Agents | FCPA Compliance and Ethics Blog

December 12, 2014

Seamus Heaney and Compliance With a Seat at the Table

I have long been fascinated with the Irish poet Seamus Heaney. I came to know him thought his 1999 translation of Beowulf. While I was aware that he had been awarded the 1995 Nobel Prize for Literature, I did not know his work as an Irish poet. However, this was rectified in a piece in the Times Literary Supplement (TLS), entitled “A stay against confusion – Seamus Heaney and the Ireland of his time”, by Roy Foster. In this piece he reviewed the evolution of Heaney’s poetry through the 1960s and 1990s. Foster believed that Heaney’s work in many ways mimicked the growth that “Irish intellectual as well as social and economic life”. Heaney began as a ‘nuts and bolts’ type of poet and moved to become a Yeatsian figure as the national poet of Ireland.

I thought about that growth and Foster’s article when I considered the question of what happens if you seek for something and then actually get it? For instance, you may have wanted a seat at the C-Suite table as a Chief Compliance Officer (CCO) and now you have one. What happens now, for instance in the situation where you find out that your company has decided to enter a new overseas market with a new product offering? The Chief Executive Officer (CEO) who championed you coming onboard with the big boys (or perhaps big girls) team looks down and says, “We need an analysis from the compliance perspective by the end of the week?” Where do you begin?

Obviously there are some preconditions for success such as your company should have a product that you can make and sell overseas for a profit. Further, you should have the time, money and sophistication to develop an international distribution network and you have the home office infrastructure to support a truly international business. Finally, you should have a senior management with at least an appreciation of compliance challenges in the target, with the personnel, technological solutions and internal training to address and meet these challenges. As you begin to think through this assignment you fall back on the four basic questions of (1) Who will we sell to? (2) What are we going to sell? (3) Where will we sell? (4) How will we sell?

Who will we sell to?

For any anti-corruption analysis you need to begin here as the Foreign Corrupt Practices Act (FCPA) applies to commercial relationships with foreign governments or instrumentalities such as state owned enterprises. Will your end using-direct customers be foreign governments or privately owned companies? What if your customers are distributors or other middlemen who will then sell to foreign governments or state owned enterprises? What about licenses; will you need special permits to sell to a foreign government or state owned enterprise or will you need some type of basic permit simply to transact business? If your company is subject to the UK Bribery Act this public/private distinction does not exist.

What are we going to sell?

What is the product or service you wish to take internationally? I will assume your company has done the market studies to ascertain it is a viable commercial concept. If it a product, is it a complete or partial product? Will you manufacture here in the US and only sell internationally or will you manufacture abroad as well? If it is here in the US, what about spare parts and accessories, will you need to obtain any licenses overseas? What about your technology, will that component require any licenses? If you will manufacture outside the corporate offices in the US, how will you assure quality in your supply chain? Conversely, if you manufacture in the US, do your supplier agreements allow you to resell outside the US?

Where will we sell?

This question may seem more important for export control issues; however it is also important in the anti-corruption world. Obviously this is because certain geographic areas are more prone to corruption than others. A starting place might be the Transparency International-Corruption Perception Index but you can also use tools such as the recently released TRACE Matrix which provides a much broader assessment of corruption indices and give you additional insight into a fuller panoply of corruption risks in a country. In addition to the basic corruption analysis you need to ascertain whether you can even sell your products in a new country, either because of US export regulations or the end using jurisdictions laws. You should also focus on the business culture of a country and whether it is compatible in doing business in compliance with relevant anti-corruption legislation. This will also help you in your search to find any local business partners.

How are you going to sell?

This is one of the most important questions you can ask under a FCPA analysis. It is because well over 90% of all FCPA enforcement actions involve third parties. If this is your first international sales effort, your company probably does not have an international based employee sales force. This means you will most probably need in-country partners for your target markets. Some of the most basic sales arrangements for third parties are as follows:

Agent/Sales Representative – This person or entity is an independent third party from the company. Compensation is usually commission based or combined with a periodic fee plus commission. It is generally viewed as the highest risk from the anti-corruption perspective but you will have a direct relationship with the end-using customer.
Distributor/Retailer – This person or entity is an independent third party from the company. Your company will sell to the distributor/retailer who then resells your product. You will have less visibility into the end user and hence a greater export control risk. Consignment is a variation on this model but if you are warehousing you will need to be aware of other US rules such as revenue recognition under US GAAP or local, indigenous rules on storage and warehousing.
Consultant – This is also an independent third party who is paid a periodic fee. The fee can be more easily assessed for an hourly or service based rather than simply a commission based fee structure.

There are some other sales arrangements that you may whish to consider. You can acquire a local business and run it as your own company. Of course if you do so, you may buy all of these liabilities, both known and unknown. You can joint venture with another local company. Here you may have the dual problems of less actual control yet the same amount of potential exposure, particularly under the FCPA if you fail to perform the requisite pre-acquisition due diligence and allow any illegal conduct to continue going forward. You can issue a manufacturing license to an in-country manufacturer and allow them to make and then sell your product using your technology. Finally, you can issue a brand license where you license an existing company to put your brand name on your product manufactured by another entity. Of course if you use any of these types of arrangements you will need to go through a full third party management cycle; consisting of a business justification, questionnaire, due diligence, contract and management thereafter.

From the internal control perspective you will need to make sure you have several key compliance related controls in place. This will include the aforementioned vetting of all customers and third parties; appropriate controls over each transaction, including both quotes and contracts; empowered and non-conflicted employees; and finally training and self-auditing. You will need separate controls over payment terms and payment mechanisms and controls to align shipping and export controls. Finally, do not forget the omnipresent segregation of duties and control over the vendor master file.

Lastly, you should focus on your high-risk points in any of the above. These include your full vetting and management of third parties. You should pay attention as to how you became aware of these third party sales representatives. You will also need to pay attention to your freight forwarders and other export control representatives. You will need to be vigilant going forward for outright bribes paid in either cash or other values such as free products, lavish travel, gifts and entertainment, especially if the travel has no business purpose.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

Leave a Comment

April 21, 2014

Nursery Rhymes, a Chinese Proverb, the HP FCPA Enforcement and the Myth of the Rogue Employee

Filed under: Agents,compliance programs,Department of Justice,Enforcement Actions,FCPA,FCPA Professor,HP,Internal Controls — tfoxlaw @ 12:01 am

Hey diddle diddle,

The Cat and the fiddle,

The Cow jumped over the moon.

As my friend and colleague Jay Rosen is want to remind us, he continually learns much about compliance and ethics from his Kindergarten-aged daughters. I submit that you need only look to children’s nursery rhymes in the context of the recent Hewlett-Packard (HP) Foreign Corrupt Practices Act Enforcement (FCPA) to fully appreciate the inanity of the myth of the ‘rogue employee.’ HP has been cited as the prime example of the case where a small group of evil or ‘rogue employees’ purposely mislead their ultimate US corporate parent (HP Co) by engaging in bribery and corruption for which their US corporate parent, who did not engage in the corrupt action, were forced to pay the fines and penalties (and attendant investigative costs, remediation costs and negative publicity). For the purposes of this discussion we will leave out the millions of dollars that HP potentially benefited from via the illegal actions of its alleged ‘rogue employees’; or if there has ever been a case involving ‘rogue employees’ who, intentionally or otherwise, took a company down into FCPA grief.

I. HP-Poland – the Tale of Little Jack Horner – what a good boy I am

Little Jack Horner

Sat in the corner,

Eating a Christmas pie;

He put in his thumb,

And pulled out a plum,

And said ‘What a good boy am I!’

This is the one where commentators are having a Eureka moment. After all, the settlement documents point to one man, HP’s Poland Country Manager, and his John Le Carré-esque meetings. In this bribery scheme, the Country Manager engaged in a multi-year bribery scheme to pay bribes to one Polish government official to secure a large number of contracts. These bribes were paid surreptitiously, using a variety of techniques to evade detection but they all had one thing in common which I will ask you to figure out from the Bribery Box presented below.

HP-Poland Bribery Box Score

Bribe Amount	Method of Payment	Year Paid	Business Received
$150,000	Bag of cash, delivered to home of Polish gov official	2007	Contract valued at $15.7MM
$100,000	Bag of cash, delivered in parking lot to Polish gov official	2007
$130,000 to $140,000	Bag of cash delivered to Polish gov official	2008	Contract executed January 2008
$110,000	Bag of cash	2008	Contract executed in April 2008
$90,000	Bag of cash delivered to Polish gov official	2008	Contract executed May 2008
$30,000	Bag of cash delivered to Polish gov official	2008	Final 3 contracts totaled $32MM in value
$6,000	(offer)	2010	For contract signed in 2010 valued at $4MM
$30,000	Delivered as gifts	2007-2010	Total contracts valued at $60MM

For those of you not so quick on the draw the common element, at least until the end of the Box Score, is that all the bribes were paid in cash. For part of my in-house legal career, I did legal work for the energy industry and I have some familiarity in the amount of money that Country Manager’s made, at least the range of their salary and bonus, and it certainly was not enough to fund bribes in the amount of $600,000 in cash over a couple of years.

