FCPA Compliance and Ethics Blog

July 11, 2014

Friday Comings and Goings

I wish I could be there.

Next week, the FCPA Professor is leading his first FCPA Institute this summer over two days, July 16 and 17. The event will be held in Milwaukee and hosted by the law firm of Foley and Lardner.

The Professor’s stated goal in leading this first Institute is “to develop and enhance fundamental skills relevant to the FCPA and FCPA compliance in a stimulating and professional environment with a focus on learning. Information at the FCPA Institute is presented in an integrated and cohesive way by an expert instructor with FCPA practice and teaching experience.” Some of the topics that will be covered include the following:

  • An informed understanding of why the FCPA became a law and what it seeks to accomplish;
  • A comprehensive understanding of the FCPA’s anti-bribery and books and records and internal controls provisions and related enforcement theories;
  • Various realities of the global marketplace which often give rise to FCPA scrutiny;
  • The typical origins of FCPA enforcement actions including the prominence of corporate voluntary disclosures;
  • The “three buckets” of FCPA financial exposure and how settlement amounts in an actual FCPA enforcement action are typically not the most expensive aspect of FCPA scrutiny and enforcement;
  • Facts and figures relevant to corporate and individual FCPA enforcement actions including how corporate settlement amounts are calculated;
  • How FCPA scrutiny and enforcement can result in related foreign law enforcement investigations as well as other negative business effects from market capitalization issues, to merger and acquisition activity, to FCPA related civil suits; and
  • Practical and provocative reasons for the general increase in FCPA enforcement.

In other words, it is what you have come to expect from the FCPA Professor: well-thought-out, reasoned analysis, practical knowledge and learning, and provocative thinking and assessment. But more than all of the above, I believe you will receive some great insight into why the FCPA Professor continually challenges the status quo in many areas about the FCPA. He and I often look at the same thing and see different views, but by seeing more than one view, I believe you will come away with a deeper overall understanding of the entire FCPA picture.

For complete information on the FCPA Institute, click here.

As Monty Python might say, “And Now For Something Completely Different.” If you would like a much shorter view of some FCPA and anti-corruption related topics, check out some of my most recent podcasts, the FCPA Compliance and Ethics Report.

In Episode 74, I visit with Paul McNulty about his upcoming move to become the President of his alma mater, Grove City College.

In Episode 72, I visit with the GRC Pundit, Michael Rasmussen about why companies have such a disconnect when it comes to the theory and practice of their GRC practices.

In Episode 69, I visit with Joe Oringel about his company’s exciting new approach to transaction monitoring in the anti-corruption space.

In Episode 68, I interview Neil Swidey, author of Trapped Under the Sea about his experiences in researching and writing his book.

In Episode 66, the FCPA Professor shares his thoughts on the Esquenazi decision.

In Episode 63 and 64, I have a two-part discussion of the management of third parties under the FCPA.

For those few of you on the planet not aware of it, the World Cup final will be held this coming Sunday. Mike Brown and I have been discussing the World Cup, FIFA and anti-corruption in our World Cup Report series. You can check out Part I, Part II, Part III, Part IV, or Part V.

All of the episodes of the FCPA Compliance and Ethics Report are available for download on iTunes at no cost so if you want to catch up on all things FCPA and compliance related on the drive to work, you can do so. A happy Friday and enjoyable weekend to all.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

February 27, 2014

Alfred the Great, GE and the Management of Third Party Risk

I am currently studying Medieval England including the reign of Alfred the Great. As you might expect with someone monikered as ‘The Great’ he is certainly considered right up there with the greatest Kings of England. Not only did he largely drive out the Viking invaders from his country but he also set the stage for the unification of England under one crown, for the first time since the days of Roman Britain under the Caesars. One of the innovations he developed was fortified towns, called burgs, from which to resist Viking raids and incursion. But more than simply walled cities for defense, within these fortified towns was a wide road running down the middle of the town called the ‘High Street’ and a street situated next to the town’s walls appropriately called ‘Wall Street’. These streets were wider than the others in the town to facilitate the movement of troops in the time of crisis, such as a Viking raid. In other words, Alfred evaluated the risk to his kingdom and put multiple layers of steps into place to manage those risks.

In the Foreign Corrupt Practices Act (FCPA) compliance world, one of the key components that the Department of Justice (DOJ) wants to see is a risk assessment and a company managing its risks, based upon said risk assessment. One company’s response to a risk or set of risks does not necessarily mean that another company must follow it. The DOJ’s Ten Hallmarks of an Effective Compliance Program are broad enough to allow companies to manage their own risks, hopefully effectively. I thought about this concept when I was listening to a presentation by Flora Francis and Andrew Baird of GE Oil & Gas at the 2014 SCCE Utility and Energy Conference in Houston this week on GE’s third party risk management. First of all, if you have the chance to hear a couple of nuts and bolts compliance practitioners from GE like these two speak, run, don’t walk, to their presentation. GE’s commitment to compliance is well known, and the company’s willingness to share about its compliance program is also a great boon to the compliance community. Lastly, there is the gold-standard nature of the GE compliance program; while it may be more than your company needs to manage its own risks, the GE compliance regime does shine a light that we can all aspire to in our own compliance programs.

Both speakers made clear that GE’s program was the company’s response to its assessed risks. Further, the compliance program has evolved, not only as the company’s risks have evolved but also as the company has determined what works and what does not work as well. Within the realm of third parties, the prescient question from compliance to the business unit would be ‘What is your “Go To Market Strategy” and how will your use of third parties assist you in carrying out that strategy?’ Some of the factors the speakers cited could include your company’s market coverage strategy, product segmentation, pricing and margin expectation, an added capability which your company may not possess such as technology, and finally there could be local legal requirements for a local content third party in certain countries.

