FCPA Compliance and Ethics Blog

February 17, 2015

Gary Owens, Laugh-In and Accountability in Your Compliance Program

Gary OwensIf you were alive at all during the 1960s, you will recall that one of the cultural phenomenon’s was NBC’s television show Laugh-In. It was brought to you from the NBC studios in beautiful downtown Burbank and featured one very droll player, who always played himself, Gary Owens, as the show’s announcer – Gary Owens. Owens died last week and I was surprised but pleased to learn in reading his obituary in the New York Times (NYT) that he was also the voice for several cartoon characters in the Jay Ward stable (home of Rocky and Bullwinkle) and he was the voice of Space Ghost which had a renaissance during the early years of the Cartoon Network.

I thought about Owens’ role on Laugh-In not only as the straight man but also the character, who in many ways brought accountability to the manic show when I read this week’s article by Adam Bryant in his NYT Corner Office column, entitled “Making a Habit of Accountability”, which featured his interview of Natarajan Chandrasekaran, the Chief Executive Officer (CEO) of Tata Consulting Services. Chandrasekaran was raised on a farm and one of the things that he learned early on from his farmer father was “the value of money and the value of time. So he made us account for things. It wasn’t that there was a right or wrong way, but he wanted us to be accountable for what we did.”

I considered this concept of accountability in your best practices anti-corruption compliance program, whether based upon the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other program. With the Department of Justice’s (DOJ) recent pronouncements that it will more aggressively prosecute individuals for FCPA violations, perhaps companies should emphasize accountability more in their compliance programs. By doing so, perhaps employees might understand that there really is their personal liberty on the line when they engage in something which might even approach a FCPA violation. Further, by emphasizing personal accountability, companies could demonstrate more pro-active approaches to compliance that the DOJ wants to see going forward.

Chandrasekaran’s remarks went beyond simply emphasizing personal accountability. He also spoke about accountability in the context of a company’s overall culture. In particular I found his thoughts about accountability, learning and culture quite insightful. He said, “Learning cannot be achieved by mandate. It has to be achieved by culture.” He added, “In our executive team meetings, we share experiences and case studies about failures and successes.”

But beyond simply this insight there should also be accountability for helping others achieve the company’s overall goals. While he did not limit it to compliance, I still found it applicable to a best practice compliance regime when he said, “Everybody has to take some accountability for other people, and look for ways to make small contributions to help others. Looking after people has to become everybody’s responsibility. Innovation and caring for people are cultures; they are not departments.” He did admit that such a change would not happen overnight and indeed he has been emphasizing this message for five years at Tata because “It takes time to build that culture.”

Chandrasekaran also had an insight into compliance through his views on company structure. Tata is a flat organization, with multiple business units. He did this so the largest number of employees would feel empowered to make decisions and work collaboratively. While I recognize that such views might be antithetical to US based companies with a more ‘command and control’ approach, Chandrasekaran explained that the leaders of those units are expected “to work together. We said the power of our company will be driven by how well they work together. In some of our bigger monthly meetings, we will start with people presenting examples of their collaborations.”

I considered all of the above in the greater context of a best practices anti-corruption compliance program. One of the things that the FCPA Guidance emphasized was the inter-relatedness of each component of your compliance program. While you might have greater risk in the area of third parties or doing business in certain areas of the world where there are higher perceptions of corruption, you should not pick and choose what prongs of a compliance program you implement. Each step builds upon one another and should all point to accountability for your actions in decision-making calculus for business decisions and their implementations.

However the concept of accountability is not one that is spelled out in the FCPA Guidance or in any formulation of a best practices compliance regime. Yet it is clear that accountability is something that underlies what a compliance program is trying to achieve. Just as Chandrasekaran learned early on there is a value to things; there is a value to time and there is a value to money. So they should be accounted for in the way you do business.

This might best be described as oversight of your compliance program. The issue your company should focus on here is whether employees are accountable within the ambit of your compliance program. Even after all the important ethical messages from management have been communicated to the appropriate audiences and key standards and controls are in place, there should still be a question of whether the company’s employees are accountable to the compliance program.

Two mechanisms to do so are through the techniques of monitoring, which is a commitment to reviewing and detecting compliance programs in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis. A second tool is auditing, which is generally viewed as a more limited review that targets a specific business component, region or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits that it is effectively monitoring. A robust program should include separate functions for auditing and monitoring. While unique in protocol, however, the two functions are related and can operate in tandem. Monitoring activities can sometimes lead to audits. For instance if you notice a trend of suspicious payments in recent monitoring reports from Indonesia, it may be time to conduct an audit of those operations to further investigate the issue.

Your company should establish a regular monitoring system to hold employees accountable to doing business under your compliance regime and Code of Conduct. Effective monitoring means applying a consistent set of protocols, checks and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. While it may seem that accountability means looking over every employees shoulder, it should not simply be seen as the workplace equivalent of parental oversight. Chandrasekaran explained that how you conduct yourself at work can have a huge impact on other employees. He said, “it’s sometimes very hard to imagine, early in your career, how much impact you can have. If you’re in a job and in an organization, the impact you can make is huge, because it’s all about being part of a group that’s driving impact. So look for those opportunities.” If you look for ways to demonstrate accountability you can influence a wide variety of others going forward.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

February 16, 2015

Economic Downturns and Increased Compliance Risk

Oil PricesOil is hovering around $50 per barrel. For most of the US economy this drop in oil price has provided a much-needed economic boost. One piece on the NPR website, entitled “Oil Price Dip, Global Slowdown Create Crosscurrents For U.S.”, said “economists have suggested the big drop in oil prices is a gift to consumers that will propel the economy.” Liz Ann Sonders, who is the chief investment strategist at Charles Schwab, was quoted as saying “The U.S. economy is 68 percent consumer spending, so right there you know that falling oil prices is a benefit.” Another economist said the positive effects could be “worth $400 billion” for the US economy as a whole.

But in the energy space, particularly in the city of Houston, Texas, this plunge has been devastating. It is so bad that in this past week’s issue of the Houston Business Journal (HBJ), it provided a ‘Box Score’ for energy company lay-offs. And that was before Halliburton announced a 10%-15% reduction and Hercules Offshore announced that it had laid off some 30% of its work force since last October. Nationally, for the energy industry, it will be just as bad. In the NPR piece, David R. Kotok, of Cumberland Advisors, said, “cuts in production and energy company payrolls will cost the U.S. economy up to $150 billion.” The Houston Chronicle headlined it was a “Bloodbath”.

I thought about what this plunge in the price of oil could mean for the compliance function in energy and energy related companies going forward. Many Chief Compliance Officers (CCOs) and compliance practitioners struggle with metrics to demonstrate revenue generation. Most of the time, such functions are simply viewed as non-revenue generating cost drags on business. This may lead to compliance functions being severely reduced in this downturn. However I believe such cuts would be far from short-sighted; they would actually cost energy companies far more in the short and long term.

Almost any energy company of any size has gone through a Foreign Corrupt Practices Act (FCPA) investigation, whether internal or formal by the Department of Justice (DOJ) or Securities and Exchange Commission (SEC). Many had gone through enforcement actions. The risk profiles of these companies did not change because of the drop in oil prices. Extractive resources are still located largely in countries with a high perception of corruption. In others, the inherent compliance risks that currently exist for energy companies will certainly not lessen. Unfortunately they may well increase.

At this point I see two increasing compliance risks for energy companies. The first is that companies will attempt to reduce their costs by cutting their compliance personnel. A tangent but equally important component of this will be that companies that do not invest the monies needed to beef up their oversight through monitoring or other mechanisms are setting themselves up for serious compliance failures.

Moreover, what will be the pressure on the business folks of such companies to ‘get the deal done’ with this slashing of oil prices? Further, if there is a 10% to 30% overall employee reduction, what additional pressures will be on those employees remaining to make their numbers or face the same consequences as their former co-workers?

