FCPA Guidance | FCPA Compliance and Ethics Blog

May 26, 2015

Economic Downturn Week, Part I – Mapping of Your Internal Compliance Controls

This week I will present a series on steps that you can take in your compliance program if you find yourself, your company or your industry in an economic downturn. All of the recommendations I will make are ideas that have been put into action by companies currently facing these issues. They are ideas that you can use if you have scarce or lessened economic resources for your compliance function. Today I will take my cue from the recent Securities and Exchange Commission (SEC) enforcement action against BHP Billiton (BHP) as a key indicator of where greater and more rigorous SEC enforcement is heading. That is in the area of the enforcement of internal controls and steps that you can take right now, even with reduced head count and budgetary resources, to improve your Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other anti-corruption compliance program.

However, before we get to that subject, I want to remember Marques Haynes, who died last week. Haynes was a basket baller extraordinaire who played with the Harlem Globetrotters off and on for 40 years. As was set out in his New York Times (NYT) obituary last week, Haynes “whose dazzling ball-handling skills, exhibited for more than 40 years as a member of the Harlem Globetrotters and other barnstorming black basketball teams, earned him a place in the Naismith Basketball Hall of Fame and an international reputation as the world’s greatest dribbler”. He was the first Globetrotter inducted into the Naismith Memorial Basketball Hall of Fame. I saw Haynes play in the later stages of his career with the Globetrotters; both on ABC’s Wide World of Sports and through their non-stop touring when they came to even my Podunk hometown. So here’s to you Marques and I am sure you have called ‘Next’ for that great pickup game in the sky several times now.

As they made clear with several FCPA enforcement actions from last fall, the SEC has placed a renewed interest in the accounting provisions of the FCPA, specifically the internal controls provisions. The BHP enforcement continued this trend, where there was no evidence that bribes were paid or offered in violation of the FCPA, tet the poor internal compliance controls at BHP led to a $25MM fine. Indeed Kara Brockmeyer, the Chief, FCPA Unit; Division of Enforcement of the SEC, who spoke at the recently concluded Compliance Week 2015, in a session entitled “A New Look at FCPA Enforcement”, reiterated that the SEC was committed to protecting investors in US public companies and those which list other securities in the US, through enforcement of the accounting provisions, including internal controls provisions of the FCPA. It would seem that the reason is straightforward; a company with rigorous internal compliance controls is better able to prevent, detect and remedy any FCPA violations that may occur.

So, in the midst of an economic downturn, what can you do around the FCPA’s requirements for internal controls and current SEC emphasis? I would suggest that you begin with an exercise where you map the internal controls your company has in place to the indicia of the Ten Hallmarks of an Effective Compliance Program, as set out in the FCPA Guidance. While most compliance practitioners are familiar with the Ten Hallmarks, you may not be as familiar with standards for internal controls. I would suggest that you begin with the COSO 2013 Framework as your starting point.

As a lawyer or compliance practitioner you may not be familiar with all the internal controls that you have in place. This exercise would give you a good opportunity to meet with the heads of Internal Audit, Finance and Accounting (F&A), Treasury or any other function in your company that deals with financial controls. Talk with them about the financial controls you may already have in place. An easy example is employee expense reports. Every company I have ever worked at or even heard about requires expenses for reimbursement to be presented, in documented form on some type of expense reimbursement form. This is mandatory for IRS reporting; so all entities perform this action. See how many controls are in place. Is the employee who submits the expense reimbursement required to sign it? Does his/her immediate supervisor review, approve and sign it? Does any party in the employee’s direct reporting chain review, approve and sign? Does anyone from accounts payable review and approve, both for accuracy and to make sure that all referenced expenses are properly receipted? Is there any other review in accounts payable? Is there any aggregate review of expense reports? Is there a monetary limit over which additional reviews and approvals occur?

Now if an employee has submitted expenses for activities that occurred outside the US are there are any foreign government officials involved? Were those employees identified on the expense reimbursement form? Was the business purpose of the meal, gift or other hospitality recorded? Can you aggregate the monies spent on any one foreign official or by a single employee in your expense reporting system? All of these are internal controls that can be mapped to the appropriate prong of the Ten Hallmarks or other indicia of your compliance program.

You can take this exercise through each of the five objectives under the COSO 2013 Framework and its attendant 17 Principles. From this mapping you can then perform a gap analysis to determine where you might need to implement internal compliance controls into your anti-corruption compliance program. This can lead to remedial steps that you can take. For example you can recommend procedures be written for all key compliance areas in which there are currently no procedures and your existing procedures can be updated to include compliance issues and clear definition how controls are to be evidenced. Through this you can move from having detect controls in place, to having prevent controls, whenever possible.

As a Chief Compliance Officer (CCO) or compliance practitioner, this is an exercise that you can engage in at no cost. You simply investigate and note what internal controls you have in place and how they may be a part of your anti-corruption efforts going forward. As I said last week, compliance is a straightforward exercise. This does not mean that it is easy; you do have to work at it so that you will simply not have a paper, “check the box”, program. But using the excuse that you have limited resources is simply an excuse and a rather poor one at that. While the clear lesson from the BHP enforcement action is that you are required to have effective internal controls in place, by engaging in this mapping exercise you can then figure out what you have and, more importantly, what internal compliance controls that you do not have and need to institute.

Finally, if you do have resources and need some help, you can reach me at the email below.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

Leave a Comment

May 21, 2015

Compliance Week 2015 Wrap Up

Filed under: Administrative Proceedings,Compliance Week,Department of Justice,FCPA,Leslie Caldwell,SEC,Ten Hallmarks of an Effective Compliance Program — tfoxlaw @ 12:01 am
Tags: best practices, compliance programs, Department of Justice, DOJ, ethical leadership, ethics, FCPA, Foreign Corrupt Practices Act, Internal Controls, SEC

Compliance Week 2015 has ended. This year was the tenth anniversary of the annual conference and in many ways I found it to be the best one yet. Matt Kelly and his team put together a conference and experience, which was absolutely first-rate. If you were not able to make this year’s event, I hope you will join us for Compliance Week 2016, which Matt announced the dates for at the conclusion of this year’s event. The dates for 2016 are May 23-26, back of course in Washington DC to be held yet again at the Mayflower Hotel. I wanted to give you some of my thoughts on the highlights of this year’s event and what made it so unique.

At my age, I am somewhat loathe to channel my teenage daughter but the first thing that I noticed was a very different vibe this year over past year’s conferences. From the Cocktail Party reception held on Sunday night, all the way through the conclusion of the event, there seemed to be an air that I have not quite been able to put my finger on. It was more than an acknowledgement and perhaps even an excitement about how far the compliance profession has come in the past ten years. While I have written about the Chief Compliance Officer (CCO) and compliance profession as CCO 2.0, I had the feeling that we may be moving on to CCO 3.0, as that was even the title of a session.

But this vibe was more tangible than simply a feeling. One key ingredient for me was the use of social media into the conference experience. While many events have a conference app, which can provide you information on such things as the agenda, speakers and their presentations, room locations and the like; the Compliance Week 2015 app was fully interactive, allowing you to live tweet, send IM to fellow conference attendees and receive text messages when a room changed or other conference alteration occurred. It also provided a virtual help desk for all attendees.

Many of sessions were led by CCOs from major corporations and they were able to provide a strategic vision of where they were going at their organizations. This was kicked off from the start of the conference, from the first panel on the first day where the CCOs from Boeing, GE and the Director of Compliance for Wal-Mart began the event. Obviously these are three of the largest companies in the US and do business on a worldwide basis. Yet, while sharing their strategic visions, each one was able to provide a solid example from their respective organization that a CCO or compliance practitioner from any sized company could implement. From Wal-Mart with a workforce of 2.2 million employees, it was keep the message simple. From Boeing, it was incorporate any compliance failures as teaching moments or lessons learned into your internal compliance training going forward. From GE, it was how to inculcate and incorporate compliance into your everyday business planning.

The conversations were excellent as usual. I led the FCPA conversation and there were several alumni present, who told me they look forward to attending each year. One of the reasons is that there is no avenue in their hometowns to get together in an environment to discuss issues of mutual concern. It is concept that Mike Snyder and I used in founding the Houston Compliance Roundtable. A place where you can ask any question and have it answered by another compliance professional in an environment where Chatham House rules apply. While I certainly started the discussion, it quickly became fully interactive with all participants sharing their views on a variety of topics. While we have some great compliance talent in Houston at our Roundtable, it cannot top the level of maturity and sophistication present at the Compliance Week annual conference. We all benefited from the experience.