So let me get this straight, no one else at HP-Poland aided the Country Manager while he helped himself to the kitty? Didn’t anyone even notice, say in 2007, one of our $250,000 was missing? If not, the Country Manager had to have help in siphoning off funds from HP itself to fund these bribes? So my first question is where was HP internal audit? At the country level? At the region level? At the corporate level? Where was HP Co, when HP-Poland landed $60MM in contracts, in determining how these contracts were procured? Where were HP internal controls?

Was the Country Manager like Little Jack Horner? What a good boy I am?

II. HP-Russia – Yes Sir, Yes Sir, Three Bags Full

Baa, baa, black sheep,

Have you any wool?

Yes, sir, yes, sir,

Three bags full.

HP-Russia seems to confuse commentators the most about the myth of the ‘rogue employee’. Here they point to the coded spreadsheets (the “Encrypted Spreadsheet”), which could only be unlocked and read by the conspirators themselves. And after all, they lied, lied, when they were asked about some of the details of the transaction in questions. I am sure Inspector Renoir is still shocked, shocked, to discover that gambling is still occurring on the premises of Rick’s Café American in Casablanca.

So why three bags full? Well, first of all, if you are from a certain university in central Texas you’ll immediately know what it means. For the less delicate among you, it would mean a large load of Col. Sherman Potter’s horse-hockey; three bags full in fact. This deal had been floating around HP for years, was well-known enough to raise multiple Red Flags inside the company and was simply internally shopped until it slid through by hook, nook or crook; or in this case, three bags full.

The initial deal was inked with the Russian government in June 2001 but as the Russian government could not fund it, they sought another foreign government to fund and that government was the US. However, to do so, it required that at least 85% of all goods and services were of US origin. To meet this requirement, the initial deal was changed to substitute a US intermediary (Intermediary 2) who replaced the Swiss intermediary on the deal (Intermediary 1). HP Co conducted due diligence on Intermediary 2 and then met with Intermediary 2 in the US to conduct additional due diligence. However, Intermediary 2 balked at answering more “pointed questions” about its expertise and financial wherewithal to handle the transaction. HP Co then told HP-Russia that they would not approve the transaction.

Not to be deterred from a good deal, the foreign government financing was switched from the US to Germany. In addition, Intermediary 2 was ditched for a one-man shop, Burwell Consulting Ltd (Burwell). Burwell and others were eventually paid nearly $21MM in bribes for the Russia government contract. There has been much discussion about how HP-Russia tricked HP-Germany’s employees through the use of “encrypted, password protected spreadsheets that tracked the deal’s financial inflows and outflows”. However, what I found more interesting was the discussion about how not only had HP-Russia shopped the deal internally and been told a resounding NO by HP Co for obvious Red Flags present but also the discussion of how HP-Russia internally funded the bribery scheme.

They did so by the classic ‘stuffing the channel’ that every software lawyer, accountant, bookkeeper, auditor, sales rep and anyone else subject to GAAP or IFSR learns on their first day of training on their first job. It goes like this: HP-Russia sold products to a channel partner; who then sold them to Intermediary 3; who then sold them back to HP with a mark-up and voila, you have a big pile of cash with which to bribe.

So what does the HP-Russia deal tell us about HP as a company? As with HP-Poland, you would have to question where was internal controls while this was playing out, at the country level, at the region level, at the anywhere level? But there is far more than simply internal controls going on here. Based on what was publicly announced in the settlement documents, HP Co had actual knowledge that the deal was rife with Red Flags as it was presented. It was so bad they shut it down. Of course, the business guys simply resurrected it in another place, in another guise. What does that say about the overall effectiveness of the compliance function at the time if HP-Russia could bring a Red Flagged deal to HP Co only to have it stopped, then to shove it through HP-Germany due to weak controls? What about the internal controls on how HP-Russia was able to generate $21MM in scammed money to pay the bribes in the first place? Think anyone else might have thought about running that scam through those robust internal controls? After all, its only three bags full…

III. HP-Mexico – Fool Me Once…

Fool Me Once,

Shame on You;

Fool me twice,

Shame on Me.

The above did not come from George Bush (The Younger) but is purported to be an old Chinese proverb. I like that thought anyway and it certainly informs our look the claim of ‘rogue employee’ in Mexico. Here, for reasons far beyond my comprehension, HP was able to secure a Non-Prosecution Agreement (NPA) from the Department of Justice (DOJ) for the actions of its subsidiary in Mexico in paying a bribe of $1.6MM to facilitate the winning of a contract worth $6MM. But the lesson learned from the ancient Chinese proverb certainly informs our look at the allegation of the ‘rogue employee’ down Mexico way.

HP-Mexico wanted to use a certain agent involving a deal with Pemex because he had a very close relationship with the Pemex official who would be making the decision on the contract. HP-Mexico even signed a contract with this agent where his description of services was an “influencer fee” for which he would receive a 25% commission. This agent could apparently neither meet HP Co’s due diligence requirements, accept HP Co’s mandatory commission rate or both but whatever the reason, they were not approved as an agent on the Pemex deal. But like all good HP business folks (beginning to see a pattern here?) HP-Mexico simply subcontracted this agent to an existing, approved HP channel partner. HP-Mexico then amazingly (or perhaps not) said that they needed to raise the commission rate of this channel partner from 1.5% to 26.5% because this channel partner was now “managing discounts with Pemex” which coincidentally, this channel partner had never done. Because this channel partner was previously approved by compliance, the request for increase in commission rate was never submitted to compliance for approval. Think an internal control or two might have been appropriate in this situation?

What do the nursery rhymes and Chinese proverb tell us about HP and the Myth of the Rogue Employee? All three of the bribery schemes involved showed that there were multiple failures of numerous systems that allowed the schemes to run rampant. But perhaps the thing that they speak to the most is the culture that existed at the company during the time frames in question. While the FCPA Professor and others have noted that some of the conduct in question began in Russia as long ago as 1999, the settlement documents speak to conduct in Poland as recently as 2010. Certainly, the NPA for HP-Mexico’s conduct was for actions in 2009. What was the tone set that not only allowed employees to think that they could get away with subverting the law but that they had to do so. That, perhaps, is the most troubling questions unanswered by the Myth of the Rogue Employee.

Whatever the answer to HP’s culture of compliance may have been at the time of the conduct which led to the enforcement action, the claim that the company does not bear responsibility for either setting that tone, facilitating the conduct by looking the other way when convenient or not having appropriate internal prevention and detection controls in place to prevent massive fraud by its own employees; the reality is that when a employees of a company can evade controls to generate multi-millions of dollars to generate pools of money to pay bribes, there is no ‘rogue employee’ or even small group of rogue employees. Or there is about as much chance as a cow jumping over the moon.

© Thomas R. Fox, 2014

Leave a Comment

April 4, 2014

Life Cycle Management of Third Parties – Step 5 – Management of the Relationship

Filed under: Agents,Bribery Act,compliance programs,Department of Justice,Document Document Document,FCPA,FCPA Guidance,Oversight,Oversight Committee,SEC,Third parties — tfoxlaw @ 12:01 am
Tags: best practices, Bribery Act, compliance programs, Department of Justice, DOJ, Due Diligence, ethics and compliance, FCPA, SEC

Today ends my review of what I believe to be the five steps in the management of a third party under an anti-bribery regime such as the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act. On Monday, I reviewed Step 1 – the Business Justification, which should kick off your process with any third party relationship. On Tuesday, I looked at Step 2 – the questionnaire that you should send and third party and what information you should elicit. On Wednesday, I discussed Step 3 – the due diligence that you should perform based upon the information that you have received from and ascertained on the third party. On Thursday, I examined Step 4 – how you should use the information you obtain in the due diligence process and the compliance terms and conditions which you should place in any commercial agreement with a third party. Today, I will conclude this series by reviewing how you should manage the relationship after the contract is signed.

I often say that after you complete Steps 1-4 in the life cycle management of a third party, the real work begins and that work is found in Step 5– the Management of the Relationship. While the work done in Steps 1-4 are absolutely critical, if you do not manage the relationship it can all go down hill very quickly and you might find yourself with a potential FCPA or UK Bribery Act violation. There are several different ways that you should manage your post-contract relationship. This post will explore some of the tools which you can use to help make sure that all the work you have done in Steps 1-4 will not be for naught and that you will have a compliant anti-corruption relationship with your third party going forward.

Managing third party relationships is an area that continues to give companies trouble and heartburn. The “2013 Anti-Bribery and Corruption Benchmarking Report – A joint effort between Kroll and Compliance Week” found that many companies are still struggling with ongoing anti-corruption monitoring and training for their third parties. Regarding training, 47% of the respondents said that they conduct no anti-corruption training with their third parties at all. The efforts companies do take to educate and monitor third parties are somewhat pro forma. More than 70% require certification from their third parties that they have completed anti-corruption training; 43% require in-person training and another 40% require online training. Large companies require training considerably more often than smaller ones, although when looking at all the common training methods, 100% of respondents say their company uses at least one method, if not more.

While the FCPA Guidance itself only provides that “companies should undertake some form of ongoing monitoring of third-party relationships”. Diana Lutz, writing in the White Paper by The Steele Foundation entitled “Global anti-corruption and anti-bribery program best practices”, said, “As an additional means of prevention and detection of wrongdoing, an experienced compliance and audit team must be actively engaged in home office and field activities to ensure that financial controls and policy provisions are routinely complied with and that remedial measures for violations or gaps are tracked, implemented and rechecked.”

