FCPA Compliance and Ethics Blog

May 10, 2013

Use Planes, Trains and Automobiles to get to Compliance Week 2013

Patriots PictureTo say I am excited would be putting it mildly. Yes that most premier of compliance related conferences is on the short horizon; Compliance Week 2013 is nearly upon us. It will be from May 20-22 at the Mayflower Hotel in Washington DC. As usual, Matt Kelly and his outstanding team have put together a first rate program for the General Counsel (GC), compliance practitioner (in-house or outside counsel), FCPA Bar/FCPA Inc. or even Mike Volkov’s good friends, the FCPA Paparazzi. If there is one national compliance conference that you can attend each year, for my money, this is the event.

As Matt Kelly has said, the theme of Compliance Week 2013 is “Seeing All the Data” and is designed as “a testament to how vital it is that compliance executives have visibility into all the information and operations at their enterprises. That could be anything from tracking all your third parties, or monitoring all the data your business collects about customers, or seeing all the regulatory risks you face as you build a risk-management program.” This theme is certainly appropriate as I believe that 2013 will be the year that the use of data in transaction;  third party; relationship and all other forms of ongoing monitoring will make any compliance program more robust. There are several sessions where these topics will be explored, including the following: Continuous Transaction Monitoring That Works, the Kroll Benchmarking Report, Mapping Data on Information Governance, Automating Third Party Risk, and Financial Reporting. This plethora of sessions speaks to the emergence of technology as a tool to support compliance.

Another key theme of Compliance Week 2013 is leadership. The first day of the conference is the subject of leadership. The first keynote speaker on Day One is Ed Breen, the chairman and former Chief Executive Officer (CEO) of Tyco International Ltd, who had to pick up the tatters of that company in 2002, as his predecessor went off to prison, and then rebuild the entire operation. The second keynote speaker on Day One is retired Major General Lewis MacKenzie, former head of U.N. peacekeeping forces in Yugoslavia, Central America, Middle East and Vietnam. Some of the sessions on Day One regarding leadership will focus on the practical; how to position the compliance department as an asset rather than an obstacle; how to craft a Code of Conduct that fits your business and culture; how to do business in India, Latin America, and elsewhere.

For the FCPA consigliori amongst you, I will once again be leading a conversation on the most recent Foreign Corrupt Practices Act (FCPA) developments. With the recent Parker Drilling Company and Ralph Lauren Corporation resolutions and the various individuals who have been indicted or have pled out, it promises to be an interesting and informative time for anyone interested in all things FCPA. If it turns out that after my session you are still craving more insight about effective compliance with the FCPA there will be a session entitled “FCPA Guidance, Right From the Source”. This session will address any lingering questions you may have about the FCPA guidance published last fall by the Department of Justice (DOJ) and Securities and Exchange Commission (SEC). The panel will include the top FCPA enforcers from both the DOJ and SEC, who will offer their latest thinking on anti-bribery enforcement and answer questions from the audience about best practices and putting agency guidance to good use.

If your compliance challenges reach beyond the FCPA, there will be sessions which deal with broader compliance themes. In the area of export control, one conversation will have regulators who will discuss issues related to sponsoring a foreign-born worker here in the United States; some of the implications of the export control reform effort on investigations and prosecutions; and the absolute requirement to know your customer. There will also be a session which showcases the Boeing Co.’s approach to trade compliance, from monitoring regulatory changes to developing processes that simplify compliance and examples of how the Boeing program was implemented in its business units.

If internal controls are more to your taste or needs, then check out the panel discussion regarding FMC Corp. You will hear from the company’s internal control team that implemented an automated system to collect and monitor financial data: the software they used; the controls they streamlined; the high-level components of internal controls they did not automate, and the results so far. More focused on training? One session will discuss how to align business and compliance objectives with training, how to ensure you get the data you need to demonstrate progress, and what tools you can use to deliver training to a diverse workforce cost effectively. If you want to move beyond training and into embedding compliance into your company’s DNA, check out this session “Beyond Training: Articulating & Embedding Company Values”. This session will discuss how organizations with the most ethical rigor want to embed their cultural values in everything they do, so employees know how to conduct themselves in any circumstance, not just in moments of obvious crisis.

So whether it’s by plane, train or automobile, I hope that you can get to Compliance Week 2013. To help you do so, I have been authorized to offer a discount to readers of my blog. For registration and information, click here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

November 9, 2012

The Red Scare: Knowledge and the Importance of Due Diligence

 Ed. Note-we continue our series of guest posts from our colleague Mary Shaddock Jones, who today looks at the importance of due diligence.