This experience was doubled when I led a breakfast event on Tuesday. While an inducement to attend was a complimentary copy of my book Doing Compliance, there were 25 attendees who joined me for a very engaging and free-flowing conversation about the state of compliance, we practitioners and where enforcement may be heading. Compliance Week treated us all to breakfast and, once again, I probably learned as much as any one. But since Chatham House rules were in effect, I cannot report on any of the substantive things that were discussed. I will share with you that I am excited to lead such a breakfast again next year and I hope you will be one of the 25 to sign up.

As always there were a number of government representatives who spoke at Compliance Week again this year. For me, the parade was led by Department of Justice (DOJ) Assistant Attorney General Leslie Caldwell. While I will be writing further, and in more detail, about Caldwell’s remarks, she said a few things that I think bear emphasis. One was that compliance professionals need to work towards more data analytics in the form of transaction monitoring to assist in moving to a prevent and even predictive and prescriptive mode for your best practice compliance program. Next she emphasized that your compliance program must not be static but must evolve as your business risks evolve. Finally, and much closer to my heart, were her remarks that you need to “sensitize your business partners to compliance.” It was if she was channeling her inner Scott Killingsworth with his groundbreaking work on ‘Private-to-Private’ or P2P compliance solutions. Or, as I might say, she was advocating a business solution to the legal problem of bribery and corruption across the globe.

But Caldwell was not the only DOJ representative as we had Laurie Perkins, Assistant Chief, Foreign Corrupt Practices Act (FCPA) Unit and Kara Brockmeyer, Chief, FCPA Unit; Division of Enforcement from Securities and Exchange Commission (SEC), on a panel moderated by yours truly. First I would urge that if you are ever asked to moderate a panel with FCPA enforcers and regulators, jump at the chance. The reason is that you get to ask the questions you want answers to; even if you get past your prepared questions, when there is a lull in questions from the audience, you can follow up with something you want to know or in my case always wanted to know. So I asked some basic questions like: What is Criminal Information? (to Perkins) and Could you explain the process for the SEC’s Administrative Procedure? (to Brockmeyer). I was certainly enlightened by their answers to both questions.

The event sponsors were of course there to provide information on their solutions to assist any compliance practitioner. If you have never been to an event at the Mayflower Hotel in Washington, the conference rooms are along a wide hall that allows good people flow and adequate room for the sponsors and others to set up, meet attendees and discuss their products and services. I view the sponsors and vendors as a part of the compliance solution going forward and while they are clearly there to sell; they also engage in a fair amount of education. But the education runs both ways with many compliance practitioners communicating needs they have which can be incorporated into new product developments.

Unfortunately Compliance Week 2015 had to come to an end. But the feeling, information and new friends I met will last with me until Compliance Week 2016 next year. I hope you will plan to join me.

© Thomas R. Fox, 2015

Leave a Comment

May 13, 2015

Senn Interview, Part III – Post Incident Remediation

Filed under: Deferred Prosecution Agreement,Department of Justice,FCPA,FCPA Guidance,Mara Senn,Non-Prosecution Agreements,Ten Hallmarks of an Effective Compliance Program — tfoxlaw @ 12:01 am
Tags: best practices, compliance, compliance programs, Department of Justice, DOJ, FCPA, Foreign Corrupt Practices Act

I conclude my three-part series based upon my podcast interview of noted white-collar defense lawyer and Foreign Corrupt Practices Act (FCPA) practitioner Mara Senn, a partner at Arnold & Porter LLP. In Part I, I considered Senn’s thoughts on conducting internal investigations. In Part II, I looked at Senn’s decision-making calculus around the decision to self-disclose if you have determined that a potential FCPA violation existed. Today, I consider her thoughts on what steps a company should take if it comes to the decision not to self-report a potential FCPA violation. These include the remediation of potential or actual conduct that might arguably violate the FCPA and the actions you should take on an ongoing basis.

One of the things Senn made clear is that whether you decide to self-disclose or not, your company must fully remediate the issue which led to that. She suggested that a company should act as if they will draw government scrutiny. She said, “the best way to go about it is to assume, act as if, the government is breathing down their necks on this very issue and fully remediate. The nice thing is they can decide what that means, fully remediate.”

I inquired as to whether that meant a systemic look at the company’s operations on a global, worldwide basis, particularly in view of Assistant Attorney General Leslie Caldwell’s recent admonition not to ‘boil the ocean’ in the context of your FCPA internal investigation. Senn replied, “It used to be that in the government’s view, fully remediating meant go to 10 different countries, even if there’s no suspicion of any activity going on, just to make sure that everything’s okay. They’re now backing away from that, and in fact, they’re saying that the private sector is the one who started that whole trend, which is not quite consistent with history.”

Recognizing that there is always a risk that the government will come knocking, either via a whistleblower or other mechanism, Senn replied, “you want to be squeaky clean, so that when the government comes to you, if in the future, like a year down the line, you have another problem or the government has a whistleblower or whatever, that you can say, look, in our opinion, we did an analysis, and we thought it was not necessary to self-disclose. On the other hand, we were horrified and very upset by the fact that this potential infraction happened on our watch, and we’ve done the following 5 things, and we’ve remediated.”

She went on to explain, “What you want to do is show to the government, “We understand the problems that caused this, and we got to the root of it. Either it’s a bad apple, and we got rid of that bad apple, or it was really a failure of compliance structures, and we’ve fixed that part of the compliance structures. In fact, we’ve added more, just to double check and make sure that in this particular area or similar areas, depending on what it is, we will detect, prevent, and if we detect something, we will remediate.” They, the government, can feel comfortable that you did what they would have asked you to do anyways. That doesn’t always have to be onerous, sometimes it is depending on the scope of the issue, but that’s what I would say about that.”

Senn listed several actions that a company could engage in to demonstrate that it had taken solid remediation steps. Obviously, a company can “bulk up its compliance program.” But she added that it is important that a company demonstrate action taken against the nefarious party or parties. A company can discipline up to and including discharge. But do not forget lesser forms of discipline including docking pay or suspension without pay or other steps short of termination. I would add that you should consider the FCPA Guidance on this final point where it notes, “A compliance program should apply from the board room to the supply room—no one should be beyond its reach. DOJ and SEC will thus consider whether, when enforcing a compliance program, a company has appropriate and clear disciplinary procedures, whether those procedures are applied reliably and promptly, and whether they are commensurate with the violation.” [emphasis supplied]

Yet more than simply remediating an issue or even violation, Senn believes that a company should work to stay on top of its program thereafter. Certainly if you agree to a Deferred Prosecution Agreement (DPA) or Non-Prosecution Agreement (NPA), your company will either have an external monitor or reporting obligation to the Department of Justice (DOJ) going forward.

I asked her about ongoing monitoring of your compliance program; both the enhancements you might put in place to remedy generally and the specific issues that caused the problem initially. Senn agreed that is an important step going forward, she stated, “Absolutely, but I think that the monitoring requirement has now essentially expanded to the whole program. The government really expects you now to be having ongoing improvement and ongoing monitoring, so it’s not like you put in a policy 3 years ago and don’t do anything and then assume it’s okay. I think maybe you would put in a special extra audit or something like that on that particular situation, but really you should have in your compliance program an overall monitoring function that allows you to do that for all of your programs to various levels and various degrees. Yes, I think so, but it may not be as intensive as your typical external monitor, because you’re going to be integrating that into a program that’s really more holistic than just checking on that one thing. You’re going to be checking on a system-wide basis.”

Clearly this position was articulated in the FCPA Guidance as Hallmark Nine of an Effective Compliance Program. The Guidance states, “An organization should take the time to review and test its controls, and it should think critically about its potential weaknesses and risk areas.” The Guidance ended this Hallmark by stating, “Although the nature and the frequency of proactive evaluations may vary depending on the size and complexity of an organization, the idea behind such efforts is the same: continuous improvement and sustainability.”

To listen to the full Mara Senn interview, go to the FCPA Compliance and Ethics Report, by clicking here, or download it from iTunes.

