FCPA Compliance and Ethics Blog

August 14, 2013

Bad Things Come In Threes for CCOs

It is often said that bad things come in threes. I have often wondered where this phrase came from. So I checked out Wikipedia, no luck there. How about trying Google as the harbinger of all knowledge? Again no such luck there. Not even About.com could help. Of course there is the good old saying ‘3 strikes and you’re out’ but I suspect that was based on something which preceded it. Whatever the origin of this folkloric belief, all I can say is that over the past couple of weeks, Chief Compliance Officers (CCOs) have taken it on the chin three times and, once again, the job of the CCO just got quite a bit harder and more challenging.

I. Banned for Life

Submitted for your consideration is the first item of bad news for the CCOs out there. It is the decision released on August 2nd by Securities and Exchange Commission (SEC) Administrative Law Judge Carol Fox Foelak (no relation), In the Matter of Daniel Bogar, Bernerd Young and Jason Green. Young was the CCO for disgraced financier Allen Stanford’s companies. For those who may not remember, Allen Stanford sold “so-called certificates of deposits” through his offshore bank in Antigua, Stanford International Bank Ltd. Unfortunately for all, it turned out that Stanford was running a massive Ponzi-scheme by paying off old investors with monies invested by new ones, to the tune of over $7bn. Stanford was convicted for his crimes.

Young was not charged with or convicted of participating in the Ponzi-scheme. However, he was slapped with an administrative penalty for failing to note or follow up on red flags, which, had he investigated, may have uncovered the scheme earlier. These acts (or perhaps inactions) included providing materials to financial advisors which, had he inquired into them, he would have determined were false. There were instances where company whistleblowers and others brought information to Young which, had he properly investigated it, would have led him to determine that a Ponzi-scheme was in place. The Administrative Law Judge also cited the conduct of Allen Stanford himself as raising a red flag which the CCO should have investigated.

As to the penalties that Young received, how about the following: disgorgement of $591,992.46, a penalty of $260,000 and a bar from “association with any broker, dealer, investment adviser, municipal securities dealer, municipal advisor, transfer agent, or nationally recognized statistical rating organization and IS PROHIBITED, permanently, from serving or acting as an employee, officer, director, member of an advisory board, investment adviser or depositor of, or principal underwriter for, a registered investment company or affiliated person of such investment adviser, depositor, or principal underwriter.” In other words, Young can never be a CCO again or work in this industry again.

Why is this decision so significant to CCOs? It is often said that bad facts make bad law. The facts surrounding Allen Stanford and his multi-billion Ponzi-scheme, short of Bernie Madoff, are about as bad as it gets. Maybe Young does deserve a severe spanking for his role in not asking questions. But the problem for CCOs is that there is now a precedent for at least a civil proceeding to be filed by the SEC for failure to engage in sufficient due diligence, see red flags and perform proper investigations. This, coupled with the size of the disgorgement, penalty and lifetime ban on working as a CCO or in the industry, makes the CCO world quite a bit darker today.

II. Is Your Code of Conduct Mere Puffery?

The second example is the Dismissal granted by the US District Court for the Northern District of California, in the shareholder derivative action, entitled “Cement & Concrete Workers District Council Pension Fund, et al., v. Hewlett Packard Company, et al.” This lawsuit was some of the continued fallout from the Mark Hurd era at Hewlett Packard (HP). As reported in an AmLaw Litigation Daily article, entitled “Morgan Lewis Beats HP Securities Suit over Hurd Conduct”, “in the fall of 2007, the company hired a marketing consultant named Jodie Fisher.” Fisher later “accused Hurd of sexual harassment. He resigned later that year. The harassment claims were never substantiated, but an internal investigation performed by Covington & Burling turned up evidence that Hurd used company resources to wine and dine Fisher and then tried to hide the relationship from HP’s board.” Hurd later admitted that he had a “very close personal relationship” with Fisher.

A shareholder action was brought by the plaintiff who claimed in part that “HP and Hurd made false and misleading statements when they (1) issued and updated HP’s Standards of Business Conduct Brochure (SBC) in 2006, May 2008 and June 2010”. In the Plaintiff’s Complaint they said that “These statements were misleading because in light of Hurd’s endorsement of these tenets, there was an implication that Hurd was in fact in compliance with them. In truth, Hurd was knowingly violating each of these tenets in his dealings related to Fisher, by (a) inappropriately using his position as CEO to attempt to pursue a romantic relationship with Fisher, (b) submitting expense reports that did not accurately reflect their meetings, and (c) knowingly allowing Fisher to receive compensation and/or expense reimbursement where there was not a legitimate business purpose.”

