FCPA Compliance and Ethics Blog

July 29, 2015

What Would Dr. Seuss Say about an Allowance?

What Pet Should I Get?Earlier this month we had the release of a second book by Harper Lee, “Go Set a Watchman”, which was miraculously discovered having been written some 50+ years ago. This week, there was another release from a (now deceased) author from a newly discovered source. I of course refer to the release yesterday of the new Dr. Seuss book “What Pet Should I Get?, published Random House, which informs today’s compliance lesson.

The book was discovered by Seuss’ widow, as noted in the Sunday New York Times (NYT) Book Review article, entitled “Dr. Seuss Book: Yes They Found it in a Box, when she decided to “have the rest of his notes and sketches appraised, that they closely examined the contents of that box. They found a set of brightly colored alphabet flash cards, some rough sketches titled “The Horse Museum,” and a manila folder marked “Noble Failures,” with whimsical drawings that he had been unable to find a place for in his stories. But alongside the orphaned sketches was a more complete project labeled “The Pet Shop,” 16 black-and-white illustrations, with text that he had typed on paper and taped to the drawings. The pages were stained and yellowed, but the story was all there, in Dr. Seuss’ unmistakable rollicking rhymes.” This finding became the book, What Pet Should I Get?

Reading this discovery made me ponder about how a child would pay for the pet they wanted and of course my thoughts turned to that age-old parenting quandary – the allowance. It is always a question of great interest for both parents and children. As with many things involving parent/child relationships, my views have evolved. As a teenager, I certainly had the view that an allowance was a God-given right and the more the better. I would only note that my parents did not share those views. As the father of a teenaged daughter, my views reached the much fuller expression of spoiling my daughter as often as possible. Which one is correct? I still do not have a final answer.

I thought about the ongoing debate and dialogue over the allowance when I read the Foreign Corrupt Practices Act (FCPA) enforcement action brought by the Securities and Exchange Commission (SEC) against Mead Johnson Nutrition Company (Mead Johnson). The matter was resolved via SEC Administrative proceeding that concluded with a Cease and Desist Order being agreed to by the parties. Mead Johnson agreed to pay a fine of $12.3MM which consisted of profit disgorgement of $7.7MM, prejudgment interest of $1.26MM and a civil penalty of $3MM. Kara Brockmeyer, Chief of the SEC Enforcement Division’s FCPA Unit, said in a SEC Press Release, “Mead Johnson Nutrition’s lax internal control environment enabled its subsidiary to use off-the-books slush funds to pay doctors and other health care professionals in China to recommend its baby formula and give the company marketing access to mothers.”

The enforcement action turned on violations of the accounting provisions of the FCPA. This is where the ‘allowance’ issue comes into the discussion. According to the Cease and Desist Order, “certain employees of Mead Johnson China improperly compensated HCPs, who were foreign officials under the FCPA, to recommend Mead Johnson’s infant formula to, and to improperly provide contact information for, expectant and new mothers.” One of Mead Johnson’s sales channels in China was through distributors. To facilitate this illegal conduct, funding to the distributors, called the “Distributor Allowance”, was diverted to make illegal payments. The Cease and Desist Order stated, “Although the Distributor Allowance contractually belonged to the distributors, certain members of Mead Johnson China’s workforce exercised some control over how the money was spent, and certain Mead Johnson China employees provided specific guidance to distributors concerning the use of the funds. Mead Johnson China staff also maintained certain records related to Distributor Allowance expenditure by distributors. In addition, Mead Johnson China used some of the funds to reimburse Mead Johnson China’s sales personnel for a portion of their marketing and other expenditures on behalf of Mead Johnson China.”

This tactic was clearly a violation of the company’s books and records obligations under the FCPA. By doing so, Mead Johnson was able to hide its payments to doctors and health care providers (HCPs) from not only regulators but the company’s shareholders as well. As the Cease and Desist Order noted, the company’s “records were incomplete and did not reflect that a portion of Distributor Allowance was being used contrary to Mead Johnson’s policies.” Finally, the Cease and Desist Order concluded, “Up through 2013, certain Mead Johnson China employees made payments to HCPs using funds maintained by third parties. These funds and payments from the funds were not accurately reflected on Mead Johnson China’s books and records. The books and records of Mead Johnson China were consolidated into Mead Johnson’s books and records. As a result of the misconduct of Mead Johnson China, Mead Johnson failed to make and keep books, records, and accounts, which, in reasonable detail, accurately and fairly reflected its transactions as required by Section 13(b)(2)(A) of the Exchange Act.”

However Mead Johnson did not stop with books and records violations. The Distributor Allowance manipulation allowed the China business unit to “improperly compensate HCPs was contrary to management’s authorization and Mead Johnson’s internal policies. Mead Johnson failed to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that Mead Johnson China’s funding of marketing and sales expenditures through third-party distributors was done in accordance with management’s authorization.” Once again the Cease and Desist Order concluded, “Up through 2013, Mead Johnson failed to devise and maintain an adequate system of internal accounting controls to ensure that Mead Johnson China’s method of funding marketing and sales expenditures through third-party distributors was not used for unauthorized purposes, such as improperly compensating Chinese HCPs to recommend Mead Johnson’s products. As a result of such failure, the improper payments to HCPs occurred contrary to management’s authorizations, in violation of Section 13(b)(2)(B) of the Exchange Act.”

In an interesting twist Mead Johnson, based on an allegation of potential FCPA violations in China, performed an internal investigation on its China unit in 2011 and came up with no evidence. Somewhat dryly the SEC noted that the company did not make any self-disclosure around these allegations and “did not thereafter promptly disclose the existence of this allegation in response to the Commission’s inquiry into this matter.”

Yet after a second internal investigation in 2013 they turned up evidence of FCPA violations, the company “undertook significant remedial measures including: termination of senior staff at Mead Johnson China; updating and enhancing financial accounting controls; significantly revising its compliance program; enhancing Mead Johnson’s compliance division, adding positions including a second senior-level position; establishing new business conduct controls and third party due-diligence procedures and contracts; establishing a unit in China that monitors compliance and controls in China on an on-going basis; and providing employees with a method to have immediate access the company’s policies and requirements.”

While there was no statement regarding self-disclosure, the company did cooperate extensively with the SEC after the company was called to task. The Cease and Desist Order noted, “Mead Johnson subsequently provided extensive and thorough cooperation. Mead Johnson voluntarily provided reports of its investigative findings; shared its analysis of documents and summaries of witness interviews; and responded to the Commission’s requests for documents and information and provided translations of key documents. These actions assisted the Commission staff in efficiently collecting valuable evidence, including information that may not have been otherwise available to the staff.”

There are several lessons to be learned from the Mead Johnson enforcement action. If it was not clear from the GlaxoSmithKline PLC (GSK) imbroglio in China in 2013-14, your internal investigation must be thorough. Performing an investigation, finding no FCPA violations only to have a regulator sitting on your shoulder and later finding such evidence is never good. The SEC also reaffirmed its clear intention to continue to enforce the accounting provisions of the FCPA, with or without a parallel Department of Justice (DOJ) enforcement action. Companies must also take heed on their internal controls. Clearly certain China business unit employees had developed a work-around of the compliance internal controls by requiring the distributors to use their allowances to pay bribes. Internal controls must not only exist but they must be effective. That means you have to test their effectiveness, not simply tick the box that you have put them in place.

Finally, and I think Dr. Seuss’ compliance lesson is that when you give out an allowance, while you may restrict some of its uses, you certainly should not direct where the money is spent. Every kid knows that if you are told where to spend your allowance, it is really not your allowance. Perhaps Mead Johnson would do well to remember that long lost lesson from childhood.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

June 19, 2015

Tribute to John David Crow and an Innovation Strategy for Your Compliance Program

John David CrowJohn David Crow died Wednesday. Until Johnny Football, he was the only football player from Texas A&M University to win the Heisman Trophy. He played under the legendary Paul ‘Bear’ Bryant at A&M and for all of Bryant’s success, Crow was the his only player to win the award given annually to the nation’s best collegiate football player. Crow had a productive professional football career making the Pro-Bowl four times. He was also the Athletic Director at A&M from 1989 to 1993. So here’s to John David Crow, one of the Junction Boys and one of the greatest players in the history of Texas A&M. Finally, let me say something I almost never say, Gig ‘Em, John David.