© Thomas R. Fox, 2015

Leave a Comment

May 1, 2015

King Arthur Week – The Quest for the Holy Grail and Compliance Defense – Part V

Filed under: Best Practices,Compliance Defense,Department of Justice,FCPA,FCPA Guidance,FCPA Professor,Ten Hallmarks of an Effective Compliance Program — tfoxlaw @ 12:01 am
Tags: best practices, compliance, compliance programs, Department of Justice, DOJ, FCPA, FCPA Professor, Foreign Corrupt Practices Act, GAB

We conclude our Arthurian themed week with the Holy Grail, which has fired the imagination of artists for millennia. What was the Holy Grail? According to Professor Dorsey Armstrong in her Teaching Company lecture series, entitled “King Arthur: History and Legend”, the Holy Grail has taken various forms over the years. For Chrétien de Troyes, it was a fancy serving dish; for Wolfram von Eschenbach, it is a magical stone; for Robert de Boron, it is the cup that Christ drank from at the Last Supper; for the comedy troupe Monty Python, it is a cartoon sketch that no one ever finds; and for the modern day author Dan Brown, it is both a person, who is a descendant of Mary Magdalene, and a bloodline which leads to the Merovingian kings of France. In other words, it means many things to many people.

One of the articulated reasons for the creation of King Arthur’s Round Table was tied to the Holy Grail, since it was allegedly used at the Last Supper, it seems only natural that Arthur would seek it from his table as well. Indeed in Robert de Boron’s account of Arthur, the wizard Merlin tells Arthur the Round Table was established to identify the one Knight, who was pure of heart, who could find the Holy Grail. Only after the great quest for and locating of the Holy Grail was achieved could Arthur’s other ambitions come to pass.

Another interesting twist on the Grail legend is that it was in Britain. Curiously it was first ‘discovered’ by some enterprising Monks in Glastonbury, England in the late 12^th century. They just happened to come across a well that ‘bled’ water around the time of an annual pilgrimage. Going viral in the Middle Ages was tough but the Monks built upon their initial find by claiming that both King Arthur and his Queen Guinevere were also buried at their abbey. Do you believe any of the above? Are you on your own Grail Quest, however dreamy that quest might be?

I thought about the quest for the Holy Grail in the context of the renewed call for a compliance defense addition to the Foreign Corrupt Practices Act (FCPA), which would give companies a pass if they had sustained a FCPA violation. In a recent blog post, entitled “Wal-Mart’s Recent Disclosures”, the FCPA Professor renewed his clarion call for a compliance defense for FCPA violators, using Wal-Mart’s last three-year spend on compliance resources as a starting point. He wrote, “Wal-Mart disclosed spending approximately $220 million over the past three years in global compliance program and organizational enhancements.” He went on to note, “The key policy issue is this. Wal-Mart has engaged in FCPA compliance enhancements in reaction to its high-profile FCPA scrutiny. Perhaps if there was a compliance defense more companies would be incentivized to engage in compliance enhancements pro-actively. A compliance defense is thus not a “race to the bottom” it is a “race to the top” (see here for the prior post) and it is surprising how compliance defense detractors are unable or incapable of grasping this point.”

Leaving aside the issue of whether I am “unable or incapable” to grasp these issues I raised, I see this quest for (or ‘race’ as the FCPA Professor calls it) for a compliance defense for companies that violate the FCPA to be as quixotic as the quest for the Holy Grail. As there were two requirements for the Knight who was destined to find the Grail, we will begin pureness of heart. Recognizing that it might be difficult to find a corporation that is ‘pure of heart’, the appropriate analogy might be more than simply spending what may appear to be a large dollar amount on a compliance program. This is because it is not the amount of money you spend that informs the effectiveness of your compliance program. In three years Wal-Mart has reported it spent $220MM. The FCPA was enacted into existence in 1977. What do you get if you divide $220MM total spend into 38 years? My (recovering) trial lawyer math shows that to be approximately $5.78MM per year. How many billions of dollars per year was the annual revenue of Wal-Mart during that time? (Hint – a lot)

Moving our quest time frame to the modern era of FCPA enforcement, to say 2005. That would give an annual compliance spend of $20MM per year. If one looks at the company’s revenue from the middle of the last 10 years, for the fiscal year ending January 31, 2011, Wal-Mart reported net income of $15.4 billion on $422 billion in gross sales. Now what do you think about Wal-Mart’s quest for an effective compliance program based upon three year’s spending of $220 being significant? Indeed what is the percent of its revenues over the past three years that Wal-Mart spent creating its compliance program? Alas my trial lawyer math skills do not allow me to calculate a number so small.

How about the second part of the Grail quest that requires a ‘chaste’ Knight? Once again it is somewhat difficult to understand how a corporation could be chaste but I think the appropriate analogy is the doing of compliance. Put another way, it is not having a compliance program in place but having an effective compliance program. So not only does the amount of money a company spends become immaterial to our quest but also the same can be said to the claim that having a written program should entitle you some type of defense to any FCPA violations. Just as questing for the Holy Grail is seeking something that does not exist, affording companies a defense from their own FCPA violations by having a written program in place is not a temporal reality.

Under the FCPA Ten Hallmarks of an Effective Compliance Program, that it is an interplay of the right compliance message, tools in place to communicate and enforce the compliance message and then oversight to ensure compliance with the entire compliance regime. Such things as monitoring are recognized as a key element so your company should establish a regular monitoring system to spot issues and address them. Effective monitoring means applying a consistent set of protocols, checks and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. To address this, your compliance team should be checking in routinely with the finance departments in your foreign offices to ask if they have noticed recent accounting irregularities. Regional directors should be required to keep tabs on potential improper activity in the countries they manage. Additionally, the global compliance committee should meet or communicate as often as every month to discuss issues as they arise. These ongoing efforts demonstrate your company is serious about compliance.

In addition to monitoring, structural controls are recognized as an important element. It has been said that large companies “must use structural means to maintain control.” One of the best explanations of the use of internal controls as a structural component of any best practices compliance program comes from Aaron Murphy, a partner at Foley and Lardner in San Francisco, in his book entitled “Foreign Corrupt Practices Act”, where he said, “Internal controls are policies, procedures, monitoring and training that are designed to ensure that company assets are used properly, with proper approval and that transactions are properly recorded in the books and records. While it is theoretically possible to have good controls but bad books and records (and vice versa), the two generally go hand in hand – where there are record-keeping violations, an internal controls failure is almost presumed because the records would have been accurate had the controls been adequate.” These two parts are but a sampling but it is in the doing of compliance that any anti-corruption compliance program becomes effective; it is not simply having one in place.

Finally, as with all quests, what will it bring you if you actually achieve it? As with the Holy Grail, it is a good story but that is about it. I find this view best articulated by Matthew Stephenson, in a blog post entitled “The Irrelevance of an FCPA Compliance Defense”, where he gave three reasons why a compliance defense is not warranted. First (and perhaps almost too obvious to state) is that if your company is invoking a compliance defense, there has been a FCPA violation. The second is “The U.S. Department of Justice (DOJ) already takes into account a corporation’s good-faith efforts to implement a meaningful compliance program when the DOJ decides whether to pursue an FCPA action against the corporation, and what penalties or other remedies to impose. Indeed, the adequacy of the corporation’s compliance program is a standard subject of negotiation between the DOJ and corporate defendants.” Third is that “An FCPA compliance defense would only alter the DOJ’s bargaining position if a corporation unhappy with the DOJ’s position could either (1) convince the DOJ lawyers that the DOJ’s position is unreasonable in light of the corporation’s compliance program, or (2) credibly threaten to go to court and defeat the DOJ’s enforcement action altogether by successfully invoking the compliance defense before a federal judge.” Stephenson discounts subpart 1 because DOJ lawyers already take a company’s compliance program into account. But his second subpart is even more important because no company will go to trial against the government using a compliance defense to a demonstrable FCPA violation. Leaving aside the Arthur Anderson effect, no company is going to risk losing at trial when they can control their own fate through settlement. The modern day Knights seeking the Holy Grail of a compliance defense will never find it because of this last fact. Moreover, just as there were no real Knights who could meet the requirements to actually find the Holy Grail after their quest, there are no companies which can meet the same criteria; that being that a compliance defense could or even should trump a FCPA violation.

So we leave our King Arthur themed week with our quest intact, bringing message I hope that you have ascertained in these five posts about some of the things you need to do around the ‘nuts and bolts’ of anti-corruption compliance. I also hope that you might be able to look at the tales surrounding the King Arthur myth for your own inspiration.