Some of the factors which GE considers, when evaluating a third party, include the following: 

  • Business Model: Do we need third parties to reach our customers or can we build the organization ourselves?
  • In-house Capabilities: Do we already have the organization in place to handle these capabilities?
  • Overlap: Do we already have a third party in the region/country that can handle our needs?
  • Volume of Business: How much business will this third party bring to the company?
  • Compliance Risk: Where is the third party located? Will they interact with government officials? Do they have the same commitment to compliance?
  • Regulatory Environment: Is it simple or strict? What are the chances of regulatory violations?
  • Reputation: What is the third party’s reputation in the market? 

I was also intrigued to learn about the risk analysis process that GE uses with its third parties. Initially the process breaks the risks down into low risk and high risk. A low risk receives a limited review and analysis, while a high risk receives an escalated review and analysis consisting of the following reviews: compliance, legal, business leadership and finance.

But more than simply the level of review, I was interested in the ‘Risk Score Drivers’ that GE has developed. Once again, the speakers emphasized that these are GE’s risk score drivers and have been developed over time through the company’s internal analysis and processes. Nevertheless I found them to be a very useful way to think about third party risk. The risk score drivers listed were:

  • Country channel where the third party is located or where it sells into;
  • Experience by the third party with the sales channel;
  • Type of third party involved; agent, reseller, distributor;
  • Commission rate, is it standard v. non-standard;
  • Will any sub-third party relationships be involved;
  • Will the third party sell to government entity or instrumentality;
  • Do any of the third party’s principals, Officers or Agents work for a foreign government, state owned enterprise or political party;
  • Was the third party mandated by customer or the end user;
  • What is the third party’s contract duration;
  • Is the third party involved in more than one project;
  • Does the third party have any historical compliance issues;
  • What is the percent of sales with products or services; and
  • What is GE’s annual revenue with the third party?

GE compliance then takes these scoring factors and puts them into an evaluation matrix when determining the amount of risk involved and whether or not the company should move forward with a proposed third party. If the decision is made to move forward and create a commercial relationship, the third party must agree to commit to the compliance standards of GE; stay current with and obey all applicable legal and regulatory provisions; comply with all contractual provisions; grant to GE audit rights; agree to report any compliance violations; certify to all compliance requirements on a regular basis; receive and complete compliance training; and allow regular site visits. GE also requires each third party to have a relationship manager assigned to it who is there to establish ongoing communication, provide ongoing training and provide a platform for business improvement. Internally GE has processes in place to refresh due diligence; review, renew and update contracts as appropriate; and conduct regular site visits and periodic audits.

Flora and Andrew ended their presentation with the following quote from the US Sentencing Guidelines about the question – ‘When is Enough, Enough?’ When you can show the government agency asking that you have taken appropriate steps to design, implement, and enforce a compliance program that is generally effective in preventing and detecting criminal conduct.

Their presentation was an excellent mechanism for the compliance practitioner to assess their third party management program. Although they made clear that this program was not for all companies, there is enough meat present for anyone to use in evaluating where you might be and where you might need to go in management of your third parties. And just as Alfred the Great constructed a defense-in-depth in his fortified towns, so the GE program for the management of third party risk has several layers of protection so that when the crisis does arise, they can adequately respond when the government comes knocking.


© Thomas R. Fox, 2014

May 1, 2013

From the Compact Model to the Luxury Model – Managing Your Third Party Risk

I am currently attending the Hanson Wade Oil and Gas Supply Chain Compliance conference in Houston. The event is excellent and the presentations have been ‘spot on’ for the nuts and bolts of how to do compliance. As the conference is in Houston, a number of the speakers and attendees are from energy companies but the concepts that are being discussed apply to all companies which have an anti-corruption or anti-bribery compliance program. One of the things that came through each of the presentations was that as compliance programs mature, many companies are developing programs which are more tailored towards the risks that companies face, which are ascertained through more sophisticated risk assessments and management of those risks.

This pattern is certainly consistent with the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) FCPA Guidance which says that a company should assess its risks and manage its risks. From this starting position, a company can then put together a well thought out and reasoned approach to Foreign Corrupt Practices Act (FCPA) compliance. Many of the presentations dealt with third parties and the differing responses and approaches companies have developed for the specific risks that they have uncovered.

Clearly third party risk mitigation through due diligence is key. How much due diligence is enough? One speaker said that it is a balancing call to determine the right amount. There were several presentations which spoke about the increasing use of technology to assist companies in this process. One speaker, a former federal prosecutor, said that one of the things that she looked for when a prosecutor was the ‘thoughtful analysis’ that the FCPA Guidance speaks about. To this end she believes that the human element will always be important because prosecutors want to see the thought process of not only how your program is designed but how you have crafted your risk mitigation based upon the information that you have assessed.

One of the speakers listed some of the factors to begin the review of your third parties. Recognizing that there is no one all-encompassing list, she suggested the following:

  1. How many third parties do you have?
  2. Where are these third parties located?
  3. In what industry or sector do you conduct business?
  4. What is the relationship of the third party to a foreign government or state owned enterprise?
  5. Are the owners of the third party related at all to government employees?
  6. Is the use of the third party a business necessity or not? Why do you need to use sales representatives?
  7. What are the reputations and qualifications of the third parties? Can they do what you need them to do from a commercial perspective?
  8. How much control will you have over the third parties? Contrast the control that you have over sales agents with the lesser amount of control that you have over distributors and joint ventures.

From the answers to some of these questions you can begin to craft your third party due diligence inquiries. I was intrigued by one speaker whose speech contrasted the steps that you might take with a lower risk third party with those for a higher risk third party. She likened the lower risk approach to that of a compact car and set out the following suggestions:

  • Rank each third party by the risk you have assessed;
  • Perform an Internet search on the third party;
  • Perform reference checks on the third party;
  • Interview control persons involved with the third party;
  • Agreement to abide by anti-bribery and anti-corruption laws;
  • Insert appropriate compliance terms and conditions in your third party contracts.