I thought about John David Crow and his legacy of greatness when I read an article in the June issue of the Harvard Business Review (HBR), entitled “You Need an Innovation Strategy”, by Gary P. Pisano. While Pisano’s article dealt more generally with innovation in marketing, I found it highly relevant for the Chief Compliance Officer (CCO) or compliance practitioner, particularly in the context a Foreign Corrupt Practices Act (FCPA) compliance program. Earlier this week, the Department of Justice (DOJ) announced the resolution of a FCPA investigation involving IAP Worldwide Services, Inc. (IAP) via a Non-Prosecution Agreement (NPA). In the NPA, the company committed to implementing and enhancing a best practices FCPA compliance program. Listed at element 18 of its compliance program is the following: “The Company will conduct periodic reviews and testing of its anti-corruption compliance code, policies, and procedures designed to evaluate and improve their effectiveness in preventing and detecting violations of anti-corruption laws and the Company’s anti-corruption code, policies, and procedures, taking into account relevant developments in the field and evolving international and industry standards.”[Emphasis supplied]

This means that the DOJ expects innovation in your compliance program to keep up with evolving international and industry standards. This requires you to implement an innovation strategy. While Pisano’s article does not specifically focus on compliance, I found that its concepts would help a CCO or compliance practitioner sustain the mandate for innovation in a compliance regime. Pisano’s article begins by stating the problem that many companies face is that “innovation remains a frustrating pursuit.” While acknowledging that failure to execute is an issue, Pisano believes the issue is deeper than simply a failure to execute, he believes there is a “lack of an innovation strategy.”

I found some of his basic definitions most useful for the compliance practitioner to think through innovation in the compliance function. Pisano wrote, “A strategy is nothing more than a commitment to a set of coherent, mutually reinforcing policies or behaviors aimed at achieving a specific competitive goal. Good strategies promote alignment among diverse groups within an organization, clarify objectives and priorities, and help focus efforts around them. Companies regularly define their overall business strategy (their scope and positioning) and specify how various functions – such as marketing, operations, finance, and R&D – will support it. But during my more than two decades studying and consulting for companies in a broad range of industries, I have found that firms rarely articulate strategies to align their innovation efforts with their business strategies.”

The key to success is something that every CCO or compliance practitioner should take to heart. Paraphrasing Pisano for the compliance practitioner is that the compliance function “should articulate an innovation strategy that stipulates how their [compliance] innovation efforts will support the overall business strategy.” Moreover, “creating an innovation strategy involves determining how innovation will create value for customers [of compliance, i.e. Employees], how the company will capture that [compliance] value, and which types of [compliance] innovation to pursue.”

Pisano posed several questions around this key area of connecting innovation to strategy. Initially he asked, “How will innovation create value for potential customers?” In my formula, customers become employees or others who will make use of your compliance innovation going forward. Here you should focus on the benefit for your end-using customer. Your innovation can make compliance faster, easier, quicker, more nimble and so on. But focus on that creation of value going forward. Pisano’s next question was “How will the company capture a shore of the value its innovations generate?” He suggests companies think through how to “keep their own position in the [compliance] ecosystem strong” through innovation. Pisano next asked, “What types of innovation will allow the company to create and capture value, and what resources should each type receive?” Here Pisano notes two major forms of innovation equally applicable to the CCO or compliance practitioner. They are a change in technology and a change in a business process. Both are equally valid.

Another problem that Pisano addresses is termed “overcoming prevailing winds” and this means that innovation can be driven downward or backward if there is not sufficient management support. This means not only must there be sufficient resource allocations but management must also incentivize the business units to proceed with implementing the innovations, particularly “when an organization needs to change its prevailing patterns.”

Another area Pisano addresses is “managing trade-offs” because it is inherent in any innovation strategy that there will be trade-offs. Here he terms the two key differences as “supply-push” and “demand-pull”. The supply-push approach comes when your innovation is focused on something that does not yet exist, for example if you are initially implementing a FCPA compliance regime. The demand-pull approach works more closely with your existing customer base to determine what they might need and work to implement innovation around those needs.

Interestingly Pisano ends his article with a discussion about “the leadership challenge”. I say interestingly because I would have thought that was required up front as it is the function of senior management to create the capacity for innovation in the first instance. Pisano writes, “There are four essential tasks in creating and implementing an innovation strategy.” Task 1 is to “answer the question “How are we expecting innovation to create value for customers and for our company?” and then explain that to the organization.” Task 2 “is to create a high-level plan for allocating resources to the different kinds of innovation.” Task 3 is “to manage trade-offs. Because every function will naturally want to serve its own interests, only senior leaders can make the choices that are best for the whole company.” Finally, task 4 dovetails with what almost every DOJ/SEC speaker I have ever heard say when they talk about the basics of any best practices compliance program. It is that “innovation strategies must evolve. Any strategy represents a hypothesis that is tested against the unfolding realities of markets, technologies, regulations, and competitors. Just as product designs must evolve to stay competitive, so too must innovation strategies. Like the process of innovation itself, an innovation strategy involves continual experimentation, learning, and adaptation.”

Pisano’s article provides the CCO or compliance practitioner with a framework to think through to help bring the innovation to a compliance program. I would have put leadership first, both in the compliance department and at senior management level. But however you go about it, you must recognize that your compliance program will have to evolve. That is one of the key differences between those who advocate static compliance standards embodied in a written compliance program and those who advocate that it is Doing Compliance that creates an active, vibrant and effect compliance program.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

June 18, 2015

The War of 1812 and the IAP Worldwide Services Non-Prosecution Agreement

Battle of New OrleansOn this day, 203 years ago, President James Madison signed a Declaration of War against Great Britain inaugurating the War of 1812. The cause of the war was multi-faceted; the formal reason given was the British impressment of American sailors and the economic blockade of Europe. But the real reason may have simply been the warmongers who had been agitating for war against Britain for several years as an excuse to attack (and hopefully take over) Canada. For those of you who did not study geography too closely, that latter hope was forlorn as Canadians twice repulsed American invasions during the war.

That does not mean the War of 1812 was ultimately unsuccessful for the ‘War Hawks’. America got two great songs out of the war. The first was our National Anthem, the Star Spangled Banner, which celebrated victory over the British at Baltimore. The second was the top hit single of 1959, The Battle of New Orleans, which celebrated Andrew Jackson’s defeat of the British in the Battle of New Orleans, which was fought after the signing of the peace treaty that ended the war. Also that peace treaty, which America and Great Britain signed has remained unbroken to this day.

I thought about this view of the results of the War of 1812 when I read the Foreign Corrupt Practices Act (FCPA) enforcement action involving IAP Worldwide Services, Inc. (“IAP” or “the company”) and its former Vice President (VP), James Rama. The company received a Non-Prosecution Agreement (NPA) as a result of the enforcement action but agreed to a fine of $7.1MM. Rama pled guilty to a single count of conspiracy to violate the FCPA and is awaiting sentencing but his sentence will be capped out at “five years of imprisonment, a fine of the greater of $250,000 or twice the gross gain or loss, full restitution, a special assessment, and three years of supervised release” according to his Plea Agreement.

What it is difficult to determine from the company NPA and Rama Plea Agreement is what conduct the company engaged in which led to the NPA because clearly both the company and Rama engaged in conduct that violated the FCPA. In its Press Release the Department of Justice (DOJ) said, “Based on a variety of factors, including but not limited to IAP’s cooperation, the Criminal Division entered into a non-prosecution agreement with the company.” In the NPA these factors were given some meat with the following boilerplate language, “(a) the Company has cooperated with the Offices, including conducting an extensive internal investigation, voluntarily making U.S. and foreign employees available for interviews, and collecting, analyzing, and organizing voluminous evidence and information for the Offices; (b) the Company has engaged in remediation, including disciplining the officers and employees responsible for the corrupt payments or terminating their employment, enhancing its due diligence protocol for third-party agents and consultants, and instituting heightened review of proposals and other transactional documents for relevant Company contracts; (c) the Company has committed to continue to enhance its compliance program and internal controls, including ensuring that its compliance program satisfies the minimum elements set forth in Attachment C to this Agreement; and (d) the Company has agreed to continue to cooperate with the Offices in any ongoing investigation of the conduct of the Company and its officers, directors, employees, agents, and consultants relating to possible violations under investigation by the Offices.”