However, the District Court made short shrift of the plaintiff’s claims. In its dismissal, the Court said, “Generally speaking, the 2008 and 2010 SBCs, as well as other statements relating to HP’s ethical code of conduct, do not constitute actionable misrepresentations or omissions because they are not material. “‘[V]ague, generalized, and unspecific assertions’ of corporate optimism or statements of ‘mere puffing’ cannot state actionable material misstatements of fact under federal securities laws. Such statements include those that are not “‘capable of objective verification’” or “‘lack[ ] a standard against which a reasonable investor could expect them to be pegged.’” “When valuing corporations, . . . investors do not rely on vague statements of optimism like ‘good,’ ‘well-regarded,’ or other feel good monikers.” “Instead, “professional investors, and most amateur investors as well, know how to devalue the optimism of corporate executives.””

How about that to warm the heart of every CCO out there? For that matter how about the Department of Justice (DOJ) or SEC who said in their jointly released FCPA Guidance that “A company’s code of conduct is often the foundation upon which an effective compliance program is built. As DOJ has repeatedly noted in its charging documents, the most effective codes are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf.” So for all the talk that we preach about the importance of a Code of Conduct, at least one court has now said it is ‘mere puffing’. Do you think that the Chief Executive Officer (CEO) will want to spend a bunch of money for an aspirational, puffery statement? I hope so because the DOJ and SEC still say it is important. But if a corporation ever takes the DOJ to trial in a Foreign Corrupt Practices Act (FCPA) matter, there is at least one court that has said a Code of Conduct is not important.

III. Try Getting Your Records Out of Germany Now

Our third, and final item, comes courtesy of Nicholas Elliott from the Wall Street Journal (WSJ) Risk and Compliance Journal, in an article entitled “The Morning Risk Report: Germany’s Forceful Privacy”. Elliott reports that it is “going to be more complicated to do business in Germany, the fifth largest trading partner of the U.S. Angered by news that the U.S. National Security Agency’s electronic surveillance efforts included Germans, that country’s data-protection body declared last month that most data transfers to the U.S. breach its laws. This stance affects not only data transfers for which companies seek approval but also those covered under safe-harbor provisions of European law”.

This may well severely constrict the ability of US companies to investigate, audit or even monitor their German operations or German citizens who are employees or third parties to the company. Not that German companies and citizens have always been 100% clean when it comes to bribery and corruption (See: Siemens-corp division and Ecclestone, Bernie-ind. division). But clearly the US government has seriously infuriated some of its major trading partners for its spying to try and enforce the FCPA and this will come back to bite many US companies in the behind if they cannot get data and information out of Germany and are faulted by the DOJ and SEC for their failure to do so.

I wrote about the data privacy issue back in June in light of Edward Snowden’s revelations about National Security Agency (NSA) spying and the attendant fallout. This issue is now in the forefront of EU-US trade negotiations. In an article in the Financial Times (FT), entitled “Data scandal clouds trade talks”, Hannes Swoboda, leader of the socialist members of the European Parliament, was quoted as saying “With all the information that we’ve found out in the recent days about how easily the US spies on people’s private data I think it will be difficult for the Americans to oppose a strong data protection agreement.” The article notes that many of the rules proposed for EU data protection are opposed by US companies because “their business models would be damaged.”

Elliott ends his article with the following, “At the same time, European privacy rules will probably be tightened, with a proposal for fines levied on companies that share data without customers’ permission. The Wall Street Journal reported last week that such rules could create further legal uncertainty by conflicting with U.S. laws such as the Patriot Act and Foreign Intelligence Surveillance Act.” Amen.