I think both of these scenarios are fraught with increased compliance risks. For companies to engage in behaviors as I have outlined above would certainly bring them into conflict with the Ten Hallmarks of an effective compliance program as set out in the FCPA Guidance. For instance on resources, the FCPA Guidance does not say in a time of less income, when your compliance risk remains the same or increases, you should cut your compliance function or the resources to support it. Indeed it intones the opposite, when stating, “Those individuals must have appropriate authority within the organization, adequate autonomy from management, and sufficient resources to ensure that the company’s compliance program is implemented effectively.” Moreover, the FCPA Guidance adds, “Moreover, the amount of resources devoted to compliance will depend on the company’s size, complex­ity, industry, geographical reach, and risks associated with the business. In assessing whether a company has reasonable internal controls, DOJ and SEC typically consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk pro­file of the business.” So the resource issues is stated in reference to the risk profile of the business and not the current or fleeting economic issues of the day.

Also note that the FCPA Guidance speaks to an analysis from the DOJ side, which would presumably be a criminal side review. For instance, if a company cuts its compliance staff while its risk profile has not decreased, does this provide the required intent to commit a criminal act under the FCPA? Moreover, who would be the guilty party under such an analysis? Would it be the Chief Executive Officer (CEO) who ultimately decides we need a fixed percentage cut of employees or simply a raw number to be laid off? How about the department head (as in the CCO) who is told to cut your staff 10% or we will make the cuts for you? Or is it a company’s Human Resources (HR) department who delivers the dreaded knock on a compliance practitioner’s door (I’m from HR and could you come with me). What if a company’s decision-making authority is so decentralized that there is no one person who can be held accountable?

You should also note the SEC role in FCPA enforcement, as alluded to in the quote from the FCPA Guidance. There will be an assessment of internal controls. Now that the COSO 2013 Framework has become effective, will companies delay plans to implement the new Framework and to begin to audit against it? If so, would that be a per se FCPA violation?

But there is a second reason that I believe that energy companies risk profiles will increase in this industry-specific downturn. Unfortunately it will come from those employees who survive the lay offs. They will be under increased pressure to do the jobs of the laid-off folks so there will be a greater chance that something could slip through the cracks. If you are already working full time at one job and one, two or three other employees in your department are laid-off, which job is going to get priority? Will you only be able to put out fires or will you be able to accomplish what most business folks think is an administrative task?

But more than the extra work the survivors will have laid upon them will be the implicit message that some companies senior management may well lay down, that being Get the Deal Done. If economic times are tough, senior management will be looking even more closely at the sales numbers of employees. The sales incentives could very well move from a question of what will my bonus be if I close this transaction to one of will I be fired if I do not close this transaction. If senior management makes clear that it is bring in more business or the highway, employees will get that message.

Once again, where would the DOJ look for to find intent? Would it be the person out in the field who believed he was told that he or she either brought in twice as much work since there were half as many employees left after lay-offs? Would it be the middle manager who is more closely reviewing the sales numbers and sending out email reminders that if sales do not increase, there may well have to be more cuts? What about the CEO who simply raises one eyebrow and says we need to hunker down and get the job done?

What might be the DOJ or SEC reaction to the downsizing of compliance in the face of such increased compliance risk? The energy industry has not gone through this type of economic downsizing in the new age of FCPA prosecutions, largely since 2004, so there is no relevant time frame of FCPA enforcement to reflect from. However, the financial industry did go through such a contraction in the 2007-2010 time frame. We have seen the DOJ and other financial industry regulators draw huge penalties for a series of anti-money laundering (AML) and LIBOR scandals. My guess is that the DOJ and SEC will not allow companies to use economic arguments in the face of known and recognized increase in compliance risks. Indeed they may focus on some of these points as reasons for increased compliance vigilance in an energy company’s compliance function going forward.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

February 6, 2015

Arsenale and Incentivizing Compliance

ArsenaleI continue with a Venice themed blog post today by focusing on the Arsenale. No this is no a precursor to that famous north London football club, the Arsenal Gunners, but the district in Venice where one of the main commercial enterprises of the city took place, that being ship building and ship repair. At one point, the Arsenale employed almost 10% of the city’s workforce or 12,000 people. This was in the mid 1200s to the 1400s when Venice was at or near the height of its trading and financial power. The Arsenale developed the first production line for the building of ships, when, of course, it was all done by hand. The equipment developed to drag ships up on shore and repair was simply amazing. Appropriately, the Arsenale is now an Italian naval facility.

But I also picked up some interesting compliance insights in learning more about the Arsenale. The ship building techniques were of such a high level and importance to the city that they were viewed as state secrets. To protect against the loss of such valuable intellectual property, the Venetian city fathers put in a series of incentives and punishments that can help inform your best practices compliance program up to this day. First, and foremost, Venice forbade any skilled worker from leaving the city to go to work at a neighboring or rival city; the first non-compete and still widely used by corporate America today. Second was the punishment that if you were caught passing secret, you were summarily executed only after excruciating torture; while these techniques are not as widely used by corporate America today I am sure there are some non-enlightened corporate leaders who might like to re-institute one or both practices.

However over on the incentive side there were several mechanisms the City of Venice used to help make the Arsenale work force more loyal and desirous to stay in their jobs, all for the betterment of themselves and their city. The first was job security. The Arsenale was so busy for so many years that lay-offs were unheard of. Even if someone lost their job, through injury, mishap or worse; they received enough of compensation that they could live in the city. Finally, when a worker died, the company provided not only funeral expenses but would assist in taking care of the family through stipends or finding other work for family members.

This dual focus on keeping the state secrets of ship building and repair within the City of Venice reminded me of one of the points that representatives of the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) continually remind compliance practitioners about when discussing any best practices compliance program; whether based on the Ten Hallmarks of an Effective Compliance Program, as articulated in their jointly released FCPA Guidance, or some other articulation such as in a Deferred Prosecution Agreement (DPA) Attachment C. They continually remind Chief Compliance Officers (CCOs) and compliance practitioners that any best practices compliance program should have both incentives and discipline as a part of the program.

Regarding disincentives for violating the Foreign Corruption Practices Act (FCPA), the Guidance is clear in stating, “DOJ and SEC will thus consider whether, when enforcing a compliance program, a company has appropri­ate and clear disciplinary procedures, whether those proce­dures are applied reliably and promptly, and whether they are commensurate with the violation. Many companies have found that publicizing disciplinary actions internally, where appropriate under local law, can have an important deterrent effect, demonstrating that unethical and unlawful actions have swift and sure consequences.”

However, the Guidance is equally clear that there should be incentives for not only following your own company’s internal Code of Conduct but also doing business the right way, i.e. not engaging in bribery and corruption. On incentives, the Guidance says, “DOJ and SEC recognize that positive incentives can also drive compliant behavior. These incentives can take many forms such as personnel evaluations and promotions, rewards for improving and developing a company’s compliance pro­gram, and rewards for ethics and compliance leadership. Some organizations, for example, have made adherence to compliance a significant metric for management’s bonuses so that compliance becomes an integral part of management’s everyday concern.” But the Guidance also recognizes that incentives need not only be limited to financial rewards as sometime simply acknowledging employees for doing the right thing can be a powerful tool as well.

All of this was neatly summed up in the Guidance with a quote from a speech given in 2004 by Stephen M. Cutler, the then Director, Division of Enforcement, SEC, entitled, “Tone at the Top: Getting It Right”, to the Second Annual General Counsel Roundtable, where Director Cutler said the following:

[M]ake integrity, ethics and compliance part of the promotion, compensation and evaluation processes as well. For at the end of the day, the most effective way to communicate that “doing the right thing” is a priority, is to reward it. Conversely, if employees are led to believe that, when it comes to compensation and career advancement, all that counts is short-term profitability, and that cutting ethical corners is an ac­ceptable way of getting there, they’ll perform to that measure. To cite an example from a different walk of life: a college football coach can be told that the graduation rates of his players are what matters, but he’ll know differently if the sole focus of his contract extension talks or the decision to fire him is his win-loss record.

All of this demonstrates that incentives can take a wide range of avenues. At the recently held ACI FCPA Bootcamp in Houston, TX, one of the speakers said that the Houston based company Weatherford, annually awards cash bonuses of $10,000 for employees who go above and beyond in the area of ethics and compliance for the company. While some might intone that is to be expected from a company that only recently concluded a multi-year and multi-million dollar enforcement action; as the speaker said if you want emphasize a change on culture, not much says so more loudly than awarding that kind of money to an employee.

While I am sure that being handed a check for $10,000 is quite a nice prize, you can also consider much more mundane methods to incentivize compliance. You can make a compliance evaluation a part of any employee’s overall evaluation for some type of year end discretionary bonus payment. It can be 5%, 10% or even up to 20%. But once you put it in writing, you need to actually follow it.

