not need to book a 60-minute window to handle a couple of points. If you can handle a matter via email or need to go offline, do so.

  4. Prioritize, Prioritize, Prioritize!

Like its related cousin, Document, Document and Document, this phase should be more than simply a catchword. It should be an action item in your meeting planning process. Tackle your important issues first to “save time and solve your most pressing problem.”

  5. Play “Pass the Pad” To Avoid Late Arrivals

The biggest offender of this rule is, unfortunately, us lawyers. Why? Because we are always (in our eyes) the most important. Yet not being able to start because someone is not present or having to repeat points is one of the worst problems there is around efficient meetings. The article notes, “Meeting productivity suffers when people arrive late, and the punctual are penalized.” Her solution is to require the latecomer to take notes in the meeting, writing “People learn quickly that they can either be on time, or become the dreaded note-taker if they are late. As host, you’ll see positive behavior change with little effort on your part.”

  6. Be a Meeting Bouncer

Manciagli tactfully writes about that “common meeting malady: the tangent talker.” I would perhaps less tactfully say there are way too many people who like to hear the sound of their own voices way too much. Manciagli suggests a little humor by “naming a tangent officer who monitors and records tangents for later. Use that parking lot! And you can lighten it up by using a toy police badge.” Nothing like a little corporate shame to keep things moving.

  7. Make it Multi-Sensory

It is not simply millennials who respond to social media. Most people do better when they are visually engaged. Manciagli suggests using more than simply oral presentations, use other tools, including the following: “Graphic illustration, in which someone draws out ideas in real time; Customer testimonials that emotionally inspire; Quizzes and games; Product demos; Surprise guests; Props that foster kinesthetic learning.”

  8. PPPPP

Everyone understands the Five P rule, aka prior planning prevents poor performance. As a meeting host, this means you must absolutely be prepared prior to the meeting. If there are technical issues, you should pass out that information prior to the meeting. Manciagli pointed out that “the more skin we all have in the game, the more likely we are to own and be accountable to group outcomes.”

  1. Hire an “Accountant”

Accountability. How many meetings have you attended where there was no accountability? Manciagli believes “Most meetings lack built-in accountability structures.” She gives the tangible hint to “ask everyone to record at least one goal related to the meeting that they’ll commit to completing in the next week or month, and have them check in with one another. Teams gain measurable accountability, and you get recognized for generating stronger results tied to your meetings.”

  1. Remember: Humor is No Joke

Humor has a big use in meetings, “The power of humor — if used effectively within the meeting mix — is no laughing matter. Indeed, there is a strong business case to be made for laughing while learning.” It can also lower the stress level in meetings, once again if used properly.

I am sure that you have your own horror stories of aimless, wandering meetings that go nowhere painfully slowly. As a Chief Compliance Officer (CCO) or compliance practitioner, one of your most valuable items in a corporation is time. You can set an example about running an efficient and productive meeting and then lead your company down the path laid out in the article. Who knows, the results of what you start in your company may last as long as WPA work.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

April 2, 2015

Managing Your Third Parties in a FCPA Compliance Program

The building blocks of any Foreign Corrupt Practices Act (FCPA) anti-corruption compliance program lay the foundations for a best practices compliance program. For instance, in the lifecycle management of third parties, most compliance practitioners understand the need for a business justification, questionnaire, due diligence, evaluation and compliance terms and conditions in contracts. However, as many companies mature in their compliance programs, the issue of third party management becomes more important. It is also the one where the rubber meets the road of actually doing compliance.

In the March/April issue of Supply Chain Management Review is an article by Mark Trowbridge, entitled “Put it in Writing: Sharpening Contracts Management to Reduce Risk and Boost Supply Chain Performance”, that provides some useful insights into the management of the third party relationship. While the focus of the article was about having a “strategic approach to contracts management” I found the author’s “five ways to start professionalizing your approach to outsourcing contracts” as steps a compliance practitioner can use in the management of third party relationships, both on the sales side and those which come into your company through the Supply Chain.

By taking his analysis into the compliance realm, I believe there are concrete steps you can take going forward. The key is to have a strategic approach to how you structure and manage your third party relationships. This may mean more closely partnering with your third parties to help manage the anti-corruption compliance risk. It would certainly lead towards enabling your company to “control risk while optimizing the performance” of your third parties. To achieve these goals, I have revised Trowbridge’s prescriptions from suppliers to third parties.

I. Consolidate Third Parties but Retain Redundancy

Consolidating your third party relationships on the Supply Chain side to a smaller number of suppliers will “yield better cost leverage.” From the compliance perspective, it also should make the entire third party lifecycle easier to manage, particularly steps 1-4. However, a company must not “over-consolidate” by going down to a single source supplier. Trowbridge advocates a diversified supplier base, with a technique he calls “dual-sourcing”. From the compliance perspective, you may want to have a primary and secondary third party that you work with in a service line or geographic area to retain this redundancy.