She contrasted the Compact model with what she termed the ‘Luxury model’ requirements of a third party program:

  • Prioritize your third parties by risk;
  • Appoint a Business Unit sponsor for each third party;
  • Develop a detailed third party application;
  • Perform an electronic records search on each third party;
  • Also perform independent screening of each third party;
  • Perform reference checks on each third party;
  • Perform site visits and interviews of each third party;
  • Have each third party acknowledge your company’s Code of Conduct;
  • Require each third party to go through ethics training;
  • Create a company committee, consisting of internal business, legal and compliance representatives to review your high risk third parties;
  • Insert compliance terms and conditions into each third party contract;
  • Require both internal and external audits of each third party;
  • Perform annual updates on your third parties; and
  • Perform quarterly electronic database rescreening.

There was also a discussion of some common Red Flags that you should be on the lookout for. They included:

  • Excessive commissions paid to third parties;
  • Unreasonable discounts given to third parties such as distributors;
  • Vaguely described services in a third party contract or invoice back to your company;
  • A third party which is in a different line of business than the one you want to hire to assist your company;
  • Close association by the third party with a Foreign Official;
  • Retention of the third party is required by a Foreign Official;
  • The third party is a shell company located offshore; and
  • Payments made to the third party are in a country different from the location where the third party’s services are delivered.

The concept I derived from this presentation is that you should assess and manage your risks. If you determine them to be low, the Compact Model may work for you. If your third party risks are high, then the Luxury Model may be more appropriate. If you use a thoughtful and reasoned approach, you can navigate this area. But always Document, Document and then Document what you have done and why.


© Thomas R. Fox, 2013

January 23, 2013

The FCPA Guidance on the Ten Hallmarks of an Effective Compliance Program

Many commentators are still mining the Department of Justice (DOJ)/Securities and Exchange Commission (SEC) publication, A Resource Guide to the U.S. Foreign Corrupt Practices Act, (the “Guidance”), which was released last November. I continue to find nuggets to provide to the compliance practitioner, as do others. But as we are a Base 10 culture, today I want to discuss the 10 points listed as the “Hallmarks of Effective Compliance Programs”. They are a change in style, but not content, from the prior 13 point minimum best practices that the DOJ has in the Deferred Prosecution Agreements (DPAs) since at least November, 2010 and, indeed, from prior information made available by the DOJ.

I. Where Have We Been

Beginning with at least the Metcalfe & Eddy Consent and Undertaking, filed in December, 1999, the DOJ has laid out its thoughts on what should go into a Foreign Corrupt Practices Act (FCPA) anti-corruption compliance program. In the Metcalfe & Eddy Consent and Undertaking, the DOJ laid out ten points of an effective FCPA anti-corruption compliance program. This was modified somewhat in Opinion Release 04-02, which laid out a best practices compliance program in 12 points, where the DOJ reviewed the proposal by an investment group who were acquiring certain companies and assets from ABB Ltd. ABB Vetco Gray Inc. and ABB Vetco Gray (UK) Ltd., two of the entities being acquired, had previously pled guilty to FCPA violations. The investment group desired to protect itself from further liability, to the extent possible, by proposing to the DOJ a comprehensive best practices compliance program. While the DOJ noted that this compliance program was not a shield against future violations, the DOJ would not “intend to take an enforcement action [against the investors] for violations of the FCPA prior to their acquisition from ABB.”

In the Panalpina DPA, issued in November, 2010, the DOJ laid out a 13 point minimum best practices compliance program. This number was changed this past summer when the Data Systems & Solutions LLC (DS&S) DPA was announced. In this enforcement action the DOJ listed 15 points on its minimum best practices FCPA anti-corruption compliance program. Then later in the summer, the DOJ moved to a 9 point compliance program in the Pfizer DPA. Even with all these changes in the number, the substance of each compliance program has remained the same.

II. Where Are We Now? Hallmarks of Effective Compliance Programs

The Guidance cautions that there is no “one-size-fits-all” compliance program. It recognizes that depending on a variety of factors such as size, type of business, industry and risk profile that a company should determine what is appropriate for its own needs regarding a FCPA compliance program. But the Guidance makes clear that these ten points are “meant to provide insight into the aspects of compliance programs that DOJ and SEC assess”. In other words you should pay attention to these and use this information to assess your own compliance regime.

