FCPA Compliance and Ethics Blog

December 9, 2014

Bobby Keys, the Rolling Stones and Establishing Trust

Bobby KeysBobby Keys died last week. What you probably did not know was that Keys was a Texan so we get to claim him. He was the saxophonist for the Rolling Stones and a number of other serious rockers. As Bruce Weber wrote in his New York Times (NYT) obituary, entitled “Bobby Keys, Hard-Living Saxophonist for Rolling Stones, Dies at 70, Keys “was a rock ’n’ roller in every sense of the term. Born (almost literally) in the shadow of Buddy Holly, he was a lifelong devotee and practitioner of music with a driving pulse and a hard-living, semi-law-abiding participant in the late-night, sex-booze-and-drug-flavored world of musical celebrity.”

But Keys was far more than just another rock and roll party animal. He “recorded with a Who’s Who of rock including Chuck Berry, Eric Clapton, John Lennon, George Harrison, Carly Simon, Country Joe and the Fish, Harry Nilsson, Joe Cocker and Sheryl Crow. He toured with Delaney and Bonnie and was recording with them in 1969”. For me his most famous work was with the Stones and his soaring sax solo in Brown Sugar. He worked on the albums “Sticky Fingers, Exile on Main Street, Goats Head Soup and Emotional Rescue”. He also joined the Stones for “almost a dozen tours over more than 30 years.” I was lucky enough to see Keys play with the Stones on their farewell tour last spring. Most interestingly he felt an instant kinship with Keith Richards, about an un-Texan a person as one can imagine.

I thought about Keys, both his life and his relationship with Keith Richards, when I read a couple of recent articles in the Financial Times (FT). The first one was by Luke Johnson and entitled “Trust can seem risky – but its absence is far more perilous.” Johnson said, “For commercial life to function at all, there has to be a general assumption of trust – that partners, staff, suppliers, customers and the authorities will do the right thing by each other. It is impossible to verify every transaction, and check each task: delegation is essential for all operations of scale. Those who are suspicious of everyone have to limit their ambitions, because they assume deceit is endemic. Such a pessimistic approach is a sorry and unprofitable state of human affairs. As Samuel Johnson said: “It is . . . happier to be sometimes cheated than not to trust.””

Trust is certainly important but as President Reagan noted, “Trust but verify”. In a Foreign Corrupt Practices Act (FCPA) or UK Bribery Act anti-corruption compliance program, this means that you need to obtain a full battery of information about any third party with which you might be doing business. Obviously performing due diligence is a well recognized step for any third party management protocol under the FCPA but with certain data and privacy restrictions coming out of locations as diverse as China and the EU, it may be the situation that you cannot perform full due diligence on third parties you may wish to do business with or through.

I have previously written extensively about the need for the management of the third party relationship after the contract is signed. However there are other steps that you can use to help in this process. These include steps one and two, which are the Business Justification and the Questionnaire. Viewed from another angle, they can provide further internal controls to your anti-corruption compliance program.

I believe it should be common sense that you have a business justification to hire or use a third party but it is also an important financial control. If that third party is in the sales chain of your international business it is important to understand why you need to have this particular third party represent your company. This concept is enshrined in the FCPA Guidance, which says, “companies should have an understanding of the business rationale for including the third party in the transaction. Among other things, the company should understand the role of and need for the third party and ensure that the contract terms specifically describe the ser­vices to be performed.” Conversely, if a business representative cannot articulate a reason why you should have a new or another third party representative, your company probably does not need that third party.

The Questionnaire fills several key roles in your overall management of third parties. Obviously it provides key information that you need to know about who you are doing business with and whether they have the capabilities to fulfill your commercial needs. Just as importantly is what is said if the questionnaire is not completed or is only partially completed, such as the lack of awareness of the FCPA, UK Bribery Act or anti-corruption/anti-bribery programs generally. The information provided (or not provided) in the questionnaire will assist you in determining what level of due diligence to perform. But the final requirement of your questionnaire provides an important internal control. It is one of the most basic controls and is what internal control expert Henry Mixon calls the ‘stop and think control’. Your Questionnaire should require a signature that all of the information included is true and correct. It is something else under the ‘pains and penalties for perjury’ but nonetheless it should give anyone signing it outside the United States pause before the put their name on the line.

In his article Johnson ends with the following, “Confidence in the other party is the magic ingredient that empowers an entrepreneurial business to succeed. An absence of trust leads to paralysis. Straight dealing, accountability and transparency are much more about truth and candour than box-ticking and an obsession with regulations. Any partner can betray you and stay within the law if they are assiduous and devious enough. Integrity in your working relationships consists of a broader understanding than the letter of the law. In the end, all that any entrepreneur can do is obey their gut instinct and, perhaps, to follow the example of Charlie Munger, vice-chairman of Berkshire Hathaway and Warren Buffett’s partner, who said: “By the standards of the rest of the world, we overtrust. So far it has worked very well for us”.”

Even if you cannot perform the level of due diligence that you might otherwise like to do because of country or regional regulations, you can still talk to your prospective third party business partner. This can go quite a long way in you determining whether you can trust them. You can visit them in their office to get a better feel for the size of their operations. In addition to talking with the principals of the third party, you can visit with the employees who will work on your account, if it they are different from the principals of the organization.

Just as Bobby Keys and the Rolling Stones had an ultimate level of trust that lasted well over 40 years, you can learn to develop one with your third parties. And just as such trust is absolutely key in making great music, it is also required to make any successful business relationship.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

November 6, 2014

Supplier Risk Management – Interconnected Processes

The Last EmpireI recently read a book review in the Times Literary Supplement (TLS) by Archie Brown, entitled “One into fifteen”, where he reviewed the book “The Last Empire” by author Serhii Plokhy. Plokhy’s book is about the dissolution and final days of the Soviet Union. One of the more interesting precepts from the book is end of the Soviet Union as announced on Christmas Day, 1991, by then Communist Party Secretary Mikhail Gorbachev. Brown wrote, “All too often the dissolution of the Soviet Union is conflated with the end of Communism and with the end of the Cold War. But the book points out that the Politiburo had ceased to be the ruling body of the USSR in March of 1990 and thus it was “entirely fallacious to speak of either Communism or the Cold War as having ended in December 1991. The transformation of the system was a precondition for the demise of the state, with the latter being an unintended consequence of the former. But these were distinctive, albeit interconnected processes.””

I considered ‘interconnected processes’ when I saw the Compliance Insider, Illustrative Case Study Series, entitled “Supplier Risk Management”, in which The Red Flag Group laid out in a visual format how a company can effectively identify and manage risks in its supply chain. The process is dubbed ‘Report, Review and Improve’ and consists of six steps.