But incentives can be burned into the DNA of a company through the hiring and promotion processes. There should be a compliance component to all senior management hires and promotions up to those august ranks within a company. Your Human Resources (HR) function can be a great aid to your cause in driving the right type of behavior through the design and implementation of such structures. Employees know who gets promoted and why. If someone who is only known for hitting their numbers continually is promoted, however they accomplished this feat will certainly be observed by his or her co-workers.

Just as the fathers of Venice viewed the workers of the Arsenale as critical to the well-being of their city, senior managers need to understand the same about their work force. In places like Texas, employees typically are incentivized with some enlightened remark along the lines of “You should just be happy you even have a job.” Fortunately there are real world examples of how corporate incentives can work into a compliance regime. The City of Venice long ago showed how such incentives could help it maintain a commercial advantage. Fortunately the DOJ and SEC still understand those valuable lessons and continue to talk about them as well.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

January 5, 2015

Germany in the World Cup and the Alstom FCPA Enforcement Action – Part II

Brazil-Germany Score“It was important that we played our game for 90 minutes.” That line was found in a The Daily Telegraph article entitled “The unthinkable scoreline: Brazil 1, Germany 7” by Jeremy Wilson. It was a quote from Mats Hummels, German World Cup starter, who participated in the single most memorable soccer game that I have witnessed, Germany’s win over Brazil in last year’s World Cup. As Wilson wrote, “It was the game for which the 2014 World Cup will be forever remembered but even now, almost six months on, just the scoreline retains its capacity to shock.” I would only add that the game will most probably be remembered for as long as soccer is played. Wilson ended his piece with “It was a sporting earthquake, and the aftershocks are still being felt.”

Somehow Wilson’s article seemed also an appropriate reflection on the Alstom Foreign Corrupt Practices Act (FCPA) enforcement action. While it is more recent in the minds of many Chief Compliance Officers (CCOs) and compliance practitioners, it is still reverberating and will continue to do so for the foreseeable future. I am in the middle of a three part blog post series exploring facets of the Alstom matter. In my first blog post, I explored the specifics of the settlement documents, the stunning criminal fine of over $772MM and the over 10 year bribery scheme involving multiple countries. Today I want to look at the ongoing obligations which Alstom has agreed to in the Deferred Prosecutions Agreements (DPAs) for the entities involved; Alstom Network Schweiz AG, Alstom Power Inc. and Alstom Grid Inc. (collectively herein “Alstom”). All the DPAs are identical in their Attachment C’s and all quotes below are from the DPAs.

For the CCO or compliance practitioner, one of the first stops in reviewing any DPA is always Attachment C, which lays out the Corporate Compliance Program that each settling party agrees to in any FCPA enforcement action. It provides the Department of Justice’s (DOJ) most current thinking on what constitutes a minimum best practices compliance program which is generally described as “(a) a system of internal accounting controls designed to ensure that the Company makes and keeps fair and accurate books, records and accounts; and (b) a rigorous anti-corruption compliance program that includes policies and procedures designed to detect and deter violations of the FCPA and other relevant anti-corruption laws.” The Alstom DPAs set the following requirements:

  1. High-level commitment. A company must ensure that its directors and senior management provide strong, explicit, and visible commitment to its corporate compliance policy. Stated differently, and again, “tone from the top.”
  2. Code of Conduct, Policies and Procedures and Internal Controls. A company should have a clearly articulated and visible corporate compliance policy memorialized in a written compliance code. The policies and procedures will address the following areas; (a) gifts, (b) hospitality, entertainment and expenses, (c) customer travel, (d) political contributions, (e) charitable donations and sponsorships, (f) facilitation payments and (g) solicitation and extortion payments. Finally, there should be a system of financial and accounting procedures, “designed to provide reasonable assurance: (a) transactions are executed with management’s general or specific authorization”; (b) transactions are “recorded as necessary to permit preparation of financial statements in conformity with generally accepted accounting principals” and to maintain accountability for the assets; (c) access to company assets is permitted only with management general or specific authorization; and (d) there is testing of assets at regular intervals.
  3. Periodic Risk-Based Review. The company should periodically evaluate no less than annually, these compliance codes on the basis of a risk assessment addressing the individual circumstances of the company, including “geographic organization, interactions with various types and levels of government officials, industrial sectors of operation, involvement in joint venture arrangements, importance of licenses and permits in the Company’s operations, degree of government oversight and inspection and volume and importance of goods and personnel clearing through customs and immigration. It also requires the company to update its compliance program “taking into account relevant developments in the field and evolving international and industry standards.”
  4. Proper Oversight and Independence. The company should assign responsibility to senior executives for the implementation and oversight of the compliance program. Those executives should have the authority to report directly to independent monitoring bodies, including internal audit and the Board of Directors, and should have autonomy from management. Compliance programs needed to be funded; they need to have an appropriate level of resources.
  5. Training and Guidance. The company should implement mechanisms designed to ensure that its compliance code is effectively communicated to all directors, officers and employees. This means repeated communication, frequent and effective training, and an ability to provide guidance when issues arise.
  6. Internal Reporting and Investigation. Alstom should have an effective system for confidential, internal reporting of compliance violations. It must also establish an effective process with sufficient resources for responding to, investigating, and documenting allegations of violations.
  7. Enforcement and Discipline. The company should implement mechanisms designed to enforce its compliance code, including appropriately incentivizing compliance and disciplining violations. The prong also includes the requirement that Alstom remedy the misconduct and take steps to ensure no recidivism.
  8. Third-Party Relationships. Alstom should institute compliance requirements pertaining to the oversight of all agents and business partners. This includes the full five steps in the lifecycle management of third parties going forward.
  9. Mergers and Acquisitions. Under this requirement, Alstom must perform pre-acquisition due diligence on any target companies it is looking at and engage in an appropriate risk assessment and due diligence by its legal, compliance and accounting functions. If an acquisition is made, the company integrate its compliance program into the newly acquired entity as soon as is practicable, put on an appropriate level of training and “when-warranted, conduct an FCPA-specific audit of newly acquired or merged businesses.”
  10. Monitoring and Testing. A company should conduct periodic reviews and testing of its compliance code to improve its effectiveness in preventing and detecting violations. Kick the tires regularly. As I said, compliance programs must evolve with changes in the law, business practices, technology and culture.

The company also has an ongoing reporting requirement that it promptly report to the DOJ any “possible corrupt payments or possible corrupt transfers of property or interests…for any person or entity working directly for the Company (including its affiliates and any agent) or that related false books and records have been maintained”.

Finally, Alstom will report to the DOJ annually and for a period of three years “regarding the remediation and implementation of the compliance program and internal controls, policies and procedures”. However, in a twist we have not seen previously, as long as Alstom “satisfies the monitoring requirements contained in the Negotiated Resolution Agreement between the Company and the World Bank Group”, it will not be required to sustain an external monitor. If Alstom fails to meet this burden, then “it will be required to retain an Independent Monitor.”

What does this mean for the compliance practitioner? I think the key is to do as Mats Hummels suggested and play your game for the full match. The DOJ has laid out what it expects to see in a best practices compliance program going forward. Although clearly related to the Ten Hallmarks of an Effective Compliance Program, found in the FPCA Guidance, there are some subtle differences and perhaps even shifts in emphasis. I think the two keys ones are found in No. 3 where the DOJ lays out not only the specific areas you need to assess your risk around but also mandates that evolving technological and industry standards be taken into account when upgrading or enhancing your compliance regime. Finally in No. 7, I think the DOJ comes as close as it can to mandating that the CCO position and compliance function be separate and apart from the General Counsel (GC) and company’s legal function.

Tomorrow some concluding thought on Alstom.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

December 18, 2014

Ty Cobb and the Compliance Performance Appraisal Review

Ty CobbToday we celebrate greatness, in the form of one of the greatest baseball players ever, with the anniversary of the birthday of Ty Cobb. Coming up to the majors as a center fielder for the Detroit Tigers in 1905, he emerged in 1907 to hit .350 and win the first of nine consecutive league batting titles. He also led the league that year with 212 hits, 49 steals and 116 RBIs. In 1909 he won the league’s Triple Crown for the most home runs (9), most runs batted in (107), and best batting average (.377). In 1911, he led the league in eight offensive categories, including batting (.420), slugging percentage (.621), hits (248), doubles (47), triples (24), runs (147), RBI (144) and steals (83), and won the first American League MVP award. He batted .410 the following season, becoming the first player in the history of baseball to bat better than .400 in two consecutive seasons.