II. Keep Tabs on Subcontracted Work

This is one area that requires an appropriate level of management. If your direct contracting party has the right or will need to subcontract some work out, you need to have visibility into this from the compliance perspective. You will need to require and monitor that your direct third party relationship has your approved compliance terms and conditions in their contracts with their subcontractors. You will also need to test that proposition. In other words, you must require, trust and then verify.

III. When Disaster Strikes, Make Sure Your Company is Legally Protected Too

This is where your compliance terms and conditions will come into play. One of the things that I advocate is a full indemnity if your third party violates the FCPA and your company is dragged into an investigation because of the third party’s actions. Such an indemnity may not be worth too much but if you do not have one, there will be no chance to recoup any of your legal or investigative costs. Another important clause is that any FCPA violation is a material breach of contract. This means that you can legally, under the terms of the contract, terminate it immediately, with no requirement for notice and cure. Once again you may be somewhat constrained by local laws but if you do not have the clause, you will have to give written notice and an opportunity to cure. This notice and cure process may be too long to satisfy the Department of Justice (DOJ) or Securities and Exchange Commission (SEC) during the pendency of a FCPA investigation. Finally, you need a clause that requires your third party to cooperate in any FCPA investigation. This means cooperation with you and your designated investigation team but it may also mean cooperation with US governmental authorities as well.

You also need the ability to move between third parties if the need arises. This is the redundancy issue raised above. You do not want to be stuck with no approved freight forwarders or other transporters in a certain geographic area. If a compliance related matter occurs, you may well need certain contractual rights to move your work and to require your prime third party to cooperate with the transition to your secondary third party.

IV. Keep Track of Your Third Parties’ Financial Stability

This is one area that is not usually discussed in the compliance arena around third parties but it seems almost self-evident. You can certainly imagine the disruption that could occur if your prime third party supplier in a country or region went bankrupt; but in the compliance realm there is another untoward Red Flag that is raised in such circumstances. Those third parties under financial pressure may be more easily persuaded to engage in bribery and corruption than third parties that stand on a more solid financial footing. You can do this by a simple requirement that your third party provide annual audited financial statements. For a worldwide logistics company, this should be something easily accomplished.

Trowbridge says, “Automated financial tracking tools can also be used to keep track of material changes in a supplier’s financial stability.” You should also use your in-house relationship manager to regularly visit key third party relationships so an on-the-ground assessment can be a part of an ongoing conversation between your company and your third parties.

V. Formalize Incentives for Third Party Performance

One of the key elements for any third party contract under the FCPA or UK Bribery Act is the compensation issue. If the commission rate is too high, it could create a very large pool of money that could be used to pay bribes. It is mandatory that your company link any commission or payment to the performance of the third party. If you have a long-term stable relationship with a third party, you can tie compensation into long-term performance, specifically including long-term compliance performance. This requires the third party to put skin into the compliance game so that they have a vested, financial interest in getting things done in compliance with the FCPA or other anti-corruption compliance regime.

Additionally, as Trowbridge notes, “The fact is, linking contractual compensation to performance does make a significant difference in supplier performance. This is especially valuable when agreed upon key performance indicator (KPI) metrics can be accurately tracked.” This would seem to be low hanging fruit for the compliance practitioner. If you cannot come up with some type of metric from the compliance perspective, you can work with your business relationship team to develop such compliance KPIs.

While Trowbridge’s article focused on the suppliers, I found his ideas easily transferable to the compliance field. Near the end of the article Trowbridge suggested ranking suppliers based upon a variety of factors including performance, length of relationship, benchmarking metrics and KPIs. This is a way for the compliance practitioner to have an ongoing risk ranking for third parties that can work as a preventative and even proscription prong of a compliance program and allow the delivery of compliance resources to those third parties that might need or even warrant them.


April 1, 2015

Supply Chain as a Source of Compliance Innovation

On this day we celebrate the greatest upset in the history of the NCAA Basketball Tournament, when Villanova beat Georgetown for the 1985 national championship. Georgetown was the defending national champion and had beaten Villanova at each of their regular season meetings. In the final the Wildcats shot an amazing 79% from the field, hitting 22 of 28 shots plus 22 of 27 free throws. Wildcats forward Dwayne McClain, the leading scorer, had 17 points and 3 assists. The Wildcats’ 6’ 9” center Ed Pinckney outscored 7’ Hoyas’ center, Patrick Ewing, 16 points to 14 and 6 rebounds to 5 and was named MVP of the Final Four. It was one of the greatest basketball games I have ever seen and certainly one for the ages.

I thought about this game when I read an article in the most recent issue of Supply Chain Management Review by Jennifer Blackhurst, Pam Manhart and Emily Kohnke, entitled “The Five Key Components for SUPPLY CHAIN”. In their article the authors asked “what does it take to create meaningful innovation across supply chain partners?” Their findings were “Our researchers identify five components that are common to the most successful supply chain innovation partnerships.” The reason innovation in the Supply Chain is so important is that it is an area where companies can not only affect costs but can also move to gain a competitive advantage. To do so, companies need to see their Supply Chain third parties as partners and not simply as entities to be squeezed for cost savings. By doing so, companies can use the Supply Chain in “not only new product development but also [in] process improvements”.