These three strikes have the following effects: (1) denigrating an entire compliance regime of a company by declaring its foundational document ‘mere puffing’; (2) putting the CCO’s backside on the firing line for a civil or potentially criminal action if they do not uncover FCPA violations; and (3) making illegal the removal of certain data from Germany where not to do so may well be an FCPA violation. Be afraid, be very afraid…

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

June 11, 2013

FCPA Enforcement as a Security Issue and Implications for the Compliance Practitioner

One of the things that has long puzzled me is what led to the significant rise in the enforcement of the Foreign Corrupt Practices Act (FCPA) beginning in the 2003-2004 time frame. One of the more consistent theories that I have heard proffered, by Dan Chapman, Dick Cassin, Alexandra Wrage and others, is that after 9/11, the Bush administration viewed corruption as a security issue. I admit that I was not totally sold on this theory until last week when the FCPA Blog, in an article entitled “NSA spying also linked to FCPA enforcement”, reported that the National Security Agency (NSA) has engaged in economic espionage for the benefit of the United States and perhaps others. The FCPA Blog quoted a story from the American Spectator, entitled “Rise of the Surveillance State”, by James Bovard. One of the items which Bovard discussed is the program monikered ‘Echelon’, which he described as “a spy satellite system run by the National Security Agency along with the United Kingdom, Australia, New Zealand, and Canada. Echelon reportedly scans millions of phone calls, e-mail messages, and faxes each hour, searching for key words.”

Apparently this program is also used for FCPA enforcement. Bovard wrote that “A February report by the European Union alleged that Echelon has been used for economic espionage. Former CIA Director James Woolsey told a German newspaper in early March that Echelon collects “economic intelligence.” One example Woolsey gave was espionage aimed at discovering when foreign companies are paying bribes to obtain contracts that might otherwise go to American companies. Woolsey elaborated on his views in a condescending March 17 Wall Street Journal oped, justifying Echelon spying on foreign companies because some foreigners do not obey the U.S. Foreign Corrupt Practices Act. To add insult to injury, Woolsey noted there’s no reason for U.S. companies to steal backward Europe’s secrets.” Isn’t that a comforting thought when the US claims the Chinese are stealing secrets through computer hacking?

But what are the implications for the compliance professional? For a more Orwellian prediction, John Batchelor, in an article entitled “NSA Scandals: FCPA Compliance Game Changer?”, has this chilling prediction, “Currently it takes months or years to develop a solid FCPA case and most of those end up with fines and some type of penalty. Could that change to a new way of enforcement where the government targets a company, identifies corruption, gathers evidence, and instead of going through the motions, simply calls them to schedule a meeting, slapping a fine and a series of actionable tasks for the company in question? It’s not happening now, but that is a question.” It would seem to do away completely with the concept of due process so I would discount this scenario as unlikely.

However, Batchelor does point out that such government oversight might well occur in countries which are known or perceived to be high risk for corruption. He says, “Under the FCPA we focus on anti-bribery, however, with our current emphasis on national security, I think there is a serious question to ask for any company that operates in high CPI areas where terrorist cells or money laundering outfits to terrorist cells operate.” From this premise, Batchelor poses several topical inquiries which you should consider now. They include: “How well do you know your agents? How well do you know their relationships? How well do you know the companies they are affiliated with? Are there red-flags that low-level DPL type screenings might not uncover?”

I believe that the revelations which came out last week will make the compliance professional’s job more difficult, but that difficulty may well be due to the backlash against not only the massive collections of data that the US government is obtaining through its surveillance programs but also the arrogance shown in statements like that of former CIA Director Woolsey quoted in the American Spectator article. I believe that there are three general areas which will negatively affect US compliance professionals.

First, is in the area of data access. Edward Luce, in a Financial Times (FT) article entitled “Obama has hurt himself and business over privacy”, said that the “US is losing credibility in its goal of trying to stop the internet from balkanizing into separate national frameworks.” While Luce discussed this in terms of the US criticism of “the great firewall of China”; a US investor might think about the Securities and Exchange Commission’s (SEC’s) struggle to get China to agree to allow auditors to provide data to the US consistent with US securities laws, or laws which the SEC enforces, such as the books and records component of the FCPA.

Second, what about data privacy? I think that the acknowledgement of the US surveillance programs will lead other countries to toughen up their data privacy requirements. This means that the compliance professional will be faced with an even more bewildering set of data privacy requirements to deal with to accurately assess a company’s compliance program. For the intelligence angle, Luce quoted Ira Hunt, the CIA’s chief technology officer for the following, “Since you can’t connect the dots you don’t have…we fundamentally try and collect everything and hang on to it forever.” However, we now know that this surveillance also was used for other law enforcement issues such as enforcement of the FCPA. While foreign governments cannot legislate privacy as to the data collected by the US government, they certainly can do so vis-à-vis US companies doing business in their jurisdictions or home-domiciled foreign companies which are subject to the FCPA through a US subsidiary.

