FCPA Compliance and Ethics Blog

May 21, 2015

Compliance Week 2015 Wrap Up

Wrap UpCompliance Week 2015 has ended. This year was the tenth anniversary of the annual conference and in many ways I found it to be the best one yet. Matt Kelly and his team put together a conference and experience, which was absolutely first-rate. If you were not able to make this year’s event, I hope you will join us for Compliance Week 2016, which Matt announced the dates for at the conclusion of this year’s event. The dates for 2016 are May 23-26, back of course in Washington DC to be held yet again at the Mayflower Hotel. I wanted to give you some of my thoughts on the highlights of this year’s event and what made it so unique.

At my age, I am somewhat loathe to channel my teenage daughter but the first thing that I noticed was a very different vibe this year over past year’s conferences. From the Cocktail Party reception held on Sunday night, all the way through the conclusion of the event, there seemed to be an air that I have not quite been able to put my finger on. It was more than an acknowledgement and perhaps even an excitement about how far the compliance profession has come in the past ten years. While I have written about the Chief Compliance Officer (CCO) and compliance profession as CCO 2.0, I had the feeling that we may be moving on to CCO 3.0, as that was even the title of a session.

But this vibe was more tangible than simply a feeling. One key ingredient for me was the use of social media into the conference experience. While many events have a conference app, which can provide you information on such things as the agenda, speakers and their presentations, room locations and the like; the Compliance Week 2015 app was fully interactive, allowing you to live tweet, send IM to fellow conference attendees and receive text messages when a room changed or other conference alteration occurred. It also provided a virtual help desk for all attendees.

Many of sessions were led by CCOs from major corporations and they were able to provide a strategic vision of where they were going at their organizations. This was kicked off from the start of the conference, from the first panel on the first day where the CCOs from Boeing, GE and the Director of Compliance for Wal-Mart began the event. Obviously these are three of the largest companies in the US and do business on a worldwide basis. Yet, while sharing their strategic visions, each one was able to provide a solid example from their respective organization that a CCO or compliance practitioner from any sized company could implement. From Wal-Mart with a workforce of 2.2 million employees, it was keep the message simple. From Boeing, it was incorporate any compliance failures as teaching moments or lessons learned into your internal compliance training going forward. From GE, it was how to inculcate and incorporate compliance into your everyday business planning.

The conversations were excellent as usual. I led the FCPA conversation and there were several alumni present, who told me they look forward to attending each year. One of the reasons is that there is no avenue in their hometowns to get together in an environment to discuss issues of mutual concern. It is concept that Mike Snyder and I used in founding the Houston Compliance Roundtable. A place where you can ask any question and have it answered by another compliance professional in an environment where Chatham House rules apply. While I certainly started the discussion, it quickly became fully interactive with all participants sharing their views on a variety of topics. While we have some great compliance talent in Houston at our Roundtable, it cannot top the level of maturity and sophistication present at the Compliance Week annual conference. We all benefited from the experience.

This experience was doubled when I led a breakfast event on Tuesday. While an inducement to attend was a complimentary copy of my book Doing Compliance, there were 25 attendees who joined me for a very engaging and free-flowing conversation about the state of compliance, we practitioners and where enforcement may be heading. Compliance Week treated us all to breakfast and, once again, I probably learned as much as any one. But since Chatham House rules were in effect, I cannot report on any of the substantive things that were discussed. I will share with you that I am excited to lead such a breakfast again next year and I hope you will be one of the 25 to sign up.

As always there were a number of government representatives who spoke at Compliance Week again this year. For me, the parade was led by Department of Justice (DOJ) Assistant Attorney General Leslie Caldwell. While I will be writing further, and in more detail, about Caldwell’s remarks, she said a few things that I think bear emphasis. One was that compliance professionals need to work towards more data analytics in the form of transaction monitoring to assist in moving to a prevent and even predictive and prescriptive mode for your best practice compliance program. Next she emphasized that your compliance program must not be static but must evolve as your business risks evolve. Finally, and much closer to my heart, were her remarks that you need to “sensitize your business partners to compliance.” It was if she was channeling her inner Scott Killingsworth with his groundbreaking work on ‘Private-to-Private’ or P2P compliance solutions. Or, as I might say, she was advocating a business solution to the legal problem of bribery and corruption across the globe.

But Caldwell was not the only DOJ representative as we had Laurie Perkins, Assistant Chief, Foreign Corrupt Practices Act (FCPA) Unit and Kara Brockmeyer, Chief, FCPA Unit; Division of Enforcement from Securities and Exchange Commission (SEC), on a panel moderated by yours truly. First I would urge that if you are ever asked to moderate a panel with FCPA enforcers and regulators, jump at the chance. The reason is that you get to ask the questions you want answers to; even if you get past your prepared questions, when there is a lull in questions from the audience, you can follow up with something you want to know or in my case always wanted to know. So I asked some basic questions like: What is Criminal Information? (to Perkins) and Could you explain the process for the SEC’s Administrative Procedure? (to Brockmeyer). I was certainly enlightened by their answers to both questions.

The event sponsors were of course there to provide information on their solutions to assist any compliance practitioner. If you have never been to an event at the Mayflower Hotel in Washington, the conference rooms are along a wide hall that allows good people flow and adequate room for the sponsors and others to set up, meet attendees and discuss their products and services. I view the sponsors and vendors as a part of the compliance solution going forward and while they are clearly there to sell; they also engage in a fair amount of education. But the education runs both ways with many compliance practitioners communicating needs they have which can be incorporated into new product developments.

Unfortunately Compliance Week 2015 had to come to an end. But the feeling, information and new friends I met will last with me until Compliance Week 2016 next year. I hope you will plan to join me.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

May 13, 2015

Senn Interview, Part III – Post Incident Remediation

RemediationI conclude my three-part series based upon my podcast interview of noted white-collar defense lawyer and Foreign Corrupt Practices Act (FCPA) practitioner Mara Senn, a partner at Arnold & Porter LLP. In Part I, I considered Senn’s thoughts on conducting internal investigations. In Part II, I looked at Senn’s decision-making calculus around the decision to self-disclose if you have determined that a potential FCPA violation existed. Today, I consider her thoughts on what steps a company should take if it comes to the decision not to self-report a potential FCPA violation. These include the remediation of potential or actual conduct that might arguably violate the FCPA and the actions you should take on an ongoing basis.

One of the things Senn made clear is that whether you decide to self-disclose or not, your company must fully remediate the issue which led to that. She suggested that a company should act as if they will draw government scrutiny. She said, “the best way to go about it is to assume, act as if, the government is breathing down their necks on this very issue and fully remediate. The nice thing is they can decide what that means, fully remediate.”

I inquired as to whether that meant a systemic look at the company’s operations on a global, worldwide basis, particularly in view of Assistant Attorney General Leslie Caldwell’s recent admonition not to ‘boil the ocean’ in the context of your FCPA internal investigation. Senn replied, “It used to be that in the government’s view, fully remediating meant go to 10 different countries, even if there’s no suspicion of any activity going on, just to make sure that everything’s okay. They’re now backing away from that, and in fact, they’re saying that the private sector is the one who started that whole trend, which is not quite consistent with history.”

Recognizing that there is always a risk that the government will come knocking, either via a whistleblower or other mechanism, Senn replied, “you want to be squeaky clean, so that when the government comes to you, if in the future, like a year down the line, you have another problem or the government has a whistleblower or whatever, that you can say, look, in our opinion, we did an analysis, and we thought it was not necessary to self-disclose. On the other hand, we were horrified and very upset by the fact that this potential infraction happened on our watch, and we’ve done the following 5 things, and we’ve remediated.”

She went on to explain, “What you want to do is show to the government, “We understand the problems that caused this, and we got to the root of it. Either it’s a bad apple, and we got rid of that bad apple, or it was really a failure of compliance structures, and we’ve fixed that part of the compliance structures. In fact, we’ve added more, just to double check and make sure that in this particular area or similar areas, depending on what it is, we will detect, prevent, and if we detect something, we will remediate.” They, the government, can feel comfortable that you did what they would have asked you to do anyways. That doesn’t always have to be onerous, sometimes it is depending on the scope of the issue, but that’s what I would say about that.”