Since I cannot determine from beyond the above description what the company did to achieve its NPA, I will use the same analysis that I did in ascertaining what we Americans got out of the War of 1812. For the NPA did go into detail about the bribery scheme used by the company and Rama, which were clearly violative of the FCPA. Rama was a VP of the company until he signed and became an independent contractor to the organization, through his consulting entity, Ramaco. Ramaco was created, in part, to hide the involvement of IAP in the bidding process with the Kuwaiti Ministry of the Interior to provide nationwide surveillance for the country.

The bid for this project had two phases. In Phase I, a consultant would assist the Kuwaiti government to select the final contractor who would implement the nationwide surveillance for the country in Phase II. By hiding its involvement through Ramaco, IAP could reap the benefits of winning both phases, which it did. However the illegals acts of IAP and Ramaco did not end with this subterfuge but were in fact just beginning.

The Phase I contract awarded to Ramaco was worth $4MM. IAP and Ramaco agreed to rebate one-half of the amount, through a Kuwaiti third party agent back to certain representatives of the Kuwaiti government as bribe payments. In addition to this 50% figure of the contract price, IAP and Ramaco understood that this Kuwaiti third party contractor would “inflate its invoices to IAP by charging IAP for the total amount of both the legitimate services that Kuwaiti Company was providing and the payments that Kuwaiti Company was funneling to Kuwaiti Consultant without listing or otherwise disclosing the payments that were funneled to Kuwaiti Consultant.” According to the NPA, these monies were specifically “provided as bribes to Kuwaiti government officials to assist IAP in obtaining and retaining the KSP Phase I contract and to obtain the Phase II contract.”

The NPA also specified meetings which were held in the company’s headquarters in Arlington VA and that monies to be paid as bribes were wired out of a company bank account in the US to Kuwait.

All of these facts would lead me to opine that this case was egregious. There was a US company, setting up a scheme to pay bribes through both a US person, who was a former employee, and a foreign third party agent. Meetings to facilitate the scheme were held in the US and monies to fund bribes were wired out of a US bank account. There was nothing reported in the NPA which indicated that the company self-disclosed this FCPA violation. While there were statements of cooperation and remediation going forward, there was nothing other than the standard boilerplate language generally seen in NPAs.

So while the NPA does provide the Chief Compliance Officer (CCO) or compliance practitioner a good set of facts to test against in their organization, that would appear to be about it. Other than, of course, it is always better to cooperate than not. So much like what we Americans got out of the War of 1812, not much substance can be ascertained from the company’s NPA and Rama’s Plea Agreement.

For a YouTube clip of Johnny Horton singing The Battle of New Orleans, on the Ed Sullivan Show, click here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

May 26, 2015

Economic Downturn Week, Part I – Mapping of Your Internal Compliance Controls

Economic DownturnThis week I will present a series on steps that you can take in your compliance program if you find yourself, your company or your industry in an economic downturn. All of the recommendations I will make are ideas that have been put into action by companies currently facing these issues. They are ideas that you can use if you have scarce or lessened economic resources for your compliance function. Today I will take my cue from the recent Securities and Exchange Commission (SEC) enforcement action against BHP Billiton (BHP) as a key indicator of where greater and more rigorous SEC enforcement is heading. That is in the area of the enforcement of internal controls and steps that you can take right now, even with reduced head count and budgetary resources, to improve your Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other anti-corruption compliance program.

However, before we get to that subject, I want to remember Marques Haynes, who died last week. Haynes was a basket baller extraordinaire who played with the Harlem Globetrotters off and on for 40 years. As was set out in his New York Times (NYT) obituary last week, Haynes “whose dazzling ball-handling skills, exhibited for more than 40 years as a member of the Harlem Globetrotters and other barnstorming black basketball teams, earned him a place in the Naismith Basketball Hall of Fame and an international reputation as the world’s greatest dribbler”. He was the first Globetrotter inducted into the Naismith Memorial Basketball Hall of Fame. I saw Haynes play in the later stages of his career with the Globetrotters; both on ABC’s Wide World of Sports and through their non-stop touring when they came to even my Podunk hometown. So here’s to you Marques and I am sure you have called ‘Next’ for that great pickup game in the sky several times now.

As they made clear with several FCPA enforcement actions from last fall, the SEC has placed a renewed interest in the accounting provisions of the FCPA, specifically the internal controls provisions. The BHP enforcement continued this trend, where there was no evidence that bribes were paid or offered in violation of the FCPA, tet the poor internal compliance controls at BHP led to a $25MM fine. Indeed Kara Brockmeyer, the Chief, FCPA Unit; Division of Enforcement of the SEC, who spoke at the recently concluded Compliance Week 2015, in a session entitled “A New Look at FCPA Enforcement”, reiterated that the SEC was committed to protecting investors in US public companies and those which list other securities in the US, through enforcement of the accounting provisions, including internal controls provisions of the FCPA. It would seem that the reason is straightforward; a company with rigorous internal compliance controls is better able to prevent, detect and remedy any FCPA violations that may occur.

So, in the midst of an economic downturn, what can you do around the FCPA’s requirements for internal controls and current SEC emphasis? I would suggest that you begin with an exercise where you map the internal controls your company has in place to the indicia of the Ten Hallmarks of an Effective Compliance Program, as set out in the FCPA Guidance. While most compliance practitioners are familiar with the Ten Hallmarks, you may not be as familiar with standards for internal controls. I would suggest that you begin with the COSO 2013 Framework as your starting point.

As a lawyer or compliance practitioner you may not be familiar with all the internal controls that you have in place. This exercise would give you a good opportunity to meet with the heads of Internal Audit, Finance and Accounting (F&A), Treasury or any other function in your company that deals with financial controls. Talk with them about the financial controls you may already have in place. An easy example is employee expense reports. Every company I have ever worked at or even heard about requires expenses for reimbursement to be presented, in documented form on some type of expense reimbursement form. This is mandatory for IRS reporting; so all entities perform this action. See how many controls are in place. Is the employee who submits the expense reimbursement required to sign it? Does his/her immediate supervisor review, approve and sign it? Does any party in the employee’s direct reporting chain review, approve and sign? Does anyone from accounts payable review and approve, both for accuracy and to make sure that all referenced expenses are properly receipted? Is there any other review in accounts payable? Is there any aggregate review of expense reports? Is there a monetary limit over which additional reviews and approvals occur?

Now if an employee has submitted expenses for activities that occurred outside the US are there are any foreign government officials involved? Were those employees identified on the expense reimbursement form? Was the business purpose of the meal, gift or other hospitality recorded? Can you aggregate the monies spent on any one foreign official or by a single employee in your expense reporting system? All of these are internal controls that can be mapped to the appropriate prong of the Ten Hallmarks or other indicia of your compliance program.

You can take this exercise through each of the five objectives under the COSO 2013 Framework and its attendant 17 Principles. From this mapping you can then perform a gap analysis to determine where you might need to implement internal compliance controls into your anti-corruption compliance program. This can lead to remedial steps that you can take. For example you can recommend procedures be written for all key compliance areas in which there are currently no procedures and your existing procedures can be updated to include compliance issues and clear definition how controls are to be evidenced. Through this you can move from having detect controls in place, to having prevent controls, whenever possible.