Step 1 – Collect information on the suppliers. This step begins with a review and assessment of your own Vendor Master files to make an initial determination if a new or indeed other supplier is needed. If there is a business justification for bringing the supplier into a commercial relationship with your company, then you should gather performance data on the proposed vendor. The article suggests that a technological solution can help to provide risk-rated questionnaires to facilitate the process by building workflows and approvals directly into your questionnaires.

Step 2 – Validate the collected information. This is the investigative step. You should take the information provided to you by the proposed supplier and test it. You can check on references. You should also engage the supplier directly by interviewing the internal staff of the proposed supplier and review documents and records as appropriate. When necessary, you may also wish to consider the use of outside experts or internal consultants for recommendations or validations. This step should end with the creation of a risk score of the data you have gathered. Here a technological solution can assist by automating your analysis of completed questionnaire with a risk-based scoring of the answers to facilitate the validation process.

Step 3 – Rate the risk of the supplier. This is the analysis step where you should “compare the risks against your complete knowledge of the proposed supplier.” You should also compare your assessed risks against industry data and the risk-rank the proposed supplier or suppliers. A technological solution can also help to crunch large amounts of numbers or other data to give a first pass on your risk-ranking which can be further refined if required.

Step 4 – Implement risk management controls. The article posits that this step should include the conducting of background due diligence and integrity analysis by screening against known watch lists, sanctions lists and those of politically-exposed-persons (PEPs). A technological solution can help this step by managing the request and delivery of due diligence reports, aid in the reviewing, approving and tracking of completed reports and ensure ongoing compliance with automated daily reviews of such lists. Another suggested component of this step is to meet with your internal and external stakeholders to convey expectations. From this point you should be ready to enter the contracting phase, with appropriate compliance terms and conditions. To the extent required, you should also create and manage your compliance policy for the supplier at this stage as well.

Step 5 – Assess and monitor the supplier. In any relationship with a third party in the compliance world, this step is where the rubber hits the road and you have to manage the relationship. The article discusses custom eLearning that can allow you to quickly and efficiently create training programs for your suppliers based upon your compliance regime and not hypothetical training based on legal standards. A technological solution can also assist you in obtaining online certifications to certify that your supplier is in compliance with your company’s business requirements and internal controls. Finally such a solution can help to automate the process going forward to ensure that certification updates are provided, executed and tracked. But more than the ongoing certifications and training, you will need to monitor the transactions you engage in with a supplier. This may entail reviewing a large amount of data through transaction monitoring but it may also entail going to visit a supplier and going through the deep dive of an audit.

Step 6 – Continuous reporting, review and monitoring. All of this information you obtained must be fully documented. Of course, it must be documented to produce to a regulator if the government comes calling. However, this information can also be used to improve the supplier relationship and perhaps even your vendor system. One of the most interesting suggestions was to create a ‘Virtual Data Room’ dedicated to your suppliers. Not only would the creation of such a stored environment enable you to call up information requested by a regulator on short notice, you would also have it in an accessible format for supply chain process improvements. The article suggests trying such techniques as implementing performance incentive programs which can push compliance culture and behavior changes based upon the data you collect. Interesting the clothing company Levi Strauss instituted just such a policy for suppliers in the area of corporate social responsibility, it announcing it earlier this week.

If you do not subscribe to The Red Flag Group’s Compliance Insider publication, I suggest that you do so. It is one of the very best periodicals around on the building blocks of compliance. The six steps it has laid out for process of identifying and managing your supplier compliance risks under the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act demonstrates the thesis of Plokhy’s book reviewed in the TLS; that it is interconnected processes which usually mark change and management. In the case of the former Soviet Union, it may be been drawn by more human factors but there are now a variety of technological tools available to assist your facilitation of this process under any anti-bribery or anti-corruption compliance regime.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

August 21, 2014

What Can You Do When Risk Changes in a Third Party Relationship?

RiskThe GlaxoSmithKline PLC (GSK) corruption matter in China continues to reverberate throughout the international business community, inside and outside China. The more I think about the related trial of Peter Humphrey and his wife, Yu Yingzeng for violating China’s privacy laws regarding their investigation of who filmed the head of GSK’s China unit head in flagrante delicto with his Chinese girlfriend, the more I ponder the issue of risk in the management of third parties under the Foreign Corrupt Practices Act (FCPA). In an article in the Wall Street Journal (WSJ), entitled “Chinese Case Lays Business Tripwires”, reporters James T. Areddy and Laurie Burkitt explored some of the problems brought about by the investigators convictions.

They quoted Manuel Maisog, chief China representative for the law firm Hunton & Williams LLP, who summed up the problem regarding background due diligence investigations as “How can I do that in China?” Maisog went on to say, “The verdict created new uncertainties for doing business in China since the case hinged on the couple’s admissions that they purchased personal information about Chinese citizens on behalf of clients. Companies in China may need to adjust how they assess future merger partners, supplier proposals or whether employees are involved in bribery.”

I had pondered what that meant for a company that wanted to do business in China, through some type of third party relationship, from a sales representative to distributor to a joint venture (JV). What if you cannot get such information? How can you still have a best practices compliance program around third parties representatives if you cannot get information such as ultimate beneficial ownership? At a recent SCCE event, I put that question to a Department of Justice (DOJ) representative. Paraphrasing his response, he said that companies still need to ask the question in a due diligence questionnaire or other format. What if a third party refuses to answer, citing some national law against disclosure? His response was that a company needs to very closely weigh the risk of doing business with a party that refuses to identify its ownership.

The more that I thought about that answer the more I became convinced that it was not only the right answer under any type of FCPA compliance program but also the right response from a business perspective. A company must know who it is doing business with, for a wide variety of reasons. The current situation in China and even the convictions of Humphrey and Yu do not change this basic premise. You can ask the question. If a party does not want to disclose its ownership, you should consider this in any business relationship going forward.

The Humphrey and Yu conviction do not prevent you from asking the question about ownership. Their convictions mean that you may not be able to verify that information through what many people thought was publicly available information, at least publicly available in the west. I was struck by one line in the Areddy and Burkitt article, “It’s not just that the tactical business practices need to change; it’s the mind set” quoting again from Maisog.

I breakdown the management of third parties under the FCPA into five steps, which are:

  1. Business Justification and Business Sponsor;
  2. Questionnaire to Third Party;
  3. Due Diligence on Third Party;
  4. Compliance Terms and Conditions, including payment terms; and
  5. Management and Oversight of Third Parties After Contract Signing.

The due diligence step is but one of these five. Further due diligence is performed in large part to verify the information that you receive back from a proposed third party. So what if you can longer use avenues previously open to you in markets such as China? Perhaps there are other ways to manage this issue. Areddy and Burkitt also interviewed Jerry Ling, a partner at Jones Day, for the following “companies will need to analyze Chinese accounting documents themselves and conduct more in-person interviews with anyone they want to know more about in China.”