Senn listed several actions that a company could engage in to demonstrate that it had taken solid remediation steps. Obviously, a company can “bulk up its compliance program.” But she added that it is important that a company demonstrate action taken against the nefarious party or parties. A company can discipline up to and including discharge. But do not forget lesser forms of discipline including docking pay or suspension without pay or other steps short of termination. I would add that you should consider the FCPA Guidance on this final point where it notes, “A compliance program should apply from the board room to the supply room—no one should be beyond its reach. DOJ and SEC will thus consider whether, when enforcing a compliance program, a company has appropriate and clear disciplinary procedures, whether those procedures are applied reliably and promptly, and whether they are commensurate with the violation.” [emphasis supplied]

Yet more than simply remediating an issue or even violation, Senn believes that a company should work to stay on top of its program thereafter. Certainly if you agree to a Deferred Prosecution Agreement (DPA) or Non-Prosecution Agreement (NPA), your company will either have an external monitor or reporting obligation to the Department of Justice (DOJ) going forward.

I asked her about ongoing monitoring of your compliance program; both the enhancements you might put in place to remedy generally and the specific issues that caused the problem initially. Senn agreed that is an important step going forward, she stated, “Absolutely, but I think that the monitoring requirement has now essentially expanded to the whole program. The government really expects you now to be having ongoing improvement and ongoing monitoring, so it’s not like you put in a policy 3 years ago and don’t do anything and then assume it’s okay. I think maybe you would put in a special extra audit or something like that on that particular situation, but really you should have in your compliance program an overall monitoring function that allows you to do that for all of your programs to various levels and various degrees. Yes, I think so, but it may not be as intensive as your typical external monitor, because you’re going to be integrating that into a program that’s really more holistic than just checking on that one thing. You’re going to be checking on a system-wide basis.”

Clearly this position was articulated in the FCPA Guidance as Hallmark Nine of an Effective Compliance Program. The Guidance states, “An organization should take the time to review and test its controls, and it should think critically about its potential weaknesses and risk areas.” The Guidance ended this Hallmark by stating, “Although the nature and the frequency of proactive evaluations may vary depending on the size and complexity of an organization, the idea behind such efforts is the same: continuous improvement and sustainability.”

To listen to the full Mara Senn interview, go to the FCPA Compliance and Ethics Report, by clicking here, or download it from iTunes.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

May 12, 2015

Senn Interview, Part II – A Discussion of the Decision to Self-Disclosure

Self-DisclsoureIn today’s post, I continue to explore my recent interview of Mara Senn, a partner at Arnold & Porter LLP in Washington DC. Senn is a white-collar practitioner who whose practice includes representing companies in investigations of the Foreign Corrupt Practices Act (FCPA). In Part I, we reviewed Senn’s thought on how to prepare and deal with a FCPA investigation. Today I review her thoughts on the decision to self-disclose if a potential FCPA violation arises.

One of the things that has always been difficult is to quantify the benefits of self-disclosure of a potential FCPA violation by a company to the Department of Justice (DOJ) or Securities and Exchange Commission (SEC). At least for the DOJ, its base line analysis for calculating penalties comes from the US Sentencing Guidelines. As stated in the FCPA Guidance, “To determine the appropriate penalty, the “offense level” is first calculated by examining both the severity of the crime and facts specific to the crime, with appropriate reductions for cooperation and acceptance of responsibility, and, for business entities, addi­tional factors such as voluntary disclosure, cooperation, pre-existing compliance programs, and remediation.”

The Sentencing Guidelines, §8C2.5(g) states that an overall fine can be reduced through the following:

(g)       Self-Reporting, Cooperation, and Acceptance of Responsibility  

If more than one applies, use the greatest:

  • If the organization (A) prior to an imminent threat of disclosure or government investigation; and (B) within a reasonably prompt time after becoming aware of the offense, reported the offense to appropriate governmental authorities, fully cooperated in the investigation, and clearly demonstrated recognition and affirmative acceptance of responsibility for its criminal conduct, subtract 5 points; or
  • If the organization fully cooperated in the investigation and clearly demonstrated recognition and affirmative acceptance of responsibility for its criminal conduct, subtract 2 points; or
  • If the organization clearly demonstrated recognition and affirmative acceptance of responsibility for its criminal conduct, subtract 1 point. 

Both the DOJ and SEC representatives consistently state in speeches and other public commentary on the benefits of self-disclosure. Some commentators, notably Mike Volkov in his blog, caution that any decision to self-disclose should be well thought through and that if an issue can be resolved through an internal investigation, subsequent remediation and ongoing monitoring to make sure it does not happen again, self-disclosure many not be warranted. In my podcast interview with Mara Senn I ask her how she might help a client work through this most difficult issue.

While self-reporting has in many ways become the norm in many situations where a company uncovers what might arguably be a FCPA violation; Senn comes down that self-reporting should be “the exception and not the rule.” She first pointed to the “structure of self-reporting, the thing that I think gets lost in the shuffle is there’s absolutely no legal obligation to self-disclose in FCPA cases, at all. There may be other disclosure obligations, because of a public company or what have you, but under the law of the FCPA, and under criminal law, no company has an affirmative duty to self-disclose.”

She went on to explain unlike in anti-trust or cartel cases, “where the first company who’s the first in to self-report gets immunity. It’s a totally different structure in the FCPA area for many reasons, most of which are appropriate, but you don’t get immunity, you get cooperation credit”. This cooperation credit is based on the Sentencing Guidelines cited above but Senn explained that, from her perspective, “The problem is, a lot of these calculations are very very opaque. Under the sentencing guidelines, you get a 5-point decrease if you self-report, cooperate, and accept responsibility. You get 2 points off if you cooperate and accept responsibility, and then just 1 point for accepting responsibility. Under this system, supposedly, self-disclosure standing alone is worth 3 points, and each of the other ones are worth 1.” This leads her to believe that “in my experience, you get almost as much credit, if not as much credit, for cooperating with the government once they come to you, even if you didn’t disclose in the first place. The myth is that self-disclosure is some kind of really big bump in cooperation credit. I think, in practice, that really doesn’t bear water.” This leads her to believe that “This idea of credibility by self-disclosing is so intangible, and it’s not quantifiable.”

I posed the question of credibility with the government. One of things that I consistently advocate is that you need to have credibility with the DOJ or SEC when you sit across the table at any point during a FCPA investigation. I had thought that self-disclosure would add to that credibility. However Senn explained that it is the lawyer or law firm representing the company that can go a long way towards establishing credibility. She said, “For those of us who regularly appear before the government, we already have credibility, and they understand that the client may or may not agree with recommendations we make, and they know that we’ll be a straight shooter once we’re in front of them, however we get in front of them.” But is more than the lawyer or law firm that brings credibility; it is actions of the company as well. Of course this means the steps the company has taken and its cooperation with the government during the pendency of the FCPA investigation.

Senn even described a visual way to think through this by describing an X and Y-axis that creates four squares. She articulated it as follows, “On one axis, you have the seriousness of the potential violation, and then the likelihood of discovery on the other axis. In both of these areas, both the seriousness and the likelihood of discovery, I draw the line to be in a more rational, but it may be different, than the traditional norm.”

I asked Senn about the plethora of ways that a FCPA violation or issue can be reported now and if that should play a role the calculus to self-disclose or not. I found her response very interesting. She said, “I think that the likelihood of discovery issue is really really important if you think that companies get a lot of credit for self-reporting. If you don’t think that, which I don’t think that they do particularly, then really the focus is on cooperation and not so much on the self-reporting itself.” Even with the wide spread knowledge of Dodd-Frank whistleblower awards and protections Senn believes that “most employees really don’t realize they can get money from the government if they are whistleblowers on these sorts of things. I don’t think it’s been particularly well publicized, and obviously employers are not training their employees to explain to them that they can be whistleblowers.” She even pointed to the recent statistics from the SEC report on whistleblowers, stating, “If you look at the latest SEC whistleblower report, only 4.3% of the tips reported were FCPA cases. It’s not like people are hitting down their door with all these FCPA cases.”