© Thomas R. Fox, 2015

Leave a Comment

April 28, 2015

King Arthur Week – the Pentecostal Oath and Code of Conduct – Part II

One thing for which King Arthur is remembered are his chivalric knights. He helped create this legend, in large part, by establishing a Code of Conduct for the Knights of the Round Table. The King required each one of them to swear an oath, called the Pentecostal Oath, which was Arthur’s ideal for a chivalric knight. The Oath stated, “The king established all his knights, and gave them that were of lands not rich, he gave them lands, and charged them never to do outrageousity nor murder, and always to flee treason; also, by no mean to be cruel, but to give mercy unto him that asketh mercy, upon pain of forfeiture of their worship and lordship of King Arthur for evermore; and always to do ladies, damosels, and gentlewomen succor upon pain of death. Also, that no man take no battles in a wrongful quarrel for no law, ne for no world’s goods. Unto this were all the knights sworn of the Table Round, both old and young. And every year were they sworn at the high feast of Pentecost.” (Le Morte d’Arthur, pp 115-116)

Interestingly, the Oath first appeared in Sir Thomas Malory’s Le Morte d’Arthur and in none of the prior incarnations of the legend. In Malory’s telling, after the Knights swore the Oath, they were provided titles and lands by the King. The Oath specifies both positive and negative conduct; that is, what a Knight might do but also what conduct he should not engage in. The Pentecostal Oath formed the basis for the Knight’s conduct at Camelot and beyond. It was clearly a forerunner of today’s corporate Code of Conduct.

The foundational document of any Foreign Corrupt Practices Act (FCPA) compliance program is its Code of Conduct. This requirement has long been memorialized in the US Sentencing Guidelines, which contain seven basic compliance elements that can be tailored to fit the needs and financial realities of any given organization. From these seven compliance elements the Department of Justice (DOJ) has crafted its minimum best practices compliance program, which is now attached to every Deferred Prosecution Agreement (DPA) and Non-Prosecution Agreement (NPA). These requirements were incorporated into the 2012 FCPA Guidance. The US Sentencing Guidelines assume that every effective compliance and ethics program begins with a written standard of conduct; i.e. a Code of Conduct. What should be in this “written standard of conduct”.

Element 1

Standards of Conduct, Policies and Procedures (a Code of Conduct)

An organization should have an established set of compliance standards and procedures. These standards should not be a “paper only” document, but a living document that promotes organizational culture that encourages “ethical conduct” and a commitment to compliance with applicable regulations and laws.

In the FCPA Guidance, the DOJ and Securities and Exchange Commission (SEC) state, “A company’s code of conduct is often the foundation upon which an effective compliance program is built. As DOJ has repeatedly noted in its charging documents, the most effective codes are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf.” Indeed, it would be difficult to effectively implement a compliance program if it was not available in the local language so that employees in foreign subsidiaries can access and understand it. When assessing a compliance program the DOJ and SEC will review whether the company chapter has taken steps to make certain that the code of conduct remains current and effective and whether a company has periodically reviewed and updated its code.

In each DPA and NPA over the past 36 months the DOJ has stated the following as item No. 1 for a minimum best practices compliance program.

Code of Conduct. A Company should develop and promulgate a clearly articulated and visible corporate policy against violations of the FCPA, including its anti-bribery, books and records, and internal controls provisions, and other applicable foreign law counterparts (collectively, the “anti-corruption laws”), which policy shall be memorialized in a written compliance code.

In an article in the Society for Corporate Compliance and Ethics (SCCE) Complete Compliance and Ethics Manual, 2nd Ed., entitled “Essential Elements of an Effective Ethics and Compliance Program”, authors Debbie Troklus, Greg Warner and Emma Wollschlager Schwartz, state that your company’s Code of Conduct “should demonstrate a complete ethical attitude and your organization’s “system-wide” emphasis on compliance and ethics with all applicable laws and regulations.” Your Code of Conduct must be aimed at all employees and all representatives of the organization, not just those most actively involved in known compliance and ethics issues. From the board of directors to volunteers, the authors believe that “everyone must receive, read, understand, and agree to abide by the standards of the Code of Conduct.” This would also include all “management, vendors, suppliers, and independent contractors, which are frequently overlooked groups.”

There are several purposes identified by the authors that should be communicated in your Code of Conduct. Of course the overriding goal is for all employees to follow what is required of them under the Code of Conduct. You can do this by communicating what is required of them, to provide a process for proper decision-making and then to require that all persons subject to the Code of Conduct put these standards into everyday business practice. Such actions are some of your best evidence that your company “upholds and supports proper compliance conduct.”

The substance of your Code of Conduct should be tailored to the company’s culture, and to its industry and corporate identity. It should provide a mechanism by which employees who are trying to do the right thing in the compliance and business ethics arena can do so. The Code of Conduct can be used as a basis for employee review and evaluation. It should certainly be invoked if there is a violation. To that end, I suggest that your company’s disciplinary procedures be stated in the Code of Conduct. These would include all forms of disciplines, up to and including dismissal, for serious violations of the Code of Conduct. Further, your company’s Code of Conduct should emphasize it will comply with all applicable laws and regulations, wherever it does business. The Code needs to be written in plain English and translated into other languages as necessary so that all applicable persons can understand it.

As I often say, the three most important things about your FCPA compliance program are ‘Document, Document and Document’. The same is true of communicating your company’s Code of Conduct. You need to do more than simply put it on your website and tell folks it is there, available and that they should read it. You need to document that all employees, or anyone else that your Code of Conduct is applicable to, has received, read, and understands the Code. For employees, it is important that a representative of the Compliance Department, or other qualified trainer, explains the standards set forth in your Code of Conduct and answers any questions that an employee may have. Your company’s employees need to attest in writing that they have received, read, and understood the Code of Conduct and this attestation must be retained and updated as appropriate.

The DOJ expects each company to begin its compliance program with a very public and very robust Code of Conduct. If your company does not have one, you need to implement one forthwith. If your company has not reviewed or assessed their Code of Conduct for five years, I would suggest that you do in short order as much has changed in the compliance world.

What is the value of having a Code of Conduct? I have heard many business folks ask that question over the years. In its early days, a Code of Conduct tended to be lawyer-written and lawyer-driven to “wave in a defense situation” by claiming that “see we have one”. But is such a legalistic code effective? Is a Code of Conduct more than simply, your company’s law? What is it that makes a Code of Conduct effective? What should be the goal in the creation of your company’s Code of Conduct?

Just as the Pentecostal Oath was required to be sworn out each year, you should have your employees recertify their adherence to your Code of Conduct. Moreover, just as King Arthur set his expectations for behavior your company should do so as well.

© Thomas R. Fox, 2015

Comments (1)

April 27, 2015

King Arthur Week, King Arthur and Leadership – Part I

Filed under: Bribery Act,Chief Compliance Officer,Compliance,Compliance and Ethics,Ethical Leadership,FCPA,FCPA Guidance,Top Level Commitment — tfoxlaw @ 12:01 am
Tags: best practices, compliance, compliance programs, ethical leadership

I have been studying the legend of King Arthur and thought it would be good idea to have a week of blog posts around the legend of King Arthur, the Roundtable and his knights. Today I begin with King Arthur and some leadership lessons that might apply to a Chief Compliance Officer (CCO), compliance practitioner or others who might be responsible for an anti-corruption compliance program based on the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or similar anti-bribery law.

According to the legends, King Arthur achieved quite a bit in one lifetime. He, established a kingdom, ruled his castle, Camelot and brought peace and order to the land based on law, justice, and morality. He founded an order known as the Knights of the Round Table where in all knights are seated as equals around the table, symbolizing equality, unity, and oneness. Nicole Lastimado, in a blog post entitled “Characteristics of a Good Leader 🙂”, identified five characteristics that she believed made Arthur a good leader.

Adapting Lastimado King Arthur was (1) Honest, in that he displayed sincerity, integrity, and candor in his actions. (2) Intelligent, because he read and studied. (3) Courageous, because he had the perseverance to accomplish a goal, regardless of the seemingly insurmountable obstacles. (4) Imaginative because he adapted by making timely and appropriate changes in his thinking, plans, and methods. Finally, (5) Inspiring, because through demonstrating confidence, he inspired his knights and those in his Kingdom to reach for new heights. I would add as a separate category that Arthur led from the front.