Ling’s point dovetails directly into what I heard from the DOJ representative. There is nothing about the Chinese law, or any other country’s law, which prevents you from asking some basic questions that are found in the Step 2 Questionnaire cited above. You can always ask who the owners of a company are, whether they are direct or beneficial. You can always ask if a company, its owners or its senior management have been involved in any incidents involving bribery and corruption and you can always ask if the company has a Code of Conduct and/or compliance program and whether its owners or senior management are aware of the FCPA and have had training on it.

Assuming the company will answer your questionnaire, the difficulty you may find yourself in now is verifying the information that you receive. In Ronald Reagan parlance, you may trust but you may not be able to verify it. Ling said in the WSJ article that “The challenge now for clients is that it’s hard to get good information.”

However, due diligence is but one step in the management of any third party in a FCPA compliance program. Just as when risk goes up and you increase your management around that risk, the situation is similar in here. Putting it another way, if you cannot obtain private information such as personal identification numbers during the due diligence process, you can put greater management around the other steps that you can take. Further, there has been nothing reported which would suggest that publicly filed corporate licenses or other information that might show ownership can no longer be accessed. Court records and public media searches also seem to still be available.

But what if you simply cannot determine if the information you are provided regarding ownership is accurate or even truthful? You can still work to manage the relationship through your commercial terms by setting your commission or other pay rates at a reasonable amount of scale. If you are dealing with a commissioned sales representative, you can probably manage this area of the relationship by setting the commission in the range of 5%. You can also manage the relationship by reviewing invoices to make sure there is an adequate description of the services provided so that they justify whatever compensation the third party is entitled to receive under the contract. You may also want to schedule such a third party for an audit ahead of other parties to help ensure adherence to your compliance terms and conditions.

There may be times when you cannot verify the true or ultimate beneficial owner of a third party. That does not have to be the end of the analysis. If that situation arises, you may want to see if there are other risk mitigation tools at your disposal. Put another way, if such a red flag arises, can it be cleared? Can it be managed? If your company is looking a major deal for multi-millions and your agent will receive a six or seven figure commission, the risk of not knowing with certainty may be too great because in such a case, an unknown owner could be a government official who has awarded the contract. But if your agent receives a considerably smaller commission and hence there is a considerably small amount of money to constitute a bribe, you may be able to manage that risk through a close and effective relationship management process.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

August 15, 2014

Lauren Bacall Whistling or How to Structure Customer Due Diligence

BacallYesterday we honored Robin Williams whom we lost earlier this week. Today we honor Lauren Bacall. She will always be a part of that great team of Bogey and Bacall. Most of us were introduced to her in the movie To Have and Have Not. I thought she was one of the most sultry and sexy icons of the 40s screen sirens. As Manohla Dargis wrote in her article for the New York Times (NYT) entitled, “That Voice and the Woman Attached,” that “When she opened her mouth in “To Have and Have Not” — taking a long drag on a cigarette while locking Humphrey Bogart in her gaze — she staked a claim on the screen and made an immortal Hollywood debut. But in 1944 at the exquisitely tender age of 19, she was also projecting an indelible screen persona: that of the tough, quick-witted American woman who could fight the good fight alongside her man.” She later married Bogart and together they were certainly Hollywood, if not American royalty, going forward. And she probably did more for the art of whistling than any person on Earth.

Yesterday I wrote about the Foreign Corrupt Practices Act (FCPA) investigation into certain transactions in Venezuela by Derwick Associates (Derwick) and a US company ProEnergy Services (ProEnergy). ProEnergy supplied turbines that Derwick resold to the Venezuelan government and then installed in that country. I wondered if US companies now need to become more concerned with not only who they do business with but how their customers might be doing business. In the parlance, you may now need to ramp up your ‘Know Your Customer’ information to continue throughout a seller-purchaser relationship.

Doug Cornelius, in a post on his Compliance Building blog, entitled “Proposed Regulations on Customer Due Diligence”, discussed “The U.S. Treasury Department’s Financial Crimes Enforcement Network has proposed revisions to its customer due diligence rules. Of course, the proposed rule would affect financial institutions that are currently subject to FinCEN’s customer identification program requirement: banks, brokers-dealers, and mutual funds.” While, investment advisers and private fund managers are not specifically mentioned in the proposed new regulation, Cornelius noted, “FinCEN suggested that it may be considering expanding these customer due diligence requirements to other types of financial institutions.” In other words, this new proposed regulation would not be directly applicable to a large number of US commercial enterprises doing business outside the United States.

However, the proposed regulation did provide some insight into how US companies, not otherwise subject to it, might think about ways to approach such an inquiry. Referencing an inquiry into anti-money laundering issues (AML) Cornelius wrote that AML programs should have four elements:

  1. Identify and verify the identity of customers;
  2. Identify and verify the identity of beneficial owners of legal entity customers;
  3. Understand the nature and purpose of customer relationships; and
  4. Conduct ongoing monitoring to maintain and update customer information and to identify and report suspicious transactions.

Clearly any FCPA based due diligence would focus on point 2. Cornelius zeroed in on it when he wrote “The definition of “beneficial owner” is proposed as have two prongs”:

  • Ownership Prong: each individual who, directly or indirectly, through any contract, arrangement, understanding, relationship or otherwise, owns 25% or more of the equity interests of a legal entity customer, and
  • Control Prong: An individual with significant responsibility to control, manage, or direct a legal entity customer, including an executive officer or senior manager (g., a Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, Managing Member, General Partner, President, Vice President, or Treasurer); or (ii) any other individual who regularly performs similar functions.

He also noted, “For identifying ownership of an entity, FinCEN has proposed a form of certification.” But he found such a “certification to be overly simplistic. It only asks for individuals with ownership in the entity. This would clearly miss ownership of the account holder by other entities who could be “bad guys.” The certification also only requires one senior officer.  That makes it too easy to appoint a straw man as executive officer to hide the underlying control by a “bad guy.”” But the FinCen proposed notice itself states “these existing core requirements are already laid out in the BSA [Bank Secrecy Act] as minimum requirements”.

I was equally interested in points 3 and 4. Under point 3, an entity subject to the regulation needs to “Understand the nature and purpose of customer relationships”. The proposed regulation further explained “to gain an understanding of a customer in order to assess the risk associated with that customer to help inform when the customer’s activity might be considered “suspicious.”” Such an inquiry could help a business to “understand the relationship for purposes of identifying transactions in which the customer would not normally be expected to engage. Identifying such transactions is a critical and necessary aspect of complying with the existing requirement to report suspicious activity and maintain an effective AML (or anti-corruption compliance) program.”