I found their article resonated for the compliance professional as well. It is almost universally recognized that third parties are your highest Foreign Corrupt Practices Act (FCPA) risk. What if you could turn your Supply Chain from being considered a liability under the FCPA to an area that brings innovation to your compliance program? This is an area that not many compliance professionals have mined so I think the article is a useful starting point. The authors set out five keys to successful innovation spanning Supply Chain partners. They are: “(1) Don’t Settle for the Status Quo; (2) Hit the Road in Order to Hit Your Metrics; (3) Send Prospectors Not Auditors; (4) Show Me Yours and I’ll Show You Mine; and (5) Who’s Running the Show?”

Don’t Settle for the Status Quo

This means that you should not settle for simply the status quo. Innovation does not always come from a customer or even an in-house compliance practitioner. Here the key characteristics were noted to be “cooperative, proactive and incremental”. The authors emphasize that “you need to be leading the innovation change rather than catching up from behind.” If a company in your Supply Chain can suggest a better method to do compliance, particularly through a technological solution, it may be something you should well consider.

Hit the Road in Order to Hit Your Metrics

To truly understand your compliance risk from all third parties, including those in the Supply Chain, you have to get out of the ivory tower and on the road. This is even truer when exploring innovation. You do not have to hit the road with the “primary goal to be the inception point for innovation” but through such interactions, innovation can come about “organically”. There is little downside for a compliance practitioner to go and visit a Supply Chain partner and have a “face-to-face meeting simply to get to know the partner better and more precisely identify that partner’s needs.”

Send Prospectors Not Auditors

While an audit clause is critical in any Supply Chain contract, both from a commercial and FCPA perspective, the authors believe that “Too often firms use supply chain managers as auditors when they are dealing with supply chain partners.” The authors call these types of managers “innovation partners.” Every third party should have a relationship manager, whether that third party is on the sales side or the Supply Chain side of the business. Moreover, the innovation partners are “able to see synergies where [business] partners can work together for the benefit of everyone involved.”

Show Me Yours and I’ll Show You Mine

Here the authors note, “Trust plays an extremely important role in supply chain innovation. Firms in successful innovations discussed a willingness to share resources and rewards and to develop their partners’ capabilities.” The authors believe that “Through the process of developing trust, firms understand their partner’s strategic goals.” I cannot think of a more applicable statement about FCPA compliance. Another way to consider this issue is that if your Supply Chain partner has trust in you and your compliance program, they could be more willing to work with you on the prevent and detect prongs of compliance regimes. Top down command structures may well be counter-productive.

Who’s Running the Show?

I found this point particularly interesting as for the authors, this prong means “who is doing what, but also what each firm is bringing to the relationship in terms of resources and capabilities.” In the compliance regime it could well lead to your Supply Chain partner taking a greater role in managing compliance in a specific arena or down a certain set of vendors. Your local Supply Chain partner might be stronger in the local culture, which could allow it to lead to collaborations by other vendors in localized anti-corruption networks or roundtables to help move the ball forward for doing business in compliance with the FCPA or other anti-corruption laws such as the UK Bribery Act.

The authors ended by remarking, “we noticed that leveraging lean and process improvement was mentioned by virtually every firm.” This is true in the area of process improvement, which is the essential nature of FCPA compliance. Another interesting insight from the authors was that utilization can increase through such innovation in the Supply Chain. Now imagine if you could increase your compliance process performance by considering innovations from your Supply Chain third parties? The authors conclude by stating that such innovation could lead to three “interesting outcomes 1) The trust and culture alignment is strengthened through the partnership innovation process leading to future innovations and improvement; 2) firms see what is needed in terms of characteristics in a partner firm so that they can propagate the success of prior innovations to additional partners; 3) by engaging supply chain partners as innovation partners, both sides reap rewards in a low cost, low risk, highly achievable manner.” With some innovation Villanova coach Rollie Massimino led his team over the prohibitive favorite Georgetown, and you may be able to tap into a resource immediately available at your fingertips, your Supply Chain.


March 31, 2015

Do Your Executives Have (Compensation) Skin in the Game?

This year marks the 150th anniversary of the ascent of the most famous mountain in Europe, the Matterhorn. On Bastille Day, in 1865, four British climbers and three guides were the first climbers to reach the summit. In an article in the Financial Times (FT), entitled “In Whymper’s steps”, Edward Douglas wrote, “It was a defining moment in the history of mountaineering, arguably as pivotal as the first ascent of Everest. Before this calamity climbing was a quirky minority pastime and Zermatt an indigent and obscure village. All that changed on July 14, 1865. As locals cheerfully acknowledge, the Matterhorn disaster enthralled the public around the world and sparked an unprecedented tourist boom.”