As a Chief Compliance Officer (CCO) or compliance practitioner, this is an exercise that you can engage in at no cost. You simply investigate and note what internal controls you have in place and how they may be a part of your anti-corruption efforts going forward. As I said last week, compliance is a straightforward exercise. This does not mean that it is easy; you do have to work at it so that you will simply not have a paper, “check the box”, program. But using the excuse that you have limited resources is simply an excuse and a rather poor one at that. While the clear lesson from the BHP enforcement action is that you are required to have effective internal controls in place, by engaging in this mapping exercise you can then figure out what you have and, more importantly, what internal compliance controls that you do not have and need to institute.

Finally, if you do have resources and need some help, you can reach me at the email below.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

May 22, 2015

On the Oregon Trail: the BHP Enforcement Action and High-Risk Hospitality

Oregon TrailToday we celebrate American exceptionalism. As noted in ‘This Date in History’, on this date in 1834 the first wagon train, made up of 1,000 settlers and 1,000 head of cattle, set off down the Oregon Trail from Independence, Missouri, on the Great Emigration. After leaving Independence, the giant wagon train followed the Santa Fe Trail for some 40 miles and then turned to its northern route to Fort Laramie, Wyoming. From there, it traveled on to the Rocky Mountains, which it passed through by way of the broad, level South Pass that led to the basin of the Colorado River. The travelers then went southwest to Fort Bridger and on to Fort Boise, where they gained supplies for the difficult journey over the Blue Mountains and into Oregon. The Great Emigration finally arrived in October, completing the 2,000-mile journey from Independence in five months.

The settlers who took off on this Great Emigration on the Oregon Trail did not have anything in the way of a road map. Fortunately for the modern day anti-corruption compliance practitioner, you do have road maps that can guide your compliance with the Foreign Corrupt Practices Act (FCPA) going forward. Over the past few years the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have put out significant and detailed information on compliance failures, which have led to FCPA enforcement actions. For any Chief Compliance Officer (CCO) or compliance practitioner, these enforcement actions provide solid information of lessons learned which can be used as teaching points for companies. Further, these lessons can be used as road maps to review compliance programs to see what gaps, if any, may exist and how to implement solutions.

This trend continued with the release of the SEC FCPA enforcement action involving BHP Billiton Ltd. (BHP) this week. First and foremost to note is that it was a SEC enforcement action involving violations of the internal controls provision of the FCPA. There was no evidence of bribery leading to any DOJ enforcement action. Yet as I have been writing and saying for almost one year, SEC enforcement of the internal controls provision of the FCPA is increasing and companies need to pay more attention to this part of the FCPA. A bribe or offer to bribe does not have to exist for an internal controls violation to occur. CCOs and compliance practitioners need to be cognizant of compliance internal controls and put effective compliance internal controls in place that can be audited against to test their effectiveness.

The BHP enforcement action revolved around the company’s hospitality program for the Beijing 2008 Olympics. Every CCO and compliance practitioner should study this enforcement action in detail so that they can craft appropriate compliance internal controls for high dollar entertaining for big time sporting events. For any company that may be planning for high dollar hospitality spends for the 2016 Brazil Olympics, this enforcement action lays out what you should and should not do in your compliance program. But this holds true for any major sporting event such as the Super Bowl, World Cup or you name the event.

BHP had a paper program that appeared robust. As laid out in the Cease and Desist Order, “BHPB developed a hospitality application which business managers were required to complete for any individuals, including government officials, whom they wished to invite.” The application included these questions to be fully answered:

  • “What business obligation exists or is expected to develop between the proposed invitee and BHP Billiton?”,
  • “Is BHP Billiton negotiating or considering any contract, license agreement or seeking access rights with a third party where the proposed invitee is in a position to influence the outcome of that negotiation?”
  • “Do you believe that the offer of the proposed hospitality would be likely to create an impression that there is an improper connection between the provision of the hospitality and the business that is being negotiated, considered or conducted, or in any way might be perceived as breaching the Company’s Guide to Business Conduct? If yes, please provide details.”; and
  • “Are there other matters relating to the relationship between BHP Billiton and the proposed invitee that you believe should be considered in relation to the provision of hospitality having regard to BHP Billiton’s Guide to Business Conduct?”

So the right forms were in place and some of them were fully filled out. However, as the Cease and Desist Order made clear, an effective compliance program does not end at that point. Now would be an appropriate time to recall that high risk does not mean you cannot engage in certain conduct. High risk means that to have an effective compliance program, you have to manage that risk. A basic key to any effective compliance program is oversight or a second set of eyes baked in to your process. BHP formally had this oversight or second set of eyes in the form of an Olympic Sponsorship Steering Committee (OSSC) and Global Ethics Panel Sub-Committee.

Where BHP failed was that “other than reviewing approximately 10 hospitality applications for government officials in mid-2007 in order to assess the invitation process, the OSSC and the Ethics Panel subcommittee did not review the appropriateness of individual hospitality applications or airfare requests. The Ethics Panel’s charter stated that its role simply was to provide advice on ethical and compliance matters, and that “accountability rest[ed] with business leaders.” Members of the Ethics Panel understood that, consistent with their charter, their role with respect to implementation of the hospitality program was purely advisory. As a result, business managers had sole responsibility for reconciling the competing goals of inviting guests – including government officials – who would ““maximize [BHPB’s] commercial investment made in the Olympic Games” without violating anti-bribery laws.”

But there was more than simply a failure of oversight by BHP. The Cease and Desist Order noted that not all of the forms were filled out with the critical information around a whether a proposed recipient might have been a government official. Even more critically missing was information on whether the proposed recipient was in a position to exert influence over BHP business. Moreover, BHP did not provide training to the business unit employees who ended up making the call as to whether or not to provide the hospitality on payment of travel and hospitality for spouses. The Cease and Desist Order stated that BHP “did not provide any guidance to its senior managers on how they should apply this portion of the Guide when determining whether to approve invitations and airfares for government officials’ spouses.” Finally, there were no controls in place to update or provide ongoing monitoring of the critical information in the forms.

All of this led the SEC to state the following, “As a result of its failure to design and maintain sufficient internal controls over the Olympic global hospitality program, BHPB invited a number of government officials who were directly involved with, or in a position to influence, pending negotiations, efforts by BHPB to obtain access rights, or other pending matters.” This led to the following, “BHPB violated Section 13(b)(2)(B) because it did not devise and maintain internal accounting controls over the Olympic hospitality program that were sufficient to provide reasonable assurances that access to assets and transactions were in executed in accordance with management’s authorization.” Perhaps it was stated most succinctly by Antonia Chion, Associate Director of the SEC’s Division of Enforcement, in the SEC Press Release announcing the enforcement action when he said, “A ‘check the box’ compliance approach of forms over substance is not enough to comply with the FCPA.”

There is also clear guidance from the SEC about how BHP was able to obtain the reduced settlement it received. BHP “provided significant cooperation with the Commission’s investigation”. Moreover, the Cease and Desist Order laid out the remedial steps the company took. These steps included: (1) creation of compliance group independent of the business units; (2) review of its anti-corruption program and implementation of certain upgrades; (3) embedding of anti-corruption managers into the business units; (4) enhancements of “its policies and procedures concerning hospitality, gift giving, use of third party agents, business partners, and other high-risk compliance areas”; (5) enhancement of “financial and auditing controls, including policies to specifically address conducting business in high-risk markets”; and (6) enhanced anti-corruption compliance training.

FCPA compliance is a relatively simply exercise. That does not mean it is easy. For travels on the Great Emigration on the Oregon Trail, travel was neither simple nor easy. If you want to send government officials to high profile sporting events or provide other high dollar hospitality, the FCPA does not prevent you from doing so. But it is a high risk and to be in compliance you must to manage those high risks appropriately, all the way through the process. The BHP enforcement action provides you a detailed road map of what to do and what not to do.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

April 20, 2015

The Intersection of the FCPA, TI-CPI and Tax Appeals in Brazil

Three Way IntersectionThe Transparency International-Corruptions Perceptions Index (TI-CPI) is released each year in November. The TI-CPI rates Brazil as 69th out of 175 countries on its index, coming in with a score of 43 out of 100. I wonder if TI might consider an interim report this year on Brazil? As things keep going, more and more corruption is alleged to be a part of the everyday fabric of the country. While the Petrobras and related scandals have been well chronicled, the overall stench of corruption just keeps spreading and spreading.