The final point 4 relates to ongoing monitoring. Once again consider the position of the US Company, ProEnergy, in the referenced FCPA investigation. What can or should it have done in the way of ongoing monitoring of its customer. The proposed regulation states “industry practice generally involves using activity data to inform what types of transactions might be considered “normal” or “suspicious.”

Furthermore, FinCEN understands that information that might result from monitoring could be relevant to the assessment of risk posed by a particular customer. The proposed requirement to update a customer’s profile as a result of ongoing monitoring (including obtaining beneficial ownership information for existing customers on a risk basis), is different and distinct from a categorical requirement to update or refresh the information received from the customer at the outset of the account relationship at prescribed periods”. Lastly the proposed regulation states, “Finally, as noted above with respect to the obligation to understand the nature and purpose of customer relationships, monitoring is also a necessary element of detecting and reporting suspicious activities”.

There does not have to be a direct bribe or other corrupt payment made by a US company to have liability under the FCPA. FCPA enforcement is littered with companies that have paid bribes through third parties. However, as the Fifth Circuit said in Kay v. US, “[W]e hold that Congress intended for the FCPA to apply broadly to payments intended to assist the payor, either directly or indirectly,” [emphasis mine]. ProEnergy would seem to be at the far edge of potential FCPA liability but if it knew, had reason to know, or even perhaps should have known about some nefarious conduct by its customer, it does not take too many steps to get to some FCPA exposure. The proposed FinCEN rules on customer due diligence for financial institutions might be a good starting point for other commercial entities to consider.

If all of the above is a bit too heavy for a Friday, well view this clip on how to whistle by clicking here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

August 13, 2014

Thinking Through Risk Rankings of Third Parties

7K0A0014-2One question often posed to me is how to think through some of the relationships a company has with its various third parties in order to reasonably risk rank them. Initially I would break this down into sales and supply chain to begin any such analysis. Anecdotally, it is said that over 95% of all Foreign Corrupt Practices Act (FCPA) enforcement actions involve third parties so this is one area where companies need to put some thoughtful consideration. However, the key is that if you employ a “check-the-box” approach it may not only be inefficient but more importantly, ineffective. The reason for this is because each compliance program should be tailored to an organization’s specific needs, risks and challenges. The information provided below should not be considered a substitute for a company’s own assessment of the corporate compliance program most appropriate for that particular business organization. In the end, if designed carefully, implemented earnestly, and enforced fairly, a company’s compliance program—no matter how large or small the organization—will allow the company, generally, to prevent violations, detect those that do occur, and remediate them promptly and appropriately.

Sales Side

I tend to view things in a straightforward manner when it comes to representatives on the sales side of your business. I believe that third party representatives you might have, whatever you might call them, i.e. sales reps, sales agents, sales agents, commissioned sales agents, or anything else, are high risk and therefore they should receive your highest level of scrutiny. This is also true with any party that might be called, charitably or not, ‘a partner’ whether that is a joint venture (JV) partner, plain old partner, Teaming Partner or another monickered ‘partner’. However, under this approach you should also consider the perception of corruption in the geographic area that you will use the third party. I recognize that you can overlay a financial threshold but the reality is that if a sales representative generates such a small amount of money for your business you probably do not need them as representative.

At least with distributors, I have seen merit in more sophisticated approaches such as that set out by David Simon, a partner at Foley & Lardner LLP, who advocates a risk analysis should more appropriately based on the nature of a company’s relationships with their distributors. The goal should be to determine which distributors are the most likely to qualify as agents; for whose acts the company would likely to be held responsible.  He argues that it is a continuum of risk; that is, on the low-risk end are distributors that are really nothing more than re-sellers with little actual affiliation with the supplier company. On the high-risk end are distributors who are very closely tied to the supplier company, who effectively represent the company in the market and end up looking more like a quasi-subsidiary than a customer.

Simon looks at agency principles to guide his analysis of whether a distributor qualifies as an agent for FCPA purposes. He argues that factors to consider include:

  • The volume of sales made to the distributor;
  • The percentage of total sales of the distributor’s total business the principal’s product represents;
  • Whether the distributor represents the principal in the market, including whether it can (and does) use the company trademarks and logos in its business; and

Whether the principal company is involved in the running of the distributor’s business (such as by training the distributor’s sales agents, imposing performance goals and objectives, or providing reimbursement for sales activity).

Once a company segregates out the high-risk distributors that likely qualify as agents and potentially subject the company to FCPA liability from those that are mere re-sellers and pose less FCPA risk, FCPA compliance procedures can be tailored appropriately. For those distributors that qualify as “agents” and also pose FCPA risk, full FCPA due diligence, certifications, training and contract language are imperative. For those that do not, more limited compliance measures that reflect the risk-adjusted potential liability are perfectly appropriate.

Supply Chain

This determination of the level of due diligence and categorization of a supplier should depend on a variety of factors, including, but not limited to, whether the supplier is (1) located, or will operate, in a high risk country; (2) associated with, or recommended or required by, a government official or his or her representative; (3) currently under investigation, the subject of criminal charges, or was recently convicted of criminal violations, including any form of corruption; (4) a multinational publicly traded corporation with a recognized exemplary system of compliance and internal controls, that has not been recently investigated or convicted of any corruption offense or that has taken appropriate corrective action to remedy such conduct; or (5) a provider of widely available services and products that are not industry specific, are offered to the public at large and do not fall under the definition of Minimal-Risk Supplier detailed below.

A High-Risk Supplier is an individual or an entity that is engaged to provide non-project specific goods or services to a company. It presents a higher level of compliance risk because of the presence of one or more of the following factors: (a) It is based or operates in a country (including the supply of goods or services to a company) that poses a high risk for corruption, money laundering, or commercial bribery; (b) It supplies goods or services to a company from a high-risk country; (c) It has a reputation in the business community for questionable business practices or ethics; or (d) It has been convicted of, or is alleged to have been involved in, illegal conduct and has failed to undertake effective remedial actions. Finally, it presents one or more of the following factors,: (1) It is located in a country that has inadequate regulatory oversight of its activities; (2) it is in an unregulated business; (3) its ultimate or beneficial ownership is difficult to determine; (4) the company has an annual spend of more than $100,000 with the supplier; (5) it was established or registered in a jurisdiction where ownership is not transparent or that permits ownership in the form of bearer shares; (6) it is registered or conducts business in a jurisdiction that does not have anti-corruption, anti-money laundering and anti-terrorism laws comparable to those of the United States and the United Kingdom; or (7) it lacks a discernable and substantial business history.