At midnight on November 9, 1989, East Germany’s rulers gave permission for the Berlin Wall, separating East and West Berlin, to be opened up.  Ecstatic crowds immediately began to clamber on top of the Wall and hack large chunks out of the 28-mile barrier.  I remember viewing the scene on T.V.  It was a momentous moment in world history.  For those of you who may not know, while East Germany never officially adopted a “red flag” for its country, on most official buildings, the national flag (black-red-gold with hammer and circle) was flown with a solid red flag flown next to it!  Twenty-two years later the “fall of the Red Flag of East Berlin”, seems like distant memory.  However, for businesses doing business internationally the “red flag” has once again come to represent a warning or a threat in terms of liability under the FCPA

The Lay Person’s guide to the FCPA published by the Department of Justice warns U.S. firms about their choice of overseas partners and agents. A bad choice is someone who is likely to make corrupt payments. That likelihood, the DOJ says, is usually indicated by warning signs called “red flags.” If there are red flags to start with, and if the intermediary does bribe a foreign official to help the business, the company will have trouble arguing it shouldn’t be responsible for an FCPA violation based on an indirect corrupt payment.

Red flags, as the name suggests are easy to spot, and include such things as: (1) unusual payment patterns or financial arrangements;  (2) a history of corruption in the country;  (3) a refusal by the foreign joint venture partner or representative to certify that it will not take any action that would cause the U.S. firm to be in violation of the FCPA; (4) unusually high commissions; (5) Lack of transparency in expenses and accounting records; (6) An apparent lack of qualifications or resources on the part of the joint venture partner or  representative to perform the services offered; and, (7) a recommendation from the local government of the intermediary to hire this particular third party.

Although red flags are often relatively easy to discover, the failure to look may result in a company being subject to severe penalties.  As a result,  prior to dealing with any third party, companies should conduct Due Diligence in an  attempt to discover whether the third party is involved in any prohibited corrupt practices or has some connection to a foreign government official that you may not be aware of.  Due diligence is thus an essential tool, as it allows one to acquire knowledge of any existing or potential “red flags”, thus enabling entities to make informed decisions on whether or not to interact with or transact business with certain persons and entities.

The practical pointer for today’s blog is this- The undeniable truth is that Companies must know who they are doing business with and, as importantly, why they are choosing to do business with this particular entity.  This requires the accumulation of information! In order to collect adequate information concerning prospective third-party Agents or Business Partners, many companies are now using a consistent set of tools, for example: (1) questionnaires requiring the person within the company who is recommending the retention of a third party to provide basic information such as the reasons for engagement, the specific services required, how prospective third-party individuals or companies were selected for possible service, relevant experience and capabilities of the prospective third party, whether the prospective third-party would need to interact with government officials, how much and in what manner the third party should be compensated, etc.; (2) a questionnaire submitted to the prospective third party requesting significant information regarding the ownership, physical location, management, experience, relationship to foreign government officials, references of the third party and an assurance by the third party that it understands and is willing to comply with anti-corruption laws and regulations; (3) some method of vetting the reputation and background of the prospective third-party representative or business partner. Ultimately,  the level of due diligence required will generally be commensurate with the level of perceived risk.

When conducting due diligence of high-risk third parties, one should typically employ the services of  third party professionals.  These professionals can help insure that the high risk third party does not pose potential FCPA liability through the use of various means such as: checks of corporate filings and business records, legal proceedings, Internet searches, and adverse media checks.  Furthermore,  many emerging markets and developing countries pose such a great risk of FCPA liability, that additional due diligence procedures including “in-country” (a/k/a “boots on the ground”) searches may be required such as: conducting searches of localized public records, phone interviews, site visits, and reference checks.

Consider the following policy language:

Under the U.S. FCPA,  the Company and its Personnel could be liable for indirect offers, promises of payments, or payments to any Government Official (or to private entity if the UK Bribery Act is involved) if such offers, promises, or payments are made through an Agent or Partner with the knowledge that a Government Official will be the ultimate recipient. As a result, it is important that the Company, through the Company Compliance Officer, consider the necessity of conducting anti-corruption due diligence on a prospective Agent or Partner. If after performing a risk assessment the Company concludes that a due diligence investigation should be conducted, then the extent of the investigation must be determined.  The degree of due diligence the Company will perform depends upon a lot of factors, including the dollar value of the arrangement, the expected contact with government officials, and the country at risk.  In making the determination, the Company will consider whether the transaction raises “red flags”.