The disaster had befallen the climbing team on its descent after having scaled the summit. The team was led by Edward Whymper. As they were coming back down, they were all tied together with rope. When one of the team slipped, he knocked over his guide and “their weight on the rope pulled off the next man…and a fourth climber as well.” Only expedition leader Whymper and two Swiss guides, a father and son duo from Zermatt, survived the disaster when “they dug in and the rope tightened – then snapped – leaving them to watch in horror as the bodies of their companions cartwheeled thousands of feet down the mountain.” The depiction of the disaster by the French artist Gustave Doré captures for me the full horror of the tragedy.

Yesterday I wrote about the role of compensation in your best practices compliance program. Today I want to focus on the same issue but looking at senior management and compensation. I thought about this inter-connectedness of compensation in a compliance program, focusing up the corporate ladder, when I read a recent article in the New York Times (NYT) by Gretchen Morgenson, in her Fair Game column, entitled “Ways to Put the Boss’s Skin In the Game”. Her piece dealt with a long-standing question about how to make senior executives more responsible for corporate malfeasance. Her article had some direct application to anti-corruption compliance programs such as those based on the US Foreign Corrupt Practices Act (FCPA) or UK Bribery Act. Morgenson said the issue was “Whenever a big corporation settles an enforcement matter with prosecutors, penalties levied in the case – and they can be enormous – are usually paid by the company’s shareholders. Yet the people who actually did the deeds or oversaw the operations rarely so much as open their wallets.”

She went on to explain that it is an economic phenomenon called “perverse incentive” which is one where “corporate executives are encouraged to take outsized risks because they can earn princely amounts from their actions. At the same time, they know that they rarely have to pay any fines or face other costly consequences from their actions.” To help remedy this situation, the idea has come to the fore about senior managers putting some ‘skin in the game’. Her article discussed three different sources for this initiative.

The first is a current proxy proposal in front of Citigroup shareholders which “would require that top executives at the company contribute a substantial portion of their compensation each year to a pool of money that would be available to pay penalties if legal violations were uncovered at the bank.” Further, “To ensure that the money would be available for a long enough period – investigations into wrongdoing take years to develop – the proposal would require that the executives keep their pay in the pool for 10 years.”

The second came from William Dudley, the President of the Federal Reserve Bank of New York, who made a similar suggestion in a speech last fall. His prescription involved a performance bond for the actions of bank executives. Morgenson quoted Dudley from his speech, “In the case of a large fine, the senior management and material risk takers would forfeit their performance bond. Not only would this deferred debt compensation discipline individual behavior and decision-making, but it would provide strong incentives for individuals to flag issues when problems develop.”

Morgenson reported on a third approach which was delineated in an article in the Michigan State Journal of Business and Securities Law by Greg Zipes, “a trial lawyer for the Office of the United States Trustee, the nation’s watchdog over the bankruptcy system, who also teaches at the New York University School for Professional Studies.” The article is entitled, “Ties that Bind: Codes of Conduct That Require Automatic Reductions to the Pay of Directors, Officers and Their Advisors for Failures of Corporate Governance”. Zipes’ proposal is to create a “contract to be signed by a company’s top executives that could be enforced after a significant corporate governance failure. Executives would agree to pay back 25 percent of their gross compensation for the three years before the beginning of improprieties. The agreement would be in effect whether or not the executives knew about the misdeeds inside their company.”

As you might guess, corporate leaders are somewhat less than thrilled at the prospect of being held accountable. Zipes was cited for the following, “Corporate executives are unlikely to sign such codes of conduct of their own volition.” Indeed Citibank went so far as to petition the Securities and Exchange Commission (SEC) “for permission to exclude the policy from its 2015 shareholder proxy.” But the SEC declined to do so, and at least Citibank shareholders will have the chance to vote on the proposal.

In the FCPA compliance context, these types of proposals seem to me to be exactly the type of response that a company or its Board of Directors should want to put in place. Moreover, they all have the benefit of a business solution to a legal problem. In an interview for her piece, Morgenson quoted Zipes as noting, “This idea doesn’t require regulation and it doesn’t require new laws. Executives can sign the binding code of conduct or not, but the idea is that the marketplace would reward those who do.” For those who might argue that senior executives cannot or should not be responsible for the nefarious actions of others, they readily take credit for “positive corporate activities in which they had little role or knew nothing about.” Moreover, under Sarbanes-Oxley (SOX), corporate executives must make certain certifications about financial statements and reporting, so there are currently some obligations along these lines.

Finally, perhaps shareholders will simply become tired of senior executives claiming they could not know what was happening in their businesses; have their fill of hearing about some rogue employee(s) who went off the rails by engaging in bribery and corruption to obtain or retain business; and not accept that leaders should not be held responsible.