A Low-Risk Supplier is an individual or a non-publicly held entity that conducts business such as a sole proprietorship, partnership or privately held corporation, located in a Low-Risk Country. Some indicia include that it (1) supplies goods, equipment or services directly to a company in a Low-Risk Country; (2) a company has an annual spend of less than $100,000 with the supplier; and (3) the supplier has no involvement with any foreign government, government entity, or Government Official. However, if the supplier has other indicia of lower risk such that it is a publicly-held company, it may be considered a Low-Risk Supplier because it is subject to the highest disclosure and auditing and reporting standards such as those under the US Securities Exchange Act of 1934, including those publicly traded on a reputable and highly regulated stock exchange, such as the New York or London exchanges, and are, therefore, subject to oversight by highly regarded regulatory agencies.

Below the high and low risk categories I would add the category of ‘Minimal-Risk Suppliers’ who generally provide to a company goods and services that are non-specific to a particular project and the value of the transaction is $25,000 or less. Some examples might be for the routine purchase of fungible items and services, including, among others: Office supplies, such as paper, furniture, computers, copiers, and printers; Industrial or factory supplies, including cleaning materials, solvents, safety clothing and off-the-shelf equipment and parts; Crating and other standard materials for packing products for shipping; Leasing and rental of company cars and other equipment; and Airline or other travel tickets or services. This category would also include those third parties that provide widely available services and products that are not industry specific, are offered to the public at large. Here you might think of periodicals, florists, daily limousine and taxi, airline and food delivery (including coffee shops, pizza parlors and take out) services.

Last, but certainly not least, is the category of Government Service Providers, which includes entities that generally come into a company through the supply chain, who interact with a foreign government on behalf of your company. Examples might be customs brokers, providers who obtain and process business permits, licenses, visas, work permits and necessary clearances or waivers from government agencies; perform lobbying services; obtain regulatory approvals; negotiate with government agencies regarding the payment of taxes, tax claims, and tax audits. These third parties present some of your highest risks so they need to have not only the highest level of scrutiny but post contract-signing management as well.

The risk ranking of third parties is one of the areas that seems to continue to cause confusion, if not outright bewilderment. The manner in which the articulated risk rankings presented herein is not to be the ‘be-all and end-all’. As the FCPA Guidance reminds us, “An effective compliance program promotes “an orga­nizational culture that encourages ethical conduct and a commitment to compliance with the law.”…A well-constructed, thought­fully implemented, and consistently enforced compliance and ethics program helps prevent, detect, remediate, and report misconduct, including FCPA violations.” If you think through your risk rankings and can articulate a reasonable basis for doing so followed by documentation, I think your own risk ranking system will survive regulatory scrutiny.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

August 10, 2014

Where to Now St. Peter? – Due Diligence Going Forward in China

Tumbleweed ConnectionWhatever you might think of where his career went, Elton John had some great early stuff. I still rank Tumbleweed Connection right up there as one of my favorite albums of all-time. And while it was packed with some great tracks, one of my most favorite was Where to Now St. Peter? It was the opening track on Side 2 and dealt with whether a dying soldier would end up in heaven or hell. While perhaps having quite the spiritual overtones, I did think about this song when I read about the convictions on Saturday of Peter William Humphrey, a 58-year-old British national, and his wife, Yu Yingzeng, a 61-year-old naturalized American, on charges of illegally purchasing personal information about Chinese nationals.

In a one day trial the couple was convicted of illegally purchasing information on Chinese citizens. In an article in the Financial Times (FT), entitled “China court hands GSK investigator jail term and orders deportation”, Gabriel Wildau and Andrew Ward reported that husband Humphreys received a two and a half year jail term which was “just short of the three-year maximum”. In an article in the Wall Street Journal (WSJ), entitled “China Convicts Two Corporate Investigators”, James T. Areddy and Laurie Burkitt reported that he was also ordered to pay a fine of approximately $32,500 and will be deported from the country when his jail term is completed. Wife Yingzeng received a two year jail term and was ordered to pay a fine of approximately $23,000 but will be allowed to remain in the country after her sentence is completed.

In a New York Times (NYT) article, entitled “In China, British Investigator Hired by Glaxo, and Wife, Sentenced to Prison”, David Barboza reported that the couple “acknowledged that from 2009 to 2013, they obtained about 250 pieces of private information about individuals, including government-issued identity documents, entry and exit travel records and mobile phone records, all apparently in violation of China’s privacy laws.” According to the NYT article, wife Yu claimed that she did not know her actions where illegal and was quoted as saying, “We did not know obtaining these pieces of information was illegal in China. If I had known I would have destroyed the evidence.” According to the WSJ, the privacy law which was the basis of the conviction, was enacted in 2009 “to make it illegal to handle certain personal medical records and telephone records” but that the law itself “remains vague” on what precisely might constitute violation.

From the court statements, however, it did appear that the couple had trafficked in personal information. As reported by the WSJ, “In separate responses over more than 10 hours, My Humphreys and Ms. Yu denied that their firm trafficked in personal information, saying they had hired others to obtain personal data when clients requested it.” From the documents presented by the prosecution, it would seem clear that the couple had obtained my items which were more personal in nature. They were alleged by prosecutors to have “used hidden cameras to gather information as well as government records on identification numbers, family members, real-estate holdings, vehicle owner, telephone logs and travel records.”

Recognizing the verdicts under Chinese laws are usually predetermined and the entire trials are scripted affairs, there is, nonetheless, important information communicated to the outside world by this trial. First and foremost is, as reported in the NYT article is a “chilling effect on companies that engage in due diligence work for global companies, many of whom believe the couple may have been unfairly targeted.” The WSJ article went further quoting Geoffrey Sant for the following, “It impacts all attempts to do business between the U.S. and China because it will be very challenging to verify the accuracy of company or personal financial information.” In other words, things just got a lot tougher to perform, what most companies would expect to be a minimum level of due diligence.

Second is the time frame noted in the court statements as to the time of the violations, from 2009 to 2013. Many had assumed that Humphreys and Yingzeng’s arrests related to their investigation work on behalf of the British pharmaceutical giant GlaxoSmithKline PLC (GSK) which was trying to determine who had filmed a sex tape of the company’s head of Chinese operations, which was then provided to the company via an anonymous whistleblower. This would seem to beg the question of whether the couple would have been prosecuted if they not engaged in or accepted the GSK assignment.

But as Elton John asked, “Where to now St. Peter?” You should always remember that performing due diligence is but one of five steps in the management of the third party life cycle. If you cannot perform due diligence at a level that you do in other countries or that you could even have done in China before the Humphreys and Yu trial, you can beef up the other steps to help proactively manage your third parties. I often say that your real work with third parties begins when the contract is executed because then you have to manage the relationship going forward. So, if you cannot perform the level of due diligence you might like, you can put more resources into monitoring the relationship, particularly in the area of invoice review and payments going forward.