  1. Commitment from Senior Management and a Clearly Articulated Policy Against Corruption. It all starts with tone at the top. But more than simply ‘talk-the-talk’ company leadership must ‘walk-the-walk’ and lead by example. Both the DOJ and SEC look to see if a company has a “culture of compliance”. More than a paper program is required, it must have real teeth and it must be put into action, all of which is led by senior management. The Guidance states that “A strong ethical culture directly supports a strong compliance program. By adhering to ethical standards, senior managers will inspire middle managers to reinforce those standards.” This prong ends by stating that the DOJ and SEC will “evaluate whether senior management has clearly articulated company standards, communicated them in unambiguous terms, adhered to them scrupulously, and disseminated them throughout the organization.”
  2. Code of Conduct and Compliance Policies and Procedures. The Code of Conduct has long been seen as the foundation of a company’s overall compliance program and the Guidance acknowledges this fact. But a Code of Conduct and a company’s compliance policies need to be clear and concise. The Guidance makes clear that if a company has a large employee base that is not fluent in English such documents need to be translated into the native language of those employees. A company also needs to have appropriate internal controls based upon the risks that a company has assessed for its business model. Some of the risks a company should assess include “the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments.”
  3. Oversight, Autonomy, and Resources. This section starts with a discussion on whether a company has assigned a senior level executive to oversee and implement a company’s compliance program. Not only must a company assign such a person with appropriate authority but that person, and the overall compliance function, must have “sufficient resources to ensure that the company’s compliance program is implemented effectively.” Additionally, the compliance function should report to the company’s Board of Directors or an appropriate committee of the Board such as the Audit Committee. Overall the DOJ and SEC will “consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.”
  4. Risk Assessment. The Guidance states that “assessment of risk is fundamental to developing a strong compliance program”. Indeed, if there is one over-riding theme in the Guidance it is that a company should assess its risks in all areas of its business. The Guidance lists factors that a company should consider in any risk assessment. They are “the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs.” The Guidance is also quite clear that when the DOJ and SEC look at a company’s overall compliance program, they “take into account whether and to what degree a company analyzes and addresses the particular risks it faces.”
  5. Training and Continuing Advice. Communication of a compliance program is a cornerstone of any anti-corruption compliance program. The Guidance specifies that both the “DOJ and SEC will evaluate whether a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners.” The training should be risk based so that those high risk employees and third party business partners receive an appropriate level of training. A company should also devote appropriate resources to providing its employees with guidance and advice on how to comply with their own compliance program on an ongoing basis.
  6. Incentives and Disciplinary Measures. This involves both the carrot and the stick. Initially the Guidance notes that a company’s compliance program should apply from “the board room to the supply room – no one should be beyond its reach.” There should be appropriate discipline in place and administered for any violation of the FCPA or a company’s compliance program. Additionally, the “DOJ and SEC recognize that positive incentives can also drive compliant behavior. These incentives can take many forms such as personnel evaluations and promotions, rewards for improving and developing a company’s compliance program, and rewards for ethics and compliance leadership.” These incentives can take the form of a part of senior management’s bonuses or simply recognition on the shop floor.
  7. Third-Party Due Diligence and Payments. Here the Guidance focuses on the ongoing problem area of third parties. The Guidance says that companies must engage in risk based due diligence to understand the “qualifications and associations of its third-party partners, including its business reputation, and relationship, if any, with foreign officials.” Next a company should articulate a business rationale for the use of the third party. This would include an evaluation of the payment arrangement to ascertain that the compensation is reasonable and will not be used as a basis for corrupt payments. Lastly, there should be ongoing monitoring of third parties.
  8. Confidential Reporting and Internal Investigation. This means more than simply a hotline. The Guidance suggests that anonymous reporting, and perhaps even a company ombudsman, might be appropriate to have in place for employees to report allegations of corruption or violations of the FCPA. Furthermore, it is just as important what a company does after an allegation is made. The Guidance states, “once an allegation is made, companies should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the company’s response, including any disciplinary or remediation measures taken.” The final message is what did you learn from the allegation and investigation and did you apply it in your company?
  9. Continuous Improvement: Periodic Testing and Review. As noted in the Guidance, “compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.” The DOJ/SEC expects that a company will review and test its compliance controls and “think critically” about its own weaknesses and risk areas. Internal controls should also be periodically tested through targeted audits.
  10. Mergers and Acquisitions. Pre-Acquisition Due Diligence and Post-Acquisition Integration. Here the DOJ and SEC spell out what it expects in not only the post-acquisition integration phase but also in the pre-acquisition phase. This pre-acquisition information is not something that most companies had previously focused on. Basically, a company should attempt to perform as much substantive compliance due diligence that it can do before it purchases a company. After the deal is closed, an acquiring entity needs to perform a FCPA audit, train all senior management and risk employees in the purchased company and integrate the acquired entity into its compliance regime.

As I commented earlier in this article, the DOJ and SEC have communicated what they believe are the important parts of a risk based, anti-corruption compliance program for many years. I do not think that a compliance defense could be set out any more succinctly. However, I do like things set out in Base 10 and the “Hallmarks of Effective Compliance Programs” is an excellent compilation of where we are and what you need in place to go forward. I recommend this as a good starting point for any compliance practitioner to implement a new compliance program or to evaluate the state of an ongoing compliance regime. So assess your company’s risks and use these hallmarks as a basis to move forward.


© Thomas R. Fox, 2013

October 8, 2012

Won’t Get Fooled Again: An Atypical Exploration under Opinion Release 12-01

As many readers of this blog know, I am an avid cyclist. I enjoy riding with rock and roll music blasting away in my ears. I even have lists on my iPod with such titles as 20 mile ride and 40 mile ride. Yesterday I decided to take pot luck and put it on ‘Shuffle’ and one of the songs selected for me was The Who classic “Won’t Get Fooled Again” from the timeless album Who’s Next. The ending line has stuck with me since I initially heard it back in the ’70s: “Meet the new boss, same as the old boss” which then follows with an ending crescendo of Keith Moon’s pounding drums, John Entwistle’s sonic bass and Pete Townshend’s crashing electric guitar.

In a peculiar way that signature line crystalized my thinking about the latest Foreign Corrupt Practices Act (FCPA) Opinion Release from the Department of Justice (DOJ); that being Opinion Release 12-01 (12-01). As first noted by the FCPA Professor, in his post entitled “DOJ’s Recent Opinion Procedure Release Creates Additional “Foreign Official” Confusion”, 12-01 is dated September 18, 2012, but was apparently only publicly released last week. Pedaling away and listening to The Who it made me think of the evolving nature of not only best practices under the FCPA but also the DOJ’s thinking on the subject. So while the song’s ending line speaks of nothing changing, I realized the nature of FCPA analysis is and can be changing. So rather than being confused, I think that the DOJ has underlined again the fact intensive nature of the analysis required under the FCPA and how companies, if they used a reasoned approach for a specific FCPA issue or problem, can go a long way towards protecting themselves from potential FCPA liability or exposure.

I. The Underlying Representations

12-01 notes that a US lobbying firm, the Requestor, desired to contract with a third party, the Consulting Company, which has, as one of its principals, a member of the Royal Family in a country where royalty exists. However, the country in question is not a monarchy and the Royal Family Member in question has only held one governmental position in the country’s government, in the late 1990’s. The work in question for which the Consulting Company would be hired is to lobby the country’s Foreign Embassy here in the US to represent the home country here in the US. The specific services that the Consulting Company would perform were stated as “strategic advice and counsel on public policy and business development issues of interest to the [Foreign Country Embassy], as well as make selected liaisons with U.S. and [Foreign Country] interlocutors on behalf of the [Foreign Country Embassy].”

1. Consulting Company Representations. 12-01 had three significant representations made by the Consulting Company. First, the Consulting Company represented that “none of its members, or principals are ‘foreign officials’ as that term is defined in the FCPA.” Second, the Consulting Company represented that its “principals and members are familiar with, and agree to abide by, the FCPA and all U.S. and [Foreign Country] anti-bribery and anticorruption laws.” Third, the Consulting Company has represented that it has “adopted the Good Practice Guidance on Internal Controls, Ethics and Compliance issued by the Organization for Economic Cooperation and Development (OECD) and have pledged that all partners and employees would be bound by the procedures covered in the Good Practices Guide.”