March 30, 2015

Compensation Incentives in a Best Practices Compliance Program

One of the areas that many companies have not paid as much attention to in their Foreign Corrupt Practices Act (FCPA) anti-corruption compliance programs is compensation. However, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have long made clear that they view incentives, rewarding those employees who do business in compliance with their employer’s compliance program, as one of the ways to reinforce the compliance program and the message of compliance. As far back as 2004, the then SEC Director of Enforcement, Stephen M. Cutler, said “[M]ake integrity, ethics and compliance part of the promotion, compensation and evaluation processes as well. For at the end of the day, the most effective way to communicate that “doing the right thing” is a priority, is to reward it.” The FCPA Guidance states the “DOJ and SEC recognize that positive incentives can also drive compliant behavior. These incentives can take many forms such as personnel evaluations and promotions, rewards for improving and developing a company’s compliance program, and rewards for ethics and compliance leadership.”

In a Harvard Business Review (HBR) article, entitled “The Right Way to Use Compensation”, Mark Roberge, Chief Revenue Officer of HubSpot, wrote about his company’s design and redesign of its employees’ compensation system to help drive certain behaviors. The piece’s subtitle indicated how the company fared in this technique as it read, “To shift strategy, change how you pay your team.” Several interesting ideas were presented, which I thought could be applicable for the Chief Compliance Officer (CCO) or compliance practitioner when thinking about compensation as a mechanism in a best practices compliance program.

Obviously Roberge and HubSpot were focused on creating and retaining a customer base for a start-up company. However, because the company was a start-up, I found many of their lessons to be applicable for the compliance practitioner. As your compliance program matures and your strategy shifts, “it’s critical that the employees who bring in the revenue – the sales force – understand and behave in ways that support the new strategy. The sales compensation system can help ventures achieve that compliance.” The prescription for you as the compliance practitioner is to revise the incentive system to focus your employees on the goals of your compliance program. This may mean that you need to change the incentives as the compliance program matures; from installing the building blocks of compliance to burning anti-corruption compliance into the DNA of your company.

Roberge wrote that there were three key questions you should ask yourself in modifying your compensation incentive structure. First, is the change simple? Second, is the change aligned with your company values? Third, is the effect on behavior immediate due to the change?


Your employees should not need “a spreadsheet to calculate their earnings.” This is because if “too many variables are included, they may become confused about which behaviors” you are rewarding. Keep the plan simple and even employ KISS, Keep it simple sir, when designing your program. If you do not do so, your employees might fall back on old behaviors that worked in the past. Roberge notes, “It should be extraordinarily clear which outcomes you are rewarding.”

The simplest way to incentivize employees is to create metrics that they readily understand and that are achievable in the context of the compliance program that you are trying to implement or enhance. This can start with attending Code of Conduct and compliance program training. Next might be a test to determine how much of that training was retained. It could be follow up, online training. It could mean instances of being a compliance champion in certain areas, whether with your employee base or third party sales force.


As the CCO or compliance practitioner, you need to posit the most important compliance goal your entity needs to achieve. From there you should determine how your compensation program can be aligned with that goal. Roberge cautions what the DOJ and SEC both seem to understand, that you should not “underestimate the power of your compensation plan.” You can tweak your compliance communication, be it training, compliance videos, compliance reminders or other forms of compliance messaging but it is incumbent to remember that “if the majority of your company’s revenue is generated by salespeople, properly aligning their compensation plan will have greater impact than anything else.”

The beauty of this alignment prong is that it works with your sales force throughout the entire sales channel. So if your sales channel is employee based then their direct compensation can be used for alignment. However such alignment also works with a third party sales force such as agents, representatives, channel ops partners and even distributors. Here Roberge had another suggestion regarding compensation that I thought had interesting concepts for third parties, the holdback or even clawback. This would come into place at some point in the future for these third parties who might meet certain compliance metrics that you design into your third party management program.


Finally, under immediacy, it is important that such structures be put in place “immediately” but in a way that incentivizes employees. Roberge believes that “any delay in the good (or bad) behavior and the related financial outcome will decrease the impact of the plan.” As a part of immediacy, I would add there must be sufficient communication with your employee or other third party sales base. Roberge suggested a town hall meeting or other similar event where you can communicate to a large number of people.

Even in the world of employee compensation incentives, there should be transparency. He cautioned that transparency does not mean the design of the incentive system is a “democratic process. It was critical that the salespeople did not confuse transparency and involvement with an invitation to selfishly design the plan around their own needs.” However, he did believe that the employee base “appreciated the openness, even when the changes were not favorable to their individual situations.” Finally, he concluded, “Because of this involvement, when a new plan was rolled out, the sales team would understand why the final structure was chosen.”