In a timely article found in this month’s issue of the SCCE magazine, Compliance and Ethics Professional, Dennis Haist and Caroline Lee published an article, entitled “China clamps down on bribery and corruption: Why third-party due diligence is a necessity” where they discussed a more robust response to the issue as well. They note that the retention of third party’s to do business in China is an established mechanism through which to conduct business. They advise “For multinationals with a Chinese presence, or plans to enter the market in the near future, now is the time to pay close attention to the changing nature of the business landscape as it relates to bribery and corruption.” Further, they suggest that “In order to ensure compliance with ABAC [anti-bribery/anti-corruption] regulatory scrutiny, multinationals must demonstrate a consistent, intentional and systematic approach to third-party compliance.” But in addition to the traditional background due diligence, they believe that companies should consider an approach that moves to proactively managing and monitoring third parties for compliance. Lastly, at the end of the day if a regulator comes knocking from the Department of Justice (DOJ) or Serious Fraud Office (SFO), you will need to demonstrate the steps you have put in place and your active management of the process.

In the FT, WSJ and NYT articles it was clearly pointed out that the invisible elephant in the room was GSK. Also it is not clear what the personal tragedy that Humphreys and Yu have endured will mean for GSK or the individuals caught up in that bribery scandal going forward. Humphreys had previously said that he would not have taken on the GSK sex tape assignment if it had been disclosed to him that the company had sustained allegations of corruption by an internal whistleblower. Perhaps one lesson may be that in the future companies will have to disclosure more to those they approach to perform such investigative services.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

July 31, 2014

Lessons Learned from the Beautiful Game: Compliance, FIFA and the World Cup

World Cup e-BookThe 2014 World Cup is over and in the books. It was a great tournament for probably everyone across the globe but the host nation of Brazil. While there are many lessons to be learned from this event, the lead up to and events of this year’s World Cup provide some interesting insights for the compliance practitioner. I have collected some of my writings on FIFA, the World Cup and the world of the ‘Beautiful Game’ in one volume, entitled, “Lessons Learned from the Beautiful Game: Compliance, FIFA and the World Cup”. It is now out and available from amazon.com in Kindle e-reader format.

In this short volume I take a look at some for the following topics.

  • FIFA and its selection process for the 2022 World Cup in Qatar.
  • Performing due diligence and World Cup bids.
  • Referee Professionalism as an anti-corruption tool
  • What are some of the consequences for failure to set a proper tone-at-the-top.
  • Leadership lessons from managers of some of the world’s top soccer clubs.
  • Lessons learned from both compliance successes and failures.

I am sure that you will find this e-Book gives you some ideas for your anti-corruption compliance program, no matter which FIFA country you might practice compliance in. Finally, you cannot beat the price, as it is only $3.99. You can order a copy by going to amazon.com or by simply clicking here.

July 16, 2014

Mergers and Acquisitions Under the FCPA, Part III

M&AToday I conclude my three-part series on mergers and acquisitions under the Foreign Corrupt Practices Act (FCPA) with a review of the post-acquisition phase.

Previously many compliance practitioners had based decisions in the M&A context on DOJ Opinion Release 08-02 (08-02), which related to Halliburton’s proposed acquisition of the UK entity, Expro. In the spring of 2011, the Johnson & Johnson (J&J) DPA changed the perception of compliance practitioners regarding what is required of a company in the M&A setting related to FCPA due diligence, both pre and post-acquisition. On June 18 2012, the DOJ released the Data Systems & Solutions LLC (DS&S) DPA which brought additional information to the compliance practitioner on what a company can do to protect itself in the context of M&A activity.

08-02 began as a request from Halliburton to the DOJ from issues that arose in the pre-acquisition due diligence of the target company Expro. Halliburton had submitted a request to the DOJ specifically posing these three questions: (1) whether the proposed acquisition transaction itself would violate the FCPA; (2) whether, through the proposed acquisition of Target, Halliburton would “inherit” any FCPA liabilities of Target for pre-acquisition unlawful conduct; and (3) whether Halliburton would be held criminally liable for any post-acquisition unlawful conduct by Target prior to Halliburton’s completion of its FCPA and anti-corruption due diligence, where such conduct is identified and disclosed to the Department within 180 days of closing.

I. Halliburton 

Halliburton committed to the following conditions in 08-02, if it was the successful bidder in the acquisition:

  1. Within ten business days of the closing. Halliburton would present to the DOJ a comprehensive, risk-based FCPA and anti-corruption due diligence work plan which would address, among other things, the use of agents and other third parties; commercial dealings with state-owned customers; any joint venture, teaming or consortium arrangements; customs and immigration matters; tax matters; and any government licenses and permits. The Halliburton work plan committed to organizing the due diligence effort into high risk, medium risk, and lowest risk elements.

a)     Within 90 days of Closing. Halliburton would report to the DOJ the results of its high risk due diligence.

b)    Within 120 days of Closing. Halliburton would report to the DOJ the results to date of its medium risk due diligence.

c)     Within 180 days of Closing. Halliburton would report to the DOJ the results to date of its lowest risk due diligence.

d)    Within One Year of Closing. Halliburton committed full remediation of any issues which it discovered within one year of the closing of the transaction.

Many lawyers were heard to exclaim, “What an order, we cannot go through with it.” However, we advised our clients not to be discouraged because 08-02 laid out a clear road map for dealing with some of the difficulties inherent in conducting sufficient pre-acquisition due diligence in the FCPA context. Indeed the DOJ concluded 08-02 by noting, “Assuming that Halliburton, in the judgment of the Department, satisfactorily implements the post-closing plan and remediation detailed above… the Department does not presently intend to take any enforcement action against Halliburton.”

II.Johnson & Johnson (J&J)

In Attachment D of the J&J DPA, entitled “Enhanced Compliance Obligations”, there is a list of compliance obligations in which J&J agreed to undertake certain enhanced compliance obligations for at least the duration of its DPA beyond the minimum best practices also set out in the J&J DPA. With regard to the M&A context, J&J agreed to the following:

  1. J&J will ensure that new business entities are only acquired after thorough FCPA and anti-corruption due diligence by legal, accounting, and compliance personnel. Where such anti-corruption due diligence is not practicable prior to acquisition of a new business for reasons beyond J&J’s control, or due to any applicable law, rule, or regulation, J&J will conduct FCPA and anti-corruption due diligence subsequent to the acquisition and report to the Department any corrupt payments, falsified books and records, or inadequate internal controls as required by … the Deferred Prosecution Agreement.
  2. J&J will ensure that J&J’s policies and procedures regarding the anti-corruption laws and regulations apply as quickly as is practicable, but in any event no less than one year post-closing, to newly-acquired businesses, and will promptly, for those operating companies that are determined not to pose corruption risk, J&J will conduct periodic FCPA Audits, or will incorporate FCPA components into financial audits.
  3. Train directors, officers, employees, agents, consultants, representatives, distributors, joint venture partners, and relevant employees thereof, who present corruption risk to J&J, on the anticorruption laws and regulations and J&J’s related policies and procedures; and
  4. Conduct an FCPA-specific audit of all newly acquired businesses within 18 months of acquisition.