I thought about those qualities when I read a couple of recent articles in the Houston Chronicle. The first was by the Chronicle Business Columnist, L. M. Sixel, entitled “Leaders possess the keys to safety”, and the second was an Op-Ed entitled “Trust Shaken”. Both articles discussed corporate issues that have led to catastrophic injuries or even deaths and more importantly how the entities involved reacted. The first article discussed safety at the workplace and the second health issues in the processing of food products.

In her article Sixel, wrote, “A company truly interesting in making sure its workers are safe has to come up with ways to make it easy and risk-free to bring up potential safety problems.” Moreover, the corporate attitude which fosters this “starts with leadership.” She cited to Frank Reiner, the president of the Chlorine Institute, who recently said in a speech to the group’s annual conference in Houston “You have to eliminate the fear.” Additionally, “Once the cause is identified, similar accidents can be prevented, he said. The message that people are free to come forward to talk about what went wrong and why has to come from the top down. Identifying problems not only is everyone’s responsibility but also a companywide expectation.”

Equally important is for a company to learn from its mistakes. Obviously there should be a root cause analysis after a disaster. At the same conference, the Keynote Speaker, John E. Michel, a retired U.S. Air Force brigadier general and author of The Art of Positive Leadership: Becoming a Person Worth Following, said “After a disaster, there is a big investigation to find out why it happened and fix the problem before it can happen again. Sometimes, whole fleets are grounded after an airline crash.” However Michel noted that it is important to keep learning even if there is no disaster. Michel “likes to pay attention to “near misses” and learn from the times things could have gone horribly wrong but didn’t” and that “There are debriefing sessions even when things go well on a flight mission and there are always tweaks to be made.”

Another speaker at the conference Mark Briggs, area director of the Houston South office for OSHA, noted it was important for employees to feel their suggestions and comments around safety are considered by management, saying “You have to show you care and that’s its not just a one-month project.” If management shows that it takes employee recommendations around safety seriously, it will help employees down the chain feel more secure about bringing them to management’s attention.

The Chronicle Op-Ed piece focused on one of the most beloved institutions in the great state of Texas – Blue Bell Ice Cream. Unfortunately for Blue Bell, in March there were five cases of listeria in Kansas, linked to a Blue Bell plant. Three of those persons died, “although a Kansas health official stated that the listeriosis was not the cause of death.” The Chronicle piece noted that after that initial discovery, “multiple strains of listeria have been found in its Brenham and Oklahoma plants, almost 500 miles apart, according to the CDC [Center for Disease Control and Prevention]. Possible explanations include lax safety standards, extremely bad luck striking twice or some undisclosed manufacturing issue.”

A The Texas Tribune article by Terri Langford, entitled “State Health Tests Prodded Blue Bell Recall”, said, “The crisis for Blue Bell began on March 13, when Kansas officials determined that Listeria-tainted portions of the company’s ice cream made it into products served to five hospital patients between January 2014 and January 2015. Of the five who became ill, three died. By March 24, Kansas officials traced the source of the listeria to Blue Bell’s plant in Broken Arrow, Okla., built by the Texas company in 1992. On April 3, the Centers for Disease Control had traced Blue Bell’s Listeria strain to six other patients going back to 2010. Four had been hospitalized in Texas for unrelated problems when they became sick from listeria. Five days later, on April 8, the CDC had identified two clusters of Blue Bell listeria victims. The strains were traced to the plants in Oklahoma and Texas.”

Yet it was not until Blue Bell was notified by a representative from the Texas Department of State Health Services, that “lab tests on two Blue Bell ice cream flavors — Mint Chocolate Chip and Chocolate Chip Cookie Dough — came back “presumptive positive” for the deadly bacteria Listeria monocytogenes” that the company announced it was pulling product from its shelves for testing.

What are the lessons from for the CCO or compliance practitioner? You should channel your inner King Arthur and lead. You have to lead management to understand that one of the best sources of information on your own business is your employees. There is a reason the FCPA Guidance lists internal reporting as one of the Ten Hallmarks of an Effective Compliance Program. You must give employees a way to report misconduct and then you must use that information to investigate and communicate to employees going forward. If there are lessons to be learned use those lessons for in-house compliance training. If a true catastrophe or disaster befalls the company, do not wait to remediate. Do so as soon as is practicable, not when the government calls.

© Thomas R. Fox, 2015

Leave a Comment

April 10, 2015

International Anti-Corruption Enforcement Efforts

Filed under: Best Practices,Brazil,Clean Companies Act,Compliance,Compliance and Ethics,Corruption in Brazil,Corruption in China,Department of Justice,FCPA,FCPA Guidance,GlaxoSmithKline,Ten Hallmarks of an Effective Compliance Program — tfoxlaw @ 12:01 am

While the US Foreign Corrupt Practices Act (FCPA) is still the most widely recognized and enforcement anti-bribery and anti-corruption law across the globe, there have been a number of initiatives which will lead directly to greater anti-bribery and anti-corruption enforcement. This increased enforcement will lead to increased risks for companies that do not have anti-bribery and anti-corruption compliance programs in place. This post discusses the efforts of other countries to enact and enforce legislation to curb bribery and corrupt across the globe.

China

Over the past 18 months, GlaxoSmithKline PLC (GSK) was embroiled in a very public, very nasty bribery and corruption investigation. It culminated in the conviction of GSK and the assessment of a $491 million fine, criminal conviction of four senior GSK China subsidiary managers and the criminal convictions of two ancillary GSK-hired investigators. The entry of the Chinese government into the international fight against corruption and bribery is truly a game-changer. While there may be many reasons for this very public move by the Chinese government, it is clear that foreign companies are now on notice. Doing business the old fashioned way will no longer be tolerated. This means that international (read: western) companies operating in China have a fresh and important risk to consider; that being that they could well be subject to prosecution under domestic Chinese law.

The international component of this investigation may well increase anti-corruption enforcement across the globe. First of all, when other countries notorious for their endemic corruptions, for example India, see that they can attack their domestic corruption by blaming it on international businesses operating in their country, what lesson do you think they will draw? Most probably that all politics are local and when the localities can blame the outsiders for their own problems they will do so. But when that blame is coupled with violations of local law, whether that is anti-bribery or anti-price fixing, there is a potent opportunity for prosecutions.

One of the audit failures of GSK was around well known compliance risks in China, including (1) event abuse planning; (2) mixture of legitimate and illegitimate travel; (3) other collusion with travel agencies; and (4) parallel itineraries. So those risks are well known and have been documented. While the cost of monitoring is high and would involve the tedious work of verifying millions of receipts by calling hotels, airlines and office supply stores and scrutinizing countless transactions for signs of fraud; if your compliance risks are known for a certain profile, then you should devote the necessary resources to making sure you are in compliance in that area.

Brazil

While GSK was a harbinger of international anti-corruption investigations and enforcement actions based on domestic anti-bribery laws; Brazil and its state-owned energy company Petrobras may become the world’s largest corruption investigation. In a New York Times (NYT) article, entitled “Scandal Over Brazilian Oil Company Adds Turmoil to the Presidential Race”, the scandal was detailed by a former Petrobras official, Paulo Roberto Costa. Mr. Costa was the person who oversaw the company’s refining operations. He has admitted to having engaged in the receipt of bribes for at least a 10 year period “equivalent to 3 percent of the value of the deals from the Brazilian construction companies that obtained the contracts” to build refineries. This amounted to literally millions being “stashed in bank accounts in Switzerland and the Cayman Islands.” He “inflated budgets for new projects” by 3% and then had that amount kicked back to him as bribes. The allegations were verified “through an associate, Alberto Youssef, a black-market money dealer who testified that he helped launder funds in the scheme. Mr. Youssef, who has also accepted a plea deal, testified that more than a dozen of Brazil’s largest construction companies had paid hefty bribes to obtain lucrative Petrobras contracts.” Interestingly, Brazilian President Rousseff “has also effectively acknowledged the prevalence of corruption inside the executive suites of Petrobras, while denying that she had known about the kickbacks when they were taking place.”

The scandal has not only engulfed suppliers to Petrobras in Brazil. It has now moved to the international stage. From shipyards in Singapore, which have been alleged to have paid bribes to Petrobras, to Rolls Royce in Great Britain which has been alleged to have paid bribes for the sale of turbine engines; this scandal truly is international in scope and may engulf more companies going forward. In addition to violations of Brazilian law, the US government has reportedly opened an investigation, as Petrobras USA is a US stock-exchange issuing entity and subject to the FCPA. Indeed, in the US there are already multiple shareholder derivative lawsuits against the US entity for mis-representing its true value because of the corruption allegations against the company in Brazil.