One noted commentator has discussed techniques to provide this management and oversight any third party relationship. Carol Switzer, President of the Open Compliance and Ethics Group (OCEG), writing in the Compliance Week magazine set out a five-step process for managing corruption risks, which I have adapted for third parties.

Screen – Monitor third party records against trusted data sources for red flags.
Identify – Establish helplines and other open channels for reporting of issues and asking compliance related questions by third parties.
Investigate – Use appropriately qualified investigative teams to obtain and assess information about suspected violations.
Analyze – Evaluate data to determine “concerns and potential problems” by using data analytics, tools and reporting.
Audit – Finally, your company should have regular internal audit reviews and inspections of the third party’s anti-corruption program; including testing and assessment of internal controls to determine if enhancement or modification is necessary.

Based upon the foregoing and other commentators, I believe there are several different roles in a company that play a function in the ongoing monitoring of the third party. While there is overlap, I believe that each role fulfills a critical function in any best practices compliance program.

Relationship Manager

There should be a Relationship Manager for every third party which the company does business with through the sales chain. The Relationship Manager should be a business unit employee who is responsible for monitoring, maintaining and continuously evaluating the relationship between your company and the third party. Some of the duties of the Relationship Manager may include:

Point of contact with the Third Party for all compliance issues;
Maintaining periodic contact with the Third Party;
Meeting annually with the Third Party to review its satisfaction of all company compliance obligations;
Submitting annual reports to the company’s Oversight Committee summarizing services provided by the Third Party;
Assisting the company’s Oversight Committee with any issues with respect to the Third Party.

Compliance Professional

Just as a company needs a subject matter expert (SME) in anti-bribery compliance to be able to work with the business folks and answer the usual questions that come up in the day-to-day routine of doing business internationally, third parties also need such access. A third party may not be large enough to have its own compliance staff so I advocate a company providing such a dedicated resource to third parties. I do not believe that this will create a conflict of interest or that there are other legal impediments to providing such services. They can also include anti-corruption training for the third party, either through onsite or remote mechanisms. The compliance practitioner should work closely with the relationship manager to provide advice, training and communications to the third party.

Oversight Committee

I advocate that a company should have an Oversight Committee review all documents relating the full panoply of a third party’s relationship with the company. It can be a formal structure or some other type of group but the key is to have the senior management put a ‘second set of eyes’ on any third parties who might represent a company in the sales side. In addition to the basic concept of process validation of your management of third parties, as third parties are recognized as the highest risk in FCPA or Bribery Act compliance, this is a manner to deliver additional management of that risk.

After the commercial relationship has begun the Oversight Committee should monitor the third party relationship on no less than an annual basis. This annual audit should include a review of remedial due diligence investigations and evaluation of any new or supplement risk associated with any negative information discovered from a review of financial audit reports on the third party. The Oversight Committee should review any reports of any material breach of contract including any breach of the requirements of the Company Code of Ethics and Compliance. In addition to the above remedial review, the Oversight Committee should review all payments requested by the third party to assure such payment is within the company guidelines and is warranted by the contractual relationship with the third party. Lastly, the Oversight Committee should review any request to provide the third party any type of non-monetary compensation and, as appropriate, approve such requests.

Audit

A key tool in managing the relationship with a third party post-contract is auditing the relationship. I hope that you will have secured audit rights, as that is an important clause in any compliance terms and conditions. Your audit should be a systematic, independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which your compliance terms and conditions are followed. Noted fraud examiner expert Tracy Coenen described the process as one to (1) capture the data; (2) analyze the data; and (3) report on the data, which is also appropriate for a compliance audit. As a base line I would suggest that any audit of a third party include, at a minimum, a review of the following:

the effectiveness of existing compliance programs and codes of conduct;
the origin and legitimacy of any funds paid to Company;
books, records and accounts, or those of any of its subsidiaries, joint ventures or affiliates, related to work performed for, or services or equipment provided to, Company;
all disbursements made for or on behalf of Company; and
all funds received from Company in connection with work performed for, or services or equipment provided to, Company.

If you want to engage in a deeper dive you might consider evaluation of some of the following areas:

Review of contracts with third parties to confirm that the appropriate FCPA compliance terms and conditions are in place.
Determine that actual due diligence took place on the third party.
Review FCPA compliance training program; both the substance of the program and attendance records.
Does the third party have a hotline or any other reporting mechanism for allegations of compliance violations? If so how are such reports maintained? Review any reports of compliance violations or issues that arose through anonymous reporting, hotline or any other reporting mechanism.
Does the third party have written employee discipline procedures? If so have any employees been disciplined for any compliance violations? If yes review all relevant files relating to any such violations to determine the process used and the outcome reached.
Review employee expense reports for employees in high-risk positions or high-risk countries.
Testing for gifts, travel and entertainment that were provided to, or for, foreign governmental officials.
Review the overall structure of the third party’s compliance program. If the company has a designated compliance officer to whom, and how, does that compliance officer report? How is the third party’s compliance program designed to identify risks and what has been the result of any so identified?
Review a sample of employee commission payments and determine if they follow the internal policy and procedure of the third party.
With regard to any petty cash activity in foreign locations, review a sample of activity and apply analytical procedures and testing. Analyze the general ledger for high-risk transactions and cash advances and apply analytical procedures and testing.

In addition to monitoring and oversight of your third parties, you should periodically review the health of your third party management program. Once again I turn to Diana Lutz and her colleague Marjorie Doyle, and their White Paper entitled “Third Party Essentials: A Reputation/Liability Checkup When Using Third Parties Globally”, where they gave a checklist to test companies on their relationships with their third parties.

Do you have a list or database of all your third parties and their information?
Have you done a risk assessment of your third parties and prioritized them by level of risk?
Do you have a due diligence process for the selection of third parties, based on the risk assessment?
Once the risk categories have been determined, create a written due diligence process.
Once the third party has been selected based on the due diligence process, do you have a contract with the third party stating all the expectations?
Is there someone in your organization who is responsible for the management of each of your third parties?
What are “red flags” regarding a third party?

Perhaps now you will understand why I say that after you prepare the Business Justification; send out, receive back and evaluate the Questionnaire; set the appropriate level of Due Diligence; evaluate the due diligence and execute a contract with appropriate Compliance Terms and Conditions; now the real work begins, as you have to manage the third party relationship.

I hope that you have found this review of the life cycle management of third parties helpful for your compliance program.

© Thomas R. Fox, 2014

Leave a Comment

April 3, 2014

Life Cycle Management of Third Parties – Step 4 – The Contract

This post continues to outline what I believe are the five steps in the life cycle of third party management. Today I will look at Step 4, the contract. However, before we get to the contracting stage a word about what to do with Steps 1-3. You cannot simply obtain the information detailed in these first three steps; you must evaluate the information and show that you have used it in your process. If it is incomplete, it must be completed. If there are Red Flags, which have appeared, these Red Flags must be cleared or you must demonstrate how you will manage the risks identified. In others words you must Document, Document and Document that you have read, synthesized and evaluated the information garnered in Steps 1-3. As the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) continually remind us, a compliance program must be a living, evolving system and not simply a ‘Check-the-Box’ exercise.

After you have completed Steps 1-3 and then evaluated and documented your evaluation, you are ready to move onto to Step 4 – the contract. Obviously any commercial relationship should be governed by the terms and conditions of a written contract. Clearly your commercial terms should be set out in the contract. In the area of commercial terms the FCPA Guidance intones “Additional considerations include payment terms and how those payment terms compare to typical terms in that industry and country, as well as the timing of the third party’s introduction to the business.” This means that you need to understand what the rate of commission is and whether it is reasonable for the services delivered. If the rate is too high, this could be indicia of corruption as high commission rates can create a pool of money to be used to pay bribes. If your company uses a distributor model in its sales side, then it needs to review the discount rates it provides to its distributors to ascertain that the discount rate it warranted.

In addition to the above analysis from the compliance perspective, you should incorporate compliance terms and conditions into your contracts with third parties. I would suggest that you begin with some type of compliance terms and conditions template, which can be used as a starting point for your negotiations. The advantages of such a template are several; they include: (1) the contract language is tested against real events; (2) the contract language assists the company in managing its compliance risks; (3) the contract language fits into a series of related contracts; (4) the contract language is straight-forward to administer and (5) the contract language helps to manage the expectations of both contracting parties regarding anti-bribery and anti-corruption.

What are the compliance terms and conditions that you should include in your commercial contracts with third parties? In the Panalpina Deferred Prosecution Agreement (DPA), Attachment C, Section 12 is found the following language, “Where necessary and appropriate, Panalpina will include standard provisions in agreements, contracts, and renewals thereof with all agents and business partners that are reasonably calculated to prevent violations of the anticorruption laws, which may, depending upon the circumstances, include: (a) anticorruption representations and undertakings relating to compliance with the anticorruption laws; (b) rights to conduct audits of the books and records of the agent or business partner to ensure compliance with the foregoing; and (c) rights to terminate an agent or business partner as a result of any breach of anti-corruption laws, and regulations or representations and undertakings related to such matters.” In the Johnson & Johnson (J&J) DPA, the same language as used in the Panalpina DPA is found in Attachment C, entitled “Corporate Compliance Program”. However, in Attachment D, entitled “Enhanced Compliance Obligations”, the following language is found: “Contracts with such third parties are to include appropriate FCPA compliance terms and conditions including; (i) representatives and undertakings of the third party to compliance; (ii) right to audit; and (iii) right to terminate.”