2. Transparency. Here the Requestor represented that there would be full transparency in not only the home country of the Consulting Company but in the US as well. This would be accomplished through publishing not only the names of the parties to any contract, but the actual contract that the principals of the Consulting Company would sign individually.

3. Compensation. Here there were some interesting provisions listed in 12-01 which provided a level of detail not usually seen in previous Opinion Releases regarding the issue of compensation. First, the parties would agree “in advance on the scope of the Consulting Company’s work” for any set of services the Consulting Company provided. Additionally, any fee would be “at or below the amount charged by other entities…for such services.”

Thereafter, the Requestor anticipated “paying to the Consulting Company twenty percent of what it receives from the Foreign Country Embassy, so long as that percentage accurately reflects the amount of work provided.” The Requestor even went so far as to list the amount of money it is expecting to pay each principal of the Consulting Company on a monthly basis; that being $2,000 per month to each principal. Taking the 20% figure noted above the fee would work out to be $6,000 per month, to the Consulting Company, which equates to a fee of $30,000 per month for lobby services that the Requestor would bill the Foreign Embassy.

4. Contract Review. In a footnote, 12-01 states that “The proposed agreement also provides that “[b]oth [the Requestor] and [the Consulting Company] agree that [the Requestor] will submit this proposed contract to the United States Department of Justice (‘DOJ’) for review under its Foreign Corrupt Practices Act (‘FCPA’) Opinion Procedure and that this agreement will not become effective until such approval is received.””

II. DOJ Analysis

After initially noting that “A person’s mere membership in the royal family of the Foreign Country, by itself, does not automatically qualify that person as a ‘foreign official,’” the DOJ goes on to reiterate its long held position that each question must turn on a “fact-intensive, case-by-case analysis” for resolution. The DOJ follows with a list of factors which should be considered. They include:

  1. The structure and distribution of power within a country’s government;
  2. A royal family’s current and historical legal status and powers;
  3. The individual’s position within the royal family; an individual’s present and past positions within the government;
  4. The mechanisms by which an individual could come to hold a position with governmental authority or responsibilities (such as, for example, royal succession);
  5. The likelihood that an individual would come to hold such a position;
  6. An individual’s ability, directly or indirectly, to affect governmental decision-making; and the (ubiquitous)
  7. Numerous other factors.

In addition to the above, the DOJ also relied upon the factors from District Courts, such as those expressed in United States v. Carson:

  • The foreign state’s characterization of the entity and its employees;
  • The foreign state’s degree of control over the entity;
  • The purpose of the entity’s activities;
  • The entity’s obligations and privileges under the foreign state’s law, including whether the entity exercises exclusive or controlling power to administer its designated functions;
  • The circumstances surrounding the entity’s creation; and
  • The foreign state’s extent of ownership of the entity, including the level of financial support by the state (e.g., subsidies, special tax treatment, and loans).

Finally, the DOJ also reviewed the factors that it set forth in its prior Opinion Release 10-03 for determining whether a Royal Family Member is a foreign governmental official. These 10-03 factors are: “(i) how much control or influence the individual has over the levers of governmental power, execution, administration, finances, and the like; (ii) whether a foreign government characterizes an individual or entity as having governmental power; and (iii) whether and under what circumstances an individual (or entity) may act on behalf of, or bind, a government.”

Based upon its analysis, the DOJ concluded, “The Department concludes that the Royal Family Member does not presently qualify as a foreign official” for the purposes of the FCPA.

III. Discussion

So how does all of the above relate to The Who and “Won’t Get Fooled Again”? I believe that 12-01 emphasizes that there is no ‘one-size-fits-all’ analysis under the FCPA. While I probably never would have made the determination that a Royal Family Member is not a foreign governmental official under the FCPA, 12-01 makes clear that every analysis stands on its own facts and circumstances. The reason I would not have ever opined that a Royal Family Member was not a foreign governmental official is that I have only used the “status analysis” that was used by the Carson court.

The FCPA Professor correctly points out that the DOJ has introduced a “duties analysis” into the mix. Where I disagree with him is that I do not believe that the duties analysis is elevated above the status analysis from the Carson case, which focuses on the status of the entity within the foreign country itself. I think that both analyses were used by the DOJ in 12-01 and both analyses can be used going forward. So under the status analysis, the DOJ stated that “The Royal Family Member also cannot, by virtue of his membership in the royal family, ascend to a governmental position and has no benefits or privileges because of his status as a Royal Family Member.” But 12-01 goes on to incorporate a duties analysis as well when it stated “the Royal Family Member has no power to affect the Foreign Country government’s award of the engagement the Requestor seeks.”

One of the primary jobs of a lawyer is to take precedent from case law and apply it to the facts of a specific situation. In the FCPA arena there is a dearth of case law precedent but in most cases the DOJ has used two types of analysis of who is a foreign governmental official. It is not clear from 12-01 if the Requestor or the DOJ analyzed the facts as presented using both of these tests but, whether they were lawyers representing the Requestor or DOJ lawyers, kudos for coming up with a new legal argument to make by combining both the status analysis and the duties analysis.

But equally important to the novel argument made is the use of the Opinion Release procedure itself. Recognizing that it took some seven months to obtain the formal Opinion Release does not take away from the power of the procedure. A lawyer was faced with what I would have termed an intractable problem; that being a Royal Family Member and the issue of a foreign governmental official. With some creativity in the legal argument and the use of the Opinion Release procedure, the Requestor was able to obtain a way forward which accomplished both its business goals and the goals of doing business in compliance with the FCPA.

I believe the ultimate takeaway from 12-01 is that the DOJ not only listens but it considers all the facts. In other words, not only does the analysis change as facts evolve but the final answer may change as well and it does not necessarily mean that the new boss will be the same as the old boss or you ‘won’t get fooled again’ into thinking there is absolutely, positively no way to manage a potential FCPA issue. One of your jobs as a lawyer is to be creative and Opinion Release 12-01 shows you that there is a way to do so.