These enhanced obligations agreed to by J&J in the M&A context were less time sensitive than those agreed to by Halliburton in 08-02. In the J&J DPA, the company agreed to the following time frames:

  1. 18 Month – conduct a full FCPA audit of the acquired company.
  1. 12 Month – introduce full anti-corruption compliance policies and procedures into the acquired company and train those persons and business representatives which “present corruption risk to J&J.”

III. Data Systems & Solutions LLC (DS&S)

In the DS&S DPA there were two new items listed in the Corporate Compliance Program, attached as Schedule C to the DPA, rather than the standard 13 items we have seen in every DPA since at least November 2010. The new additions are found on items 13 & 14 on page C-6 of Schedule C and deal with mergers and acquisitions. They read in full:

  1. DS&S will develop and implement policies and procedures for mergers and acquisitions requiring that DS&S conduct appropriate risk-based due diligence on potential new business entities, including appropriate FCPA and anti-corruption due diligence by legal, accounting, and compliance personnel. If DS&S discovers any corrupt payments or inadequate internal controls as part of its due diligence of newly acquired entities or entities merged with DS&S, it shall report such conduct to the Department as required in Appendix B of this Agreement.
  2. DS&S will ensure that DS&S’s policies and procedures regarding the anticorruption laws apply as quickly as is practicable to newly acquired businesses or entities merged with DS&S and will promptly:
  3. Train directors, officers, employees, agents, consultants, representatives, distributors, joint venture partners, and relevant employees thereof, who present corruption risk to DS&S, on the anti-corruption laws and DS&S’s policies and procedures regarding anticorruption laws.
  4. Conduct an FCPA-specific audit of all newly acquired or merged businesses as quickly as practicable.

This language draws from and builds upon the prior Opinion Release 08-02 regarding Halliburton’s request for guidance and the J&J “Enhanced Compliance Obligations” incorporated into its DPA. While the DS&S DPA does note that it is specifically tailored as a solution to DS&S’s FCPA compliance issues, I believe that this is the type of guidance that a compliance practitioner can rely upon when advising his or her clients on what the DOJ expects during M&A activities.

 

FCPA M&A Box Score Summary

Time Frames Halliburton 08-02 J&J DS&S
FCPA Audit
  1. High Risk Agents – 90 days
  2. Medium Risk Agents – 120 Days
  3. Low Risk Agents – 180 days
18 months to conduct full FCPA audit As soon “as practicable
Implement FCPA Compliance Program Immediately upon closing 12 months As soon “as practicable
Training on FCPA Compliance Program 60 days to complete training for high risk employees, 90 days for all others 12 months to complete training As soon “as practicable

 

The Guidance, coupled with the 08-02 and the two enforcement actions, speak to the importance that the DOJ puts on M&A in the FCPA context. The time frames for post-acquisition integration are quite tight. This means that you should do as much work as you can in the pre-acquisition stage. The DOJ makes clear that rigor is needed throughout your entire compliance program, including M&A. This rigor should be viewed as something more than just complying with the FCPA; it should be viewed as just making good business sense.

Nat Edmonds, in an interview in the Wall Street Journal (WSJ) entitled, “Former Justice Official: How to Buy Corrupt Companies”, emphasized that if a company does not have the opportunity to make these types of inquiries in the pre-acquisition stage the “DOJ and SEC generally recognize that sometimes it’s not possible to do complete due diligence beforehand. However, if there are good faith efforts to conduct due diligence, integrate compliance programs and take remedial actions by removing those wrongdoers — if all of that is done on a quick basis [authorities] give very strong credit. The best example of this is the 2009 purchase by Pfizer of Wyeth. I was prosecutor on the Pfizer Wyeth [bribery] case. Pfizer was able to do some due diligence before the acquisition but because both are massive organizations it was not possible to do complete due diligence prior to acquisition. But after the acquisition within 180 days they had identified much of the wrongdoing at Wyeth and ensured it was halted. As a result of that we gave them credit. On the criminal side Pfizer was not held criminally liable for any of the conduct at Wyeth. Most of what Pfizer was held responsible for was as a result of a previous acquisition of Pharmacia, which they acquired in 2002 and 2003. At the time of the Pharmacia acquisition, acquirers did not typically conduct anti-corruption due diligence on targets. And during the investigation most of the violations of FCPA [Pfizer] was held criminally liable for began prior to the acquisition of Pharmacia –some was afterwards. Pfizer was held responsible for the misconduct at Pharmacia both before and afterwards. The Pfizer case is interesting because it shows both the good and bad.”

I believe that he information is out there for the steps to take in a merger or acquisition to avoid FCPA liability. You should place emphasis on both the pre and post acquisition phases; equally because as with most FCPA compliance program components, they just make good business sense.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

July 11, 2014

Friday Comings and Goings

7K0A0032I wish I could be there.

Next week, the FCPA Professor is leading his first FCPA Institute this summer over two days, July 16 and 17. The event will be held in Milwaukee and hosted by the law firm of Foley and Lardner.

The Professor’s stated goal in leading this first Institute is “to develop and enhance fundamental skills relevant to the FCPA and FCPA compliance in a stimulating and professional environment with a focus on learning. Information at the FCPA Institute is presented in an integrated and cohesive way by an expert instructor with FCPA practice and teaching experience.” Some of the topics, which will be covered, include the following:

  • An informed understanding of why the FCPA became a law and what it seeks to accomplish;
  • A comprehensive understanding of the FCPA’s anti-bribery and books and records and internal controls provisions and related enforcement theories;
  • Various realties of the global marketplace which often give rise to FCPA scrutiny;
  • The typical origins of FCPA enforcement actions including the prominence of corporate voluntary disclosures;
  • The “three buckets” of FCPA financial exposure and how settlement amounts in an actual FCPA enforcement action are typically not the most expensive aspect of FCPA scrutiny and enforcement;
  • Facts and figures relevant to corporate and individual FCPA enforcement actions including how corporate settlement amounts are calculated;
  • How FCPA scrutiny and enforcement can result in related foreign law enforcement investigations as well as other negative business effects from market capitalization issues, to merger and acquisition activity, to FCPA related civil suits; and
  • Practical and provocative reasons for the general increase in FCPA enforcement.

In other words, it is what you have come to expect from the FCPA Professor; well-thought out reasoned analysis, practical knowledge and learning, and provocative thinking and assessment. But more than all of the above I believe you will receive some great insight into and why the FCPA Professor continually challenges the status quo in many areas about the FCPA. He and I often look at the same thing and see different views but by seeing more than one view, I believe you will come away with a deeper overall understanding of the entire FCPA picture.