Recently it was announced yet another set of investigations around corruption has begun. This time it involves the Brazilian Finance Ministry’s Administrative Council for Tax Appeal. In an article in the Wall Street Journal (WSJ), entitled “Brazil Probes New Bribery Allegations”, Paulo Trevisani reported that this is an “arbitration board that hears appeals from taxpayers who dispute how much they owe the [Brazilian] government.” The investigation would appear to be widespread as “Prosecutors said 74 companies and 24 individuals are under investigation.”

Interestingly not only is the Finance Ministry investigating the allegations but also the Brazilian internal revenue service, the Brazilian federal police and the Brazilian federal prosecutors office. In what would seem to indicate the inherent conflict of interest in the Finance Ministry investigating itself, Trevisani reported the “Finance Ministry said the alleged scheme wasn’t systematic but rather, involved “isolated acts” carried out by a small group of government tax officials. When prosecutors announced the investigation on March 26 they said that losses to the nation’s treasury totaled $6.1 billion over 15 years.” Oops.

While the entities and individuals under investigation have not been named, “a leading investigator on the case said companies under investigation include Ford Motor Brazil, a unit of Ford Motor Co.; JBS, the world’s largest meatpacker, the Brazilian unit of the Spanish bank Banco Santander SA; and Brazil’s second largest private-sector bank, Bradesco SA.” You may recall from an earlier blog post I noted that Brazil’s third largest state-owned bank Caixa Econômica Federal (Caixa) is also under investigation for corruption.

However, this new corruption scandal is the first time that non-Brazilian companies have come under investigation outside of the Petrobras scandal. The WSJ article noted, “Brazil’s tax system is among the most onerous and complex in the world. Penalties can be steep. That has fostered an environment where corruption can flourish, [un-named] experts say. “Taxes in Brazil are so high and complicated that it is easy for companies to get in trouble with the taxman,” the leading investigator told The Wall Street Journal. The investigator said frequent tax disputes created opportunities for ill-intentioned public servants to profit by helping firms circumvent red tape. Prosecutors say the probe began in 2013 after they received an anonymous letter describing details of the alleged scheme.”

An article in forbes.com, entitled “Ford On List Of Companies Suspected Of Brazilian Tax Fraud” by Kenneth Rapoza, went further than the WSJ article when it laid out the list of “companies are under investigation for taking part in various tax bribery schemes” and then listed the amounts they allegedly avoided paying. The Top Ten list is:

  • Santander: R$3.3 billion
  • Bradesco: R$2.7 billion
  • Ford: R$1.7 billion
  • Gerdau: R$1.2 billion
  • Light: R$929 million
  • Banco Safra: R$767 million
  • RBS: R$672 million
  • Camargo Correa: R$668 million
  • Mitsubishi: R$505 million
  • Banco Industrial: R$436 million

An article in businessinsider.com, entitled “Brazil uncovers multibillion-dollar tax fraud”, reported that this investigation, dubbed Operation Zeal, had uncovered that “the [tax] body managed to obtain tax appeals board rulings in the companies’ favor by either cutting penalties or waiving them altogether. In return, officials allegedly received bribes from some 70 companies believed to have benefited from the scheme. A written statement issued by Brazilian federal police stated “The investigations, begun in 2013, showed the organization acted within the body sponsoring private interests, seeking to influence and corrupt advisors with a view either to securing the cancellation or reduction of penalties from tax authorities”. Moreover, “Police said the scam could have netted the companies as much as 19 billion reais ($5.9 billion) but evidence uncovered so far amounts to around a third of that amount.” Finally, and perhaps most ominously, the article said, “Federal police organized crime chief Oslain Campos Santan said the total sums could end up being “as much” as that involved in the Petrobras scam”.

This new Brazilian corruption scandal recalls the Foreign Corrupt Practices Act (FCPA) enforcement action against the Houston-based Parker Drilling Company. According to the Department of Justice (DOJ) Press Release issued at the time of the announcement of the conclusion of the matter, the company was issued a tax assessment on its drilling rigs. The Press Release went on to state, “According to court documents, rather than pay the assessed fine, Parker Drilling contracted indirectly with an intermediary agent to resolve its customs issues. From January to May 2004, Parker Drilling transferred $1.25 million to the agent, who reported spending a portion of the money on various things including entertaining government officials. Emails in which the agent requested additional money from Parker Drilling referenced the agent’s interactions with Nigeria’s Ministry of Finance, State Security Service, and a delegation from the president’s office. Two senior executives within Parker Drilling at the time reviewed and approved the agent’s invoices, knowing that the invoices arbitrarily attributed portions of the money that Parker Drilling transferred to the agent to various fees and expenses. The agent succeeded in reducing Parker Drilling’s TI Panel fines from $3.8 million to just $750,000.”

So with all of the above that has been written about in the past few weeks, where do you think Brazil should be on the TI-CPI? While its rating of 43 out of 100 may not seem too low or perhaps more accurately too much perceived corruption, it may be time for a mid-year reassessment. Certainly if you are a Chief Compliance Officer (CCO) or compliance practitioner you may wish to perform your own reassessment. If you have any dealings with the Brazilian Finance Ministry’s Administrative Council for Tax Appeal, you need to perform an internal investigation starting today on all information you can find about the process and results. For if the results were extremely favorable the reason for the achievement may have violated both Brazilian law and the FCPA.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

March 18, 2015

The Blue Geranium – SEC Enforcement of the FCPA – Part III

Blue GeraniumIn Christie’s The Blue Geranium a difficult and cantankerous semi-invalid wife is looked after by a succession of nurses. They changed regularly, unable to cope with their patient, with one exception Nurse Copling who somehow managed the tantrums and complaints better than others of her calling. The wife had a predilection for fortunetellers and one announced that the wallpaper in the wife’s room was evil; pronouncing she should “Beware of the Full Moon. The Blue Primrose means warning; the Blue Hollyhock means danger; the Blue Geranium means death.” Four days later, one of the primroses in the pattern of the wallpaper in the wife’s room changed color to blue in the middle of the night, when there had been a full moon.

On the morning after the next full moon, the wife was found dead in her bed with only her smelling salts beside her. Once again Miss Marple has the solution remembering that potassium cyanide resembled smelling salts in odor. The wife took what she thought were smelling salts but was in reality potassium cyanide. The flowers on the wallpaper had been treated with litmus paper which the turned the geranium in question blue, which unmasked the killer.

I found this story to be an interesting way to introduce the topic of the Securities and Exchange Commission’s (SEC’s) damage remedies. While some are obvious, such as the fines and penalties which are listed in the text of the Foreign Corrupt Practices Act (FCPA), another one, that being profit disgorgement must be seen through the lens of multiple legislations.

Monetary Fines

The damages that are available to the SEC differ in some significant aspects from those available to the Department of Justice (DOJ) in its enforcement of the criminal side of the FCPA. According to the FCPA Guidance, “For violations of the anti-bribery provisions, cor­porations and other business entities are subject to a civil penalty of up to $16,000 per violation. Individuals, including officers, directors, stockholders, and agents of companies, are similarly subject to a civil penalty of up to $16,000 per violation, which may not be paid by their employer or principal. For violations of the accounting provisions, SEC may obtain a civil penalty not to exceed the greater of (a) the gross amount of the pecuniary gain to the defendant as a result of the violations or (b) a specified dollar limitation. The specified dollar limitations are based on the egregious­ness of the violation, ranging from $7,500 to $150,000 for an individual and $75,000 to $725,000 for a company.”

As straightforward as these monetary amounts may seem, the totals can become very large very quickly. As noted by Russ Ryan in a guest post on the FCPA Professor’s blog, entitled “Former SEC Enforcement Official Throws The Red Challenge Flag, the SEC significantly multiplied those amounts in a default judgment context against former Siemens executives by claiming that “four alleged bribes should be triple-counted as three separate securities law violations – once as a bribe, again as a books-and-records violation, and yet again as an internal-controls violation – thus artificially multiplying four violations to create twelve.” Further, under the specific books-and-records and internal-controls allegations “the SEC was super aggressive, taking the position that these classically non-fraud violations involved “reckless disregard” of a regulatory requirement, thus allowing the SEC to demand the maximum $60,000 per violation in “second-tier” penalties rather than the $6,000 per violation in the “first-tier” penalties ordinarily associated with non-fraud violations.”