Examples of common “red flags” with third parties are as follows:

  • The prospective acquisition target, Agent, or Partner insists that its identity remain confidential or refuses to divulge the identity of its owners, directors, or officers.
  • Family, business or other ‘special’ ties with government or political officials.
  • Reputation for violation of local law or company policy, such as prohibitions on commissions, or currency or tax law violations. Also negative press, rumors, allegations, investigations or sanctions.
  • The transaction or the prospective acquisition target, Agent, or Partner is or operates in a country where there is widespread corruption or a history of bribes and kickbacks
  • Requests from government officials or agencies to engage or hire specific third parties.
  • Inadequate credentials for the nature of the engagement or lack of an office or an established place of business.
  • Missing or inadequate documentation to support services and invoices. Unsupported charges or expenses, requests for payment of non-contracted amounts.
  • Convoluted or complex payment requests, such as payment to a third party or to accounts in other countries, requests for payments in cash or requests for upfront payment for expenses or other fees.
  • Requests for political, charitable contributions or other favors as a way of influencing official action.
  • Third party has a reputation for getting ‘things done’ regardless of circumstances or suggests that for a certain amount of money, he can fix the problem or “make it go away”.

All due diligence investigations conducted by the Company will include an analysis of potential “red flag” issues.  Investigations of potential “red flag” issues should be carefully documented and relevant documents, such as due diligence, questionnaires, reports, and compliance certificates, should be maintained by the Company Compliance Officer or his or her designee.

On Monday, we will examine contractual language to consider when contracting with approved Agents and Partners.  Stay tuned.

 Mary Shaddock Jones has practiced law for 25 years in Texas and Louisiana primarily in the international marine and oil service industries.  She was of the first individuals in the United States to earn TRACE Anti-bribery Specialist Accreditation (TASA).  She can be reached at msjones@msjllc.com or 337-513-0335. Her associate, Miller M. Flynt, assisted in the preparation of this series.  He can be reached at mmflynt@msjllc.com.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor.


December 23, 2011

Coalition for Excellence in Compliance Releases Restricted Party Screening and Other Export Compliance Best Practices

Ed. Note-I often talk about compliance convergence. Today we host a guest post from our colleague and fellow UT Longhorn, Doug Jacobson. This article originally appeared in Doug’s blog, International Trade Law News. In his blog Doug discusses news, analysis and information on export control, sanctions, customs law, FCPA, anti-dumping and other international trade issues. We reprint his article, with his permission, in its entirety.
The Coalition for Excellence in Export Compliance (CEEC) (pronounced “seek”), a voluntary group of experienced export compliance professionals from leading companies, law firms, research organizations and consulting firms, recently released a series of detailed and practical standards containing best practices on a wide range of important topics for export and sanctions compliance programs.

CEEC’s mission is to provide a uniform set of best practices that companies and trade compliance professionals could use to provide clarity over the existing patchwork of official and unofficial guidance regarding export and sanctions compliance requirements and programs. The best practices are not tied to any particular country’s laws or requirements and are intended to be applicable worldwide.
To date, CEEC has issued best practices covering a wide range of topics, including: screening, training, classification, personnel, management commitment, license determinations and use, and intangible exports. Additional compliance-related best practices topics will be issued by CEEC in the near future.
CEEC’s best practices on Restricted Party Screening  contains valuable guidance on restricted party screening programs and ways to implement screening programs. For example, CEEC’s restricted party screening best practices provides recommendations on the types of parties to be screened, how and when screening should be conducted, the structure of restricted party screening programs, the lists to check and how matches and potential matches to restricted party lists should be handled.
With respect to the types of parties to be screened, CEEC’s screening best practices note that both domestic and international transactions should be screened, since certain restrictions may apply to domestic transactions, domestic transactions may be part of an international transaction, and reputational concerns may exist. The screening best practices provide a detailed list of the types of parties that should be screened (to the extent applicable), including customers, suppliers, freight forwarders, banks, agents, ship to parties, etc.
CEEC’s screening best practices indicate that a “software tool should be used for screening” and that it should “employ a “fuzzy logic” algorithm to identify close as well as identical matches.” Of course, because restricted party list changes are often effective immediately, the “the automated screening tool must promptly update all applicable watch lists as these lists are changed and updated by issuing authorities.”
As for the structure of a restricted party screening program, CEEC’s screening best practices recommend that the screening process should be documented, and it could be “advantageous to centralize the screening program” in order to “minimize duplicative work and promote uniformity.”
Regarding the lists to check, CEEC advises that a “risk analysis should be done to determine which lists (by country, type, etc.) are needed for the organization to use for screening.” For example, it “may be appropriate to use different lists for different businesses, different categories of transactions, or different geographic locations.”
CEEC’s screening best practices provides specific information and guidance on the frequency of screening and at what point in the screening process screening should be done. For example, the best practices recommend that new business partners should be screened prior to the first transaction or other business dealing and that organizations “should consider implementing procedures to screen at the time the business partner is entered into the organization’s database, when background or credit checks are run, when quotes or proposals are requested, or at some other time, as appropriate.” The best practices indicate that “the intervals in between database screenings should be measured and limited in order to mitigate the risk of doing business with a restricted/prohibited/denied party.”
Finally, with respect to screening matches and potential matches, CEEC’s best practices state that an organizations’ restricted party screening process “must allow for a transaction to be halted unless and until any screening matches are cleared. To minimize business disruption, potential matches should be cleared as promptly as possible and the determination “should be documented.” When an actual match to a restricted party list occurs, the CEEC best practices advise that “depending upon the nature of the list, the legal applicability in the jurisdiction, and an evaluation of reputational concerns, the process must allow for determination by an authorized person whether the transaction may proceed . . . and this decision should be documented.”
CEEC members encourage comments and suggestions for improving the best practices and CEEC’s website contains a contact page for the submission of comments on their efforts to date.
We wish a Happy Holidays to all and in spite of what Rick Perry may say, you can say Merry Christmas out loud.