I found Senn thoughts on the issue of self-disclosure certainly an interesting way to consider this most complex and significant issue. For all the criticism of FCPA Inc. and the FCPA Paparazzi, it also demonstrates the importance of having counsel well versed in both the legal issues of the FCPA and representing a company before the government in the event your company is in an investigation.

In Part III of my series on Senn’s interview, I will focus on her thoughts on remediation of any FCPA violation and steps going forward.

To listen to the full Mara Senn interview, go to the FCPA Compliance and Ethics Report, by clicking here, or download it from iTunes.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

May 11, 2015

Senn Interview, Part I – Investigations Under the FCPA

FCPA InvestigationsOne of the things that I am questioned on is when to bring in outside counsel for a Foreign Corrupt Practices Act (FCPA) investigation or simply to take a look at an issue that may have raised a Red Flag but is not yet a FCPA violation. Clearly a reason is retain the attorney client privilege and I think most Chief Compliance Officers (CCOs) and compliance practitioners understand that reason, but one of the things I learned as a trial lawyer is that you need to understand who your ultimate audience will be in work you do as a lawyer. If you draft a contract, you need to think through how it will play out in front of a judge or jury. If you start an FCPA investigation, your ultimate audience may well be the Department of Justice (DOJ) and Securities and Exchange Commission (SEC). I recently had the opportunity to visit with white-collar practitioner Mara Senn, a partner at Arnold & Porter LLP, on this issue. She had several insights that I thought were insightful to assist a CCO or compliance practitioner to think through these issues. Today, I begin a three-part blog post on some of Senn’s thoughts on investigations for potential FCPA violations; tomorrow we will look at the decision (or not) to self-disclose and, finally, remediation if you discover a FCPA violation.

Unfortunately, many investigations being in a crisis situation, where a company may have discovered something that they know is bad but they do not know how bad that particular problem might be or they are not aware just how widespread the problem is. Senn indicated that the first thing she would note is that not every single incident requires outside counsel. There are all kinds of issues that can be handled very efficiently and effectively by in-house counsel. Moreover, there will be other issues and corporate disciplines involved such as the Human Resources (HR) Department. She explained that for a typical compliance blip that may happen, you do not need to call in an outside counsel right away, but if you do have these indicia of larger problems, particularly if you are a public company, it is a good idea to call outside counsel because you may be involved in reporting obligations. She cautioned that even at this early stage, outside counsel does not have to be boots on the ground and may not be required to be intimately involved if it is not a very complicated case.

Even with the above information, I asked Senn if there were any advantages she might see from bringing in outside counsel from the get-go rather than waiting. She articulated a number of things. First, there is more credibility if it is an independent review. If you are working for the company in whatever capacity, the government is not going to believe, as much, that it’s an independent investigation. From the government’s perspective, DOJ and/or SEC, they do not typically know the company involved in the investigation. Further, government regulators and enforcement officials are typically suspicious that a company is going to try to do what is right for the company. Of course there have been documented enforcement actions where companies have either destroyed documents or tried to hide things, such as witnesses or other evidence. In certain situations, an employee may look the other way, either purposefully or not really realizing what they’re seeing, and may take the investigation in the wrong direction. You want to just inoculate against that kind of problem.

Second, Senn said that there are very complicated issues that come up in cross-border situations. She provided four quick examples: privacy laws; labor laws; cultural issues and language issues. It can be very helpful, more cost effective and important from a legal compliance perspective to have somebody who is experienced in those kinds of issues.

Finally, and what I found most interesting, was Senn’s perspective on document preservation. She believes that “probably from the government’s perspective, the most important aspect of setting up an investigation in a way that makes them feel comfortable, is ensuring that all data is locked down.” Some questions that she believes counsel needs to ask are: “Do you have hand held devices? Where are all of your servers? What is your back-up tape situation? Are you trained in forensically retaining information?” Basically you need to get into the technical nitty gritty and if you do not, you could end up having a situation where either information is lost or there’s a possibility or suspicion that information is lost. Unfortunately, that is the situation that leads to a prosecutor’s imagination going wild. Senn ended her thoughts on this key point with the following, “the thing you want to do is just lock down that information, so if it ever comes to a point where the government says, “Well, we want to kick the tires,” you can say, “Okay, don’t worry. We’ve got everything you would have gotten otherwise.”

All of these steps can lead your company, through its investigation counsel, to having credibility with the DOJ and SEC. She made clear that the government will not only put you through your paces but also test the vibrancy of your investigation protocol and steps you might take as an independent assessor. She said that “if they realize, or they think, that all you’re doing is parroting what they consider to be the company line, and you haven’t gone in and independently really taken a look for yourself, you’re just going to come off as less credible, as somebody that they can’t really trust. That is definitely something that a company wants to avoid at all costs.”

I really liked the way Senn phrased the next step, “You don’t want to go too crazy” around scoping out the investigation. After getting the documents and technology locked down you should try and figure out the bad actor(s). Depending on the situation of whether the investigation target is aware of their status, you may be forced into “somewhat of a stealth investigation, where instead of going full bore and sending out document holds and things like that, you first want to essentially get that person’s information and make sure that they’re not going to do anything to their information. If there are a number of people you know are at issue, you want to lock that down, as well.”

The next step is to collect the documents forensically and use the information gleaned from this step in the process to do what Senn called “lay of the land interviews” where you try and obtain enough information to have a basic understanding of the situation, who the key players and who may be involved in the incident. Senn also believes you can garner quite a bit of information from working with your client before the actual interviews begin. You can look at organizational charts; see the number of employees who could have touched the transaction(s) at issue and also the countries involved. Also a review of the company’s financial accounting systems is critical so that you can assess how much will have to be done manually and in-country. (Think Avon)

One of the questions that I have struggled with is at what point in the investigation process is it appropriate to discipline employees, up to and including termination? I was gratified when Senn said this not only was a difficult question but also required a case-by-case analysis. You should begin by taking any persons out of the responsible situation. Paid leave pending an investigation is one option. If you terminate them, they will be gone and you will have zero control over them for initial interviews, follow-up interviews or assistance. She explained, “the government might want to interview that person. If you fired them, and that person has moved away or is now inaccessible to the government, it’s actually worse. My tendency is to keep them around, but just prevent them from continuing to do any of the harm that they may have previously done.”

In my next post, I will review Senn’s thoughts on the subject of self-disclosure.

To listen to the full interview with Mara Senn, go to the FCPA Compliance and Ethics Report, by clicking here, or download it from iTunes.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

May 1, 2015

King Arthur Week – The Quest for the Holy Grail and Compliance Defense – Part V

Holy GrailWe conclude our Arthurian themed week with the Holy Grail, which has fired the imagination of artists for millennia. What was the Holy Grail? According to Professor Dorsey Armstrong in her Teaching Company lecture series, entitled “King Arthur: History and Legend”, the Holy Grail has taken various forms over the years. For Chrétien de Troyes, it was a fancy serving dish; for Wolfram von Eschenbach, it is a magical stone; for Robert de Boron, it is the cup that Christ drank from at the Last Supper; for the comedy troupe Monty Python, it is a cartoon sketch that no one ever finds; and for the modern day author Dan Brown, it is both a person, who is a descendant of Mary Magdalene, and a bloodline which leads to the Merovingian kings of France. In other words, it means many things to many people.

One of the articulated reasons for the creation of King Arthur’s Round Table was tied to the Holy Grail, since it was allegedly used at the Last Supper, it seems only natural that Arthur would seek it from his table as well. Indeed in Robert de Boron’s account of Arthur, the wizard Merlin tells Arthur the Round Table was established to identify the one Knight, who was pure of heart, who could find the Holy Grail. Only after the great quest for and locating of the Holy Grail was achieved could Arthur’s other ambitions come to pass.