So just as Roberge, working with HubSpot as a start-up, learned through this experience “the power of a compensation plan to motivate salespeople not only to sell more but to act in ways that support a start-up’s evolving business model and overall strategy”; you can also use your compensation program as such an incentive. For the compliance practitioner one of the biggest reasons is to first change a company’s culture to make compliance more important but to then burn it into the fabric of your organization. But you must be able to evolve in your thinking and professionalism as a compliance practitioner to recognize the opportunities to change and then adapt your incentive program to make the doing of compliance part of your company’s everyday business process.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

March 27, 2015

Compliance Programs under the Brazilian Clean Companies Act

Ed. Note-I recently asked Rafael Mendes Gomes if he could give my readers some information about the recent regulations issued by the Brazilian government around the Clean Companies Act. Both he and Vitor Lopes da Costa Cruz responded with today’s guest post.

According to the World Bank, Brazil is the world’s seventh wealthiest economy, with a Gross Domestic Product (GDP) of US$ 2.253 trillion in 2012. On the other hand, Brazil is ranked 69th out of 175 countries in Transparency International’s 2014 Corruption Perception Index, and was recently shaken by investigations into a multi-billion dollar scandal involving the state controlled oil giant Petrobras, threatening to engulf the country’s most senior politicians—including its president. Brazil is also a signatory of the OECD Convention on Combating Bribery of Foreign Public Officials in International Business Transactions – the “OECD Convention”.

The OECD Convention entered into force in 1999, and the OECD’s Working Group conducts peer reviews to evaluate the implementation of the Convention and effective enforcement of measures to prevent, detect, investigate and prosecute bribery, but Brazil was one of the last signatories to pass a law focused on the supply side of the bribes: business organizations. Law 12.846/2013, often referred to as the Clean Companies Act, took effect on January 29th, 2014, and makes business organizations liable for illegal acts against national or foreign public administration, including bribery. An English translation of Law 12.846/2013 is available here.

The Clean Companies Act applies to any Brazilian business organization, company, foundation, association of persons or entities, formally organized or not, regardless of how they are organized or the corporate model they adopt, as well as foreign companies having an office, branch, or representation in the Brazilian territory, even if informally and/or temporarily. The Act subjects companies to severe civil and administrative penalties and sanctions for bribing domestic or foreign government officials, and the fines can be up to 20 percent of the company’s annual gross revenues.

In Article 7, VIII, the statute provides that, in defining the penalties to be applied to an organization for violations of the statute, the enforcer will take into account the “existence of internal mechanisms and procedures of integrity, audit and incentive for the reporting of irregularities, as well as the effective enforcement of codes of ethics and codes of conduct within the organization” (free translation). The problem was that the statute did not provide guidance on what said mechanisms and procedures consisted of, or how much discount or credit would be granted to companies that have effective compliance programs in place. In the Sole Paragraph of Article 7, the statute sets forth that the criteria of evaluation of the compliance mechanisms and procedures were to be defined by Regulation to be issued by the Federal Executive Branch.

Finally, after over a year of the Clean Companies Act having entered into force, on March 18th, President Dilma Rousseff issued a Federal Decree (8.420/2015) regulating the statute, as a part of a series of anti-corruption measures to counter the increasing public opinion pressure against her administration. The Decree covers some of the crucial aspects of the Act, concerning the evaluation of compliance or corporate integrity programs, the administrative procedure for imposing corporate liability and assessing fines, and the rules regarding leniency agreements.

Of particular interest to companies doing business in Brazil is what the Decree says regulators and enforcers shall regard as the hallmarks of an effective compliance program. In our view, these guidelines are closely aligned with international standards, mainly those provided by the FCPA Resource Guide and the OECD’s Good Practice Guidance on Internal Controls, Ethics, and Compliance.

In this post we will focus on the available legal guidance in Brazil, regarding compliance programs, as provided for in the recently enacted Decree, outlining the hallmarks of a compliance program under Brazilian law:

  1. Tone at the Top, translated as the commitment from the top executives of the company, including members of the board, evidenced by the visible and unequivocal support to the compliance program.
  2. Ethics Code and written policies and procedures, enforced to all members in the organization, extended to third parties when applicable.
  3. Periodic Training regarding the organization’s Compliance Program.
  4. Periodic Risk Assessment, aimed at making the necessary adjustments to the company’s compliance program.

As regards risk assessment, the Decree sets forth that the Brazilian Authorities shall consider the following when assessing the effectiveness of a Compliance Program, during an investigation:

  • The number of employees;
  • The complexity of the company’s internal hierarchy and the number of departments, governance bodies or sectors;
  • The use of third-party intermediaries as consultants or sales agents;
  • The industry or sector in which the company operates;
  • The countries in which it operates, directly or indirectly;
  • The level of interaction with the public sector and the importance of permits, licenses, and governmental approvals for its operations;
  • The amount and location of legal entities that form the economic group; and
  • Whether the company is regarded by law as a micro or small business.