December 9, 2011

Compliance Convergence: Deemed Exports

I write regularly about compliance convergence. One of the areas which converge with anti-corruption compliance is export control. Within the area of export control, a sub-area which is little discussed and less understood, is the area of deemed exports. I recently saw an article on this issue in the Oct/Nov issue of the SCCE Magazine, entitled “Understanding the compliance risk of deemed exports” by Anthony Hardenburgh. The author, Vice President of Global Trade Content for Amber Road (formerly Management Dynamics Inc,) laid out the regulations governing this issue and then delineates some controls to manage this export control risk of deemed exports.

What is a Deemed Export?

As a general rule, a deemed export occurs when US technology, which otherwise requires a license for export, is made available to a foreign national by verbal communication, visual inspection or practical use within or outside the United States. The deemed export rule is of great importance to both universities and in the business world. There are numerous ways in which a deemed export can occur. It can come through discussions by professional colleagues in academia, presenting a paper with licensed technology at a conference or by a plant tour of your company.

The consequences of a violation of the deemed export rule can be severe. An administrative penalty can be the greater of $250,000 or twice the value of the transaction involved for each administrative violation. Such a violation can also include the denial of export rights, which for a company with an international business can be devastating. There can also be a criminal penalty attached for serious violations, with a fine levied of up to $1MM and/or up to 20 years in prison. Indeed a University of Tennessee professor was criminally convicted and sentenced to 48 months in prison for “allowing foreign students access to export-controlled research”, in spite of warnings by the university compliance officer that such conduct was not allowed under the deemed export rule.

Risk Management

What steps can you, as a compliance officer, take to manage this risk? Hardenburgh notes that many compliance officers will not know or even understand everything happening in every university lab or company test facility. The management of this risk begins with preventative steps which Hardenburgh lists as follows:

  • Written Export Control Policy, including Deemed Exports.
  • Ongoing training on this Policy.
  • Continuing communications to employees.
  • Risk evaluation to determine if export licenses are required. If licenses are required make certain that such technology is not made available until the licenses are obtained.
  • Monitoring the entire process to detect any deviations from the Compliance Program.
  • Safeguard licensed technologies from viewing or release to foreign nationals.
  • Document all steps taken.

Compliance Convergence

The steps that Hardenburgh has suggested will not sound new or radical to the compliance professional. Determining if a risk exists, evaluating that risk and then managing that risk is standard fair in the compliance world. The deemed export rule is just one additional risk that should fall under compliance through export control. Although the penalties can be severe, the solutions to manage the risk are relatively straight-forward.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

May 19, 2011

Compliance Convergence: Export Control

Previously we have written about Compliance Convergence, which noted Compliance Expert Howard Sklar, the author of Open Air Blog, has termed as “the merging of control programs such as anti-bribery and anti-corruption, with anti-money laundering, and export control.”, in regard  to the Foreign Corrupt Practices Act (FCPA) and touched on briefly with regards to anti-money laundering laws and regulations. Today we will turn our attention to Howard’s third prong in Compliance Convergence, that of Export Control.

Generally speaking, a Company must comply with all applicable export control laws in the country of origin of the products including, in some instances, the components contained within the products and technologies they are exporting; and all applicable international sanctions that may not be directly addressed in national law (e.g., United Nations sanctions programs). Witness the recent sanctions entered into by the US, UN and EU regarding trade with Libya.