Mary Jones, in an article in this blog entitled “Panalpina’s World Wide Web”, suggested the following language be present in your compliance terms and conditions:

payment mechanisms that comply with this Manual, the FCPA [Foreign Corrupt Practices Act], the UKBA [UK Bribery Act] and other applicable anti-corruption and/or anti-bribery laws during the term of such contract;
the counterparty’s obligation to maintain accurate books and records in compliance with the Company’s Policy and Compliance Manual;
the counterparty’s obligation to certify on an annual basis that: (i) counterparty has not made, offered, or promised any payment or gift of money or anything of value, directly or indirectly, to any Government Official (or any other person or entity if UK Bribery Act applies) for the purpose of obtaining or retaining business or getting any improper business advantage; and (ii) counterparty has not engaged in any conduct or behavior prohibited by the Code of Conduct, Anti-Corruption Policy and Compliance Manual and other applicable anti-corruption and/or anti-bribery law;
the Company’s right to audit the counterparty’s books and records, including, without limitation, any documentation relating to the counterparty’s interaction with any governmental entity (or any entity if UK Bribery Act applies) on behalf of the Company, and the counterparty’s obligation to cooperate fully with any such audit; and
remedies (including termination rights) for the failure of the counterparty to comply with the terms of the contract, the Code of Conduct, the Anti-Corruption Policy and Compliance Manual and other applicable anti-corruption and/or anti-bribery law during the term of such contract.

Based on the foregoing experts and the research I have engaged in, I believe that compliance terms and conditions should be stated directly in the document, whether such document is a simple agency or consulting agreement or a joint venture (JV) with several formation documents. The compliance terms and conditions should include representations that in all undertakings the third party will make no payments of money, or anything of value, nor will such be offered, promised or paid, directly or indirectly, to any foreign officials, political parties, party officials, candidates for public or political party office, to influence the acts of such officials, political parties, party officials, or candidates in their official capacity, to induce them to use their influence with a government to obtain or retain business or gain an improper advantage in connection with any business venture or contract in which the company is a participant.

In addition to the above affirmative statements regarding conduct, a commercial contract with a third party should have the following compliance terms and conditions in it.

Indemnification: Full indemnification for any FCPA violation, including all costs for the underlying investigation.
Cooperation: Require full cooperation with any ethics and compliance investigation, specifically including the review of foreign business partner emails and bank accounts relating to your Company’s use of the foreign business partner.
Material Breach of Contract: Any FCPA violation is made a material breach of contract, with no notice and opportunity to cure. Further, such a finding will be the grounds for immediate cessation of all payments.
No Sub-Vendors (without approval): The foreign business partner must agree that it will not hire an agent, subcontractor or consultant without the Company’s prior written consent (to be based on adequate due diligence).
Audit Rights: An additional key element of a contract between a US Company and a foreign business partner should include the retention of audit rights. These audit rights must exceed the simple audit rights associated with the financial relationship between the parties and must allow a full review of all FCPA related compliance procedures such as those for meeting with foreign governmental officials and compliance related training.
Acknowledgment: The foreign business partner should specifically acknowledge the applicability of the FCPA to the business relationship as well as any country or regional anti-corruption or anti-bribery laws, which apply to either the foreign business partner or business relationship.
On-going Training: Require that the top management of the foreign business partner and all persons performing services on your behalf shall receive FCPA compliance training.
Annual Certification: Require an annual certification stating that the foreign business partner has not engaged in any conduct that violates the FCPA or any applicable laws, nor is it aware of any such conduct.
Re-qualification: Require the foreign business partner re-qualify as a business partner at a regular interval of no greater than every three years.

Many will exclaim, “What an order, I can’t go through with it.” By this they mean that they do not believe that they will be able to get the third party to agree to such compliance terms and conditions. I have found that while it may not be easy, it is relatively simply to get a third party to agree to these, or similar, terms and conditions. One approach to take is that they are not negotiable. When faced with such a position on non-commercial terms many third parties will not fight such a position. There is some flexibility but the DOJ will require the minimum terms and conditions that it has suggested in the various Attachment Cs to the DPAs I have discussed. But the best position I have found is that if a third party agrees with these terms and conditions, they can then use that as a market differentiator from other third parties who have not gone through the life cycle management of a third party as this series has discussed.

© Thomas R. Fox, 2014

Leave a Comment

April 1, 2014

Life Cycle of Third Party Management – Step 2 Questionnaire

Filed under: Agents,Best Practices,Bribery Act,compliance programs,FCPA,FCPA Guidance,Questionnaire,Third parties — tfoxlaw @ 12:01 am
Tags: best practices, Bribery Act, compliance, compliance programs, Department of Justice, DOJ, Due Diligence, FCPA

Today, I continue my five-part series on the life cycle of third party management under an anti-bribery/anti-corruption regime such the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act, reviewing Step 2, which I label as the “Questionnaire”. The term ‘questionnaire’ is mentioned several times in the FCPA Guidance. It is generally recognized as one of the tools that a company should complete in its investigation to better understand with whom it is doing business. I believe that this requirement is not only a key step but also a mandatory step for any third party that desires to do work with your company. I tell clients that if a third party does not want to fill out the questionnaire or will not fill it out completely that you should not walk but run away from doing business with such a party.

In the 2011 UK Ministry of Justice’s (MOJ), discussion of Six Principals of an Adequate Procedures compliance program, they said the following about the Questionnaire, “This means that both the business person who desires the relationship and the foreign business representative commit certain designated information in writing prior to beginning the due diligence process.” Indeed, the use of a Questionnaire was one of the key findings of Kroll’s “2012 FCPA Benchmark Report”. As reported in the FCPA Blog, in a post entitled “Compliance Officers Troubled By Third-Party Risk”:

71% require third parties to complete a disclosure listing affiliations with foreign officials (65% verify that third parties adhere to the company’s code of ethics and 73% confirm that each third party is free from sanctions pertaining to compliance with anti-bribery regulation).

One of the key requirements of any successful anti-corruption compliance program is that a company must make an initial assessment of a proposed third party relationship. The size of a company does not matter as small businesses can face quite significant risks and will need more extensive procedures than other businesses facing limited risks. The level of risk that companies face will also vary with the type and nature of the third parties it may have business relationships with. For example, a company that properly assesses that there is no risk of bribery on the part of one of its associated persons will, accordingly, require nothing in the way of procedures to prevent bribery in the context of that relationship. By the same token the bribery risks associated with reliance on a third party agent representing a company in negotiations with foreign public officials may be assessed as significant and, accordingly, requires much more in the way of procedures to mitigate those risks. Businesses are likely to need to select procedures to cover a broad range of risks but any consideration by a court in an individual case of the adequacy of procedures is likely necessarily to focus on those procedures designed to prevent bribery on the part of the associated person committing the offence in question.

So what should you ask for in your questionnaire? Randy Corey, Executive Vice President (EVP), Global Compliance Officer at Edelmen Inc. said in a presentation at Compliance Week 2012, entitled “3rd Party Due Diligence Best Practices in Establishing an Effective Anti-Corruption Program”, that his company has developed a five-step approach in evaluating and managing their third parties. In Step 3 they ask What Do You Need To Know?Initially, Corley said that Scope of review depends on risk assessment, High Risk, Medium Risk or Low Risk. This risk ranking will determine the level of information collected and due diligence performed. The key element of this step is data collection. The initial step is to have the third party complete an application which should include requests for information on background and experience, scope of services to be provided, relevant experience, list of actual and beneficial owners, references and compliance expertise.

Below are some of the areas which I think you should inquire into from a proposed third party include the following:

Ownership Structure: Describe whether the proposed third party is a government or state-owned entity, and the nature of its relationship(s) with local, regional and governmental bodies. Are there any members of the business partner related, by blood, to governmental officials?
Financial Qualifications: Describe the financial stability of, and all capital to be provided by, the proposed third party. You should obtain financial records, audited for 3 to 5 years, if available. Obtain the name and contact information for their banking relationship.
Personnel: Determine whether the proposed agent will be providing personnel, particularly whether any of the employees are government officials. Make sure that you obtain the names and titles of those who will provide services to your company.
Physical Facilities: Describe what physical facilities that will be used by the third party for your work. Be sure and obtain their physical address.
•References: Obtain names and contact information for at least three business references that can provide information on the business ethics and commercial reliability of the proposed third party.
PEPs: Are any of the owners, beneficial owners, officers or directors politically exposed persons (PEPs).
UBOs: It is imperative that you obtain the identity of the Ultimate Beneficial Owner (UBO).
Compliance Regime: Does the proposed third party have an anti-corruption/anti-bribery program in place? Do they have a Code of Conduct? Obtain copies of all relevant documents and training materials.
FCPA Training and Awareness: Has the proposed third party received FCPA training, are they TRACE certified or certified by some other recognizable entity?

One thing that you should keep in mind is that you will likely have pushback from your business team in making many of the inquiries listed above. However, my experience is that most proposed agents that have done business with US or UK companies have already gone through this process. Indeed, they understand that by providing this information on a timely basis, they can set themselves apart as more attractive to US businesses.