Cobb set a record for stolen bases (96) and won his ninth straight batting title in the 1915 season. He faltered the next year, but came back to win another three straight titles from 1917 to 1919. He left the team in 1926 and signed with the Oakland Athletics, hitting .357 and becoming the first-ever player to reach 4,000 total career hits before retiring after the 1928 season. His record of nine consecutive batting titles as well as his overall number of 12 will never be succeeded.

While Cobb certainly had quite a bit of natural ability, he was also a very dedicated baseball player, forever working to improve his craft. He might not have taken well to criticism but he did work to improve all aspects of his game. One of the modern ways to improve employee performance is through an annual employee performance review. Recently I read an article in the Houston Business Journal entitled “6 Ways To Make Performance Reviews More Productive” by Janet Flewelling. I found her article provided some interesting perspectives on some of the ‘nuts and bolts’ work that you can put into your Foreign Corrupt Practices Act (FCPA) or UK Bribery Act anti-corruption program that can be relatively low-cost but can add potentially high benefits.

One of the ways to drive compliance into the DNA of an organization is through incentives such as making it a component of a year-end discretionary bonus payment. Indeed the FCPA Guidance states, “DOJ and SEC recognize that positive incentives can also drive compliant behavior. These incentives can take many forms such as personnel evaluations and promotions, rewards for improving and developing a company’s compliance pro­gram, and rewards for ethics and compliance leadership. Some organizations, for example, have made adherence to compliance a significant metric for management’s bonuses so that compliance becomes an integral part of management’s everyday concern.”

Most Human Resources (HR) experts will opine that properly executed performance appraisals are crucial to organizational productivity as well as the development of employee skills and employee morale. Moreover, they can serve a couple of different functions for a best practices compliance program. First, and foremost, they communicate to each employee their job performance from a compliance perspective. However, one key is not to approach the performance appraisal review as an isolated event but rather a continual process. This means that instead of trying to play catch-up at the last minute, supervisors should provide feedback and assess job performance throughout the year so annual reviews are grounded in a year’s worth of experience. This includes the compliance component of each job. The second area performance appraisals impact is compensation. As noted above, the DOJ and SEC expect that your compliance program will have both discipline and incentives. But those incentives need to be based upon something. The score or other performance appraisal metrics will provide to you a standard which you can measure and use to evaluate for other purposes such as employee promotion or advancement to senior management going forward.

In her article Flewelling provides six points you should consider which I have adapted for the compliance component of an annual employee performance appraisal. 

  1. Prioritize reviews in your schedule – You should schedule the employee performance appraisal at least several days in advance, rather than when a time slot suddenly opens up. You would make sure that you allot sufficient time for unhurried give and take between the reviewer and the employee.
  2. Review the entire year’s performance – You should resist the attempt to focus the discussion on the latest compliance experience. This is called recency bias. If a compliance issue arose in the past month or so, you need to keep it in perspective for the entire review period. Moreover, by focusing a review on a recent problem you may obscure prior accomplishments and make an employee feel demoralized. Take care not to go too much in the opposite direction as recency bias can work both ways, and one should not let a favorable recent compliance event overshadow the full review period.
  3. Do not hesitate to critique – Be generous with praise where it is warranted, but do not hesitate to discuss improvements needed in the compliance arena. Many supervisors are reluctant to confront and indeed desire to avoid confrontation. However remaining silent about an employee’s compliance shortcomings is a disservice to both the company and the employee.
  4. Do not dominate the conversation – Remember that you must give the employee time for self-appraisal and to ask questions or to comment about the feedback received from the compliance perspective. If there are specific questions or concerns raised by the employee you need to be prepared to address them as appropriate.
  5. Understand the employee’s role – You need to understand and appreciate that if the recent economy has resulted in many employees assuming the responsibilities of more than one position. If relevant to the employee, acknowledge that fact and take it into account in the review. This is certainly true from the compliance perspective as many non-Compliance Department employees have cross-functional responsibilities. If they claim not to have the time to handle their compliance responsibilities you will need to address this with the employee and perhaps structurally as well.
  6. Anticipate reprisal – Although it is rare, you can face the situation where an employee who is very dissatisfied with a review may refuse to sign it. The employee may be offered the opportunity to add a statement to the review. Also point out that the employee signature is an acknowledgement of receiving the review and does not signify agreement. If the employee still refuses to sign, have a second supervisor come in to witness the refusal. This may be particularly important from the compliance perspective.

Flewelling ends her piece by noting, “A proper annual review requires considerable effort from employee supervisors. It should be a full-year process involving regular guidance and feedback and perhaps several mini-reviews along the way. But rather than viewing it as onerous, supervisors should keep in mind that it is a tool for making their departments work more efficiently and yields better results for everyone involved.” I would add this is doubled from the compliance perspective. Nonetheless the potential upside can be significant from your overall compliance program perspective.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

December 15, 2014

Hiring and Promotion in Compliance – Wait for Great

7K0A0597The role of Human Resources (HR) in anti-corruption programs, based upon the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act, is often underestimated. I come from a HR background and practiced labor law early in my career so I have an understanding of the skills HR can bring to any business system which deals with legal issues; which is not only required of all businesses but certainly is true of FCPA or UK Bribery Act compliance. If your company has a culture where compliance is perceived to be in competition or worse yet antithetical to HR, the company certainly is not hitting on all cylinders and maybe moving towards dysfunction.

One of the Ten Hallmarks of an Effective Compliance program relates to the key role HR plays in incentives and discipline. However, another key area that is not given as much attention is in hiring and promotion. The FCPA Guidance states, “[M]ake integrity, ethics and compliance part of the promotion, compensation and evaluation processes as well. For at the end of the day, the most effective way to communicate that “doing the right thing” is a priority is to reward it. Conversely, if employees are led to believe that, when it comes to compensation and career advancement, all that counts is short-term profitability, and that cu tting ethical corners is an ac­ceptable way of getting there, they’ll perform to that measure. To cite an example from a different walk of life: a college football coach can be told that the graduation rates of his players are what matters, but he’ll know differently if the sole focus of his contract extension talks or the decision to fire him is his win-loss record.” In other words make compliance significant for professional growth in your organization and it will help to drive the message of doing business in compliance.

I thought about these concepts when I read an article in the Corner Office column of the Sunday New York Times (NYT), entitled “Sally Smith of Buffalo Wild Wings, on patience in hiring” where columnist Adam Bryant interviewed Sally Smith, the Chief Executive of Buffalo Wild Wings, the restaurant chain. She had some interesting concepts not only around leadership but thoughts on the hiring and promotion functions, which are useful for any Chief Compliance Officer (CCO) or compliance practitioner striving to drive compliance into the DNA of a company.

Leadership – Get Feedback

One of the early lessons which Smith learned about leadership is to set clear expectations. Bryant wrote that Smith told him, “You have to be really clear about what you want and what your expectations are. When you’re clear and everybody understands them, you have a much better chance of success than if you say, “Just do it.” It’s a great slogan, but you’ve got to know what it is that you’re just doing.” This is a constant battle for the compliance practitioner when senior management also makes clear that you must make your numbers as well. However this dynamic tension can be met and one of the best ways is to require business-types to make their numbers but doing so in a way that is in compliance with a company’s Code of Conduct and compliance regime.

A second leadership lesson that Smith has learned is around feedback. As you might guess from a Chief Executive, Smith has found that obtaining honest critiques about her management style from those who work under her is difficult to acquire. To overcome this reluctance she set up a program where her leadership can give anonymous reviews of her performance annually to the company’s Board of Directors. Bryant said, “My leadership team does a performance review on me each year for the board. It’s anonymous. They can talk about my management style or things I need to work on. If you want to continue growing, you have to be willing to say, “What do I need to get better at?”” This type of insight is absolutely mandatory for any best practices compliance program as anonymous reporting is also one of the Ten Hallmarks of an Effective Compliance program. But more than simply an anonymous reporting line for FCPA violations, how does your company consider feedback to determine how all levels of the company is doing compliance going forward or as the FCPA Guidance states, “From the boardroom to the shop floor.”