The Petrobras scandal continues to make news almost daily and its repercussions continue to reverberate across the globe. The FCPA Blog, in an article entitled “Swiss AG freezes $400 million in Petrobras bribe probe”, stated that in Switzerland alone there are nine open investigations into alleged money laundering tied to Petrobras. In mid-March the Office of the Attorney General of Switzerland (OAG) announced that they had issued an order to freeze $400 million of assets allegedly tied to a Petrobras corruption scheme. The FCPA Blog further stated the OAG announced “The release of over $120 million reflects Switzerland’s clear intention to take a stand against the misuse of its financial center for criminal purposes and to return funds of criminal origin to their rightful owners.”

The domestic Brazilian Anti-Bribery Law, the Clean Company Act, enacted into law in 2014, is uniquely designed for oversight by internal audit. Compliance programs will be evaluated on three prongs: the structure of the program; specifics about the legal entity; and an evaluation of the program’s efficiency. The first prong will include consideration of the existence of mechanisms for reporting suspected or actual misconduct, training, code of conduct, policies and procedures, periodic risk assessments, and application of disciplinary measures against employees (including senior management too) involved in wrongdoing. Under the second prong, the compliance risks associated will be considered. Compliance programs should be tailored to the company’s risks; “one-size-fits-all” programs will not be accepted. The third prong will consist of a case-by-case verification, that it is not simply a paper program.

Finally, and no doubt spurred by the Petrobras corruption scandal, the FCPA Blog also reported, in another article entitled “After protests, Brazil president issues anti-graft regulations”, that Brazilian President Dilma Roussef issued a presidential decree with regulations under the Clean Company Act. The new regulations issued address some of the crucial questions concerning the administrative procedure for imposing corporate liability and assessing fines. It also set out the criteria for determining fines, evaluating compliance programs, and entering into leniency agreements. Finally, the decree also provides that books and records accuracy and completeness will be a key criterion for evaluating compliance programs, no doubt inspired by the FCPA accounting provisions. As the FCPA Blog said, “The regulations under the Clean Company Act are a critical milestone in the effort to restore credibility to Brazil’s federal government, in light of its past commitments to fighting corruption in the corporate world.”

Conclusion

What does all of the above mean for a global company? It means that some law that prohibits bribery and corruption will cover your business. It will not and does not matter if you are a US, UK or Brazilian company doing business outside of your home country, somewhere a law prohibiting bribery and corruption will cover your actions. Even if you are not covered by the FCPA, the UK Bribery Act or the Clean Company Act, if you are doing business in a local country you can still be subject to prosecution under its domestic anti-bribery laws. This means that there will be greater enforcement going forward and greater cooperation between enforcement agencies.

For businesses the only response to this plethora of new laws is to implement and enhance a best practices anti-bribery/anti-corruption compliance program and there are several examples that companies can follow to do so. In the US, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) provided their suggestions with their Ten Hallmarks of an Effective Compliance Program; the UK Ministry of Justice (MOJ) has provided commentary on the Six Principles of an Adequate Procedures compliance program and the Organization of Economic Cooperation and Development (OECD) has put forth its Good Practice Guidance on Internal Controls, Ethics, and Compliance.

All of these anti-bribery/anti-corruption regimes set forth easily digested concepts that a company could implement. However, there must be more than simply a paper program in place. A company must actually do compliance for it to be effective. By making compliance a part of normal business practices, it will be possible to prevent, detect and then remediate any bribery or corruption issues that may arise.

© Thomas R. Fox, 2015

Leave a Comment

March 30, 2015

Compensation Incentives in a Best Practices Compliance Program

Filed under: Best Practices,Compliance,Compliance and Ethics,compliance programs,Department of Justice,FCPA,FCPA Guidance,Incentives In Compliance Program — tfoxlaw @ 12:01 am
Tags: best practices, compliance, compliance programs, Department of Justice, DOJ, FCPA

One of the areas that many companies have not paid as much attention to in their Foreign Corrupt Practices Act (FCPA) anti-corruption compliance programs is compensation. However the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have long made clear that they view incentives, rewarding those employees who do business in compliance with their employer’s compliance program, as one of the ways to reinforce the compliance program and the message of compliance. As far back as 2004, the then SEC Director of Enforcement, Stephen M. Cutler, said “[M]ake integrity, ethics and compliance part of the promotion, compensation and evaluation processes as well. For at the end of the day, the most effective way to communicate that “doing the right thing” is a priority, is to reward it.” The FCPA Guidance states the “DOJ and SEC recognize that positive incentives can also drive compliant behavior. These incentives can take many forms such as personnel evaluations and promotions, rewards for improving and developing a company’s compliance program, and rewards for ethics and compliance leadership.”

In a Harvard Business Review (HBR) article, entitled “The Right Way to Use Compensation”, Mark Roberge, Chief Revenue Officer of HubSpot, wrote about his company’s design and redesign of its employee’s compensation system to help drive certain behaviors. The piece’s subtitle indicated how the company fared in this technique as it read, “To shift strategy, change how you pay your team.” Several interesting ideas were presented, which I thought could be applicable for the Chief Compliance Officer (CCO) or compliance practitioner when thinking about compensation as a mechanism in a best practices compliance program.

Obviously Roberge and HubSpot were focused on creating and retaining a customer base for a start-up company. However because the company was a start-up, I found many of their lessons to be applicable for the compliance practitioner. As your compliance program matures and your strategy shifts, “it’s critical that the employees who bring in the revenue-the sales force-understand and behave in ways that support the new strategy. The sales compensation system can help ventures achieve that compliance.” The prescription for you as the compliance practitioner is to revise the incentive system to focus your employees on the goals of your compliance program. This may mean that you need to change the incentives as the compliance programs matures; from installing the building blocks of compliance to burning anti-corruption compliance into the DNA of your company.

Roberge wrote that there were three key questions you should ask yourself in modifying your compensation incentive structure. First, is the change simple? Second, is the changed aligned with your company values? Third, is the effective on behavior immediate due to the change?

Simplicity

Your employees should not need “a spreadsheet to calculate their earnings.” This is because if “too many variables are included, they may become confused about which behaviors” you are rewarding. Keep the plan simple and even employee KISS, Keep it simple sir, when designing your program. If you do not do so, your employees might fall back on old behaviors that worked in the past. Roberge notes, “It should be extraordinarily clear which outcomes you are rewarding.”

The simplest way to incentive employees is to create metrics that they readily understand and are achievable in the context of the compliance program that you are trying to implement or enhance. This can start with attending Code of Conduct and compliance program training. Next might be a test to determine how much of that training was retained. It could be follow up, online training. It could mean instances of being a compliance champion in certain areas, whether with your employee base or third party sales force.

Alignment

As the CCO or compliance practitioner, you need to posit the most important compliance goal your entity needs to achieve. From there you should determine how your compensation program can be aligned with that goal. Roberge cautions what the DOJ and SEC both seem to understand, that you should not “underestimate the power of your compensation plan.” You can tweak your compliance communication, be it training, compliance videos, compliance reminders or other forms of compliance messaging but it is incumbent to remember that “if the majority of your company’s revenue is generated by salespeople, properly aligning their compensation plan will have greater impact than anything else.”

The beauty of this alignment prong is that it works with your sales force throughout the entire sales channel. So if your sales channel is employee based then their direct compensation can be used for alignment. However such alignment also works with a third party sales force such as agents, representatives, channel ops partners and even distributors. Here Roberge had another suggestion regarding compensation that I thought had interesting concepts for third parties, the holdback or even clawback. This would come into place at some point in the future for these third parties who might meet certain compliance metrics that you design into your third party management program.

Immediacy

Finally, under immediacy, it is important that such structures be put in place “immediately” but in a way that incentives employees. Roberge believes that “any delay in the good (or bad) behavior and the related financial outcome will decrease the impact of the plan.” As a part of immediacy, I would add there must be sufficient communication with your employee or other third party sales base. Roberge suggested a town hall meeting or other similar event where you can communicate to a large number of people.

Even in the world of employee compensation incentives, there should be transparency. He cautioned that transparency does not mean the design of the incentive system is a “democratic process. It was critical that the salespeople did not confuse transparency and involvement with an invitation to selfishly design the plan around their own needs.” However, he did believe that the employee base “appreciated the openness, even when the changes were not favorable to their individual situations.” Finally, he concluded, “Because of this involvement, when a new plan was rolled out, the sales team would understand why the final structure was chosen.”