Another interesting twist on the Grail legend is that it was in Britain. Curiously it was first ‘discovered’ by some enterprising Monks in Glastonbury, England in the late 12th century. They just happened to come across a well that ‘bled’ water around the time of an annual pilgrimage. Going viral in the Middle Ages was tough but the Monks built upon their initial find by claiming that both King Arthur and his Queen Guinevere were also buried at their abbey. Do you believe any of the above? Are you on your own Grail Quest, however dreamy that quest might be?

I thought about the quest for the Holy Grail in the context of the renewed call for a compliance defense addition to the Foreign Corrupt Practices Act (FCPA), which would give companies a pass if they had sustained a FCPA violation. In a recent blog post, entitled “Wal-Mart’s Recent Disclosures, the FCPA Professor renewed his clarion call for a compliance defense for FCPA violators, using Wal-Mart’s last three-year spend on compliance resources as a starting point. He wrote, “Wal-Mart disclosed spending approximately $220 million over the past three years in global compliance program and organizational enhancements.” He went on to note, “The key policy issue is this. Wal-Mart has engaged in FCPA compliance enhancements in reaction to its high-profile FCPA scrutiny. Perhaps if there was a compliance defense more companies would be incentivized to engage in compliance enhancements pro-actively. A compliance defense is thus not a “race to the bottom” it is a “race to the top” (see here for the prior post) and it is surprising how compliance defense detractors are unable or incapable of grasping this point.”

Leaving aside the issue of whether I am “unable or incapable” to grasp these issues I raised, I see this quest for (or ‘race’ as the FCPA Professor calls it) for a compliance defense for companies that violate the FCPA to be as quixotic as the quest for the Holy Grail. As there were two requirements for the Knight who was destined to find the Grail, we will begin pureness of heart. Recognizing that it might be difficult to find a corporation that is ‘pure of heart’, the appropriate analogy might be more than simply spending what may appear to be a large dollar amount on a compliance program. This is because it is not the amount of money you spend that informs the effectiveness of your compliance program. In three years Wal-Mart has reported it spent $220MM. The FCPA was enacted into existence in 1977. What do you get if you divide $220MM total spend into 38 years? My (recovering) trial lawyer math shows that to be approximately $5.78MM per year. How many billions of dollars per year was the annual revenue of Wal-Mart during that time? (Hint – a lot)

Moving our quest time frame to the modern era of FCPA enforcement, to say 2005. That would give an annual compliance spend of $20MM per year. If one looks at the company’s revenue from the middle of the last 10 years, for the fiscal year ending January 31, 2011, Wal-Mart reported net income of $15.4 billion on $422 billion in gross sales. Now what do you think about Wal-Mart’s quest for an effective compliance program based upon three year’s spending of $220 being significant? Indeed what is the percent of its revenues over the past three years that Wal-Mart spent creating its compliance program? Alas my trial lawyer math skills do not allow me to calculate a number so small.

How about the second part of the Grail quest that requires a ‘chaste’ Knight? Once again it is somewhat difficult to understand how a corporation could be chaste but I think the appropriate analogy is the doing of compliance. Put another way, it is not having a compliance program in place but having an effective compliance program. So not only does the amount of money a company spends become immaterial to our quest but also the same can be said to the claim that having a written program should entitle you some type of defense to any FCPA violations. Just as questing for the Holy Grail is seeking something that does not exist, affording companies a defense from their own FCPA violations by having a written program in place is not a temporal reality.

Under the FCPA Ten Hallmarks of an Effective Compliance Program, that it is an interplay of the right compliance message, tools in place to communicate and enforce the compliance message and then oversight to ensure compliance with the entire compliance regime. Such things as monitoring are recognized as a key element so your company should establish a regular monitoring system to spot issues and address them. Effective monitoring means applying a consistent set of protocols, checks and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. To address this, your compliance team should be checking in routinely with the finance departments in your foreign offices to ask if they have noticed recent accounting irregularities. Regional directors should be required to keep tabs on potential improper activity in the countries they manage. Additionally, the global compliance committee should meet or communicate as often as every month to discuss issues as they arise. These ongoing efforts demonstrate your company is serious about compliance.

In addition to monitoring, structural controls are recognized as an important element. It has been said that large companies “must use structural means to maintain control.” One of the best explanations of the use of internal controls as a structural component of any best practices compliance program comes from Aaron Murphy, a partner at Foley and Lardner in San Francisco, in his book entitled “Foreign Corrupt Practices Act”, where he said, “Internal controls are policies, procedures, monitoring and training that are designed to ensure that company assets are used properly, with proper approval and that transactions are properly recorded in the books and records. While it is theoretically possible to have good controls but bad books and records (and vice versa), the two generally go hand in hand – where there are record-keeping violations, an internal controls failure is almost presumed because the records would have been accurate had the controls been adequate.” These two parts are but a sampling but it is in the doing of compliance that any anti-corruption compliance program becomes effective; it is not simply having one in place.

Finally, as with all quests, what will it bring you if you actually achieve it? As with the Holy Grail, it is a good story but that is about it. I find this view best articulated by Matthew Stephenson, in a blog post entitled “The Irrelevance of an FCPA Compliance Defense”, where he gave three reasons why a compliance defense is not warranted. First (and perhaps almost too obvious to state) is that if your company is invoking a compliance defense, there has been a FCPA violation. The second is “The U.S. Department of Justice (DOJ) already takes into account a corporation’s good-faith efforts to implement a meaningful compliance program when the DOJ decides whether to pursue an FCPA action against the corporation, and what penalties or other remedies to impose. Indeed, the adequacy of the corporation’s compliance program is a standard subject of negotiation between the DOJ and corporate defendants.” Third is that “An FCPA compliance defense would only alter the DOJ’s bargaining position if a corporation unhappy with the DOJ’s position could either (1) convince the DOJ lawyers that the DOJ’s position is unreasonable in light of the corporation’s compliance program, or (2) credibly threaten to go to court and defeat the DOJ’s enforcement action altogether by successfully invoking the compliance defense before a federal judge.” Stephenson discounts subpart 1 because DOJ lawyers already take a company’s compliance program into account. But his second subpart is even more important because no company will go to trial against the government using a compliance defense to a demonstrable FCPA violation. Leaving aside the Arthur Anderson effect, no company is going to risk losing at trial when they can control their own fate through settlement. The modern day Knights seeking the Holy Grail of a compliance defense will never find it because of this last fact. Moreover, just as there were no real Knights who could meet the requirements to actually find the Holy Grail after their quest, there are no companies which can meet the same criteria; that being that a compliance defense could or even should trump a FCPA violation.

So we leave our King Arthur themed week with our quest intact, bringing message I hope that you have ascertained in these five posts about some of the things you need to do around the ‘nuts and bolts’ of anti-corruption compliance. I also hope that you might be able to look at the tales surrounding the King Arthur myth for your own inspiration.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

April 28, 2015

King Arthur Week – the Pentecostal Oath and Code of Conduct – Part II

Mort D'ArthurOne thing for which King Arthur is remembered are his chivalric knights. He helped create this legend, in large part, by establishing a Code of Conduct for the Knights of the Round Table. The King required each one of them to swear an oath, called the Pentecostal Oath, which was Arthur’s ideal for a chivalric knight. The Oath stated, “The king established all his knights, and gave them that were of lands not rich, he gave them lands, and charged them never to do outrageousity nor murder, and always to flee treason; also, by no mean to be cruel, but to give mercy unto him that asketh mercy, upon pain of forfeiture of their worship and lordship of King Arthur for evermore; and always to do ladies, damosels, and gentlewomen succor upon pain of death. Also, that no man take no battles in a wrongful quarrel for no law, ne for no world’s goods. Unto this were all the knights sworn of the Table Round, both old and young. And every year were they sworn at the high feast of Pentecost.” (Le Morte d’Arthur, pp 115-116)

Interestingly, the Oath first appeared in Sir Thomas Malory’s Le Morte d’Arthur and in none of the prior incarnations of the legend. In Malory’s telling, after the Knights swore the Oath, they were provided titles and lands by the King. The Oath specifies both positive and negative conduct; that is, what a Knight might do but also what conduct he should not engage in. The Pentecostal Oath formed the basis for the Knight’s conduct at Camelot and beyond. It was clearly a forerunner of today’s corporate Code of Conduct.