Hiring and Promotion – Waiting for Great

Here Smith had some thoughts put in a manner not often articulated. One of her cornerstones when hiring is to search out the best person for any open position, whether through an external hire or internal promotion. Bryant stated that Smith said “We use the phrase “wait for great” in hiring. When you have an open position, don’t settle for someone who doesn’t quite have the cultural match or skill set you want. It’s better to wait for the right person.”

Smith articulated some different skills that she uses to help make such a determination. Once a potential hire or promotion gets to her level for an interview, she will assume that person is technically competent but “I assume that you’re competent, but I’ll probe a bit to make sure you know what you’re talking about. And then I’ll say, “If I asked the person in the office next to you about you, what would they say?””

Passion and curiosity are other areas that Smith believes is important to probe during the hiring or promotion process. In the area of passion, Smith will “Often ask, “What do you do in your free time?” If they’re passionate about something, I know they’re going to bring that passion to the workplace.” Smith believes curiosity is important because it helps to determine whether a prospective hire will fit into the Buffalo Wild Wings culture. Bryant wrote, “I look for curiosity too, because if you’re curious and thinking about how things work, you’ll fit well in our culture. So I’ll ask about the last book they read, or the book that had the greatest impact on them.” Smith also inquires about jobs or assignments that went well and “ones that went off the tracks. You ask enough questions around those and you can determine whether they’re going to need a huge support team.”

I found these insights by Smith very useful for a compliance practitioner and the hiring and promotion functions in a compliance program. By asking questions about compliance you can not only find out the candidates thoughts on compliance but you will also begin to communicate the importance of such precepts to them in this process. Now further imagine how powerful such a technique could be if a Chief Executive asked such questions around compliance when they were involved in the hiring or promotion process. Talk about setting a tone at the top from the start of someone’s career at that company. But the most important single item I gleaned from Bryant’s interview of Smith was the “Wait for great” phrase. If this were a part of the compliance discussion during promotion or hiring that could lead to having a workforce committed to doing business in the right way.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

November 24, 2014

The FCPA Guidance: Still Going Strong at Two

Brithday TwoOne of the great things about Sunday afternoon is that Mike Volkov posts his Monday blog, when I usually have time to read it when I get the email notification that it is up. Yesterday he wished the Department of Justice’s (DOJ) and Securities and Exchange Commission’s (SEC) jointly released 2012 A Resource Guide to the U.S. Foreign Corrupt Practices Act (Guidance) a belated Happy 2nd Birthday and bemoaned the fact no one else had done so. Inspired, and somewhat chagrined by Volkov, I decided to blog today about a couple of the highlights from the FCPA Guidance.

I. The Ten Hallmarks of Effective Compliance Programs

As a ‘Nuts and Bolts’ guy I found the DOJ/SEC formulation of their thoughts on what might constitute a best practices compliance program, the most useful part. The Guidance cautions that there is no “one-size-fits-all” compliance program. It recognizes a variety of factors such as size, type of business, industry and risk profile a company should determine for its own needs regarding a Foreign Corrupt Practices Act (FCPA) compliance program. But the Guidance made clear that these ten points are “meant to provide insight into the aspects of compliance programs that DOJ and SEC assess”. In other words you should pay attention to these and use this information to assess your own compliance regime.

  1. Commitment from Senior Management and a Clearly Articulated Policy Against Corruption. It all starts with tone at the top. But more than simply ‘talk-the-talk’ company leadership must ‘walk-the-walk’ and lead by example. Both the DOJ and SEC look to see if a company has a “culture of compliance”. More than a paper program is required, it must have real teeth and it must be put into action, all of which is led by senior management. The Guidance states, “A strong ethical culture directly supports a strong compliance program. By adhering to ethical standards, senior managers will inspire middle managers to reinforce those standards.” This prong ends by stating that the DOJ and SEC will “evaluate whether senior management has clearly articulated company standards, communicated them in unambiguous terms, adhered to them scrupulously, and disseminated them throughout the organization.”
  2. Code of Conduct and Compliance Policies and Procedures. The Code of Conduct has long been seen as the foundation of a company’s overall compliance program and the Guidance acknowledges this fact. But a Code of Conduct and a company’s compliance policies need to be clear and concise. Importantly, the Guidance made clear that if a company has a large employee base that is not fluent in English such documents need to be translated into the native language of those employees. A company also needs to have appropriate internal controls based upon the risks that a company has assessed for its business model.
  3. Oversight, Autonomy, and Resources. This section began with a discussion on the assignment of a senior level executive to oversee and implement a company’s compliance program. Equally importantly, the compliance function must have “sufficient resources to ensure that the company’s compliance program is implemented effectively.” Finally, the compliance function should report to the company’s Board of Directors or an appropriate committee of the Board such as the Audit Committee. Overall, the DOJ and SEC will “consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.”
  4. Risk Assessment. The Guidance states, “assessment of risk is fundamental to developing a strong compliance program”. Indeed, if there is one over-riding theme in the Guidance it is that a company should assess its risks in all areas of its business. The Guidance is also quite clear that when the DOJ and SEC look at a company’s overall compliance program, they “take into account whether and to what degree a company analyzes and addresses the particular risks it faces.” The Guidance lists factors that a company should consider in any risk assessment. They are “the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs.”
  5. Training and Continuing Advice. Communication of a compliance program is a cornerstone of any anti-corruption compliance program. The Guidance specifies that both the “DOJ and SEC will evaluate whether a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners.” The training should be risk based so that those high-risk employees and third party business partners receive an appropriate level of training. A company should also devote appropriate resources to providing its employees with guidance and advice on how to comply with their own compliance program on an ongoing basis.
  6. Incentives and Disciplinary Measures. Initially the Guidance notes that a company’s compliance program should apply from “the board room to the supply room – no one should be beyond its reach.” There should be appropriate discipline in place and administered for any violation of the FCPA or a company’s compliance program. Additionally, the “DOJ and SEC recognize that positive incentives can also drive compliant behavior. These incentives can take many forms such as personnel evaluations and promotions, rewards for improving and developing a company’s compliance program, and rewards for ethics and compliance leadership.”
  7. Third-Party Due Diligence and Payments. The Guidance says that companies must engage in risk based due diligence to understand the “qualifications and associations of its third-party partners, including its business reputation, and relationship, if any, with foreign officials.” Next a company should articulate a business rationale for the use of the third party. This would include an evaluation of the payment arrangement to ascertain that the compensation is reasonable and will not be used as a basis for corrupt payments. Lastly, there should be ongoing monitoring of third parties.
  8. Confidential Reporting and Internal Investigation. This means more than simply a hotline. The Guidance suggests that anonymous reporting, and perhaps even a company ombudsman, might be appropriate to have in place for employees to report allegations of corruption or violations of the FCPA. Furthermore, it is just as important what a company does after an allegation is made. The Guidance states, “once an allegation is made, companies should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the company’s response, including any disciplinary or remediation measures taken.” The final message is what did you learn from the allegation and investigation and did you apply it in your company?
  9. Continuous Improvement: Periodic Testing and Review. As noted in the Guidance, “compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.” The DOJ/SEC expects that a company will review and test its compliance controls and “think critically” about its own weaknesses and risk areas. Internal controls should also be periodically tested through targeted audits.
  1. Mergers and Acquisitions.Pre-Acquisition Due Diligence and Post-Acquisition Integration.Here the DOJ and SEC spell out their expectations in not only the post-acquisition integration phase but also in the pre-acquisition phase. This pre-acquisition information was not something on which most companies had previously focused. A company should attempt to perform as much substantive compliance due diligence that it can do before it purchases a company. After the deal is closed, an acquiring entity needs to perform a FCPA audit, train all senior management and risk employees in the purchased company and integrate the acquired entity into its compliance regime.