Indeed this very issue is now in the forefront of EU-US trade negotiations. In another article in the FT, entitled “Data scandal clouds trade talks”, Hannes Swoboda, leader of the socialist members of the European Parliament was quoted as saying, “With all the information that we’ve found out in the recent days about how easily the US spies on people’s private data I think it will be difficult for the Americans to oppose a strong data protection agreement.” The article notes that many of the rules proposed for EU data protection are opposed by US companies because “their business models would be damaged.”

Lastly, what about jurisdiction and the FCPA? Currently if a banking transfer goes through the US banking system, FCPA jurisdiction attaches. While it has not yet been tested, several commentators have spoken about information which might be saved on servers based in the US. So what if information appears on Google or through a Google-search or on Facebook? Now take the next step and ask, if there is data mining, which strikes pay dirt, could that create or even portend jurisdiction?

As an American, I understand the need for enhancing security protocols after 9/11. It is an irritation, but only that, similar to taking off my shoes to go through security, all courtesy of Richard Reid, ‘the Shoe Bomber’. Further, these US government surveillance programs, which have been ongoing through both a GOP and Democratic administration, were authorized by an overwhelming majority of both houses of the US Congress and have judicial oversight. But many outside the US may not see the same needs and protections that I see in place. Luce said in his article, “Washington’s reassurances are irrelevant to the 3.4bn non-Americans who are online…But foreigners might not be comforted to learn that their privacy is protected by a secret US court, which is overseen by a select group of US lawmakers who are themselves sworn to secrecy.”

I think that the job of the compliance practitioner just got a lot tougher.


February 11, 2013

Quadrophenia and Four Compliance Issues

This past weekend I saw the remaining members of The Who perform in their Quadrophenia Tour. While I had seen Roger Daltrey perform the rock opera Tommy, I had never seen Pete Townshend in concert. To say I was blown away would be putting it mildly, especially as Quadrophenia does not even make it into my top three favorite Who albums, which are, in descending order, Who’s Next, Tommy and Live at Leeds. While Roger Daltrey’s voice was not as strong as it was during his Tommy tour, no doubt due to the longer duration of this tour, it was still a great performance and it was worth it to see Pete Townshend. He can still rock. Also they ended the show with three songs from Who’s Next, which alone was worth the price of admission.

The story generally revolves around four themes based upon the four personalities of the members of the band: Daltrey, Townshend, Keith Moon and John Entwistle. However, it was also a play on (for those of you old enough to remember) quadraphonic sound. According to Pete Townshend, “The whole conception of Quadrophenia was geared to quadraphonic, but in a creative sort of way. I mean I wanted themes to sort of emerge from corners. So you start to get the sense of the fourness being literally speaker for speaker.” So inspired by ‘fourness’ today, I will review four issues that have, or will, impact the compliance practitioner.

I. EU and Data Privacy

In an article in the Financial Times (FT), entitled “EU refuses to bend on tough data privacy law”, reporter James Fontanella-Khan wrote that Viviane Reding, the EU Commissioner for Justice, said that she will continue to fight any US attempts to water down its proposed data protection and privacy law, “which would force global technology companies to obey European standards across the globe.” Further, “Exempting non-EU countries from our data protection regulations is not on the table. It would mean applying a double standard.” Fontanella-Khan said that “US tech companies argue that it would be unfair for them to be subject to EU laws that are too stringent and could result in expensive administrative burdens and hefty fines for errant companies.” Can you think of any US laws that non-US companies have to comply with?

Issues for the compliance practitioner? There could be a myriad, from internal investigations, to sharing data with US regulators to ongoing monitoring and auditing. While it is currently US technology companies which are leading the fight against these new tough standards, non-tech companies could do well to assess how these changes may well impact them.