The foundational document of any Foreign Corrupt Practices Act (FCPA) compliance program is its Code of Conduct. This requirement has long been memorialized in the US Sentencing Guidelines, which contain seven basic compliance elements that can be tailored to fit the needs and financial realities of any given organization. From these seven compliance elements the Department of Justice (DOJ) has crafted its minimum best practices compliance program, which is now attached to every Deferred Prosecution Agreement (DPA) and Non-Prosecution Agreement (NPA). These requirements were incorporated into the 2012 FCPA Guidance. The US Sentencing Guidelines assume that every effective compliance and ethics program begins with a written standard of conduct; i.e. a Code of Conduct. What should be in this “written standard of conduct”.

Element 1

Standards of Conduct, Policies and Procedures (a Code of Conduct)

An organization should have an established set of compliance standards and procedures. These standards should not be a “paper only” document, but a living document that promotes organizational culture that encourages “ethical conduct” and a commitment to compliance with applicable regulations and laws.

In the FCPA Guidance, the DOJ and Securities and Exchange Commission (SEC) state, “A company’s code of conduct is often the foundation upon which an effective compliance program is built. As DOJ has repeatedly noted in its charging documents, the most effective codes are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf.” Indeed, it would be difficult to effectively implement a compliance program if it was not available in the local language so that employees in foreign subsidiaries can access and understand it. When assessing a compliance program the DOJ and SEC will review whether the company chapter has taken steps to make certain that the code of conduct remains current and effective and whether a company has periodically reviewed and updated its code.

In each DPA and NPA over the past 36 months the DOJ has stated the following as item No. 1 for a minimum best practices compliance program.

  1. Code of Conduct. A Company should develop and promulgate a clearly articulated and visible corporate policy against violations of the FCPA, including its anti-bribery, books and records, and internal controls provisions, and other applicable foreign law counterparts (collectively, the “anti-corruption laws”), which policy shall be memorialized in a written compliance code.

In an article in the Society for Corporate Compliance and Ethics (SCCE) Complete Compliance and Ethics Manual, 2nd Ed., entitled “Essential Elements of an Effective Ethics and Compliance Program”, authors Debbie Troklus, Greg Warner and Emma Wollschlager Schwartz, state that your company’s Code of Conduct “should demonstrate a complete ethical attitude and your organization’s “system-wide” emphasis on compliance and ethics with all applicable laws and regulations.” Your Code of Conduct must be aimed at all employees and all representatives of the organization, not just those most actively involved in known compliance and ethics issues. From the board of directors to volunteers, the authors believe that “everyone must receive, read, understand, and agree to abide by the standards of the Code of Conduct.” This would also include all “management, vendors, suppliers, and independent contractors, which are frequently overlooked groups.”

There are several purposes identified by the authors that should be communicated in your Code of Conduct. Of course the overriding goal is for all employees to follow what is required of them under the Code of Conduct. You can do this by communicating what is required of them, to provide a process for proper decision-making and then to require that all persons subject to the Code of Conduct put these standards into everyday business practice. Such actions are some of your best evidence that your company “upholds and supports proper compliance conduct.”

The substance of your Code of Conduct should be tailored to the company’s culture, and to its industry and corporate identity. It should provide a mechanism by which employees who are trying to do the right thing in the compliance and business ethics arena can do so. The Code of Conduct can be used as a basis for employee review and evaluation. It should certainly be invoked if there is a violation. To that end, I suggest that your company’s disciplinary procedures be stated in the Code of Conduct. These would include all forms of disciplines, up to and including dismissal, for serious violations of the Code of Conduct. Further, your company’s Code of Conduct should emphasize it will comply with all applicable laws and regulations, wherever it does business. The Code needs to be written in plain English and translated into other languages as necessary so that all applicable persons can understand it.

As I often say, the three most important things about your FCPA compliance program are ‘Document, Document and Document’. The same is true of communicating your company’s Code of Conduct. You need to do more than simply put it on your website and tell folks it is there, available and that they should read it. You need to document that all employees, or anyone else that your Code of Conduct is applicable to, has received, read, and understands the Code. For employees, it is important that a representative of the Compliance Department, or other qualified trainer, explains the standards set forth in your Code of Conduct and answers any questions that an employee may have. Your company’s employees need to attest in writing that they have received, read, and understood the Code of Conduct and this attestation must be retained and updated as appropriate.

The DOJ expects each company to begin its compliance program with a very public and very robust Code of Conduct. If your company does not have one, you need to implement one forthwith. If your company has not reviewed or assessed their Code of Conduct for five years, I would suggest that you do in short order as much has changed in the compliance world.

What is the value of having a Code of Conduct? I have heard many business folks ask that question over the years. In its early days, a Code of Conduct tended to be lawyer-written and lawyer-driven to “wave in a defense situation” by claiming that “see we have one”. But is such a legalistic code effective? Is a Code of Conduct more than simply, your company’s law? What is it that makes a Code of Conduct effective? What should be the goal in the creation of your company’s Code of Conduct?

Just as the Pentecostal Oath was required to be sworn out each year, you should have your employees recertify their adherence to your Code of Conduct. Moreover, just as King Arthur set his expectations for behavior your company should do so as well.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

April 27, 2015

King Arthur Week, King Arthur and Leadership – Part I

King ArthurI have been studying the legend of King Arthur and thought it would be good idea to have a week of blog posts around the legend of King Arthur, the Roundtable and his knights. Today I begin with King Arthur and some leadership lessons that might apply to a Chief Compliance Officer (CCO), compliance practitioner or others who might be responsible for an anti-corruption compliance program based on the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or similar anti-bribery law.

According to the legends, King Arthur achieved quite a bit in one lifetime. He, established a kingdom, ruled his castle, Camelot and brought peace and order to the land based on law, justice, and morality. He founded an order known as the Knights of the Round Table where in all knights are seated as equals around the table, symbolizing equality, unity, and oneness. Nicole Lastimado, in a blog post entitled “Characteristics of a Good Leader :), identified five characteristics that she believed made Arthur a good leader.

Adapting Lastimado King Arthur was (1) Honest, in that he displayed sincerity, integrity, and candor in his actions. (2) Intelligent, because he read and studied. (3) Courageous, because he had the perseverance to accomplish a goal, regardless of the seemingly insurmountable obstacles. (4) Imaginative because he adapted by making timely and appropriate changes in his thinking, plans, and methods. Finally, (5) Inspiring, because through demonstrating confidence, he inspired his knights and those in his Kingdom to reach for new heights. I would add as a separate category that Arthur led from the front.

I thought about those qualities when I read a couple of recent articles in the Houston Chronicle. The first was by the Chronicle Business Columnist, L. M. Sixel, entitled “Leaders possess the keys to safety”, and the second was an Op-Ed entitled “Trust Shaken”. Both articles discussed corporate issues that have led to catastrophic injuries or even deaths and more importantly how the entities involved reacted. The first article discussed safety at the workplace and the second health issues in the processing of food products.

In her article Sixel, wrote, “A company truly interesting in making sure its workers are safe has to come up with ways to make it easy and risk-free to bring up potential safety problems.” Moreover, the corporate attitude which fosters this “starts with leadership.” She cited to Frank Reiner, the president of the Chlorine Institute, who recently said in a speech to the group’s annual conference in Houston “You have to eliminate the fear.” Additionally, “Once the cause is identified, similar accidents can be prevented, he said. The message that people are free to come forward to talk about what went wrong and why has to come from the top down. Identifying problems not only is everyone’s responsibility but also a companywide expectation.”

Equally important is for a company to learn from its mistakes. Obviously there should be a root cause analysis after a disaster. At the same conference, the Keynote Speaker, John E. Michel, a retired U.S. Air Force brigadier general and author of The Art of Positive Leadership: Becoming a Person Worth Following, said “After a disaster, there is a big investigation to find out why it happened and fix the problem before it can happen again. Sometimes, whole fleets are grounded after an airline crash.” However Michel noted that it is important to keep learning even if there is no disaster. Michel “likes to pay attention to “near misses” and learn from the times things could have gone horribly wrong but didn’t” and that “There are debriefing sessions even when things go well on a flight mission and there are always tweaks to be made.”