Profit Disgorgement

In addition to the above statutory fines and penalties, “SEC can obtain the equitable relief of disgorgement of ill-gotten gains and pre-judgment interest and can also obtain civil money penalties pursuant to Sections 21(d)(3) and 32(c) of the Exchange Act. SEC may also seek ancillary relief (such as an accounting from a defendant). Pursuant to Section 21(d)(5), SEC also may seek, and any federal court may grant, any other equitable relief that may be appropriate or necessary for the benefit of investors, such as enhanced remedial measures or the retention of an independent compliance consultant or monitor.” These remedies can be sought in a federal district court of through the SEC administrative process.

As explained by Marc Alain Bohn, in a blog post on the FCPA Blog entitled “What Exactly is Disgorgement?” profit “Disgorgement is an equitable remedy authorized by the Securities Exchange Act of 1934 that is used to deprive wrong-doers of their ill-gotten gains and deter violations of federal securities law. The Act gives the SEC the authority to enter an order “requiring accounting and disgorgement,” including reasonable interest, as part of administrative or cease and desist proceedings”. In another article Bohn co-authored with Sasha Kalb, entitled “Disgorgement – the Devil You Don’t Know” published in Corporate Compliance Insights (CCI), they set out how such damages are calculated. They said, “In calculating disgorgement, the SEC is required to distinguish between legally and illegally obtained profits. The first step in such calculations is to identify the causal link between the unlawful activity and the profit to be disgorged. Once this causal link is established, the SEC may assert its right to disgorge illicit profits that stem from this wrong-doing. Because calculations like these often prove difficult, courts tend to give the SEC considerable discretion in determining what constitutes an ill-gotten gain by requiring only a reasonable approximation of the profits which are causally connected to the violation.”

However if you read the FCPA quite closely you will not find any language regarding profit disgorgement as a remedy. Nevertheless a simple reading of the statute does not limit our inquiry as to this remedy. In a Note, published in the University of Michigan Journal of International Law, entitled “The Foreign Corrupt Practices Act, SEC Disgorgement of Profits and the Evolving International Bribery Regime: Weighing Proportionality, Retribution and Deterrence”, author David C. Weiss explained the development of the remedy of profit disgorgement. As noted by Bohn, profit disgorgement was always available to the SEC from the very beginning of its existence, through the enabling legislation of 1934. But as explained by Weiss, in the completely unrelated legislation entitled The Penny Stock Reform Act of 1990, profit disgorgement was “authorized by statute [as a remedy to the SEC] without a limitation to the FCPA.”

Finally, and what many compliance practitioners do not focus on for SEC enforcement of the FCPA, was the enactment of Sarbanes-Oxley Act of 2002 (SOX). Weiss said, “The most recent change to the way in which the SEC enforces the FCPA—and a critical development to consider—is SOX, which affects virtually all of the SEC’s prosecutions, including those under the FCPA. When assessing penalties, the SEC draws on SOX to provide great latitude in determining the types of penalties it enforces. While SOX did not amend the FCPA itself, it did amend both civil and criminal securities laws relating to compliance, internal controls, and penalties for violations of the Exchange Act. Since the enactment of SOX, the SEC has possessed the power to designate how a particular penalty that it assesses will be classified.” [citations omitted]

There has been criticism of the SEC using profit disgorgement as a remedy. As far back as 2010, the FCPA Professor criticized this development in his article “The Façade of FCPA Enforcement” where he found fault with the remedy of profit disgorgement for books and records violations or internal controls violations only, where there is no corresponding “enforcement action charging violations of the anti-bribery provisions.” He wrote “It is difficult to see how a disgorgement remedy premised solely on an FCPA books and records and internal controls case is not punitive. It is further difficult to see how the mis-recording of a payment (a payment that the SEC does not allege violated the FCPA’s anti-bribery provisions) can properly give rise to a disgorgement remedy.”

Bohn and Kalb said, “Over the last six years, disgorgement has served to significantly increase the financial loss that companies are exposed to in FCPA enforcement matters. In addition to the considerable civil penalties often imposed by the SEC as part of FCPA settlements, the SEC has made clear that it will not hesitate to seek recovery of large sums through disgorgement provided they are reasonably related to the alleged misconduct. Yet the methodology used by the SEC to support the amounts it seeks to disgorge has not been much discussed.  In the absence of adequate guidance as to how these sums are calculated, disgorgement poses an even greater risk in the current aggressive FCPA enforcement climate.” I would only add to their conclusion that profit disgorgement is here to stay.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

January 29, 2015

Welcome to COSO and the World of Internal Controls – Part I

Internal ControlsI have intentionally avoided a Top Five or Top Ten prediction list for Foreign Corrupt Practices Act (FCPA) enforcement going forward from 2014 into 2015. However there is one area of FCPA enforcement, which I think underwent a sea change in 2014 and has significant implications for the Chief Compliance Officer (CCO) and compliance practitioner in 2015 and far beyond. That change will be in the enforcement by the Securities and Exchange Commission (SEC) of the internal controls provisions of the FCPA. Last fall we saw three SEC enforcement actions, where there was no corresponding Department of Justice (DOJ) enforcement action yet there was a SEC enforcement action around either the lack or failure of internal controls. Those enforcement actions were Smith & Wesson, Layne Christensen and Bio-Rad.

Coupled with this new found robust enforcement strategy by the SEC, is the implementation of the COSO 2013 Framework, which became effective in December 2014. COSO stands for Committee of Sponsoring Organizations of the Treadway Commission, which originally adopted, in 1992, a framework for basis to design and then test the effectiveness of internal controls. It was deemed necessary to update this more than 20-year old COSO Framework, as modified in 2013, so that it provides a very supportable approach when adversarial third parties challenge whether a company has effective internal controls. While the COSO Framework is designed for financial controls, I believe that the SEC will use the 2013 Framework to review a company’s internal controls around compliance. This means that you need to understand what is required under the 2013 Framework and be able to show adherence to it or justify an exception if you receive a letter from the SEC asking for evidence of your company’s compliance with the internal controls provisions of the FCPA.

Because I believe this single area of FCPA enforcement is so important and will increase so much, I am going to dedicate several posts to an exploration of internal controls, focusing on the COSO 2013 Framework. In Part I, I begin with a review of internal controls under the FCPA.

What are internal controls?

What are internal controls in a FCPA compliance program? The starting point is the law itself. The FCPA itself requires the following:

Section 13(b)(2)(B) of the Exchange Act (15 U.S.C. § 78m(b)(2)(B)), commonly called the “internal controls” provision, requires issuers to:

devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that—

(i) transactions are executed in accordance with management’s general or specific authorization;

(ii) transactions are recorded as necessary (I) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (II) to maintain accountability for assets;

(iii) access to assets is permitted only in accordance with management’s general or specific authorization; and

(iv) the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any

differences ….

The DOJ and SEC, in their jointly released FCPA Guidance, stated, “Internal controls over financial reporting are the processes used by companies to provide reasonable assurances regarding the reliability of financial reporting and the preparation of financial statements. They include various components, such as: a control environment that covers the tone set by the organization regarding integrity and ethics; risk assessments; control activities that cover policies and procedures designed to ensure that management directives are carried out (e.g., approvals, authorizations, reconciliations, and segregation of duties); information and communication; and monitoring.” Moreover, “the design of a company’s internal controls must take into account the operational realities and risks attendant to the company’s business, such as: the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption.”

Aaron Murphy, a partner at Foley and Lardner in San Francisco and the author the most excellent resource entitled “Foreign Corrupt Practices Act”, has said, “Internal controls are policies, procedures, monitoring and training that are designed to ensure that company assets are used properly, with proper approval and that transactions are properly recorded in the books and records. While it is theoretically possible to have good controls but bad books and records (and vice versa), the two generally go hand in hand – where there are record-keeping violations, an internal controls failure is almost presumed because the records would have been accurate had the controls been adequate.”