For complete information on the FCPA Institute, click here.

As Monty Python might say And Now For Something Completely Different. If you would like a much shorter view of some FCPA and anti-corruption related topics, check out some of my most recent podcasts, the FCPA Compliance and Ethics Report. 

In Episode 74, I visit with Paul McNulty about his upcoming move to become the President of his alma mater, Grove City College.

In Episode 72, I visit with the GRC Pundit, Michael Rasmussen about why companies have such a disconnect when it comes to the theory and practice of their GRC practices.

In Episode 69, I visit with Joe Oringel about his company’s exciting new approach to transaction monitoring in the anti-corruption space.

In Episode 68, I interview Neil Swidey, author of Trapped Under the Sea about his experiences in researching and writing his book.

In Episode 66, the FCPA Professor shares his thoughts on the Esquenazi decision.

In Episode 63 and 64, I have a two-part discussion of the management of third parties under the FCPA.

For those few of you on the planet not aware of it, the World Cup final will be held this coming Sunday. Mike Brown and I have been discussing the World Cup, FIFA and anti-corruption in our World Cup Report series. You can check out Part I, Part II, Part III, Part IV, or Part V.

All of the episodes of the FCPA Compliance and Ethics Report are available for download on iTunes at no cost so if you want to catch up on all things FCPA and compliance related on the drive to work, you can do so. A happy Friday and enjoyable weekend to all.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

June 11, 2014

Private-to-Private – How Business is Driving FCPA Compliance

Ben HoganToday we celebrate greatness. On this day in 1950, Texan Ben Hogan fully returned to the world of professional golf by winning the US Open, just 16 months after sustaining near fatal injuries in a car crash. His injuries were indeed horrific. Hogan suffered a broken collarbone, ankle, ribs and a double fracture to his pelvis. While in the hospital, a blood clot appeared in his leg, forcing doctors to tie off the surrounding veins to keep the clot from reaching his heart. Hogan’s legs atrophied, and doctors worried he would never walk again, let alone play golf at a professional level. Yet Hogan was able to walk 36 holes on the final day of regulation play and win the tournament the next day in an 18-hole playoff. Hogan is one of two golfers to win three of golf’s major championships in one year, won after his 1949 automobile accident.

A few weeks ago I wrote and put out a podcast about how the Houston energy community had developed a business solution to Foreign Corrupt Practices Act (FCPA) compliance. In the energy industry, the exploration and production companies (E&P) are usually thought of as existing at the top of the food chain (i.e. Mega-Big). Below them are the service companies, which actually do the work of exploration (i.e. Very-Big). The next level down are companies who work with the service companies, from the multi-billion chemical production firm down to the $15MM company which has a piece of software which does something useful. All of these companies down the chain are required to have a compliance program.

In practice it works something like this. A service company needs a product or service. As part of the regular contracting process, the service company will inquire into the contractor’s compliance function and policy. If the contractor provides a service which deals with a foreign government in any way or has foreign government touch points, the service company may well come and audit the contractor’s compliance program prior to executing the contract. Thereafter the contractor is subject to being audited for not only the execution of the contract but also the continued maintenance of its compliance program. All of this is done for business reasons. It is a business response to a legal issue, that being compliance with the FCPA.

Last week I received a copy of a paper by Scott Killingsworth, one of the true great practitioners in the field of compliance. Last year, he was listed by Ethisphere as one of its “Attorneys Who Matter” in ethics and compliance. His 2013 paper, “article, “Modeling the Message: Communicating Compliance through Organizational Values and Culture”” received a 2013 Burton Award for Distinguished Legal Writing. Killingsworth’s latest article is entitled “The Privatization of Compliance” and in it he sets out the legal and theoretical underpinnings for what I call the business solution to FCPA compliance. In his introduction he stated, “Embodied in contract clauses and codes of conduct for business partners, these obligations often go beyond mere compliance with law and address the methods by which compliance is assured. They create new compliance obligations and enforcement mechanisms and touch upon the structure, design, priorities, functions and administration of corporate ethics and compliance programs. And these obligations are contagious: increasingly accountable not only for their own compliance but also that of their supply chains, companies must seek corresponding contractual assurances upstream. Compliance is becoming privatized, and privatization is going viral.” And he calls this “private-to-private or P2P compliance.”

Killingsworth says this is a change from a “vertical, state-imposed” mandate to “an integral adoption of best practices both as a cultural norm and critically, as a path to profit”. [Italics mine] He notes that when such obligations come from a business partner, “This message has the potential to re-orient some attitudes and remove some ethical blinders. As more businesses are forced by their counterparties to examine their compliance processes and routinely accept business and legal consequences for them, we can expect increases in overall investment in compliance, in the scope and robustness of the average compliance program, and in ambient awareness of compliance issues outside the compliance, audit, and legal staffs. The viral nature of the process, in which each participant can exert pressure on a large number of direct and indirect upstream or downstream parties, while simultaneously fielding demands from other members of its value chain, suggests that the trend will continue and its influence will grow.”

Specifically in the area of anti-bribery/anti-corruption compliance programs, he writes “The debates about best practices are settled, save for skirmishes over when they can be practically applied.” Such best practices can be seen in the area of third-party due diligence and anti-bribery provisions, which are written into contracts with “domino-style flow-down requirements.” These obligations can arise through directly incorporating anti-corruption compliance obligations or by reference to one party’s compliance regime, or both. Such contractual provisions can cover a variety of issues, such as “ethical rules governing relationship issues such as conflicts of interest and gifts and entertainment; requirements to obey specific laws of concern and laws generally; and procedural rules such as the right to audit the partner’s records or train its personnel. Process and structural rules may be imposed on the partner’s compliance activities, such as requirements to establish management accountability, develop appropriate policies and procedures, maintain an anonymous reporting system and an anti-retaliation policy, train employees, conduct periodic audits, risk assessments and remediation, and of course, sometimes to cascade these program elements to downstream associates.”

Killingsworth details several areas that compliance professionals and contract lawyers should look for when confronted with P2P clauses and he does warn that some negotiators “will always be zero-sum business partners whose prime goal is risk transfer and who will do everything within their power to achieve it through contracts and P2P Codes.” However, he ends his paper with an upbeat note that he believes P2P codes and contract clauses can further the goals of greater compliance with anti-corruption laws.

I found his paper to be a ‘must read’ for anyone in the compliance field. He lays out a theoretical framework, coupled with some of the practical issues which need to be addressed moving forward for what I believe is a business solution to a legal problem. Kudos to Killingsworth for his continued contributions to the field of compliance and ethics where he is truly one of the greats.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

 

© Thomas R. Fox, 2014

Next Page »

Blog at WordPress.com.