Another speaker at the conference Mark Briggs, area director of the Houston South office for OSHA, noted it was important for employees to feel their suggestions and comments around safety are considered by management, saying “You have to show you care and that’s its not just a one-month project.” If management shows that it takes employee recommendations around safety seriously, it will help employees down the chain feel more secure about bringing them to management’s attention.

The Chronicle Op-Ed piece focused on one of the most beloved institutions in the great state of Texas – Blue Bell Ice Cream. Unfortunately for Blue Bell, in March there were five cases of listeria in Kansas, linked to a Blue Bell plant. Three of those persons died, “although a Kansas health official stated that the listeriosis was not the cause of death.” The Chronicle piece noted that after that initial discovery, “multiple strains of listeria have been found in its Brenham and Oklahoma plants, almost 500 miles apart, according to the CDC [Center for Disease Control and Prevention]. Possible explanations include lax safety standards, extremely bad luck striking twice or some undisclosed manufacturing issue.”

A The Texas Tribune article by Terri Langford, entitled “State Health Tests Prodded Blue Bell Recall, said, “The crisis for Blue Bell began on March 13, when Kansas officials determined that Listeria-tainted portions of the company’s ice cream made it into products served to five hospital patients between January 2014 and January 2015. Of the five who became ill, three died. By March 24, Kansas officials traced the source of the listeria to Blue Bell’s plant in Broken Arrow, Okla., built by the Texas company in 1992. On April 3, the Centers for Disease Control had traced Blue Bell’s Listeria strain to six other patients going back to 2010. Four had been hospitalized in Texas for unrelated problems when they became sick from listeria. Five days later, on April 8, the CDC had identified two clusters of Blue Bell listeria victims. The strains were traced to the plants in Oklahoma and Texas.”

Yet it was not until Blue Bell was notified by a representative from the Texas Department of State Health Services, that “lab tests on two Blue Bell ice cream flavors — Mint Chocolate Chip and Chocolate Chip Cookie Dough — came back “presumptive positive” for the deadly bacteria Listeria monocytogenes” that the company announced it was pulling product from its shelves for testing.

What are the lessons from for the CCO or compliance practitioner? You should channel your inner King Arthur and lead. You have to lead management to understand that one of the best sources of information on your own business is your employees. There is a reason the FCPA Guidance lists internal reporting as one of the Ten Hallmarks of an Effective Compliance Program. You must give employees a way to report misconduct and then you must use that information to investigate and communicate to employees going forward. If there are lessons to be learned use those lessons for in-house compliance training. If a true catastrophe or disaster befalls the company, do not wait to remediate. Do so as soon as is practicable, not when the government calls.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

April 23, 2015

Interview with James Koukios

KoukiosEd. Note-today I continue my series of interviews with people prominent in the FCPA space. Today is James Koukios, formerly a Manager in the DOJ’s FCPA unit, who recently went into private practice at Morrison & Foerster 

Where did you grow up?

I was born and raised in Grand Rapids, Michigan.

Where did you go to college, what did you study and how did it influence your career going forward?

I graduated from the University of Michigan in 1996.  Like a lot of people who end up at law school, I was a political science major.  Studying poli sci influenced my career in at least two ways.  First, my interest in the political process is what initially brought me to Washington, as a summer intern in 1995.  That was my first time living outside the state of Michigan, and, although I later went to law school in Boston and spent my law school summers in New York and Chicago, my positive experience that summer eventually led me back to Washington, where I have spent the majority of my legal career.  Second, during my summer internship, at the Atlantic Council of the United States, I was assigned a project researching corruption in Asia.  One of the questions I was asked to address was why corruption in Asia should matter to the United States, and it was in answering that question that I first encountered the U.S. Foreign Corrupt Practices Act.  I found the topic fascinating, but little did I know how important it would eventually become to my career.

What were the highlights of your clerkship with Judge Clement?

During law school, I realized that I wanted to be a trial lawyer.  So, when I started looking for clerkships, I applied only to federal district court judges (Judge Clement was later elevated to the Fifth Circuit, but at the time, she sat on the U.S. District Court for the Eastern District of Louisiana).  My clerkship did not disappoint.  Among the many trials that I worked on, the highlight was the criminal prosecution of Edwin Edwards, the former four-term governor of Louisiana, and Jim Brown, Louisiana’s then-sitting Insurance Commissioner, for an allegedly corrupt scheme to bail out a failed insurance company.  The trial was full of colorful characters, complex legal issues, and superb lawyering.

Two other highlights were Judge Clement herself and the city of New Orleans.  Judge Clement has been a mentor to me throughout my legal career, and I attribute much of my success not only to what I learned while clerking for her but also to the continuous support she has always given me.  As for New Orleans, what a terrific city.  Food, music, and culture unlike any other in the United States.  It is a special place.

What was your early DOJ career like in Miami and how did you get to Main Justice?

Being an AUSA in Miami was a dream come true for an aspiring trial lawyer.  Miami has one of, if not the, heaviest criminal dockets in the country, and a large portion of those cases go to trial, often very quickly after indictment.  I tried over 15 felony jury cases in my first three years alone and was in court every day.  Early on, I focused on all manner of reactive crimes, violent crimes, and arms trafficking cases.  During my last two years, I started focusing on more complex and time-consuming cases – including a narcotics wiretap case that revealed police corruption and a high-profile defense procurement fraud case, United States v. AEY, Inc., that garnered national attention.

Around the end of 2008, I was thinking of transitioning full time to prosecuting economic crimes, and my wife and I also started talking about moving back to Washington.  Out of the blue, Chuck Duross, who had moved from the Miami U.S. Attorney’s Office to the Fraud Section in 2007 (and who would later become Deputy Chief of the FCPA Unit), called to tell me that the Fraud Section was looking to bring in experienced AUSAs to prosecute FCPA cases and asked whether I would be interested.  Needless to say, I was, and about six months later, I was fortunate enough to transfer to the Fraud Section.

What were some of your highlights from your time in the FCPA Unit?

Definitely the Esquenazi and Duperval trials.  Both came at a time when the Fraud Section’s ability to win an FCPA case at trial was being heavily questioned, and, going back to that first conversation I had with Chuck Duross in 2008, I felt I had been brought to the Fraud Section for precisely this reason.  As an added bonus, I was able to return to Miami, where I learned how to be a prosecutor, to try these cases.  I joined the Esquenazi trial team one month before trial (I had been on detail as Special Counsel to FBI Director Robert Mueller for the previous year and came back to Fraud to try the case) and was immediately impressed by the thorough investigation that my colleagues had done—the evidence was truly overwhelming.  Over the next month, we focused on how best to present that evidence, and I was extremely proud of the finished product.  It was also rewarding when the Eleventh Circuit agreed with our position that the Haitian state-owned telecommunications company, Haiti Teleco, was an “instrumentality” of the Haitian government and, therefore, that its officers and employees were “foreign officials” under the FCPA.  Much like our trial victories, the appellate ruling helped validate a crucial aspect of our enforcement program.

Becoming a manager in the FCPA Unit was also a highlight.  In a bit of a surprise, I discovered that I enjoyed supervising cases as much as I enjoyed trying them.  Given my experience, I was able to mentor new prosecutors and help them improve their investigations and cases.  But the learning was not a one-way street.  Several of the attorneys I supervised had recently left large law firms and brought with them insights into corporate governance, internal investigations, data privacy, and a host of other issues that are critically important to the work of the FCPA Unit but do not necessarily come into play in other types of criminal prosecutions.  By combining experienced AUSAs with experienced corporate litigators, we assembled a tremendously talented and well-rounded team in the FCPA Unit, from which we all benefitted.

Finally, becoming more involved in the policy process as a manager was also very rewarding.  Because the Fraud Section has the exclusive mandate for FCPA prosecutions, we were able to formulate—and execute—policy decisions in a manner that, I believe, had a significant impact on corporate compliance programs and the global anti-corruption movement.   