© Thomas R. Fox, 2012

June 27, 2012

2012 First Half FCPA Enforcement Round-Up: Part I

The first half of 2012 is drawing to a close and we have had several significant enforcement actions so far this year. So to commemorate all those June Brides and Bridegrooms out there, including my parents who celebrate their 56th wedding anniversary on June 30, I have put together a couple of posts reviewing my top 6 Foreign Corrupt Practices Act (FCPA) enforcement actions for the first 6 months of 2012. At this point I cannot see any clear trends but there are some key points that provide solid advice for the compliance practitioner going forward. In today’s blog, we take up the first three, in chronological order.

I. Aon

We begin with a Non-Prosecution Agreement (NPA) issued in the last week of 2011 where the insurance giant Aon received a NPA from the Department of Justice (DOJ) in settling enforcement actions against it by the DOJ and Securities and Exchange Commission (SEC). Aon agreed to total fines and penalties in an amount of $16.3 MM. This is in addition to a fine previously paid to the UK Financial Services Authority (FSA) in January, 2009, of £5.25 MM (approximately $8.2 MM at today’s exchange rate).

A. Aon’s Remedial Actions Which Led to the NPA

The DOJ stated that it entered into the NPA based “in part, on the following factors: (a) Aon’s extraordinary cooperation with the Department and the U.S. Securities and Exchange Commission (“SEC”); (b) Aon’s timely and complete disclosure of the facts described in Appendix A as well as facts relating to Aon’s improper payments in Bangladesh, Bulgaria, Egypt, Indonesia, Myanmar, Panama, the United Arab Emirates and Vietnam that it discovered during its thorough investigation of its global operations; (c) the early and extensive remedial efforts undertaken by Aon, including the substantial improvements the company has made to its anti-corruption compliance procedures; (d) the prior financial penalty of £5.25 million paid to the United Kingdom’s Financial Services Authority (“FSA”) by Aon Limited, a U.K. subsidiary of Aon, in 2009, covering the conduct in Bangladesh, Bulgaria, Indonesia, Myanmar, the United Arab Emirates and Vietnam; and (e) the FSA’s close and continuous supervisory oversight over Aon Limited.”

B. Non-Bona Fide Travel and Educational Expenses

The primary activity for which Aon was sanctioned was a travel and education fund, initially designed to provide funds for foreign government employees involved with insurance to travel to educational conferences. However, the funds evolved into personal use for entertainment of the officials, their wives and families. In one instance, involving a fund in Costa Rica, travel was booked through a travel agency which was owned or managed by the Costa Rican officials who were entertained with monies from the educational and training funds.

C. Books and Records

The largest portion of the Aon fine involved violations of the FCPA’s books and records requirements. The NPA noted, “With respect to the Costa Rican training funds, although Aon Limited maintained accounting records for the payments that it made from both the Brokerage Fund and the 3% Fund, these records did not accurately and fairly reflect, in reasonable detail, the purpose for which the expenses were incurred. A significant portion of the records associated with payments made through tourist agencies gave the name of the tourist agency with only generic descriptions such as ‘various airfares and hotel.’ Additionally, to the extent that the accounting records did provide the location or purported educational seminar associated with travel expenses, in many instances they did not disclose or itemize the disproportionate amount of leisure and non-business related activities that were also included in the costs.” In short, there was either no bona fide educational expense or not one which could be documented from Aon’s internal records.

Key Takeaway: You must completely document, document and document the basis of your expenditures. If there is no explanation, the assumption will be the payments are made for corrupt purposes.

II. Smith & Nephew

The landscape of the FCPA world is littered with cases involving both agents and resellers, who are most clearly acting as representatives of the companies whose goods or services they sell in foreign countries. Many US businesses believe that the legal differences between agents/resellers and distributors insulate them from FCPA liability should the conduct of the distributor violate the Act. Under this same analysis, many US companies believe that the FCPA risk has also shifted from the US company to the foreign distributor. However, such belief is sorely misplaced, as was shown in the Smith & Nephew (SNN) enforcement action.

The FCPA violations revolved around a Greek distributor of SNN who paid bribes to Greek doctors so that they would purchase and use SNN products. SNN paid a monetary penalty of $16.8MM to the DOJ and $5.4MM to the SEC as a civil penalty, all for a total of $22.2MM in fines and penalties.

| Entity Designation | Domicile of Entity | Commission Rate | Services Provided | Actual Services |
|---|---|---|---|---|
| Shell Company A | UK | 40% of sales of Greek distributor | Marketing | Did not perform any services |
| Shell Company B | UK | 26% of sales of Greek distributor | Marketing | None listed |
| Shell Company C | UK | 35% of sales of Greek distributor | Marketing | Did not perform any true services |

A quick review of the above chart shows the FCPA problems; very high commissions were paid with no actual services provided. Or as stated by the FCPA Professor, SNN “falsely recorded or otherwise accounted for the payments to the shell companies on its books and records as ‘marketing services’ in order to conceal the true nature of the payments in the consolidated books and records of S&N.”

Key Takeaway: If your company uses a distributor model in its sales chain, I would suggest that you review and reassess your pricing structure in light of this enforcement action.

III. BizJet

In the bribery and corruption world, the facts of this enforcement action are about as bad as it can get. It was reported that senior company personnel had actual knowledge or approved of the payment of cash to bribe foreign governmental officials to obtain or retain business. There was also a deliberate attempt to hide the true nature of the payments. But even with these damaging facts, the company was able to receive a significant reduction on the low end of the fine range as suggested under the US Sentencing Guidelines. So how did the company achieve this?

A. Bribery Scheme

In this case, the company made a number of corrupt payments which were characterized as “commission payments” and “referral fees” on its books and records. Payments were made from both international bank accounts and bank accounts here in the United States. In other words, this was as clear a case of a pattern and practice of bribery as there could be: authorized by the highest levels of the company, paid through US banks, and hidden by mis-characterizing the payments in the company’s books and records.