II. Declinations

Many commentators such The FCPA Professor, Mike Volkov, myself and others have advocated that the DOJ release information about Declinations because they are an excellent source of information for the compliance practitioner about the DOJ’s thinking on FCPA enforcement issues. Indeed I had written, “In an area like Foreign Corrupt Practice Act (FCPA) enforcement, where guiding case law is largely non-existent, compliance practitioners must rely on the actions and decisions of federal enforcement agencies for information. Such information is available in the form of enforcement actions, the release of Deferred Prosecution Agreements (DPAs) and Non-Prosecution Agreements (NPAs), and hypothetical fact patterns presented to the Department of Justice (DOJ) through its Opinion Release procedure. But one highly valuable source of guidance has been kept from regulated entities and their counsels: DOJ and Securities and Exchange Commission (SEC) “declination” decisions, opinions which are drafted when the agencies decline to prosecute an individual or organization. A change is needed in this counterproductive policy. The release of substantive information on declinations would help foster greater compliance with the FCPA by providing practitioners with specific facts of circumstances where investigations did not result in an enforcement action.”

Whether the DOJ was answering any of the commentary, it hardly matters. But a significant section of the Guidance is dedicated specifically to six Declinations provided to companies which self-disclosed possible FCPA violations. The types of issues reported to the DOJ were as varied as mergers and acquisitions (M&A); actions by third parties on a company’s behalf which violated the FCPA; payments improperly made by company employees which were incorrectly characterized as facilitation payments; and illegal bribes paid out by a small group of company employees. From these Declinations, I derived the following points (1) The Company was alerted to possible corrupt conduct via its compliance program or internal controls. (2) Possible FCPA violations were self-reported or otherwise voluntarily disclosed to the DOJ/SEC. (3) The entities in question conducted a thorough internal investigation and shared the results with the DOJ/SEC. (4) The conduct violative of the FCPA was not pervasive and consisted of relatively small bribes or other corrupt payments. (5) The company took immediate corrective action against the person(s) engaging in the conduct. (6) Each company’s compliance program was expanded or enhanced and these enhancements were reflected in compliance training, internal process improvements and additional enhanced internal controls.

So here’s to the Guidance at the ripe of age of 2. Thanks for coming into all of our (compliance) lives. I have also held back the best for last; the Guidance is available for free on the DOJ website and you can download it by clicking here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

November 17, 2014

Opinion Release 14-02: Dis-Linking The Illegal Conduct Going Forward

Dis-linkOne of my favorite words in the context of Foreign Corrupt Practices Act (FCPA) enforcement is dis-link. I find it a useful adjective in explaining how certain conduct by a company must be separated from the winning of business. But it works on so many different levels when discussing the FCPA. Last week I thought about this concept of dis-linking when I read the second Opinion Release of 2014, that being 14-02. One of the clearest ways that the Department of Justice (DOJ) communicates is through the Opinion Release procedure. This procedure provides to the compliance practitioner solid and specific information about what steps a company needs to take in the pre-acquisition phase of due diligence. However, 14-02 directly answers many FCPA naysayers long incorrect claim about how companies step into FCPA liability through mergers and acquisitions (M&A) activity.

From the Opinion Release it was noted that the Requestor is a multinational company headquartered in the United States. Requestor desired to acquire a foreign consumer products company and it’s wholly owned subsidiary (collectively, the “Target”), both of which are incorporated and operate in a foreign country, never issuing securities in the United States. The Target had negligible business contacts in the US, including no direct sale or distribution of their products. In the course of its pre-acquisition due diligence of the Target, Requestor identified a number of likely improper payments by the Target to government officials of Foreign Country, as well as substantial weaknesses in accounting and recordkeeping. In light of the bribery and other concerns identified in the due diligence process, Requestor also detailed a plan for remedial pre-acquisition measures and post-acquisition integration steps. Requestor sought from the DOJ an Opinion as to whether the Department would then bring an FCPA enforcement action against Requestor for the Target’s pre-acquisition conduct. It was specifically noted that the Requestor did not seek an Opinion from the Department as to Requestor’s criminal liability for any post-acquisition conduct by the Target.

Improper Payments and Compliance Program Weaknesses

In preparing for the acquisition, Requestor undertook due diligence aimed at identifying, among other things, potential legal and compliance concerns at the Target. Requestor retained an experienced forensic accounting firm (“the Accounting Firm”) to carry out the due diligence review. This review brought to light evidence of apparent improper payments, as well as substantial accounting weaknesses and poor recordkeeping. The Accounting Firm reviewed approximately 1,300 transactions with a total value of approximately $12.9 million with over $100,000 in transactions that raised compliance issues. The vast majority of these transactions involved payments to government officials related to obtaining permits and licenses. Other transactions involved gifts and cash donations to government officials, charitable contributions and sponsorships, and payments to members of the state-controlled media to minimize negative publicity. None of the payments, gifts, donations, contributions, or sponsorships occurred in the US, none were made by or through a US person or issuer and apparently none went through a US bank.

The due diligence showed that the Target had significant recordkeeping deficiencies. Nonetheless, documentary records did not support the vast majority of the cash payments and gifts to government officials and the charitable contributions. There were expenses that were improperly and inaccurately classified. It was specifically noted that the accounting records were so disorganized that the Accounting Firm was unable to physically locate or identify many of the underlying records for the tested transactions. Finally, the Target had not developed or implemented a written code of conduct or other compliance policies and procedures, nor did the Target’s employees show an adequate understanding or awareness of anti-bribery laws and regulations.

Post-Acquisition Remediation

The Requestor presented several pre-closing steps to begin to remediate the Target’s weaknesses prior to the planned closing in 2015. Requestor aimed to complete the full integration of the Target into Requestor’s compliance and reporting structure within one year of the closing. Requestor has set forth an integration schedule of the Target that included various risk mitigation steps, dissemination and training with regard to compliance procedures and policies, standardization of business relationships with third parties, and formalization of the Target’s accounting and record-keeping in accordance with Requestor’s policies and applicable law.

DOJ Analysis

The DOJ noted black-letter letter when it stated, ““It is a basic principle of corporate law that a company assumes certain liabilities when merging with or acquiring another company. In a situation such as this, where a purchaser acquires the stock of a seller and integrates the target into its operations, successor liability may be conferred upon the purchaser for the acquired entity’s pre-existing criminal and civil liabilities, including, for example, for FCPA violations of the target. However this is tempered by the following from the 2012 FCPA Guidance, “Successor liability does not, however, create liability where none existed before. For example, if an issuer were to acquire a foreign company that was not previously subject to the FCPA’s jurisdiction, the mere acquisition of that foreign company would not retroactively create FCPA liability for the acquiring issuer.””

This means that because none of the payments were made in the US, none went through the US banking system and none involved a US person or entity that this would not lead to a creation of liability for the acquiring company. Moreover, there would be no continuing or ongoing illegal conduct going forward because “no contracts or other assets were determined to have been acquired through bribery that would remain in operation and from which Requestor would derive financial benefit following the acquisition.” Therefore there would be no jurisdiction under the FCPA to prosecute any person or entity involved after the acquisition.

The DOJ also provided this additional information, “To be sure, the Department encourages companies engaging in mergers and acquisitions to (1) conduct thorough risk-based FCPA and anti-corruption due diligence; (2) implement the acquiring company’s code of conduct and anti-corruption policies as quickly as practicable; (3) conduct FCPA and other relevant training for the acquired entity’s directors and employees, as well as third-party agents and partners; (4) conduct an FCPA-specific audit of the acquired entity as quickly as practicable; and (5) disclose to the Department any corrupt payments discovered during the due diligence process. See FCPA Guide at 29. Adherence to these elements by Requestor may, among several other factors, determine whether and how the Department would seek to impose post-acquisition successor liability in case of a putative violation.”

Discussion

Mike Volkov calls it ‘reading the tea leaves’ when it comes to what information the DOJ is communicating. However, sometimes I think it is far simpler. First, and foremost, 14-02 communicates that there is no such thing as ‘springing liability’ to an acquiring company in the FCPA context nor such a thing as simply buying a FCPA violation, simply through an acquisition only, there must be continuing conduct for FCPA liability to arise. Most clearly beginning with the FCPA Guidance, the DOJ and Securities and Exchange Commission (SEC) have communicated what companies need to do in any M&A environment. While many compliance practitioners had only focused on the post-acquisition integration and remediation; the clear import of 14-02 is to re-emphasize importance of the pre-acquisition phase.