The questionnaire fills several key roles in your overall management of third parties. Obviously it provides key information that you need to know about who you are doing business with and whether they have the capabilities to fulfill your commercial needs. Just as importantly is what is said if the questionnaire is not completed or is only partially completed, such as the lack of awareness of the FCPA, UK Bribery Act or anti-corruption/anti-bribery programs generally. Lastly, the information provided (or not provided) in the questionnaire will assist you in determining what level of due diligence to perform. So tomorrow I will discuss due diligence.

© Thomas R. Fox, 2014

Leave a Comment

February 27, 2014

Alfred the Great, GE and the Management of Third Party Risk

Filed under: Agents,Best Practices,compliance programs,Culture,Department of Justice,Distributors,Due Diligence,Ethical Leadership,Ethics,FCPA,FCPA Guidance,Foeign Business Partner,Third parties — tfoxlaw @ 12:01 am
Tags: best practices, compliance, compliance programs, Department of Justice, DOJ, FCPA

I am currently studying Medieval England including the reign of Alfred the Great. As you might expect with someone monikered as ‘The Great’ he is certainly considered right up there with the greatest Kings of England. Not only did he largely drive out the Viking invaders from his country but he also set the stage for the unification of England under one crown, for the first time since the days of Roman Britain under the Caesars. One of the innovations he developed was fortified towns, called burgs, from which to resist Viking raids and incursion. But more than simply walled cities for defense, within these fortified towns was a wide road running down the middle of the town called the ‘High Street’ and a street situated next to the town’s walls appropriately called ‘Wall Street’. These streets were wider than the others in the town to facilitate the movement of troops in the time of crisis, such as a Viking raid. In other words, Alfred evaluated the risk to his kingdom and put multiple layers of steps into place to manage those risks.

In the Foreign Corrupt Practices Act (FCPA) compliance world, one of the key components that the Department of Justice (DOJ) wants to see is a risk assessment and a company managing its risks, based upon said risk assessment. One company’s response to a risk or set of risks does not necessarily mean that another company must follow it. The DOJ’s Ten Hallmarks of an Effective Compliance Program are broad enough to allow companies to manage their own risks, hopefully effectively. I thought about this concept when I was listening to a presentation by Flora Francis and Andrew Baird of GE Oil & Gas at the 2014 SCCE Utility and Energy Conference in Houston this week on GE’s third party risk management. First of all, if you have the chance to hear a couple of nuts and bolts compliance practitioners from GE like these two speak, run, don’t walk, to their presentation. GE’s commitment to compliance is well known but also the company’s willingness to share about their compliance program is a great boon to the compliance community. Lastly, is the gold-standard nature of the GE compliance program and while it may be more than your company needs to manage their own risks, the GE compliance regime does shine a light that we can all aspire to in our own compliance programs.

Both speakers made clear that GE’s program was the company’s response to its assessed risks. Further, the compliance program has evolved, not only as the company’s risks have evolved but also as the company has determined what works and does not work as well. Within the realm of third parties’ the prescient question from compliance to the business unit would be ‘What is your “Go To Market Strategy” and how will your use of third parties assist you in carrying out that strategy?’ Some of the factors the speakers cited could include your company’s market coverage strategy, product segmentation, pricing and margin expectation, an added capability which your company may not possess such as technology, and finally there could be local legal requirements for a local content third party in certain countries.

Some of the factors which GE considers, when evaluating a third party, include the following:

Business Model: Do we need third parties to reach our customers or can we build the organization ourselves?
In-house Capabilities: Do we already have the organization in place to handle these capabilities?
Overlap: Do we already have a third party in the region/country that can handle our needs?
Volume of Business: How much business will this third party bring to the company?
Compliance Risk: Where is the third party located? Will they interact with government officials? Do they have same commitment to compliance?
Regulatory Environment: Is it simple or strict? What are the chances of regulatory violations?
Reputation: What is the third party’s reputation in the market?

I was also intrigued to learn about the risk analysis process that GE uses with its third parties. Initially the process breaks the risks down into low risk and high risk. A low risk received a limited review and analysis, while a high risk receives an escalated review and analysis consisting of the following reviews: compliance, legal, business leadership and finance.

But more than simply the level of review, I was interested in the ‘Risk Score Drivers’ that GE has developed. Once again, the speakers emphasized that these are GE’s risk score drivers and have been developed over time through the company’s internal analysis and processes. Nevertheless I found them to be a very useful way to think about third party risk. The risk score drivers listed were:

Country channel where the third party is located in or where it sells into;
Experience by the third party with the sales channel;
Type of third party involved; agent, reseller, distributor;
Commission rate, is it standard v. non-standard;
Will any sub-third party relationships be involved;
Will the third party sell to government entity or instrumentality;
Do any of the third party’s principals, Officers or Agents work for a foreign government, state owned enterprise or political party;
Was the third party mandated by customer or the end user;
What is the third party’s contract duration;
Is the third party involved in more than one project;
Does the third party have any historical compliance issues;
What is the percent of sales with products or services; and
What is GE’s annual revenue with the third party?

GE compliance then takes these scoring factors and puts them into an evaluation matrix when determining the amount of risk involved and whether or not the company should move forward with a proposed third party. If the decision is made to move forward and create a commercial relationship, the third part must agree to commit to the compliance standards of GE; stay current with and obey all applicable legal and regulatory provisions; comply with all contractual provisions; grant to GE audit rights; agree to report any compliance violations; certify to all compliance requirements on a regular basis; receive and complete compliance training and to allow regular site visits. GE also requires each third party to have a relationship manager assigned to it who is there to establish ongoing communication, provide ongoing training and to provide a platform for business improvement. Internally GE has processes in place to refresh due diligence; review, renew and update as appropriate contracts; conduct regular site visits and periodic audits.

Flora and Andrew ended their presentation with the following quote from the US Sentencing Guidelines about the question – ‘When is Enough, Enough?’ When you can show the government agency asking that you have taken appropriate steps to design, implement, and enforce a compliance program that is generally effective in preventing and detecting criminal conduct.

Their presentation was an excellent mechanism for the compliance practitioner to assess their third party management program. Although they made clear that this program was not for all companies, there is enough meat present for anyone to use in evaluating where you might be and where you might need to go in management of your third parties. And just as Alfred the Great constructed a defense-in-depth in his fortified towns, so the GE program for the management of third party risk has several layers of protection so that when the crisis does arise, they can adequately respond when the government comes knocking.

© Thomas R. Fox, 2014

Comments (1)

January 2, 2014

The 2013 FCPA Year in Review-Corporate Enforcement Actions

Filed under: Agents,Best Practices,Books and Records,compliance programs,Deferred Prosecution Agreement,Department of Justice,Enforcement Actions,FCPA,Non-Prosecution Agreements,SEC — tfoxlaw @ 11:58 am
Tags: best practices, compliance, compliance programs, FCPA, Foreign Corrupt Practices Act, Internal Controls, SEC

In my final post of 2013, I reviewed all of the individual Foreign Corrupt Practices Act enforcement actions which occurred in the past year. In this first post of 2014, I review all the corporate enforcement actions in 2013. If you would like to have a handy reference on all of the 2013 FCPA enforcement actions, I am pleased to announce the publication of my latest book, entitled, “2013-the FCPA Year in Review”. It is available in an eBook format on Amazon.com.

A. Total

Total SA engaged in a nearly decade long, breathtaking bribery scheme. In this scheme, Total paid approximately $60MM to an un-named Iranian Official of the National Iranian Oil Company (NIOC), who steered two major projects Total’s way. The projects for which Total paid the bribes were the Sirri A and E oil and gas fields and South Pars gas field. Total paid a criminal penalty to the DOJ of $245.2 million and civil penalty of $153 to the SEC.” Total’s agreed monetary penalty of $398MM was the fourth biggest FCPA resolution.

B. Parker Drilling

The company was involved in a bribery scheme to pay-off judges in a Nigerian Tax Court to allow Parker Drilling to pay lower than warranted tax assessments for its drilling rigs in the country. Due to its efforts to create a gold standard compliance program all the while undergoing its own internal investigation, Parker Drilling’s conduct earned it an “approximately 20 percent reduction off the bottom of the fine range” which suggested a fine of between $14.7MM to $29.4MM. The final DOJ fine was $11,760,000. The company also agreed to pay disgorgement of $3,050MM plus pre-judgment interest of $1,040,818, to the SEC.

C. Ralph Lauren

The Ralph Lauren Company received Non-Prosecution Agreements (NPA) granted by the SEC and DOJ. The illegal conduct at issue related to its Argentinian subsidiary and efforts by the General Manager of that operation, who conspired with a customs clearance agency to make payments “to assist in improperly obtaining paperwork necessary for goods to clear customs, to permit clearance of items without the necessary paperwork, to permit the clearance of prohibited items, and to avoid inspection.” For its conduct, Ralph Lauren agreed to pay $882K to the DOJ and $593K in disgorgement and $141K in pre-judgment interest to the SEC.

D. Weatherford

In late November, Weatherford International Limited (Weatherford) concluded one of the longest running open FCPA investigations when it agreed to the ninth largest FCPA fine of all-time and one of its subsidiaries, Weatherford Services Limited (WSL), agreed to plead guilty to violating the anti-bribery provisions of the FCPA. The total amount of fines and penalties for the FCPA violations was $152.6 million. The company was also hit with another $100 million in fines and penalties for trade sanctions bringing its total amount paid to $252.6 million. The bribery schemes that Weatherford used were varied but stunning in their brazen nature. But in spite of how things began, Weatherford was able to make a turnaround and substantially improve its position by reversing this initial nose-thumbing at US regulators.