BizJet Bribery Box Score

| BizJet Executive or Employee Named | Payment Made To | Amount of Payment | Others Involved |
|---|---|---|---|
| Sales Manager A | Official 6 | Cell Phone and $10K | Executive B and C |
| Sales Manager A | Official 3 | $2K | Executive B |
| Executive B, C and Sales Manager A | Official 2 | $20K | |
| Executive C | Official 2 | $30K | Sales Manager A |
| Executive B | Mexican Federal Police Chief | $10K | Executive C and Sales Manager A |
| Executive C | Official 5 | $18K | Sales Manager A |
| Sales Manager A | Official 4 | $50K | |
| Sales Manager A | Mexican Federal Police | $176 | Executive C |
| Sales Manager A | Official 4 | $40K | |
| Sales Manager A | Mexican Federal Police | $210K | Executive C |
| Sales Manager A | Official 5 | $6K | Executive C |
| Executive C | Official 5 | $22K | |

B. Reduction in Monetary Fine

I set out these facts in some detail to show the serious nature of this enforcement action. However, the clear import is that a company can make a comeback in the face of very bad facts. The calculation of the fine, based upon the factors set out in the US Sentencing Guidelines, ranged from a low of $17.1MM to a high of $34.2MM. The final agreed upon monetary penalty was $11.8MM. This is obviously a significant reduction from the suggested low or high end, or as was noted by the FCPA Blog “BizJet’s reduction was 30% off the bottom of the fine range, and a whopping 65% off the top of the fine range.”

How did BizJet achieve this reduction and avoid an external monitor? As reported by the FCPA Professor, the following were factors:

(a) following discovery of the FCPA violations during the course of an internal audit of the implementation of enhanced compliance related to third-party consultants, BizJet initiated an internal investigation and voluntarily disclosed to the DOJ the misconduct …;

(b) BizJet’s cooperation has been extraordinary, including conducting an extensive internal investigation, voluntarily making US and foreign employees available for interviews, and collecting, analyzing, and organizing voluminous evidence and information for the DOJ;

(c) BizJet has engaged in extensive remediation, including terminating the officers and employees responsible for the corrupt payments, enhancing its due diligence protocol for third-party agents and consultants, and instituting heightened review of proposals and other transactional documents for all BizJet contracts;

(d) BizJet has committed to continue to enhance its compliance program and internal controls, including ensuring that its compliance program satisfies the minimum elements set forth in the corporate compliance program set forth in an attachment to the DPA; and

(e) BizJet has agreed to continue to cooperate with the DOJ in any ongoing investigation of the conduct of BizJet and its officers, directors, employees, agents, and consultants relating to violations of the FCPA.

C. Reports to the DOJ

The company avoided an external monitor. However, it agreed that it would report “at no less than twelve-month intervals during the three year term” [of the DPA] to the DOJ on “remediation and implementation of the compliance program and internal controls, policies and procedures” which were listed in Attachment C to the DPA (the DOJ guidelines for a minimum best practices compliance program). The initial report was required to be delivered one year from the date of the DPA and would also include BizJet’s proposals “reasonably designed to improve BizJet’s internal controls, policies and procedures for ensuring compliance with the FCPA and other applicable anti-corruption laws.”

Key Takeaway: What you do after you discover the bribery and corruption will go a long way towards determining your penalty. No matter how bad the facts are, if you provide ‘extraordinary cooperation’ to the enforcement agencies, you can significantly reduce your final monetary penalty.

© Thomas R. Fox, 2012

March 7, 2012

How FATF Recommendations on Anti-Money Laundering Inform Your Compliance Program

The Financial Action Task Force (FATF) is an inter-governmental body established in 1989 by the Ministers of its Member jurisdictions. Its mandate is to set standards and to promote effective implementation of legal, regulatory and operational measures for combating money laundering, terrorist financing and the financing of proliferation, and other related threats to the integrity of the international financial system. In collaboration with other international stakeholders, it also works to identify national-level vulnerabilities with the aim of protecting the international financial system from misuse. FATF recently released a new document, entitled “International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation”.

While most of the recommendations in the document were directed at financial institutions, I found several of them to converge over and into the area of anti-corruption. Further, several of the recommendations will be of high value to companies in evaluating or enhancing their own compliance programs. They include some of the following recommendations which I have adapted for anti-corruption and anti-bribery compliance programs.

Risk Assessments

Companies should identify, assess, and understand the money laundering and terrorist financing risks for the country in which they seek to do business, and should take action, including designating an authority or mechanism to coordinate actions to assess risks, and apply resources, aimed at ensuring the risks are mitigated effectively. Based on that assessment, companies should apply a risk-based approach to ensure that measures to prevent or mitigate compliance risks are commensurate with the risks identified. This approach should be an essential foundation to efficient allocation of resources across the anti-money laundering and countering the financing of terrorism (AML/CFT) regime and the implementation of risk based measures throughout the FATF recommendations. Where companies identify higher risks, they should ensure that their AML/CFT regime adequately addresses such risks, and where lower risks are identified, they may decide to allow simplified measures for some of the FATF recommendations under certain conditions.

Customer Due Diligence

Companies should be prohibited from keeping anonymous accounts or accounts in obviously fictitious names. Companies should be required to undertake customer due diligence measures when:

(i) establishing business relations;

(ii) carrying out occasional transactions, above the applicable designated threshold (USD/EUR 15,000);

(iii) there is a suspicion of money laundering or terrorist financing; or

(iv) the company has doubts about the veracity or adequacy of previously obtained customer identification data.

FATF recommends that the following due diligence be performed by companies:

(a) Identifying the customer and verifying that customer’s identity using reliable, independent source documents, data or information.

(b) Identifying the beneficial owner, and taking reasonable measures to verify the identity of the beneficial owner, such that the financial institution is satisfied that it knows who the beneficial owner is. For legal persons and arrangements this should include an understanding of the ownership and control structure of the customer.

(c) Understanding and, as appropriate, obtaining information on the purpose and intended nature of the business relationship.