So just as Roberge, working with HubSpot as a start-up, learned through this experience “the power of a compensation plan to motivate salespeople not only to sell more but to act in ways that support a start-up’s evolving business model and overall strategy”; you can also use your compensation program as such an incentive. For the compliance practitioner one of the biggest reasons is to first change a company’s culture to make compliance more important but to then burn it into the fabric of your organization. But you must be able to evolve in your thinking and professionalism as a compliance practitioner to recognize the opportunities to change and then adapt your incentive program to make the doing of compliance part of your company’s everyday business process.

Leave a Comment

March 18, 2015

The Blue Geranium – SEC Enforcement of the FCPA – Part III

Filed under: Department of Justice,Enforcement Actions,FCPA,FCPA Guidance,FCPA Professor,Profit Disgorgement,Remedies,SEC — tfoxlaw @ 12:01 am
Tags: Department of Justice, DOJ, FCPA, FCPA Professor, Foreign Corrupt Practices Act, SEC

In Christie’s The Blue Geranium a difficult and cantankerous semi-invalid wife is looked after by a succession of nurses. They changed regularly, unable to cope with their patient, with one exception Nurse Copling who somehow managed the tantrums and complaints better than others of her calling. The wife had a predilection for fortunetellers and one announced that the wallpaper in the wife’s room was evil; pronouncing she should “Beware of the Full Moon. The Blue Primrose means warning; the Blue Hollyhock means danger; the Blue Geranium means death.” Four days later, one of the primroses in the pattern of the wallpaper in the wife’s room changed color to blue in the middle of the night, when there had been a full moon.

On the morning after the next full moon, the wife was found dead in her bed with only her smelling salts beside her. Once again Miss Marple has the solution remembering that potassium cyanide resembled smelling salts in odor. The wife took what she thought were smelling salts but was in reality potassium cyanide. The flowers on the wallpaper had been treated with litmus paper which the turned the geranium in question blue, which unmasked the killer.

I found this story to be an interesting way to introduce the topic of the Securities and Exchange Commission’s (SEC’s) damage remedies. While some are obvious, such as the fines and penalties which are listed in the text of the Foreign Corrupt Practices Act (FCPA), another one, that being profit disgorgement must be seen through the lens of multiple legislations.

Monetary Fines

The damages that are available to the SEC differ in some significant aspects from those available to the Department of Justice (DOJ) in its enforcement of the criminal side of the FCPA. According to the FCPA Guidance, “For violations of the anti-bribery provisions, corporations and other business entities are subject to a civil penalty of up to $16,000 per violation. Individuals, including officers, directors, stockholders, and agents of companies, are similarly subject to a civil penalty of up to $16,000 per violation, which may not be paid by their employer or principal. For violations of the accounting provisions, SEC may obtain a civil penalty not to exceed the greater of (a) the gross amount of the pecuniary gain to the defendant as a result of the violations or (b) a specified dollar limitation. The specified dollar limitations are based on the egregiousness of the violation, ranging from $7,500 to $150,000 for an individual and $75,000 to $725,000 for a company.”

As straightforward as these monetary amounts may seem, the totals can become very large very quickly. As noted by Russ Ryan in a guest post on the FCPA Professor’s blog, entitled “Former SEC Enforcement Official Throws The Red Challenge Flag”, the SEC significantly multiplied those amounts in a default judgment context against former Siemens executives by claiming that “four alleged bribes should be triple-counted as three separate securities law violations – once as a bribe, again as a books-and-records violation, and yet again as an internal-controls violation – thus artificially multiplying four violations to create twelve.” Further, under the specific books-and-records and internal-controls allegations “the SEC was super aggressive, taking the position that these classically non-fraud violations involved “reckless disregard” of a regulatory requirement, thus allowing the SEC to demand the maximum $60,000 per violation in “second-tier” penalties rather than the $6,000 per violation in the “first-tier” penalties ordinarily associated with non-fraud violations.”

Profit Disgorgement

In addition to the above statutory fines and penalties, “SEC can obtain the equitable relief of disgorgement of ill-gotten gains and pre-judgment interest and can also obtain civil money penalties pursuant to Sections 21(d)(3) and 32(c) of the Exchange Act. SEC may also seek ancillary relief (such as an accounting from a defendant). Pursuant to Section 21(d)(5), SEC also may seek, and any federal court may grant, any other equitable relief that may be appropriate or necessary for the benefit of investors, such as enhanced remedial measures or the retention of an independent compliance consultant or monitor.” These remedies can be sought in a federal district court of through the SEC administrative process.

As explained by Marc Alain Bohn, in a blog post on the FCPA Blog entitled “What Exactly is Disgorgement?” profit “Disgorgement is an equitable remedy authorized by the Securities Exchange Act of 1934 that is used to deprive wrong-doers of their ill-gotten gains and deter violations of federal securities law. The Act gives the SEC the authority to enter an order “requiring accounting and disgorgement,” including reasonable interest, as part of administrative or cease and desist proceedings”. In another article Bohn co-authored with Sasha Kalb, entitled “Disgorgement – the Devil You Don’t Know” published in Corporate Compliance Insights (CCI), they set out how such damages are calculated. They said, “In calculating disgorgement, the SEC is required to distinguish between legally and illegally obtained profits. The first step in such calculations is to identify the causal link between the unlawful activity and the profit to be disgorged. Once this causal link is established, the SEC may assert its right to disgorge illicit profits that stem from this wrong-doing. Because calculations like these often prove difficult, courts tend to give the SEC considerable discretion in determining what constitutes an ill-gotten gain by requiring only a reasonable approximation of the profits which are causally connected to the violation.”

However if you read the FCPA quite closely you will not find any language regarding profit disgorgement as a remedy. Nevertheless a simple reading of the statute does not limit our inquiry as to this remedy. In a Note, published in the University of Michigan Journal of International Law, entitled “The Foreign Corrupt Practices Act, SEC Disgorgement of Profits and the Evolving International Bribery Regime: Weighing Proportionality, Retribution and Deterrence”, author David C. Weiss explained the development of the remedy of profit disgorgement. As noted by Bohn, profit disgorgement was always available to the SEC from the very beginning of its existence, through the enabling legislation of 1934. But as explained by Weiss, in the completely unrelated legislation entitled The Penny Stock Reform Act of 1990, profit disgorgement was “authorized by statute [as a remedy to the SEC] without a limitation to the FCPA.”

Finally, and what many compliance practitioners do not focus on for SEC enforcement of the FCPA, was the enactment of Sarbanes-Oxley Act of 2002 (SOX). Weiss said, “The most recent change to the way in which the SEC enforces the FCPA—and a critical development to consider—is SOX, which affects virtually all of the SEC’s prosecutions, including those under the FCPA. When assessing penalties, the SEC draws on SOX to provide great latitude in determining the types of penalties it enforces. While SOX did not amend the FCPA itself, it did amend both civil and criminal securities laws relating to compliance, internal controls, and penalties for violations of the Exchange Act. Since the enactment of SOX, the SEC has possessed the power to designate how a particular penalty that it assesses will be classified.” [citations omitted]

There has been criticism of the SEC using profit disgorgement as a remedy. As far back as 2010, the FCPA Professor criticized this development in his article “The Façade of FCPA Enforcement” where he found fault with the remedy of profit disgorgement for books and records violations or internal controls violations only, where there is no corresponding “enforcement action charging violations of the anti-bribery provisions.” He wrote “It is difficult to see how a disgorgement remedy premised solely on an FCPA books and records and internal controls case is not punitive. It is further difficult to see how the mis-recording of a payment (a payment that the SEC does not allege violated the FCPA’s anti-bribery provisions) can properly give rise to a disgorgement remedy.”

Bohn and Kalb said, “Over the last six years, disgorgement has served to significantly increase the financial loss that companies are exposed to in FCPA enforcement matters. In addition to the considerable civil penalties often imposed by the SEC as part of FCPA settlements, the SEC has made clear that it will not hesitate to seek recovery of large sums through disgorgement provided they are reasonably related to the alleged misconduct. Yet the methodology used by the SEC to support the amounts it seeks to disgorge has not been much discussed. In the absence of adequate guidance as to how these sums are calculated, disgorgement poses an even greater risk in the current aggressive FCPA enforcement climate.” I would only add to their conclusion that profit disgorgement is here to stay.