You recently moved over to Morrison & Foerster. In which areas do you intend to focus and what are you looking forward to in private practice?

I am a partner in MoFo’s Securities Litigation, Enforcement and White-Collar Defense practice group.  Generally speaking, I intend to focus on all aspects of that group’s work, from compliance counseling, to internal investigations, to representing corporations and individuals before government regulators and at trial.  Given my extensive FCPA background, much of my work will be focused in the anti-corruption sphere.  In that regard, I am particularly excited about being reunited with two of my former FCPA Unit colleagues and friends, Chuck Duross and Amanda Aikman, at MoFo.  But I also intend to work in other areas in which I have experience, including health care fraud, defense procurement fraud, and export violations, in both the civil and criminal contexts.  And, as someone who still enjoys trial work, I intend to work on any type of trial when there is a need, whether that trial falls within my practice group or another practice area.

Overall, I am looking forward to bringing to bear the experiences and insights I gained during my decade as a federal prosecutor, including my six years as an FCPA prosecutor and supervisor, to help our clients navigate complex issues and to mitigate and avoid problems.  And I’m looking forward to doing all this with my new team.  MoFo has a well-earned reputation for collegiality and for working as one team across all of our offices worldwide to best serve our clients’ needs.  The sense of collegiality and of working together for a common purpose were two of the aspects of government service that I most enjoyed, and I am fortunate to have found a law firm that shares those values.

James Koukios can be reached at JKoukios@mofo.com

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

April 10, 2015

International Anti-Corruption Enforcement Efforts

ARound the GlobeWhile the US Foreign Corrupt Practices Act (FCPA) is still the most widely recognized and enforcement anti-bribery and anti-corruption law across the globe, there have been a number of initiatives which will lead directly to greater anti-bribery and anti-corruption enforcement. This increased enforcement will lead to increased risks for companies that do not have anti-bribery and anti-corruption compliance programs in place. This post discusses the efforts of other countries to enact and enforce legislation to curb bribery and corrupt across the globe.

China 

Over the past 18 months, GlaxoSmithKline PLC (GSK) was embroiled in a very public, very nasty bribery and corruption investigation. It culminated in the conviction of GSK and the assessment of a $491 million fine, criminal conviction of four senior GSK China subsidiary managers and the criminal convictions of two ancillary GSK-hired investigators. The entry of the Chinese government into the international fight against corruption and bribery is truly a game-changer. While there may be many reasons for this very public move by the Chinese government, it is clear that foreign companies are now on notice. Doing business the old fashioned way will no longer be tolerated. This means that international (read: western) companies operating in China have a fresh and important risk to consider; that being that they could well be subject to prosecution under domestic Chinese law.

The international component of this investigation may well increase anti-corruption enforcement across the globe. First of all, when other countries notorious for their endemic corruptions, for example India, see that they can attack their domestic corruption by blaming it on international businesses operating in their country, what lesson do you think they will draw? Most probably that all politics are local and when the localities can blame the outsiders for their own problems they will do so. But when that blame is coupled with violations of local law, whether that is anti-bribery or anti-price fixing, there is a potent opportunity for prosecutions.

One of the audit failures of GSK was around well known compliance risks in China, including (1) event abuse planning; (2) mixture of legitimate and illegitimate travel; (3) other collusion with travel agencies; and (4) parallel itineraries. So those risks are well known and have been documented. While the cost of monitoring is high and would involve the tedious work of verifying millions of receipts by calling hotels, airlines and office supply stores and scrutinizing countless transactions for signs of fraud; if your compliance risks are known for a certain profile, then you should devote the necessary resources to making sure you are in compliance in that area.

Brazil 

While GSK was a harbinger of international anti-corruption investigations and enforcement actions based on domestic anti-bribery laws; Brazil and its state-owned energy company Petrobras may become the world’s largest corruption investigation. In a New York Times (NYT) article, entitled “Scandal Over Brazilian Oil Company Adds Turmoil to the Presidential Race”, the scandal was detailed by a former Petrobras official, Paulo Roberto Costa. Mr. Costa was the person who oversaw the company’s refining operations. He has admitted to having engaged in the receipt of bribes for at least a 10 year period “equivalent to 3 percent of the value of the deals from the Brazilian construction companies that obtained the contracts” to build refineries. This amounted to literally millions being “stashed in bank accounts in Switzerland and the Cayman Islands.” He “inflated budgets for new projects” by 3% and then had that amount kicked back to him as bribes. The allegations were verified “through an associate, Alberto Youssef, a black-market money dealer who testified that he helped launder funds in the scheme. Mr. Youssef, who has also accepted a plea deal, testified that more than a dozen of Brazil’s largest construction companies had paid hefty bribes to obtain lucrative Petrobras contracts.” Interestingly, Brazilian President Rousseff “has also effectively acknowledged the prevalence of corruption inside the executive suites of Petrobras, while denying that she had known about the kickbacks when they were taking place.”

The scandal has not only engulfed suppliers to Petrobras in Brazil. It has now moved to the international stage. From shipyards in Singapore, which have been alleged to have paid bribes to Petrobras, to Rolls Royce in Great Britain which has been alleged to have paid bribes for the sale of turbine engines; this scandal truly is international in scope and may engulf more companies going forward. In addition to violations of Brazilian law, the US government has reportedly opened an investigation, as Petrobras USA is a US stock-exchange issuing entity and subject to the FCPA. Indeed, in the US there are already multiple shareholder derivative lawsuits against the US entity for mis-representing its true value because of the corruption allegations against the company in Brazil.

The Petrobras scandal continues to make news almost daily and its repercussions continue to reverberate across the globe. The FCPA Blog, in an article entitled “Swiss AG freezes $400 million in Petrobras bribe probe”, stated that in Switzerland alone there are nine open investigations into alleged money laundering tied to Petrobras. In mid-March the Office of the Attorney General of Switzerland (OAG) announced that they had issued an order to freeze $400 million of assets allegedly tied to a Petrobras corruption scheme. The FCPA Blog further stated the OAG announced “The release of over $120 million reflects Switzerland’s clear intention to take a stand against the misuse of its financial center for criminal purposes and to return funds of criminal origin to their rightful owners.”

The domestic Brazilian Anti-Bribery Law, the Clean Company Act, enacted into law in 2014, is uniquely designed for oversight by internal audit. Compliance programs will be evaluated on three prongs: the structure of the program; specifics about the legal entity; and an evaluation of the program’s efficiency. The first prong will include consideration of the existence of mechanisms for reporting suspected or actual misconduct, training, code of conduct, policies and procedures, periodic risk assessments, and application of disciplinary measures against employees (including senior management too) involved in wrongdoing. Under the second prong, the compliance risks associated will be considered. Compliance programs should be tailored to the company’s risks; “one-size-fits-all” programs will not be accepted. The third prong will consist of a case-by-case verification, that it is not simply a paper program.

Finally, and no doubt spurred by the Petrobras corruption scandal, the FCPA Blog also reported, in another article entitled “After protests, Brazil president issues anti-graft regulations”, that Brazilian President Dilma Roussef issued a presidential decree with regulations under the Clean Company Act. The new regulations issued address some of the crucial questions concerning the administrative procedure for imposing corporate liability and assessing fines. It also set out the criteria for determining fines, evaluating compliance programs, and entering into leniency agreements. Finally, the decree also provides that books and records accuracy and completeness will be a key criterion for evaluating compliance programs, no doubt inspired by the FCPA accounting provisions. As the FCPA Blog said, “The regulations under the Clean Company Act are a critical milestone in the effort to restore credibility to Brazil’s federal government, in light of its past commitments to fighting corruption in the corporate world.”

Conclusion 

What does all of the above mean for a global company? It means that some law that prohibits bribery and corruption will cover your business. It will not and does not matter if you are a US, UK or Brazilian company doing business outside of your home country, somewhere a law prohibiting bribery and corruption will cover your actions. Even if you are not covered by the FCPA, the UK Bribery Act or the Clean Company Act, if you are doing business in a local country you can still be subject to prosecution under its domestic anti-bribery laws. This means that there will be greater enforcement going forward and greater cooperation between enforcement agencies.