E. Stryker

In an interesting FCPA enforcement action resolved in October, the Stryker Corporation agreed to settle with the SEC via an Administrative Order, not a criminal action filed by the DOJ. According to the FCPA Blog, “The SEC said Stryker Corporation will pay $13.2 million to resolve FCPA violations. The bribes totaled about $2 million and were ‘incorrectly described as legitimate expenses in the company’s books and records,’ according to the SEC. Stryker will disgorge to the SEC $7.5 million and prejudgment interest of $2.28 million. It is also paying a penalty of $3.5 million.” SEC Complaint. There was not even a civil Complaint filed by the SEC and Stryker is not required to have a Corporate Monitor to assess its ongoing compliance efforts or its commitment to having a compliance program.

F. Diebold

In late October, Diebold, an Ohio company which makes ATM machines, agreed to pay a criminal fine of $25.2 million to the DOJ and $23 million in disgorgement and prejudgment interest to the SEC to resolve allegations it violated the FCPA by covering up bribes to bank officials in China, Indonesia and Russia. The total fine of just over $48MM. The DOJ charged it in a two-count information with conspiring to violate the FCPA’s anti-bribery and books and records provisions and a substantive books and records offense. There were no charges under the anti-bribery provisions, which apply only to corrupt payments to foreign officials. The Diebold resolution took the form of a DPA with the DOJ, along with a fines and a Corporate Monitor. From its resolution with the SEC in addition to the profit disgorgement and prejudgment interest paid the company agreed to an agreed injunction to stop, once again, violating the FCPA.

G. Bilfinger SE

In early December, DOJ announced it had resolved an ongoing FCPA with German entity Bilfinger SE (Bilfinger). This case involved the same background facts and events as the Willbros corporate FCPA enforcement action and the related individual enforcement actions with some of its former employees. The facts in this case were bad, bad, bad. The Bilfinger enforcement action moves towards the ending of one of the sorriest examples of corporate malfeasance in the FCPA world. While it took a long time, justice has certainly been a long time coming. With the continued flight from justice of former Willbros employee James Tillery who renounce his US citizenship to try and escape prosecution by taking refuge in Nigeria; perhaps things are coming to an end. But with the conclusion of this corporate enforcement action against Bilfinger, perhaps there may be additional individual enforcement actions.

H. Archer-Daniels-Midland

In late December, it was announced by the DOJ and SEC that they had settled both a criminal and civil enforcement action with Archer-Daniels-Midland Company. The DOJ resolved the criminal action when a subsidiary of ADM pled guilty and agreed to pay more than $17 million in criminal fines to resolve charges that it paid bribes through vendors to Ukrainian government officials to obtain value-added tax (VAT) refunds, in violation of the FCPA. In a parallel civil FCPA action settled with the SEC and the SEC Press Release noted that “The payments were then concealed by improperly recording the transactions in accounting records as insurance premiums and other purported business expenses. ADM had insufficient anti-bribery compliance controls and made approximately $33 million in illegal profits as a result of the bribery by its subsidiaries.” In addition to the DOJ fine of $17.8MM, ADM agreed to pay “disgorgement of $33,342,012 plus prejudgment interest of $3,125,354.”

What Did It All Mean?

The clear message from these corporate enforcement actions is that early detection and remediation can lead to a significant reduction in fines and penalties. I believe that these corporate enforcement actions make clear that a company’s actions during the pendency of the investigation, in addition to the underlying FCPA violations, will be evaluated and assessed to determine the final penalty. The DOJ and SEC continue to communicate not only what they believe constitutes a best practices compliance program but equally importantly what actions a company can engage in which will significantly reduce a company’s overall fine and penalty. Both the DOJ and SEC continue to communicate, through their enforcement actions, to the compliance practitioner what they expect from companies in the way of a best practices compliance program and what a company should do if they discover a potential FCPA violation. These communications, through enforcement actions, DPAs, NPAs and Declinations, are consistent with the information provided by the DOJ/SEC in the FCPA Guidance. These enforcement actions demonstrate that if a company gets ahead of the curve, it can significantly lessen its overall penalty and pain.

© Thomas R. Fox, 2014

Leave a Comment

December 4, 2013

The Weatherford FCPA Settlement, Part III

Yesterday, I reviewed the conduct which Weatherford International Limited (Weatherford) engaged in over a period from 2002-2011 in connection with its Foreign Corrupt Practices Act (FCPA) investigation, noted the deficiencies in its compliance program and its internal controls and even how the company intentionally impeded the investigations of both the Department of Justice (DOJ) and Securities and Exchange Commission (SEC). Today, I want to look at how the company changed course in mid-stream during the investigation, brought in a top-notch and well respected lawyer as its Chief Compliance Officer (CCO), created a best-in-class compliance program; all of which saved the company millions of dollars in potential fines and penalties.

I. DOJ Fine Calculation

To resolve the criminal aspects of this case, Weatherford agreed to pay an $87.2 million criminal penalty as part of a Deferred Prosecution Agreement (DPA) with the DOJ. There was also another $65.6 million paid to the SEC. However the figure paid to the DOJ was at the very bottom range of a potential criminal penalty. The range listed in the DPA was from $87.2 to $174.3 million. In coming up with this range under the Federal Sentencing Guidelines, it is significant for the actions that Weatherford did not receive credit for during the pendency of the investigation. The company did not receive a credit for self-reporting. The company only received a -2 for its cooperation because prior to 2008 the company engaged in activities to impede the regulators’ investigation.

So the fine range could have been more favorable to the company. But the key is that Weatherford received the low end of the range. How did they do this?

A. New Sheriff in Town

One of the key things Weatherford did was bring in Billy Jacobson as its CCO and give him a seat at the table of the company’s Executive Board. He was a Federal Prosecutor in the Fraud Section, Criminal Division, US Department of Justice. He also served as an Assistant Chief for FCPA Enforcement Department so we can assume he understood the FCPA and how prosecutors think through issues. (Jacobson also worked as a State Prosecutor in New York City, with my former This Week in FCPA co-host Howard Sklar, so shout out to Howard.) Jacobson was not hired directly from the DOJ but after he had left the DOJ and had gone into private practice. There is nothing that shows credibility like bringing in a respected subject matter expert and giving that person the tools and resources to turn things around.

But more than simply bringing in a new sheriff, Weatherford turned this talk into action by substantially increasing its cooperation with the government, thoroughly investigating all issues, turning over the results to the DOJ and SEC and providing literally millions of pages of documents to the regulators. The company also cleaned house by terminating officers and employees who were responsible for the illegal conduct.

B. Increase in Compliance Function

In addition to establishing Jacobson in the high level CCO position, the company significantly increased the size of its compliance department by hiring 38 compliance professionals and conducted 30 anti-corruption compliance reviews in the countries in which Weatherford operates. This included the hiring of outside consultants to assess and review the company’s compliance program and beefing up due diligence on all third parties, including those in the sales and supply chain, joint venture (JV) partners and merger or acquisition (M&A) candidates. The company also agreed to continue to enhance its internal controls and books and records to prevent and/or detect future suspect conduct.

If you have ever heard any of the current Weatherford compliance professionals speak at FCPA conferences, you can appreciate that they are first rate; that they know their stuff and the company supports their efforts on an ongoing basis.

C. Best in Class Compliance Program

During the pendency of the investigation, Weatherford moved to create a best practices compliance program. They appear to have done so and agreed in the DPA to continue to maintain such a compliance program. Under Schedule C to the DPA, it set out the compliance program which the company had implemented and continued to keep in place, at least during the length of the DPA. It included the following components.

High level commitment from company officials and senior management to do business in compliance with the FCPA.
A substantive written anti-corruption compliance code of conduct.
Written policies and procedures to implement this code of conduct.
A robust system of internal controls, including accounting and financial controls.
Risk assessments and risk reviews of its ongoing business.
No less than annual assessments of its overall compliance program.
Appropriate oversight and responsibility of a Chief Compliance Officer.
Effective training for all employees and relevant third parties.
An effective compliance function which can provide guidance to company employees.
A robust internal reporting system.
Effective investigations of any reported compliance issue.
Appropriate incentives for employees to do business ethically and in compliance.
Enforced discipline for any employee who violates the company’s compliance program.
Suitable due diligence and management of third parties and business partners.
A correct level of pre-acquisition due diligence for any merger or acquisition candidate, including a risk assessment and reporting to the DOJ if the company uncovers and FCPA-violative conduct during this pre-acquisition phase.
As soon as practicable, Weatherford will integrate any newly acquired entity into its compliance regime, including training of all relevant new employees, a FCPA forensic audit and reporting of any ongoing violations.
Ongoing monitoring, testing and auditing of the company’s compliance function, taking into account any “relevant developments in the field and the evolving international and industry standards.”

D. Monitor

Weatherford also agreed to an external monitor. However, the term of the monitor is not the entire length of the three-year DPA; the term of the monitor is only 18 months. The monitor’s primary function is to assess the company’s compliance with the terms of the DPA and report the results to the DOJ at least twice during the terms of the monitorship. After this 18 month term the DOJ will allow the company to self-report to the regulators. It should be noted that the term of the external monitor can be extended by the DOJ.