Leave a Comment

March 17, 2015

The Companion and SEC Enforcement of the FCPA – Part II

Filed under: Administrative Proceedings,Department of Justice,FCPA,FCPA Guidance,FCPABlog,No-Admission Settlements,SEC,Wall Street Journal — tfoxlaw @ 12:01 am

I will use Agatha Christie’s short story The Companion as the introduction to today’s blog post. This story, related by one of the Tuesday story-telling group of detective aficionados, Dr. Lloyd, and is about two people who are related yet take different paths. It involves the death of a woman while on vacation on the Island of Gran Canaria. The deceased was named Mary Barton and she died while trying to save her companion, one Amy Durrant, from drowning. Sometime later Miss Durrant was deemed missing and presumed drowned off the coast of Cornwall. However there was a double crime as Durrant had actually drowned Barton in Gran Canaria and then faked her own death in Cornwall, however she had returned home to Australia where she actually died within a month of returning. It turned out that Durrant was a cousin to Barton and her only living relation. Since both women were now dead, Barton’s not inconsiderable estate passed on to Durrant’s children, which was her plan all along.

All of which informs today’s topic that being the difference in Securities and Exchange Commission (SEC) Foreign Corrupt Practices Act (FCPA) enforcement resolution tools from those used by the Department of Justice (DOJ). While both the SEC and DOJ use Deferred Prosecution Agreements (DPAs) and Non-Prosecution Agreements (NPAs); there are other tools in the SEC arsenal, which the DOJ does not use. These revolve around the fact that in FCPA enforcement, the DOJ handles criminal prosecution and the SEC handles things on the civil side of FCPA enforcement.

Traditionally the SEC obtains a Cease and Desist order by going to a federal district court. The FCPA Guidance states, “In a civil injunctive action, SEC seeks a court order compelling the defendant to obey the law in the future. Violating such an order can result in civil or criminal contempt proceedings. Civil contempt sanctions, brought by SEC, are remedial rather than punitive in nature and serve one of two purposes: to compensate the party injured as a result of the violation of the injunction or force compliance with the terms of the injunction.”

In most cases the defendant does not contest these Orders and there are no admissions made by the defendant regarding conduct that may have violated the FCPA. While there has been significant criticism of ‘No Admission’ settlements entered into by the SEC, these types of settlements are not expected to change where there is no corresponding criminal action. In a 2013 speech, SEC Chair Mary Jo White announced an expansion of the “admit” policy, and explained that while “neither admit nor deny” settlements would remain the norm, the SEC would now require defendants to admit wrongdoing “in certain cases where heightened accountability or acceptance of responsibility through the defendant’s admission of misconduct may be appropriate”. SEC enforcement chief, Andrew Ceresney, has added that defendants may be required to admit violations in cases of “egregious misconduct,” such as cases involving obstruction of the SEC’s investigation or harm to large numbers of investors.

However the past year or so, the SEC has moved to handle FCPA enforcement actions through an administrative process. As explained in the FCPA Guidance, “SEC has the ability to institute various types of administrative proceedings against a person or an entity that it believes has violated the law. This type of enforcement action is brought by SEC’s Enforcement Division and is litigated before an SEC administrative law judge (ALJ). The ALJ’s decision is subject to appeal directly to the Securities and Exchange Commission itself, and the Commission’s decision is in turn subject to review by a U.S. Court of Appeals.”

In a post on the FCPA Blog, entitled “Are Administrative Proceedings the New Civil Complaints?” Marc Alain Bohn explored this expanded use of administrative law proceedings in SEC enforcement of the FCPA, by noting, “which was facilitated in part by a 2010 Dodd-Frank amendment to the Securities and Exchange Act of 1934 that enables the SEC to collect civil penalties through administrative proceedings.” Moreover, Bohn noted a couple of significant differences in going through a federal district court to obtain a Cease and Desist Order and going through the SEC administrative process. He said, “FCPA cases resolved via administrative proceeding require no judicial approval, as opposed to the settlement of formal civil complaints. This distinction is important because district court judges have complicated several SEC prosecutions in recent years by demanding changes to negotiated settlements or dismissing charges or otherwise limiting claims. In addition, the imposition of a cease-and-desist order under an administrative proceeding requires only that the SEC establish a likelihood that a defendant will violate federal securities law, in contrast with the “reasonable likelihood” required by a court-ordered injunction.” [citations omitted]

The FCPA Professor has been unremitting in his criticism of this administrative settlement process, citing a complete lack of transparency in the process, among other criticisms. Mike Volkov, perhaps more charitably, wrote, “The SEC’s “new” use of administrative proceedings for FCPA cases demonstrates its unwillingness to face judicial scrutiny and undermines the effectiveness of its enforcement program. The SEC likes to play on its home turf and for some reason feels that going to court is not as important.” Whatever your view on the use of the administrative process might be I would only say that it is here to stay so you had better be ready to participate in it if you find yourself in a SEC FCPA enforcement action.

Another criticism of this process is what might be called the home court advantage. In an article in the Wall Street Journal (WSJ), entitled “Firms oppose SEC’s internal enforcement process”, reporter Hazel Bradford quoted Terry Weiss, an attorney with Greenberg Traurig LLP in Atlanta, for the following “I have no problem with fairness when (a case) is brought in a federal District Court and when it is overseen by a federal District Court judge who is appointed by the president of the United States and approved by the U.S. Senate. I have a significant problem when you have (administrative law judges) who are picked by the SEC.” The problem with this argument is that ALJ’s have been a part of the federal enforcement process for a wide variety of agencies, department and issues since the 1930s. To say the SEC is using an approved administrative process that violates the Constitution seems to me to be a stretch.

Another area the SEC has in common with the DOJ in FCPA enforcement is that they both sometimes decline to bring enforcement actions. The FCPA Guidance cites back to the SEC Enforcement Manual for the “guiding principles” in determining whether the Commission will bring a FCPA enforcement action. The factors the SEC will determine, which are the same for enforcement actions against entities or individuals., are listed as follows:

the seriousness of the conduct and potential violations;
the resources available to SEC staff to pursue the investigation;
the sufficiency and strength of the evidence;
the extent of potential investor harm if an action is not commenced; and
the age of the conduct underlying the potential violations.

It is important to understand these differences in resolution vehicles and tactics used by the SEC, separate and apart from the DOJ. The civil jurisdiction of FCPA enforcement entails some differences in approach by the SEC. It is important that any Chief Compliance Officer (CCO) or compliance practitioner understand these differences in the event their company goes through a FCPA investigation or enforcement action. We saw three significant FCPA enforcement actions last fall, Smith & Wesson, Layne Christensen and Bio-Rad, where there was no corresponding DOJ FPCA enforcement action brought jointly with the SEC enforcement action. As anti-corruption compliance programs mature, it may well be that this could portend the future. Just as with The Companion simply because it appears that two are together, they may have their own separate callings. Tomorrow I review some of the unique damages available to the SEC in a FCPA enforcement action.

Leave a Comment

« Previous Page — Next Page »

FCPA Compliance and Ethics Blog

May 26, 2015

Economic Downturn Week, Part I – Mapping of Your Internal Compliance Controls

May 21, 2015

Compliance Week 2015 Wrap Up

May 13, 2015

Senn Interview, Part III – Post Incident Remediation

May 1, 2015

King Arthur Week – The Quest for the Holy Grail and Compliance Defense – Part V

April 28, 2015

King Arthur Week – the Pentecostal Oath and Code of Conduct – Part II

April 27, 2015

King Arthur Week, King Arthur and Leadership – Part I

April 10, 2015

International Anti-Corruption Enforcement Efforts

March 30, 2015

Compensation Incentives in a Best Practices Compliance Program

March 18, 2015

The Blue Geranium – SEC Enforcement of the FCPA – Part III

March 17, 2015

The Companion and SEC Enforcement of the FCPA – Part II

January

Blogroll

Pages

Admin

Read by Email

Recent Posts from FCPA Compliance and Ethics Report: FCPA Compliance and Ethics Report

Episode 240-Bill Coffin on Compliance Week 2016

Episode 239-Jonathan Armstong On EU Privacy Shield

Episode 238-John Allen on HR Touch Points in Compliance

Episode 237-Steve McCalmont on the Avior Risk Management Platform

Episode 236-Adam Turteltaub and SCCE CCO Survey