  5. Accounting Records that comprehensively and accurately reflect the company’s transactions.
  6. Political Contributions. Transparency as regards donations and contributions to political campaigns, candidates and political parties.
  7. Relationship with the Public Administration. Specific Proceedings around prevention of fraud or irregularities in public tenders, in the performance of public contracts, and in the interaction with the public sector (including tax collections and inspections, governmental authorizations, licenses, and permits).
  8. Compliance Officer: Independence, structure, and authority of the internal body responsible for implementing and enforcing the compliance program.
  9. Confidential Reporting Channels (hotline), widely advertised to the company’s employees and third parties, and mechanisms for the protection of whistleblowers acting in good faith.
  10. Disciplinary Action in case of violations and procedures to ensure the prompt interruption of the wrongful conduct or violation, and timely remediation of damages caused.
  11. Third Party Due Diligence for the hiring of third party intermediaries, such as consultants, vendors, contractors, suppliers, and service providers, and, if applicable, the monitoring of the intermediaries’ activities.
  12. M&A Due Diligence: M&A anti-corruption due diligence and risk assessment.
  13. Monitoring and Continuous Improvement. Constant monitoring of the compliance program, in order to ensure its continuous improvement.

With the Federal Executive Branch having provided guidelines and clarifications on critical aspects of the Clean Companies Act by means of the Decree under review, defining parameters and criteria for application of the statute, companies now have a clearer picture of what is expected from them, how investigations are supposed to be conducted, and how cooperation will take place. It is also true that enforcers are now better equipped, at least from the legislation standpoint, to fight corporate bribery.

Now Brazil has the challenge to demonstrate effective enforcement of such laws.


Rafael Mendes Gomes is the partner in charge of compliance and anti-bribery at Chediak Advogados, with offices in São Paulo and Rio de Janeiro, Brazil. The firm offers legal assistance to both Brazilian and international clients across different industries and business sectors.


Vitor Lopes da Costa Cruz is a senior associate in the compliance and anti-bribery team at Chediak Advogados. He assists companies in the assessment, design, and implementation of compliance programs.


You can access Chediak Advogados Compliance and Anti-bribery web page here.

March 26, 2015

The Power of Positive Thinking

Ed. Note-I am on Spring Break this week and the Two Tough Cookies graciously agreed to provide a week of guest posts.

Wrapping up this week’s communication series, I am reminded of my own personal flaws… and I can be my own worst enemy. Nothing you’ve read these past few days should be surprising to you, but I hope they have served as a reminder on some easy things you can do to improve your communications within your organization. You need to be a “trusted resource” within your organization to be an effective change agent. Even if you aren’t leading the change efforts, just reinforcing the concepts for your organizational leaders makes you an important part of the change underway. How you present yourself to the larger organization goes a long way to reinforcing your credentials as a “trusted resource” and gives you the staying power to ride the tide of change.

Take this short quiz, and recognize your thought patterns from your answers:

  • You’ve been dieting for a while and you just lost 10 pounds. You think:
    A. This diet is taking so long I’m never going to look good in that suit for my brother’s wedding
    B. I’m proud of the self-control I’ve had so far
  • You miss your flight, and have to wait for a later one. You think:
    A. No matter what I do, something always makes me late
    B. I should have looked at the gap between connecting flights and given myself more time to change gates
  • Work rolls out a new computer app for you to use, and you are still struggling to get the hang of it. You think:
    A. I’ll embarrass myself if I ask for help
    B. I’m going to ask for help with this

In all three scenarios above, answer B is “positive thinking” because they

  • Give credit for positive outcomes
  • Identify strengths that make success possible
  • “Failures” are “foot faults” and not a personal flaw

Answer A, on the other hand, demonstrates negative thinking because

  • Success is due to luck or external factors
  • Success is random and had nothing to do with hard work
  • There’s assumption of failure and not success, and
  • Failure comes as no surprise

Circling back to Appreciative Inquiry, we already know to focus on what success looks like to you and your organization. Emotional Intelligence has you presenting yourself in the most positive way possible through the use of understanding and working with your emotions, knowing that the power to control your reactions goes a long way to controlling the outcome of your interactions with others in the workplace. Both these disciplines focus on the positives, and the Power of Positive Thinking takes it to the next level. As Gandhi is quoted as saying:

Watch your thoughts, for they become your words… Watch your words, for they become your actions…. Watch your actions, for they become your habits… Watch your habits, for they become your values…. And understand your values, for they become your destiny.

Positive thinkers are better at coping with workplace challenges. They are more resilient, they look to be part of the solution and not the problem, are more likely to ask for help, and function better in a crisis. They also tend to have an increased capacity for joy, are kinder, and less likely to feel the negative effects of stress, because they focus on what they can change. As compliance professionals, we work in a world rife with stress of all kinds. So how does positive thinking help us cope with workplace challenges? Here’s an example that I hope you can derive some useful tips from….

I was faced with a situation in a manufacturing plant where one worker hated another with a vengeance, and the Helpline had multiple calls from her over the course of a couple weeks, precipitating an “intervention.” The HR manager, new to the plant (but not new to HR), had thrown his hands up and said “I can’t deal with these two!” so I offered to personally come, hear them out, and help him work through a solution.