II. Conclusion

It certainly has been a long, strange journey for Weatherford. I should note that I have not discussed at all the Oil-For-Food aspect of this settlement, which was an additional $100MM penalty to the company. However, with regard to the FCPA aspects of the matter, there are some very solid and telling lessons to be drawn from this case. First and foremost is that cooperation is always the key. But more than simply cooperating in the investigation is that a company should take a pro-active approach to putting a best-in-class compliance program in place during, rather than after the investigation concludes. Also, a company cannot simply ‘talk-the-talk’ but must come through and do the work to gain the credit. The bribery schemes that the company had engaged in and the systemic failures of its compliance program and internal controls, should serve as a good set of examples for the compliance practitioner to use in assessing a compliance program.

The settlement also sends a clear message from both the DOJ and SEC on not only what type of conduct will be rewarded under the US Sentencing Guidelines, but what they expect as a compliance program. One does not have read tea leaves or attempt to divine what might be an appropriate commitment to compliance to see what the regulators expect these day.

Leave a Comment

October 10, 2013

Will World Cup 2022 Become World Cup 2023?

Filed under: Agents,Best Practices,Bribery Act,Charitable donations,compliance programs,Culture,Ethical Leadership,Ethics,FCPA,Financial Times — tfoxlaw @ 5:49 am
Tags: corruption, FIFA, WSJ

SPOILER ALERT – This article reveals that the temperature becomes quite hot in Qatar in the summer months.

That paragon of compliance and ethics, the world’s richest and most influential single-sport ruling body Fédération Internationale de Football Association (FIFA), has been in the news recently because it has only just recently discovered, after an exhaustive multi-year investigation, that temperatures in the country of Qatar can reach between 40-50C during the summer months, and for those of you who don’t read Celsius temperatures that translates to between 104 to 122 degrees Fahrenheit. I have been in such temperatures and I can assure you that is hot weather. However, although FIFA awarded the 2022 World Cup tournament to Qatar back in 2011, it has only now become aware of the fact that there is hot weather in the summer months in Qatar.

The Wall Street Journal on Qatar’s Bid

I was also interested in the bid process which awarded the rights to host the 2022 World Cup to Qatar. In a January 13, 2011 article in the Wall Street Journal (WSJ), entitled “Qatar’s World Cup Spending Spree”, reporter Matthew Futterman detailed the “spending spree” of a reported one year amount of $43.3 million by Qatar, which led to its winning World Cup bid. Futterman’s article focused on information derived from the internal documents of Qatar’s bidding committee. Futterman reported that there was no evidence that Qatar violated the rules and regulations of FIFA to secure its winning bid. Rather, he reported on how Qatar “worked within FIFA’s broad guidelines” to secure its winning bid.

From the internal bid documents, obtained by the WSJ, Futterman reported that some of the tactics used by Qatar included:

1. Charitable Donations. Commitments were made to establish, build or continue to fund soccer academies, through a football-training academy, Aspire Academy for Sports Excellence, controlled by the Qatar Royal Family, for the home countries in which FIFA executives who would vote on the 2022 site selection. The WSJ article cited examples in Thailand and Nigeria. In Thailand, Futterman reported that Aspire would “build a football academy” and in Nigeria it would “expand grass-roots training”. These internal documents also revealed that the Aspire Academy would continue to work with three African countries which were home to FIFA executive committee members, who all had a vote on the 2022 site selection.

2. Use of Marketing Agents. The Qatar bid included the hiring of certain well known celebrities to assist in the effort. In order to “talk up” the Qatar bid to host the 2022 World Cup, the WSJ reported that it hired several international personalities as “Bid Ambassadors” to endorse the Qatar bid. These endorsements were important because they assisted Qatar to “establish its legitimacy within FIFA and connections to executive committee members.” The only Bid Ambassador named in the WSJ article was the former French star Zinedine Zidane. It was reported that Zidane received $3 million for his endorsements of the Qatar bid.

Review under the FCPA and Bribery Act

FIFA is generally recognized as a, non-US, Non-Governmental Organization (NGO) and, therefore, the US Foreign Corrupt Practices Act (FCPA) does not apply to it. But I thought it might be of use to review some of the tactics, as reported in the WSJ, that Qatar used to secure the 2022 World Cup bid, in the context of what might be allowed under the FCPA. Probably most fortunately for both FIFA and the Qatar, was that FIFA’s award was made before the UK Bribery Act became effective. However, it should be noted that the UK Bribery Act would apply to UK companies and citizens involved in the matter because there is no public/private distinction under the Bribery Act and unlike the FCPA, the Bribery Act does not require that a bribe be offered or paid to a foreign governmental official, only that a bribe or offer to bribe be made.

Charitable Donations – The Football Academies

Charitable donations are not banned by the FCPA or the Bribery Act. However any such donations must be made following the requirements of these laws. The FCPA Blog reported that when asked about the guidelines regarding requests for charitable giving, the FCPA then Deputy Chief of the Criminal Division’s Fraud Section at the US Department of Justice (DOJ), Mark Mendelsohn, said that any such request must be evaluated on its own merits. He advocated a “common sense” approach in identifying and clearing Red Flags. This would include determining if a governmental decision maker held a position of authority at the charity to which the donation would be made; whether the donation was consistent with a company’s overall pattern of charitable giving; who made the request for the donation; and how was it made.

Use of Marketing Agents – The Bid Ambassadors

Much has been written on the use of agents under the FCPA. The UK Ministry of Justice (MOJ) Consultative Guidance on the Six Principals for an “adequate procedures” or best practices anti-bribery and anti-corruption program also discuss agents. Recently, Michael Volkov, noted FCPA attorney, spoke on the topic of due diligence on third parties. Volkov believes the key for any compliance based issue is to document the evidence. If you ask questions and get answers, document the process. If you ask questions and do not receive answers, document that process too. But the key is to Document, Document, and Document.

Under the FCPA or Bribery Act, a significant investigation, in the form of background due diligence, must be employed. When a company does business with higher-risk third parties, you need to understand not just the parties involved, but the transactions that follow. This means that a company must also proceed with transactional due diligence. The most important thing to know is, will there be money left on the table? You need to know where that money is going. Under the FCPA if the end user is a Government, you need transaction-level due diligence if you want to be safe. However, the Bribery Act does not make this governmental/non-governmental distinction.

Remember the former French star Zidane and his $3 million payment? The question is what was he, and the other Bid Ambassadors, paid to do? According to the WSJ, they “helped Qatar establish its legitimacy within FIFA and connections to executive committee members”. Such a purpose might well require audit rights to determine where the money paid to the agent went and whether it can it be accounted for in a financial review. But there is one further analysis that being the amount paid to the agent. A commission rate can be a percentage of a successful bid or it can be a flat rate, fixed fee payment. In this situation we do not know what the financial reward to Qatar will be for hosting the 2022 World Cup. Indeed, the reward may not be financial but rather the prestige of hosting the quadrennial championship of the world’s most popular sporting event. So there may be no such measure of the Zidane payment. But if the figures cited in the WSJ article are correct, Zidane received an amount of almost 10% of the Qatar one-year budget. That must have purchased some serious connections. Such a high figure, in an applicable situation, might well lead to significant FCPA and Bribery Act scrutiny.

To say that FIFA was unaware that it gets hot in the summer in Qatar seems disingenuous at best. As reported by Roger Blitz, in a Financial Times (FT) article, entitled “Fifa faces quandry over World Cup in Qatar” Sepp Blatter, FIFA President has gone on record to say that awarding the 2022 World Cup to Qatar was “a mistake”. FIFA’s response to this newly discovered temperature issue would seem to equally demonstrate why it believes that all the other rules do not apply to it. There is talk that FIFA will simply move the 2022 World Cup Tournament from the summer of 2022 to the winter of 2023, no matter who or what it disrupts.

Qatar itself has instituted a $205bn infrastructure building program, including “new power plants and a new metro system. Billions more will be spent on hotels and stadiums.” But this construction effort has also come under criticism. The FT article also noted that The Guardian “reported that Nepalese workers were dying at the rate of one a day because of unsafe conditions on building sites”. Further, a local employment system known as kafala has impacted many laborers who have had their passports confiscated and have had delays in salary payments.

Apparently FIFA took none of these factors about Qatar’s bid into account when the award was made. I wonder what FIFA did base its decision on? But most importantly, I wonder if they will change the Tournament designation from World Cup 2022 to World Cup 2023?

Leave a Comment

August 9, 2013

Who Watches the Watchmen? A Look at Anti-Bribery Risks in the Legal Profession

Filed under: Agents,Due Diligence,FCPA,Trace International — tfoxlaw @ 1:01 am
Tags: best practices, compliance, compliance programs, Due Diligence, FCPA, Severin Wirz, TRACE International

Teodoro Obiang Mangue has led a life that few could easily relate to. At age 8, his father organized a coup against his uncle to assume the Presidency of Equatorial Guinea. Thirty years later, his father continues to maintain a tight grip over the country and Teodoro (nicknamed “Teodorin”) has become the heir apparent, comfortably coasting for the time being as Minister of Agriculture and Forestry.