II. Will DOJ Open FCPA Investigation Against EADS?

Perhaps not fully appreciating the irony in reporting the EADS story in the same issue as the above EU data privacy story, the FT also had an article by Carola Hoyos, entitled “FBI probe of EADS unit claims”, who reported that the Federal Bureau of Investigation (FBI) has interviewed “a witness and taken possession of documents in connection with allegations” that a British subsidiary of the European aerospace entity EADS, named GPT Special Management Systems, bribed Saudi Arabian military officials, in connection with business dealings. Hoyos reported that GPT “made ₤11.5 of unexplained payments – some via the US – to bank accounts in the Cayman Islands.”

Although there is no known US Department of Justice (DOJ) investigation open into the EADS matter at this point, Hoyos noted that it was the DOJ which led the effort to investigate and eventually fine the UK company BAE in the amount of $400MM after the British government ordered the Serious Fraud Office (SFO) inquiry into allegations of BAE bribery for sales of equipment into Saudi Arabia “citing economic and diplomatic interests”. The FBI interviews occurred even though the SFO is currently investigating the matter. Hoyos also reported that EADS “maintained that its own investigations into the matter had yielded no evidence of wrongdoing.”

III. Think Before You Hit That Send Button

In a post in his blog, the D&O Diary, entitled “Damning E-mails: Can We Talk?”, author Kevin LaCroix wrote that “revelations this past week arguably represent some type of high-water mark, as a cluster of serious allegations were accompanied by a trove of embarrassing excerpts from emails and instant messages. While the latest disclosures provide yet another reminder of the dangers associated with ill-considered use of modern electronic communications technology, they also raise questions about the use that regulators and claimants are attempting to make of the communications.” He was talking about the Commodity Futures Trading Commission’s press releases announcing RBS’s settlement this past week of charges of alleged Libor manipulation, which drew heavily on excerpts from the bank’s internal electronic communications. While noting that “emails do sometimes in fact evidence wrongdoing” the problem with them “is that when seemingly damning email excerpts are blasted into the media, it is very difficult to appreciate the larger context within which the excerpts fit.”

As much as he has distaste for the selective use of emails in this manner by regulators, LaCroix believes that they can provide a teachable moment. He writes that “a useful exercise to try to adopt is to pause and ask yourself, before hitting “send”, how the message would look if it were to fall into the hands of a hostile and aggressive adversary who was looking for ways to try to make you or your company look bad. Were this simple test to be more widely implemented, we would certainly see a marked reduction in, for example, running email jokes about the French maid’s outfit. My final thought is this – we all know that many electronic messages are written in haste and sometimes with insufficient care. With full awareness of this attribute of electronic communications, we should hesitate to jump to too many conclusions about the seemingly damaging inferences that could be drawn from email or instant message excerpts. But we should also learn from the inferences that regulators and claimants are trying to draw and try to take that into account in our own communications.” I could not have put it better myself.

IV. Trust Your Gut and Raise Your Hand

There have recently been a plethora of articles about ‘big data’ and how it can help in the monitoring of a Foreign Corrupt Practices Act (FCPA) compliance program. I have been one of the folks to write and talk about it. However, in an article in the New York Times (NYT), entitled “Sure, Big Data is Great. But So Is Intuition”, reporter Steve Lohr wrote that while he thinks that big data is a powerful tool and an unstoppable trend, it “might be a time for reflection, questions and qualms about this technology.” This is because, like all mathematical models, big data is “a simplification.” He quotes Thomas Davenport for the following. “A major part of managing Big Data projects, he says, is asking the right questions: How do you define the problem? What data do you need? Where does it come from? What are the assumptions behind the model that the data is fed into? How is the model different from reality?”

So the underlying basis for analyzing big data may actually be “too simple minded, rather than too smart.” All of this leads back to intuition. I would add that if the hair on the back of your neck stands up, your gut tells you something is wrong or something does not smell right, it probably isn’t right. The implications for the compliance practitioner? I would like to propose that the largest is in the area of training. What I try and tell non-compliance practitioners when I put on training is that if you see, smell or sense one of the above, just raise your hand. You do not have to know the ins and outs of the FCPA or know the answer but I do ask that you raise your hand and get the issue to a person who does have the expertise to analyze the issue.

If you have the chance to see The Who on their Quadrophenia Tour, all I can say is to drop whatever you are doing and go see it. I do not know if it will be your last chance to see Pete Townshend but when he winds up for one of those trademark windmill slams down the guitar strings, just close your eyes and listen. It is pure bliss and a quad of sensations for the ages.