Your due diligence must being in the pre-acquisition phase. The steps taken by the Requestor in this Opinion Release demonstrate some of the concrete steps that you can take. Some of the techniques you can use in the pre-acquisition phase include (1) having your internal or external legal, accounting, and compliance departments review a target’s sales and financial data, its customer contracts, and its third-party and distributor agreements; (2) performing a risk-based analysis of a target’s customer base; (3) performing an audit of selected transactions engaged in by the target; and (4) engaging in discussions with the target’s general counsel, vice president of sales, and head of internal audit regarding all corruption risks, compliance efforts, and any other major corruption-related issues that have surfaced at the target over the past ten years.

Whether you can make these inquiries or not, you will also need to engage in post-acquisition integration and remediation. 14-02 provides you with some of the steps you need to perform after the transaction is closed. If you cannot perform any or even an adequate pre-acquisition due diligence, the time frames you put in place after the acquisition closes may need to be compressed to make sure that you are not continuing any nefarious FCPA conduct going forward. But it all goes back to dis-linking. If a target is engaging in conduct that violates the FCPA but the target itself is not subject to the jurisdiction of the FCPA, you simply cannot afford to allow that conduct to continue. If you do allow such conduct to continue you will have bought a FCPA violation and your company will be actively engaging and participating in an ongoing FCPA violation. That is the final takeaway I derive from this Opinion Release; it is allowing corruption and bribery to continue which brings companies into FCPA grief. Opinion Release 14-02 provides you a roadmap of the steps you and your company can take to prevent such FCPA exposure.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

November 7, 2014

Don’t Collapse in the Wind – Knowledge is Power

Tacoma Narrows BridgeOn November 7, 1940, high winds buffeted the Tacoma Narrows Bridge leading to its collapse. The first failure came at about 11 a.m., when concrete dropped from the road surface. Just minutes later, a 600-foot section of the bridge broke free. Subsequent investigations and testing revealed that when the bridge experienced strong winds from a certain direction, the frequency oscillations built up to such an extent that collapse was inevitable. For posterity, the collapse of the Bridge was captured on film.

I thought about this spectacular engineering failure when I read, yet again, commentary about representatives from the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) appearing at for-profit conferences to give presentations to attendees. Personally, I was shocked, simply shocked to find out that one has to pay to attend these events. Further, it appears that one or more of the companies running these events, ACI, Momentum, IQPC, HansonWade, among others, might actually be for-profit companies. It was intimated that one of the ways the conference providers enticed registrants to pay their fees was to provide a forum of lawyers practicing in the Foreign Corrupt Practices Act (FCPA) space, to whom representatives from the DOJ and SEC could speak. Now I am really, really really shocked to find that people actually pay to obtain knowledge.

Armed with the new piece of information that there is a marketplace where people actually pay to obtain information, I have decided to practice what I preach and perform a self-assessment to determine if I am part of this commerce in ideas. Unfortunately I have come to the understanding that not only do I participate in that marketplace but also I actually use information provided by representatives of the US government in my very own marketing and commerce. So with a nod to Adam Smith’s Invisible Hand of the Marketplace; I now fully self-disclose that I digest to what US government regulators say about the FCPA, repackage it and then (try) and make money from it. (I know you are probably as shocked, shocked as I was to discover this.)

Where can one go to find out information about the FCPA, its enforcement and how the DOJ and SEC view compliance programs? First and foremost is the FCPA Guidance, jointly issued by the DOJ and SEC back in 2012. It is still the best one volume resource on the government’s thinking on a wide range of issues relating to the FCPA. For a ‘Nuts and Bolts’ guy like me, it even has some suggested building blocks of FCPA compliance called the Ten Hallmarks of an Effective Compliance Program. Of course, such a treatise must cost thousands of dollars so that it is only available to a very select few. Oops, it is available for FREE on the DOJ website. Darn, as I planned to buy up all of the copies and then put on for pay seminars across the world as the only source of such knowledge.

Since the FCPA Guidance is available for free, perhaps I can corner the market on all known enforcement actions and Opinion Releases. I am sure that they will provide lots of good information such as what might constitute an effective compliance program, what are some of the actions that got companies into FCPA hot water and suggestions by the DOJ and SEC as to what might have constituted compliance failures. I have even heard that in Opinion Releases, the DOJ will pass upon fact patterns and indicate if they believe such facts might be prosecuted for FCPA violations. Double oops, as all of those are publicly available as well and for FREE. Double Darn.

OK, well if the FCPA Guidance is free and all the enforcement actions and Opinion Releases are available for free; maybe I can corner the market on court opinions, which discuss the FCPA. I am a lawyer and I bet all the other lawyers would pay me if I were the only person in the world who had access to them (or even better yet we were in China where the trials are held in secret-imagine that market!). I know there are only a handful of such cases but imagine the power I would have if only I knew about them. Why I could I put on seminars and pay people to attend. Triple oops, as I just found out that the court decisions are public record and available for FREE. Drat.

Well if all this information about the FCPA is available for free what can I do to make money? Hmm, maybe, just maybe, if I put information together from all of the above sources in a book people might be interested in buying it. What if I wrote multiple books? Do you think there might be a market for such written texts? I certainly hope so and to further entice you to join in this nefarious act of for-profit commerce, I invite you to check out my latest book, Doing Compliance: Design, Create, and Implement an Effective Anti-Corruption Compliance Program, available at Compliance Week. Or perhaps you might want to purchase either of the other three printed or five eBooks I have written on FCPA compliance. But wait a minute, wouldn’t that mean I am making money off free government information? I guess I better self-disclose those facts and let the chips fall where they may. Hopefully Adam Smith will give me a declination of the Invisible Hand.

If no one will buy any of the books I have written, maybe they would attend training that I might put on. I could talk about all this free government information, put it in power points slides and other written materials and then charge people to get trained. I could even call it ‘FCPA Training’. Maybe I could go to other parts of the country and put on training, maybe in places where they might not have heard about all the free DOJ and SEC information. Of course, I would have to find such a place. But wait a minute, wouldn’t that mean I am making money off of free government information. I guess I better self-disclose that as well.

If no one will buy any books I write or go to training seminars that I might put on, I could always write a blog. Do you think anyone would pay to read a blog? Nah 

How about the following as a business strategy? I will tell people I am lawyer and I will give them legal advice on the FCPA. Of course to do so, I will have to use all of these free resources listed above and then charge clients for my legal services. Think there might be a market for that legal advice? I am not really sure so perhaps I should make a provisional self-disclosure that if any clients came to me for legal advice, I would charge them and hence engage in commerce. It would also allow me to apply to join that hallowed group, FCPA INC. whose members (1) practice law around the FCPA, (2) put on FCPA training, (3) write books on the FCPA and (4) generally pontificate on all things FCPA. Sounds like a great group to belong to, you think they will take me? If so I can’t wait to learn the secret handshake so I can proudly commune, in secret, with its members. Hopefully they will not haze pledges too badly, as I am way too old to survive another Pledge Week.

If you have not quite ascertained the point of today’s post, please consider the following – knowledge is power. If you want knowledge about the FCPA there are plenty of places you can look for free to obtain that knowledge. If you want to hear the DOJ or SEC’s most current thinking on FCPA related issues, you can also attend a (for-pay) FCPA conference. If so, I am sure I will see you there because I certainly value what they have to communicate to us. I also plan to continue to communicate it to you; sometimes even for profit. Long Live Adam Smith and his Invisible Hand! 

Always remember, a little knowledge can go a long way, even if you have to pay to garner it.

================================================================================================================================================================================================================================================

To further emphasize some of these articulations, I am pleased to announce that I will present some of my thoughts on the issue of internal controls in an effective compliance program, in a webinar hosted by The Network, next Tuesday, November 11 at 1 PM EST. For details and registration, click here.

On December 4, I will be making a live presentation on the recent trend for the DOJ and SEC to target internal controls in FCPA enforcement actions and the interplay with the COSO 2013 Update at a live event, hosted by The Network, in Houston. Baker and McKenzie partner Stephen Martin will be joining me and will discuss risk assessments in a best practices compliance program. For details and registration, click here.