We sat the two down in a joint session, and I set some simple ground rules. Each would get 10 minutes to “present” their case and “air” their concerns, with another 5 minutes to rebut once the other had finished talking. First instance of interruption would take a minute off their “air time,” second interruption, two minutes, third interruption, and so on. Both agreed to the terms, and I tossed a coin for who would go first. The first, who had “seniority” in the plant, argued her case, and insisted that the other be reassigned to second shift so she wouldn’t have to see her face every day. The other worker stated she’d been given a hard time since day one, and learned it was because the complainant wanted her friend (who worked second shift) to get the job on first shift instead so they could have more friend time together. She then told us that first shift was important to her, because her husband worked second shift, and this meant they didn’t have to worry about day care for their kids. What was critical was that neither party had a performance issue, nor an attendance issue. It was clear to both myself and the HR manager it was simply a matter of the complainant wanting her friend to get the first shift slot instead.

We “recessed” before rebuttal, and I told the HR manager that I had an idea, if he wouldn’t mind me trying something. So, using the power of positive thinking, I invited the complainant to speak with us privately, to rebut what the other employee had to say. Giving us no new “evidence” of misbehavior, after she finished speaking the “dialogue” ensued as follows:

Q: So, you’re unhappy about Employee X working the day shift, correct?
A: Yes
Q: So, you want to have a different shift than Employee X, correct?
A: Yes
Q: And you are suggesting that we move Employee X to second shift, correct?
A: Yes
Q: Are you willing to pay for day care for Employee X’s kids while she works?
A: What?
Q: I asked, are you willing to pay for day care for Employee X to have her kids watched while she works second shift?
A: You crazy or what? That’s not my responsibility! That’s her problem!
Q: Okay, but it wasn’t her problem until you insisted we change her shift. We need help figuring out how to solve this new problem if we do as you ask. Ultimately, you want her to work a different shift than you, right? That’s what you want?
A: That’s right! So she needs to be moved to second shift!
Q: Or, you can be moved to second shift, right? I mean, that will do as you ask, won’t it? You don’t have any kids at home (focus on her “strength”), so it’s what will create the least hardship for everyone, isn’t it (focus on success)? She won’t have to get day care, you won’t have to pay for her day care (win-win), you’ll get to be with your friend, you’ll have what you want (another win-win), right? So, the way I see it we have three choices in front of us: 1) we leave things alone and you leave her alone (best choice), 2) we move her to second shift and you pay her day care (worst choice for complainant and definitely not what she anticipated), or 3) you move to second shift to be with your friend (unlikely, but “accountable” choice). What do you suggest we do from those three options? The choice is yours, all you have to do is tell us what you want us to do, and there’s really no wrong answer here from those three options (all options = success) ….

The silence in the room was deafening. The HR manager later pulled me aside and told me it took everything he had to keep a straight face, and he never in his life saw such an awestruck look on a factory worker’s face. He then thanked me for helping “document” the real issue, and giving him the insight to deal with that worker going forward. I was an instant hero for Employee X, too, as a result, and the HR manager confirmed that there were no more complaints coming from the complainant.

By simply shifting the focus of the problem a little bit, I “helped” the HR manager deal with the stressful complainant, and helped each focus on what they could change and resolve the conflict at work. By intervening on his behalf, I also took on the role of “bad cop” and he was able to preserve his “good cop” image at the plant while also successfully resolving the conflict. Furthermore, he was able to point to the experience any time other personal conflicts arose, and offered to bring me back anytime to work through the conflicts with the employees. No one took him up on the offer, and I still chuckle when I think back on that episode.

Our brains mimic what we see, so when we spread positivity, and show people alternative ways of thinking through problems, magic happens. I had fun with the exercise above, because it gave me the opportunity to show the complainant how her negative thinking was bringing everyone around her down, when the solution to her “problem” was really simple – I empowered her to think in terms of the hardships she was presenting to others (negativity) and gave her the tools to arrive at a positive outcome, if she was willing to take on some personal accountability in the process. Instead of thinking to myself “this woman is impossible to deal with” I thought instead “how can I empower her to solve this problem herself?” Another priceless leadership moment that I will take with me forever.

So how do you manage your thoughts to ensure positive outcomes? Like any leadership exercise, it’s a marathon, not a sprint. You have to be aware of what you’re doing (that’s where EQ comes in), and examine the triggers that send you into negativity. Change the critical thoughts into goals. Think about your values, and determine what it is you want to be. You don’t have to be positive all the time, nor should you – negative thinking can help you prepare, can also help you see the lighter side of things… It’s the yin to your yang, and helps you aim for balance. But practice your positivity, ask for help (go ahead, guys, ask for directions, it won’t hurt you), have a sense of humor, and enjoy yourself. And remember one thing if nothing else: You cannot be what you cannot see.

The Two Tough Cookies will be publishing a book of their tales shortly, under the title “You Can Not Be What You Can Not See” – look for it from Corporate Compliance Insights, coming soon. 