What are some of the lists that a company must check for each overseas transaction? They include the US Department of State’s International Traffic in Arms Regulations (ITAR), which control the export and re-export of military products and technologies. The ITAR site contains a list compiled by the State Department of parties who are barred by §127.7 of ITAR (22 CFR §127.7) from participating directly or indirectly in the export of defense articles, including technical data or in the furnishing of defense services for which a license or approval is required by ITAR.

The Bureau of Industry and Security (BIS) has two lists which a Company must review. These include 1) the Denied Persons List, which provides a list of individuals and entities that have been denied export privileges. Any dealings with a party on this list that would violate the terms of its denial order are prohibited; and 2) the Unverified List which provides a list of parties where BIS has been unable to verify the end use in prior transactions. The presence of a party on this list in a transaction is a “red flag” that should be resolved before proceeding.

The US Treasury Department, Office of Foreign Assets Control (OFAC) has regulations which may prohibit a transaction if a party one of these lists. These lists can include both the Specially Designated Nationals (SDN) list and the General Order 3 to Part 736 (page 9) which sets out the general order which imposes a license requirement for exports and re-exports of all items subject to the Export Administration Regulations (EAR) where the transaction involves a party named in the order.

Therefore, a company must ensure that the US government permits it to export (1) its goods; (2) to the buyer; (3) in a particular company. But more is required that simply checking the status of to whom a company might be selling directly to, even if such buyer is located in the US. Writing in the In-House Texas supplement to the March 7, 2011 edition of the Texas Laywer, Jackson Walker attorney Robert Soza, Jr. in an article entitled, “Establish an Effective Export-Compliance Program’ noted that “multiple US export-control requirements come into play if a company’s actions indicate that it knows that its goods will be exported abroad such as delivering a product to a US port.”

Soza goes on to write that the creation and implementation of an export control policy and program “minimizes the risk of non-compliance and may reduce penalties in the result of a violation.” He sets forth his guidelines of what an effective export control compliance program should include.

1.     Top and Middle Management Committee. The tone from management must support the company’s overall export control efforts.

2.     Continuous Risk Assessment. If a company does not currently have a compliance program, it should initiate an evaluation to determine if it has violated any US export controls laws or regulations in prior transactions.

3.     A written policy back up by a procedures manual. The policy should be spelled out in writing with the detailed procedures filled in on how to conduct an effective export control system.

4.     Ongoing training of employees. Training should be provided for all employees with international sales responsibilities, marketing, export and those involved with the hiring of foreign nationals. The training can be live or web-based. The training should be designed to provide employees with the keys which trigger day-to-day regulatory implications.

5.     Ongoing screening of employees, contractors, customers, products and transactions. There must mechanism through software or other methods for the continuous monitoring of these items and individuals. Simply checking any of the above once only provides a snapshot at the time the review was made. In this current compliance and enforcement environment such checks must be made on each transaction and more continually for employees, contractors, customers and products.

6.     Record Keeping (Document, Document, Document). If you do not keep records and document something you cannot measure it and if you cannot measure it you cannot improve. However, when dealing with the government, if you do not document it, you cannot prove it.

7.     Period Audits. After you have put your export control policy in place, your company should engage in an effective continuous export controls assessment and regular spot audits will help to ensure compliance.

8.     An internal program for the reporting of violations and appropriate mechanism for escalation of any export violations. In addition to some type of hotline for the reporting of any export control violations, your company should have a dedicated export control resource expert who can be available to answer question and generally provide assistance to those employees charged internally with export control.

9.     Appropriate corrective actions to hold employees accountable under a progressive disciplinary program and voluntary self-disclosure. A policy has no teeth if there are no repercussions to employees who violate the export control program. If there are violations, the government will expect to see discipline and training based on event.

(Any of this sounding familiar?)

Soza concluded his article by stating:
While it is often difficult to obtain senior management commitment to an export-compliance program [a company] simply cannot afford to sell their products and services internationally without such a program in place. Penalties for failure to comply with these requirements may result in the loss of export privileges, fines and imprisonment, not to mention damaging publicity.

We do not believe that we could have articulated it better. Compliance Convergence in these areas demonstrates that the ostrich days of a sticking your head in the sand regarding export controls are long gone. But just as convergence demonstrates the widening scope of compliance, we believe that it provides opportunities for cross-discipline compliance. Export control needs to talk to the FCPA compliance attorney and let them know the screening they perform on a regular basis. A company’s treasury or finance department needs to communicate its offshore payment policy regarding its prohibition of payment of any invoices in countries other than the home country of the payee or where the work was perform. There is an opportunity to learn from each of these disciplines so take advantage of the Compliance Convergence in your company.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

Blog at WordPress.com.