And best of all both events are FREE, just like this video of the Tacoma Narrow Bridge collapsing.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

October 29, 2014

Doing Compliance-The Book

Doing ComplianceI have consistently tried to bring a ‘Nuts and Bolts’ approach to my writing about compliance. Last year when describing some of my writing on the building blocks of a Foreign Corrupt Practices Act (FCPA) compliance program to my friend Mary Flood, she said “That’s great but what about actually doing compliance?” Fortunately for me, she did not ask how as there is no telling just how much hot water answering that question would have gotten me into! Her idea about writing a book which a compliance practitioner could use as a one-volume reference for the everyday work of anti-corruption compliance was the genesis of my most recent hardbound book, Doing Compliance: Design, Create, and Implement an Effective Anti-Corruption Compliance Program. I am pleased to announce that the book is hot off the presses and now available for purchase through Compliance Week in the US and Ark Publishing in the UK.

Just as the world becomes more flat for business and commercial operations, it is also becoming so for anti-corruption and anti-bribery enforcement. Any company that does business internationally must be ready to deal with a business environment with these new realities. My book is designed to be a one-volume work which will give to you some of the basics of creating and maintaining an anti-corruption and anti-bribery compliance program which will meet any business climate you face across the globe. I have based my discussion of a best practices compliance program on what the Criminal Division of the US Department of Justice (DOJ) and Enforcement Division of the Securities and Exchange Commission (SEC) set out in their jointly produced “FCPA – A Resource Guide to the U.S. Foreign Corrupt Practices Act”, the FCPA Guidance, the ‘Ten Hallmarks of an Effective Compliance Program.” The FCPA Guidance wisely made clear that there is no ‘one-size-fits-all’ approach when it stated, “Individual companies may have different compliance needs depending on their size and the particular risks associated with their businesses, among other factors.” Thus, the book is written to provide insight into the aspects of compliance programs that DOJ and SEC assesses, recognizing that companies may consider a variety of factors when making their own determination of what is appropriate for their specific business needs.

This book does not discuss the underlying basis of the FCPA, the UK Bribery Act or any other anti-corruption or anti-bribery legislation. I have assumed the reader will have a modicum of knowledge of these laws. If not, there are several excellent works, which can provide that framework. The book is about doing business in compliance with these laws. As with all Americans, I appreciate any list that is deca-based, so the format of 10 hallmarks resonates with me. I have used this basic ten-part organization in laying out what I think you should consider in your anti-corruption and anti-bribery compliance program. In addition to presenting my own views in these areas, I also set out the views of both FCPA practitioners and commentators from other areas of business study and review. The book includes the following:

Chapter 1 – Where It All Begins: Commitment from Senior Management and a Clearly Articulated Policy against Corruption  It all begins at the Top, what should management say and do? ‘Tone at the Top’ is a great buzz word but how does a company truly get the message of compliance down through the ranks? This chapter discusses the techniques management can use to move the message of compliance down through middle management and into the lower ranks of the company.

Chapter 2 – Some Written Controls: Code of Conduct and Compliance Policies and Procedures  The Cornerstone of your antibribery/anti-corruption compliance program is set out in your written standards and internal controls which consist of a Code of Conduct, Compliance Policy and implementing Procedures. This chapter discusses what should be in the written basics of your compliance program and how best to implement these controls.

Chapter 3 – For the CCO: Oversight, Autonomy, and Resources The role and function of a Chief Compliance Officer (CCO) in any compliant organization cannot be overstated. Simply naming a CCO is no longer enough to meet even the minimum requirements of best practices. One of the key areas that the DOJ will review is how is a CCO allowed to fulfill his role. Does the position have adequate resources? Does it have autonomy and support in the corporate environment? Does the Board of Directors exercise appropriate oversight? This chapter reviews the Compliance Function, Oversight, Autonomy and Resources and relates structuring the compliance function in an organization.

Chapter 4 – The Cornerstone of Your Compliance Program: Risk Assessment It all begins here, as a risk assessment is the road map to managing your compliance risk. The implementation of an effective compliance program is more than simply following a set of accounting rules or providing effective training. Compliance issues can touch many areas of your business and you need to know not only what your highest risks are, but where to marshal your efforts in moving forward. A risk assessment is designed to provide a big picture of your overall compliance obligations and then identify areas of high risk so that you can prioritize your resources to tackle these high-risk areas first. This chapter discusses what risks you should assess, the process for doing so and using that information going forward.

Chapter 5 – Getting Out on the Road: Training and Continuing Advice Once you have designed and implemented your compliance program, the real work begins and you must provide training on the compliance program and continuing advice to your company thereafter. This means that another pillar of a strong compliance program is properly training company officers, employees, and third parties on relevant laws, regulations, corporate policies, and prohibited conduct. However merely conducting training usually is not enough. Enforcement officials want to be certain the messages in the training actually get through to employees. The expectations for effectiveness are measured by who a company trains, how the training is conducted, and how often training occurs. This chapter discusses getting the message of compliance out to your employees.

Chapter 6 – Do As I Do & As I Say: Incentives and Disciplinary Measures Any effective compliance program will use a variety of tools to help ensure that it is followed. This means that you must employ both the carrot of incentives and the stick of disciplinary measures to further compliance. How can you burn compliance into the DNA of your company? Discipline has long been recognized as an important aspect of a compliance regime but more is now required. This chapter relates structuring compliance into the fabric of your company through hiring, promotion of personnel committed to compliance and how to reward them for doing business ethically and in compliance with the FCPA.

Chapter 7 – Your Greatest Source of FCPA Exposure: Third Parties and How to Manage the Risk Third Parties are universally recognized as the highest risk in any compliance program. Indeed it is estimated that well over 90% of all FCPA enforcement actions involve third parties. Therefore it is important how to manage this highest risk for an anti-corruption program. This chapter provides a five-step process for the investigation and management of any third party relationship; from agents in the sales chain to vendors in the supply chain.

Chapter 8 – How Do I Love Thee: Confidential Reporting and Internal Investigations In any company, your best source about not only the effectiveness of your compliance program but any violations are your own employees. This means that you must design and implement a system of confidential reporting to get your employees to identify issues and then have an effective internal investigation of any issues brought to your attention. Your own employees can be your best source of information to prevent a compliance issue from becoming a FCPA violation. This chapter provides the best practices for setting up internal reporting and investigating claims of compliance violations.

Chapter 9 – How to Get Better: Improvement: Periodic Testing and Review Once you have everything up and running you still need to not only periodically oil but also update the machinery of compliance. You do this through the step of continuous improvement, which is the use of monitoring and auditing to review and enhance your compliance regime going forward. A company should focus on whether employees are staying with the compliance program. Even after all the important ethical messages from management have been communicated to the appropriate audiences and key standards and controls are in place, there should still be a question of whether the company’s employees are adhering to the compliance program.

Chapter 10 – Should I or Shouldn’t I? Mergers and Acquisitions The last thing you want to bring in through an acquisition is another company’s FCPA violation for which your company must pay the piper; also known as buying a FCPA violation. Effectively managing your mergers and acquisitions (M&A) process can help you to identify risk areas in a potential acquisition and then remediate any issues in the post-acquisition integration phase. This chapter gives you the most recent pronouncements on how to avoid FCPA exposure in this key area of corporate growth and to use the M&A function to proactively manage compliance.

Chapter 11 – A Few Words about Facilitation Payments One of the key differences between the US FCPA and UK Bribery Act is that the US law allows facilitation payments. However, in today’s interconnected world, to allow one part of your company to make facilitation payments while UK subsidiaries or others covered by the UK Bribery Act are exempted out from your standard on facilitation payments has become an administrative nightmare. This chapter explores what is a facilitation payment, how the policing of your internal policy has become more difficult and some companies which have been investigated regarding their facilitation payments. It also provides guidelines for you to follow should your company decide to allow them going forward.

So with thanks to Mary Flood for the idea, Matt Kelly, the Editor of Compliance Week for the publishing platform and Helen Roche & Laura Slater and the rest of the team at Ark Publishing for getting me through the publishing process in a professional manner, I am published to announce that Doing Compliance: How to Design, Create, and Implement an Effective Anti-Corruption Compliance Program is now available for purchase.

You can purchase a copy of Doing Compliance: How to Design, Create, and Implement an Effective Anti-Corruption Compliance Program in the US by clicking here. You can purchase a copy of Doing Compliance: How to Design, Create, and Implement an Effective Anti-Corruption Compliance Program in the UK by clicking here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com. © Thomas R. Fox, 2014

« Previous PageNext Page »

Blog at WordPress.com.