For businesses the only response to this plethora of new laws is to implement and enhance a best practices anti-bribery/anti-corruption compliance program and there are several examples that companies can follow to do so. In the US, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) provided their suggestions with their Ten Hallmarks of an Effective Compliance Program; the UK Ministry of Justice (MOJ) has provided commentary on the Six Principles of an Adequate Procedures compliance program and the Organization of Economic Cooperation and Development (OECD) has put forth its Good Practice Guidance on Internal Controls, Ethics, and Compliance.

All of these anti-bribery/anti-corruption regimes set forth easily digested concepts that a company could implement. However, there must be more than simply a paper program in place. A company must actually do compliance for it to be effective. By making compliance a part of normal business practices, it will be possible to prevent, detect and then remediate any bribery or corruption issues that may arise.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

April 3, 2015

Why Tone at the Top Matters and Join the FCPA Professor in Houston

IMG_1173Over this week I have looked at some issues related to compensation and methods from other disciplines that a compliance practitioner might use to test and then improve a company’s third party management regime. Today, I want to go back to the starting point for any compliance program; that is the Tone at the Top. I was reminded of the absolute necessity of having a management not only committed to following the law but the actual doing of compliance when I read about the guilty verdicts in the Atlanta schools cheating scandal.

In an article in the New York Times (NYT), entitled “Atlanta Educators Are Convicted of Racketeering”, reporter Alan Blinder detailed the guilty verdicts handed down in an Atlanta state Superior Court this week where 11 of 12 defendants were convicted in a lengthy trial. Blinder wrote, “On their eighth day of deliberations, the jurors convicted 11 of the 12 defendants of racketeering, a felony that carries up to 20 years in prison. Many of the defendants — a mixture of Atlanta public school teachers, testing coordinators and administrators — were also convicted of other charges, such as making false statements, that could add years to their sentences.” Most stunningly, the trial judge “ordered most of the educators jailed immediately, and they were led from the courtroom in handcuffs.”

The school district’s top administrator Dr. Beverly Hall, channeling her inner Ken Lay, had the temerity to pass away during the trial so there was no finding as to her conduct. Unrepentant to end she said “she had done nothing wrong and that her approach to education, which emphasized data, was not to blame.” When interviewed back in 2011, Dr. Hall had said, “I can’t accept that there’s a culture of cheating. What these 178 are accused of is horrific, but we have over 3,000 teachers.”

Think about those two statements for a moment. They mimic the same tired excuses used by apologizers in the anti-corruption world. First it was only a small subset of those involved who actually broke the law. In other words, the oldie but goodie rogue employee(s) defense. It did have the notable exception that there were 178 roguies out there lying and cheating. But more than the rogue employee defense, she emphasized that she obtained results, the scores on the State of Georgia’s standardized tests for public schools improved dramatically under her watch. In the Foreign Corrupt Practices Act (FCPA) anti-corruption world that is the same as “we had to do it to compete” argument. It is equally as inane as the rogue employee defense.

Moreover, a State of Georgia investigation “completed in 2011, led to findings that were startling and unsparing: Investigators concluded that cheating had occurred in at least 44 schools and that the district had been troubled by “organized and systemic misconduct.” Nearly 180 employees, including 38 principals, were accused of wrongdoing as part of an effort to inflate test scores and misrepresent the achievement of Atlanta’s students and schools. Investigators wrote in the report that Dr. Hall and her aides had “created a culture of fear, intimidation and retaliation” that had permitted “cheating — at all levels — to go unchecked for years.” How is that for tone from the very top?

I bring you another example from a company I once worked at whose management locked themselves behind bolted doors on a floor in the building not accessible by any employees. And just in case someone did make onto this executive floor, there was an armed police presence as a last ditch security measure. The locked down top floor was after the following security measures were already in place: (1) you had to badge in to get into the parking garage, (2) building access was by card entry, (3) elevator access was by card entry, and (4) floor access was by card entry.

Why would senior executives barricade themselves behind such massive physical protection? Did they do this because crazed competitors were sending in assassins, because the company was so profitable and hence unassailable as a competitor? How about something more nefarious such as international hit squads roaming through international businesses in Houston, picking off key executives? Alas the explanation was not anything so exotic. With all of these security measures in place the reason was to keep mere mortal employees away from senior management. What type of message that does send to employee? Much like the one I had growing up, speak only when spoken to.

The point of all this is that tone does matter. Senior management must be committed and communicate its commitment to not only obeying laws but also complying with laws. In the FCPA world, that means you must have a compliance program in place that meets the Ten Hallmarks of an Effective Compliance Program as set out in the FCPA Guidance.

On a completely different note as a compliance practitioner, if you want to have a shot at some serious professional growth and you are in the Houston area, somewhere else in Texas or anywhere else in the South, I suggest you consider attending the FCPA Professor’s FCPA Institute, which will be held in Houston on Monday, May 4 and Tuesday, May 5. The Professor’s goal in leading this first Texas FCPA Institute is “to develop and enhance fundamental skills relevant to the FCPA and FCPA compliance in a stimulating and professional environment with a focus on learning. Information at the FCPA Institute is presented in an integrated and cohesive way by an expert instructor with FCPA practice and teaching experience.” Some of the topics, which will be covered, include the following:

  • An informed understanding of why the FCPA became a law and what it seeks to accomplish;
  • A comprehensive understanding of the FCPA’s anti-bribery and books and records and internal controls provisions and related enforcement theories;
  • Various realties of the global marketplace which often give rise to FCPA scrutiny;
  • The typical origins of FCPA enforcement actions including the prominence of corporate voluntary disclosures;
  • The “three buckets” of FCPA financial exposure and how settlement amounts in an actual FCPA enforcement action are typically not the most expensive aspect of FCPA scrutiny and enforcement;
  • Facts and figures relevant to corporate and individual FCPA enforcement actions including how corporate settlement amounts are calculated;
  • How FCPA scrutiny and enforcement can result in related foreign law enforcement investigations as well as other negative business effects from market capitalization issues, to merger and acquisition activity, to FCPA related civil suits; and
  • Practical and provocative reasons for the general increase in FCPA enforcement.

In other words, it is what you have come to expect from the FCPA Professor; well-thought out reasoned analysis, practical knowledge and learning, and provocative thinking and assessment. But this is also your chance to attend a two-day Institute with one of the most original thinkers in the FCPA space. The FCPA Institute will provide insights into the topics more near and dear to my heart as a ‘nuts and bolts guy’. In addition to the above substantive knowledge, FCPA Institute participants will gain in-demand, practical skills to best manage and minimize FCPA risk by:

  • Practicing FCPA issue-spotting through video exercises;
  • Conducting a FCPA risk assessment;
  • Learning FCPA compliance best practices, including as to third parties;
  • Learning how to effectively communicate FCPA compliance expectations; and
  • Grading a FCPA code of conduct.

In addition, attorneys who complete the FCPA Institute may be eligible to receive those all-important Continuing Legal Education (CLE) credits. The sponsors, King & Spalding, will be seeking CLE credit in CA, GA, NY, TX and if needed in NC and VA. Actual CLE credit will be determined at the end of the program based on actual program time. Attorneys may be eligible to receive CLE credit through reciprocity or attorney self-submission in other states as well.

I hope that you can join the FCPA Professor for this FCPA Institute. I have previously said, “if the FCPA Professor writes about it you need to read it. While you may disagree with him, your FCPA perspective and experience will be enriched by the exercise.” I would now add to this statement that if the FCPA Professor puts on his FCPA Institute you should attend. Not only will you garner a better understanding of the theoretical underpinnings of the law and the plain words of its text; you will also be able to articulate many of the issues which befall companies caught up in a FCPA investigation to your senior management in a way that will help them understand the need for a robust compliance program.

To register for the FCPA Institute, or for more information, click here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

Next Page »

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 5,243 other followers