Well-know internal controls expert Henry Mixon has said that internal controls are systematic measures such as reviews, checks and balances, methods and procedures instituted by an organization that performs several different functions. These functions include allowing a company to conduct its business in an orderly and efficient manner; to safeguard its assets and resources, to detect and deter errors, fraud, and theft; to assist an organization ensuring the accuracy and completeness of its accounting data; to enable a business to produce reliable and timely financial and management information; and to help an entity to ensure there is adherence to its policies and plans by its employees, applicable third parties and others. Mixon adds that internal controls are entity wide; that is, they are not just limited to the accountants and auditors. Mixon also notes that for compliance purposes, controls are those measures specifically to provide reasonable assurance any assets or resources of a company cannot be used to pay a bribe. This definition includes diversion of company assets, such as by unauthorized sales discounts or receivables write-offs as well as the distribution of assets.

The FCPA Guidance goes further to specify that internal controls are a “critical component” of a best practices anti-corruption compliance program. This is because the design of an entity’s “internal controls must take into account the operational realities and risks attendant to the company’s business, such as the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption. A company’s compliance program should be tailored to these differences.” After a company analyzes its own risk, through a risk assessment, it should design its most robust internal controls around its highest risk.

COSO and Internal Controls

Larry Rittenberg, in his book COSO Internal Control-Integrated Framework said that the original COSO framework from 1992 has stood the test of time “because it was built as conceptual framework that could accommodate changes in (a) the environment, (b) globalization, (c) organizational relationship and dependencies, and (d) information processing and analysis.” Moreover, the updated 2013 Framework was based upon four general principles which including the following: (1) the updated Framework should be conceptual which allows for updating as internal controls (and compliance programs) evolve; (2) internal controls are a process which is designed to help businesses achieve their business goals; (3) internal controls applies to more than simply accounting controls, it applies to compliance controls and operational controls; and (4) while it all starts with Tone at the Top, “the responsibility for the implementation of effective internal controls resides with everyone in the organization.” For the compliance practitioner, this final statement is of significant importance because it directly speaks to the need for the compliance practitioner to be involved in the design and implementation of internal controls for compliance and not to simply rely upon a company’s accounting, finance or internal audit function to do so.

So why will all of the above be a sea change for FCPA enforcement since after all, the requirement for internal controls has been around since 1977. The Smith & Wesson case shows the reason. In its Administrative Order, the SEC stated, “Smith & Wesson failed to devise and maintain sufficient internal controls with respect to its international sales operations. While the company had a basic corporate policy prohibiting the payment of bribes, it failed to implement a reasonable system of controls to effectuate that policy.” Additionally, the company did not “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are executed in accordance with management’s general or specific authorization; transactions are recorded as necessary to maintain accountability for assets, and that access to assets is permitted only in accordance with management’s general or specific authorization.” All of this was laid out in the face of no evidence of the payment of bribes by Smith & Wesson to obtain or retain business. This means it was as close to strict liability as it can be without using those words. Kara Brockmeyer, chief of the SEC Enforcement Division’s FCPA Unit, was quoted in a SEC Press Release on the matter that “This is a wake-up call for small and medium-size businesses that want to enter into high-risk markets and expand their international sales.” When a company makes the strategic decision to sell its products overseas, it must ensure that the right internal controls are in place and operating.”

In Part II we will begin our exploration of the COSO 2013 Framework and what it requires in the way of internal controls for your FCPA compliance program.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

January 6, 2015

Byzantium and the Alstom FCPA Settlement – Part III

ByzantiumPorphyry is a type of stone that was much favored in the Roman world. In a review of several books in the New York Review of Books, entitled “The Purple Stone of Emperors”, Peter Brown looked into the history of the lithic in the context of Byzantium as the true heir of the Roman Empire. He theorized that if “porphyry was the blood of ancient empire, then it must be to Constantinople that we should look (and not to Western Europe) if we wish to understand the heritage of Rome in the Middle Ages.” I found that an appropriate way to think about an apparent anomaly in the recent Alstom Foreign Corrupt Practices Act (FCPA) enforcement action. In Part III of my series on the Alstom natter I consider the accounting records violations that the French parent, Alstom SA, agreed to in this enforcement action.

The FCPA Professor noted in his second blog post on this matter, entitled “Issues to Consider from the Alstom Action”, “The charges against Alstom S.A. are a real head-scratcher. The conventional wisdom for why the Alstom action involved only a DOJ (and not SEC) component is that Alstom ceased being an issuer in 2004 (in other words 10 years prior to the enforcement action). Yet, the actual criminal charges Alstom pleaded guilty to – violations of the FCPA’s books and records and internal controls provisions – were based on Alstom’s status as an issuer (as only issuers are subject to these substantive provisions). In other words, Alstom pleaded guilty to substantive legal provisions in 2014 that last applied to the company in 2004.”

The Professor had also raised this issue in his first blog post on the resolution, entitled “All About the Alstom Enforcement Action”. After considering his thoughts on this issue, I decided to look into it a bit more deeply. Alstom SA was charged with several different FCPA violations including the following, 15 U.S.C. 78m(b)(2)(A), 15 USC §78m(b)(2)(B) and 78m(b)(5) which read in whole,

15 U.S.C. § 78m [Section 13 of the Securities Exchange Act of 1934] 

(b) Form of report; books, records, and internal accounting; directives

(2) Every issuer which has a class of securities registered pursuant to section 78l of this title and every issuer which is required to file reports pursuant to section 78o(d) of this title shall—

(A) make and keep books, records, and accounts, which, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the issuer;

(B) devise and maintain a system of internal accounting controls sufficient

to provide reasonable assurances that—

(5) No person shall knowingly circumvent or knowingly fail to imple­ment a system of internal accounting controls or knowingly falsify any book, record, or account described in paragraph (2).

These provisions are generally referred to as the ‘accounting provisions’ of the FCPA. As stated in the FCPA Guidance, “In addition to the anti-bribery provisions, the FCPA contains accounting provisions applicable to public companies. The FCPA’s accounting provisions operate in tandem with the anti-bribery provisions and prohibit off-the-books accounting. Company management and investors rely on a company’s financial statements and internal accounting controls to ensure transparency in the financial health of the business, the risks undertaken, and the transactions between the company and its customers and business partners. The accounting provisions are designed to “strengthen the accuracy of the corporate books and records and the reliability of the audit process which constitute the foundations of our system of corporate disclosure.””

Moreover, these accounting provisions, including both the books and records and internal control provisions, are defined to apply to “issuers”. As set out in the FCPA Guidance, “The FCPA’s accounting provisions apply to every issuer that has a class of securities registered pursuant to Section 12 of the Exchange Act or that is required to file annual or other periodic reports pursuant to Section 15(d) of the Exchange Act.244 These provisions apply to any issuer whose securities trade on a national securities exchange in the United States, including foreign issuers with exchange traded American Depository Receipts. They also apply to companies whose stock trades in the over-the-counter market in the United States and which file periodic reports with the Commission, such as annual and quarterly reports. Unlike the FCPA’s anti-bribery provisions, the accounting provisions do not apply to private companies.”

Charging Box Score

Alstom Entity Charges Time of Criminal Conduct Issuer Status
Alstom SA 15 USC §78m(b)(2)(A)15 USC §78m(b)(2)(B)15 USC §78m(b)(5)

15 USC §78ff(a)

18 USC §2

1998-2004 Issuer until 2004
Alstom Power Inc. 18 USC §371-conspiracy to violate the FCPA 2002-2009 Subsidiary of Issuer until 2004
Alstom Grid Inc. 18 USC §371-conspiracy to violate the FCPA 2000-2010 Subsidiary of Issuer until 2004
Alstom Network Schweiz AG 18 USC §371-conspiracy to violate the FCPA 2000-2011 Subsidiary of Issuer until 2004

While I agree with the above, I do disagree with the Professor’s final statement that “This free-for-all, anything goes, as long as the enforcement agencies collect the money nature of FCPA enforcement undermines the legitimacy and credibility of FCPA enforcement.” The reason I disagree is that this was a negotiated settlement, not a dictat or court proceeding. With no doubt excellent FCPA defense counsel involved, Alstom must have had its own reasons for agreeing to such a settlement. Without any further comment by the company, we will have to speculate as to some of the reasons for this component of the resolution.