Equatorial Guinea is a small country of about 600,000 people on the west coast of Africa. Much in Equatorial Guinea changed in the 1990s when large offshore oil deposits were discovered and the country quickly became one of the leading oil producers in sub-Saharan Africa. But while the elite in government enjoyed their newfound wealth, none have enjoyed it with quite as much flair as Teodoro. Among his list of expensive toys are several Bugattis, a couple Ferraris, Lamborghinis and Bentleys, a $38.5 million private jet, and a $30 million Malibu home bought in 2006 that was later ranked as the 6^th most expensive residential purchase in the United States that year. Not bad for someone whose official salary is only $60,000 a year. The true tragedy of the situation, however, is that the majority of Equatorial Guineans live below the poverty line, and the country ranks 136 of the 186 nations on the United Nation’s Human Development Index. This hasn’t stopped a playboy millionaire like Teodoro, though, who’s reportedly spent nearly $700,000 just to rent Microsoft co-founder Paul Allen’s 303-foot yacht for a weekend.

The Bribery Bar

For years, the international community has tried to expose Obiang’s illegitimate wealth, and in 2010, the United States Senate’s Permanent Subcommittee on Investigations published a scathing report on Obiang’s use of U.S. lawyers, bankers, real estate agents and escrow agents to launder $110 million in suspect funds out of Equatorial Guinea and into the United States. The report, entitled Keeping Foreign Corruption Out of the United States: Four Case Histories, shows how two U.S. lawyers, Michael Berger and George Nagler, actively helped Obiang to circumvent U.S. anti-money laundering controls at U.S. banks by allowing him to use their attorney-client and law office accounts as conduits for his funds. The two-step process of first transferring the funds to the lawyers’ attorney-client and law office accounts before transferring the funds to U.S. banks helped mask the fact that the funds were coming from Equatorial Guinea, which most banks flag as a high risk country due to its reputation for corruption. According to the report, Mr. Berger and Mr. Nagler assisted Mr. Obiang to hide his identity from the banks by, among other things, setting up shell companies for Mr. Obiang and failing to disclose to the banks that Mr. Obiang was the beneficial owner of those companies. “The Obiang case history,” summarized the Senate Subcommittee report, “demonstrates how a determined [politically exposed person] can employ the services of U.S. attorneys to bring millions of dollars in suspect funds into the United States through U.S. financial institutions.“

A few months after the Senate published its findings on Obiang, the International Bar Association, in cooperation with the Organization for Economic Co-operation and Development (OECD) and the United Nations Office on Drugs and Crime (UNODC), published the results of their own survey entitled Risks and threats of corruption and the legal profession. The survey’s goal was to alert readers “to the unfortunate fact that lawyers are indeed approached to act as agents/middlemen in transactions that could reasonably be suspected to involve international corruption.” Indeed, the results of the survey were disconcerting:

Nearly half of all respondents stated that corruption was an issue in the legal profession in their own jurisdiction;
More than a fifth of respondents said they have or may have been approached to act as an agent or middleman in a transaction that could reasonably be suspected to involve international corruption; and
Nearly 30 per cent of respondents said they’d lost business to corrupt law firms or individuals who have engaged in international bribery and corruption.

That lawyers are routinely involved in bribery schemes should come as little surprise to those in the FCPA bar. Some of the biggest cases brought under the Foreign Corrupt Practices Act have involved lawyers, including:

Hans Bodmer, a Swiss lawyer, who pleaded guilty in 2004 to helping move money in Viktor Kozeny’s scheme to bribe Azeri officials and gain control over the state-run oil company;
Jeffery Tessler, a British lawyer, who was hired by the TSKJ consortium to funnel bribes to high-ranking Nigerian officials regarding contracts to build liquefied natural gas facilities in Nigeria; and
Pablo Alegría Con Alonso and José Manuel Aguirre Juárez, two Mexican attorneys accused of assisting Walmart to deliver cash to mayors, city council members, urban planners, and all manner of government bureaucrats in Mexico in order to secure business in the country.

Legal Obligations

Why are members of the legal profession so often implicated in these bribery schemes? Part of the problem may be due to a lack of client transparency. In many countries, lawyers have no obligation to look into the source of their client’s funds, even if their client is a high-risk, politically exposed person. In the US, for example, lawyers have been excluded under the Patriot Act to conduct anti-money laundering due diligence, unlike banks and other financial institutions. Other countries that have no direct anti-money laundering measures applicable to lawyers include China, India and Canada.

Even when a lawyer is aware that their client is engaged in illegal behavior, many legal professionals may feel a contradictory obligation to refrain from revealing confidential information that they’ve gained as part of the attorney-client relationship. This issue was brought center-stage in the early 2000s after the Enron, WorldCom and Tyco scandals, which showed just how much attorneys knew of the illicit behavior going on without doing anything to stop it. Now, in the wake of Sarbanes Oxley, the American Bar Association’s Model Rules of Professional Conduct state that once a client has used the lawyer’s services in furtherance of a crime, the lawyer must withdraw completely from representation.

Still, many lawyers remain unaware of their responsibilities, especially those having to do with corruption. As a result, the IBA has made it a goal to continue to inform lawyers of their duties not to perpetuate bribery schemes. Earlier this year, it published an Anticorruption Guidance meant for bar associations around the world to develop anti-corruption initiatives that are relevant to practitioners in their jurisdictions, and last year, the IBA coordinated with the OECD, the UNODC and 40 law schools selected from various countries to pilot the use of anti-corruption training into the syllabus of law degrees.

Increasing Due Diligence

Another problem in this area is the fact that law firms are so rarely vetted themselves for anti-bribery. In fact, more than two-thirds of respondents in the 2010 IBA survey said that their law firms had never been subject to anti-corruption or anti-money laundering due diligence conducted by foreign clients; more than 90 per cent stated that less than 25 per cent of clients required them to certify that they had any anti-corruption compliance program at all. Often, that means that companies operating in foreign jurisdictions are choosing who to hire for legal advice based solely on reputation. In its 2010 report, the IBA wrote “that clients are unaware of their own due diligence responsibilities and/or that they do not consider lawyers as intermediaries who could engage in corrupt acts and/or be subject to anti-corruption rules and regulations.” The dilemma brings to mind the Latin phrase quis custodiet ipsos custodes? – “who watches the watchmen?“

As companies become increasingly aware of these risks, many are now asking to conduct at least some level of due diligence on their outside lawyers. And if this was something that at one time would have been frowned upon in the legal profession, many foreign lawyers, like other third party intermediaries, are seeing due diligence as a way to distinguish themselves from their peers. Earlier this Summer, TRACE International partnered with the Pan-African Lawyer’s Union (PALU) to offer free TRAC profiles to African lawyers and law firms. The TRAC certification offers PALU law firms an online platform to rapidly exchange baseline due-diligence information with potential clients. For those companies operating in the high-speed world of complex international commercial negotiations and international dispute resolution, TRAC is a quick and easy way to gain comfort with an outside law firm.

Conclusion

Lawyers, as guardians of the law, play a vital role in the fight against corruption. Yet the unfortunate reality is that some abuse their positions to perpetuate bribery schemes. Companies, aware that there is a growing expectation for them to conduct due diligence on a broader range of third parties, are now beginning to weigh outside counsel as potential risks. After all, if bribery doesn’t discriminate based on profession, then nor should a company’s due diligence program. All of that is a good thing for honest lawyers, companies that want to do right, and, in the end, the innocent victims of corruption.

Severin Wirz, Attorney and Manager, Advisory Services ,TRACE International, Inc. He can be reached via email at wirz@TRACEinternational.org and phone at 410) 990 0076.

TRACE is a non-profit membership association helping companies to raise their anti-bribery standards. As part of its commitment to transparency in the legal profession, TRACE is waiving the fee for all attorneys and law firms who would like to subscribe to TRAC. Simply visit www.tracnumber.com and apply the code: OPENLAW2013. This code will remain valid for the whole month of August.

Comments (1)

FCPA Compliance and Ethics Blog

December 12, 2014

Seamus Heaney and Compliance With a Seat at the Table

April 21, 2014

Nursery Rhymes, a Chinese Proverb, the HP FCPA Enforcement and the Myth of the Rogue Employee

April 4, 2014

Life Cycle Management of Third Parties – Step 5 – Management of the Relationship

April 3, 2014

Life Cycle Management of Third Parties – Step 4 – The Contract

April 1, 2014

Life Cycle of Third Party Management – Step 2 Questionnaire

February 27, 2014

Alfred the Great, GE and the Management of Third Party Risk

January 2, 2014

The 2013 FCPA Year in Review-Corporate Enforcement Actions

December 4, 2013

The Weatherford FCPA Settlement, Part III

October 10, 2013

Will World Cup 2022 Become World Cup 2023?

August 9, 2013

Who Watches the Watchmen? A Look at Anti-Bribery Risks in the Legal Profession

January

Blogroll

Pages

Admin

Read by Email

Recent Posts from FCPA Compliance and Ethics Report: FCPA Compliance and Ethics Report

Episode 240-Bill Coffin on Compliance Week 2016

Episode 239-Jonathan Armstong On EU Privacy Shield

Episode 238-John Allen on HR Touch Points in Compliance

Episode 237-Steve McCalmont on the Avior Risk Management Platform

Episode 236-Adam Turteltaub and SCCE CCO Survey