First and foremost is that clearly Alstom did engage in conduct which substantially violated the FCPA. It would further appear that the conduct reached right up into the corporate home offices in France. By agreeing to the books and records and internal control violations, Alstom may have avoided any direct admission of guilt under French law, which we now know from the Total FCPA enforcement action is significant for a French company, because what is illegal bribery and corruption under US law is not necessarily illegal under French law.

Other than the anomalous French law issue, there may be another important consideration going on here. Alstom is under acquisition by General Electric (GE). Not only does GE pride itself and very publicly inform about its anti-corruption compliance program, GE has a large number of contracts with the US and other governments which might looks askance at doing business with a business unit that admitted to substantive FCPA violations of bribery and corruption. While I do not think that GE would be in danger of being debarred, it might well be that certain governments might not want to do business with a new subsidiary which made such a court admission. I find this to be more than simply a distinction without a difference. Consider the trouble that Hewlett-Packard (HP) is in north of the border in Canada regarding potential debarment by the Canadian government for its FCPA violations as set forth in its FCPA resolution of last April. So perhaps from Alstom’s perspective, the company believed it received benefits from settling based upon accounting violations.

But whatever the reason, it is clear that Alstom did engage in substantive FCPA violations. It’s settlement is that, a settlement of outstanding issues, which the company was a willing participant. It may not have been what the company wanted but I do not find that by charging Alstom for books and records and internal controls violations for the time frame it was clearly liable in any way demeans, degrades or lessens FCPA enforcement going forward. But just as we need to look to Byzantium to determine the heritage of Rome through the Middle Ages, by looking at the facts and circumstances around Alstom’s FCPA from the Alstom perspective and what it hoped to obtain in the settlement, we might be able to glean some insights.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

January 2, 2015

The Alstom FCPA Enforcement Action – Part I

Welles at 100As the first blog post of 2015, I thought it appropriate to highlight two outstanding confluences. The first is that this year is the centenary of the birth of Orson Welles. While not occurring in 2015, near the end of 2014 we had the settlement of the long-standing Alstom Foreign Corrupt Practices Act (FCPA) enforcement action announced. Both are worthy on note this second day of our mid-decade mark. First Welles. Many consider him one of the most talented directors ever to come through the American film industry. Almost any cinema-goer will recognize the names of Citizen Kane and The Magnificent Ambersons as two of greatest films of all-time. But I found The Lady from Shanghai, Macbeth and most particularly Touch of Evil all to be excellent films for their respective genres. And do not forget his acting; not only in the aforementioned Citizen Kane and Touch of Evil but also as Harry Lime in The Third Man. Welles could also be a philosopher. Kristin M. Jones, writing in the Wall Street Journal (WSJ), in an article entitled “Welles at 100”, quoted him for the following, “Art is the lie that makes us realize the truth.” She ended her piece with the observations that “Searching for the truth beyond Welles’s beautiful lies is still a journey worth taking.”

All of which brings us to Alstom and the resolution of its FCPA enforcement action. Over the next couple of posts, I will be looking the enforcement action for it is certainly ‘a journey worth taking’ to try and glean nuggets for the compliance practitioner. Today I will review the amounts of money involved and some of the larger concepts that I see at play in this matter. Next I will review the specifics of the Deferred Prosecution Agreements (DPAs) and see what lessons we may draw from them. Beyond that, we will have to see where the journey takes us.

First, and foremost, is how did Alstom find itself in the position that it now occupies as Number 2 on the all-time hit parade of FCPA enforcement actions? Particularly, as noted by the FCPA Professor in his post, entitled “All About the Alstom Enforcement Action”, that “Alstom employed approximately 110,000 employees in over 70 countries. The information contains specific allegations as to 9 individuals associated with Alstom and 9 consultants associated with Alstom.”

Usually when someone comes in at Number 2, the ranking comes with some ignominy. Though for Alstom it is not because they did not win but because they now have the second highest total FCPA monetary fine in the history of the world at a stunning $772,290,000. I say total because the current Number 1, Siemens, is at $800MM and included both a Department of Justice (DOJ) component of $450MM and Securities and Exchange Commission (SEC) component of $350MM. However with the Alstom fine, the entire amount was paid to DOJ as a fine and no monies were paid to the SEC because at the time of the resolution, Alstom was not an ‘issuer’ under the FCPA and the SEC had no jurisdiction. This makes Alstom the largest criminal FCPA fine of all-time. One interesting note is that two other French companies, Total SA and Technip SA, join Alstom on the all-time Top 10 list. Somewhere I am sure Mr. French is shaking his very well coiffured head in shame in the great TV Land in the sky.

I would say the amounts paid out and benefits received by Alstom were stunning but it might do a disservice to the word stunning. So below I have laid out information below.

Alstom Bribery Box Score

Country Bribe Amount Paid Benefit Received
Indonesia (not listed) $378MM
Saudi Arabia $51.2MM $3bn
Egypt ‘Millions and millions’ $175MM
Bahamas $1MM (not listed)
Taiwan (not listed) $15MM
Total $75MM $4bn in contracts with $296MM in profits

The FCPA Professor also noted, “at its core, the Alstom enforcement action involved inadequate controls concerning the engagement, monitoring and supervision of the consultants.” However it is most difficult to believe that Alstom suffered from a corporate culture which was at best make your numbers or at worst something much more nefarious. The amounts paid were simply so large and the bribery schemes so pervasive that there had to be much more than simply 9 persons lying, cheating and stealing all while merrily skipping home to Grandmother’s house in the woods. Indeed, as noted by WSJ reporters Joel Schechtman and Brent Kendall, in their article entitled “Alstom to Pay $772 Million to Settle Bribery Charges”, “The record criminal bribery penalty comes after more than six years of investigations into Alstom from law enforcement in 10 countries. The company and its subsidiaries’ schemes lasted for more than a decade, into at least 2011”.

Also of note is that the Alstom enforcement action was the first in 2014 where the fine was not at either the low range or even lower than calculations the Sentencing Guidelines would have suggested. The range for the fine was calculated to be between $592MM and $1.184bn. This range was a direct result of the failure of Alstom to take the investigation seriously, to cooperate with the DOJ or to even put anything like a positive step forward in the way of remedial actions during a large part of the investigative process. The DOJ Press Release quoted Assistant Attorney General Leslie R. Caldwell that “This case is emblematic of how the Department of Justice will investigate and prosecute FCPA cases – and other corporate crimes. We encourage companies to maintain robust compliance programs, to voluntarily disclose and eradicate misconduct when it is detected, and to cooperate in the government’s investigation. But we will not wait for companies to act responsibly. With cooperation or without it, the department will identify criminal activity at corporations and investigate the conduct ourselves, using all of our resources, employing every law enforcement tool, and considering all possible actions, including charges against both corporations and individuals.”

Finally, from a big picture perspective was the international scope of the investigation. In the DOJ Press Release, FBI Executive Assistant Director Robert Anderson Jr. said that “This investigation spanned years and crossed continents, as agents from the FBI Washington and New Haven field offices conducted interviews and collected evidence in every corner of the globe.” Further, the DOJ acknowledged significant cooperation from “the law enforcement colleagues in Indonesia at the Komisi Pemberantasan Korupsi (Corruption Eradication Commission), the Office of the Attorney General in Switzerland, the Serious Fraud Office in the United Kingdom, as well as authorities in Germany, Italy, Singapore, Saudi Arabia, Cyprus and Taiwan.” Truly worldwide in scope.

Next, I will look at some of the specifics in the various Alstom DPAs to determine where best practices compliance program may be headed.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

 

 

Next Page »

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 5,412 other followers