(d) Conducting ongoing due diligence on the business relationship and scrutiny of transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with the institution’s knowledge of the customer, their business and risk profile, including, where necessary, the source of funds.

FATF recommends the following additional due diligence for politically exposed persons (PEPs), including family members and close associates, whether as customer or beneficial owner, in addition to performing normal customer due diligence measures, including:

(a) have appropriate risk-management systems to determine whether the customer or the beneficial owner is a politically exposed person;

(b) obtain senior management approval for establishing, or continuing for existing customers, such business relationships;

(c) take reasonable measures to establish the source of wealth and source of funds; and

(d) conduct enhanced ongoing monitoring of the business relationship.

Record Keeping

Companies should be required to maintain, for at least five years, all necessary records on transactions, both domestic and international, to enable them to comply swiftly with information requests from the applicable authorities. Such records must be sufficient to permit reconstruction of individual transactions (including the amounts and types of currency involved, if any) so as to provide, if necessary, evidence for prosecution of criminal activity.

Companies should be required to keep all records obtained through customer due diligence (e.g. copies or records of official identification documents like passports, identity cards, driving licenses or similar documents), account files and business correspondence, including the results of any analysis undertaken (e.g. inquiries to establish the background and purpose of complex, unusual large transactions), for at least five years after the business relationship is ended, or after the date of the original transaction.

Companies should be required by law to maintain records on transactions and information obtained through the customer due diligence measures. The customer due diligence information and the transaction records should be available to applicable domestic authorities upon appropriate authority.

New Technologies

One of the areas which many companies do not consider is that of new and cutting edge technologies to combat corruption. FATF clearly makes use of new technologies as a part of its overall efforts. It states that companies should identify and assess the money laundering or terrorist financing risks that may arise in relation to (a) the development of new products and new business practices, including new delivery mechanisms, and (b) the use of new or developing technologies for both new and pre-existing products. In the case of financial institutions, such a risk assessment should take place prior to the launch of new products, business practices or the use of new or developing technologies and they should take appropriate measures to manage and mitigate those risks.

Wire Transfers

On wire transfers and related messages which a company may send out to a third party, the company should include originator information and required beneficiary information, and ensure that the information remains with the wire transfer or related message throughout the payment chain. Companies should also monitor wire transfers for the purpose of detecting those which lack required originator and/or beneficiary information and take appropriate measures.

Many of the above areas are currently covered in more traditional anti-corruption/anti-bribery compliance programs, such as those covered by the US Foreign Corrupt Practices Act (FCPA) or UK Bribery Act. However, these FATF recommendations, with their focus on anti-money laundering, can be useful guidance to companies to make their compliance programs more robust. I recommend that you read the entire report and adapt some of their suggestions into your compliance regime.

© Thomas R. Fox, 2012

February 15, 2012

The Mercury 7, Chuck Duross and Continuous Improvement to Your Compliance Program

Next Monday, February 20, 2012 is the 50th anniversary of the first American manned orbital space flight. It made John Glenn a national hero and heralded America’s move into direct competition with the (then) Soviet Union for the race to put the first man on the moon. In an article in the New York Times, entitled, “At 90, John Glenn Looks Back” reporter John Noble Wilford wrote about this flight, the Mercury program and Glenn based upon two interviews with the ex-astronaut and former Senator from Ohio. This coming Saturday, Glenn will be honored at Cape Canaveral at a celebration of the remaining members of the Mercury space team.

These original seven astronauts, known as the “Mercury 7”, were true American heroes. Anyone interested in science in the slightest bit in the 60s knew who these men were. They were featured in Life Magazine with their families and each of their space flights was covered on live television by all three networks. Glenn is one of two of the original Mercury astronauts still alive, the other being Scott Carpenter, who will also be honored on Saturday. The remaining astronauts of the Mercury 7 were Deke Slayton, Gus Grissom, Alan Shepard, Gordon Cooper and Wally Schirra. They were immortalized for a later generation by Tom Wolfe, in his book, “The Right Stuff”.

So what is the compliance angle here? It is that NASA created an entire system, consisting of processes and procedures to put a man on the moon. Were there setbacks? Yes, the Apollo 1 tragedy still resonates at NASA today. However, NASA moved forward and fulfilled President Kennedy’s vow to put a man on the moon by the end of the decade. NASA did this largely by continuous improvement of its system.

I thought about this article while reading the tweets coming from my “This Week in FCPA” co-host Howard Sklar last night. Howard is in Hong Kong, chairing the Anti-Corruption Asia Congress this week. Yesterday, Chuck Duross, Deputy Chief, Foreign Corrupt Practices Act (FCPA) Unit, United States Department of Justice (DOJ) spoke at the event and Howard tweeted some of the highlights of Chuck’s remarks. They included:

  • To combat corruption, there needs to be political will, as it requires prosecution of bribe takers as well as bribe payers.
  • Do not assume that your company is immune from FCPA liability just because you are not a US company. Here you should note that 9 out of the 10 FCPA settlements of all time are with non-US based companies.
  • Charging individuals is leading to more trials. Last year the DOJ tried 3,000 cases and there were 4 FCPA trials. In Chuck’s words (as tweeted by Howard), “Let’s all take a breath”.
  • There was an FCPA trial first: a foreign official, charged with money laundering, testified against the business bribe-payer. Here it is important to note that the DOJ can and will charge foreign government officials.
  • Turning to some specifics of compliance programs, Duross remarked that companies using half-measures to prevent bribery are at risk.
  • Companies will receive a significant benefit for having robust compliance programs: lower fines, DPA/NPA, even not having a monitor. He gave some examples: Noble got an NPA, paid $2.6 MM, no monitor. Pride, which sustained substantial cooperation with the DOJ, received a below-the-guideline-range penalty of 55%.
  • Turning to the facilitation payment exception, Duross said that it is a narrow one: it’s usually illegal locally where it is paid, discouraged in US, illegal internationally.
  • He emphasized that third party agents need to be properly vetted.
  • He noted that other violations of US law often accompany FCPA violations, such as anti-competitive behavior, trade violations, embezzlement, and money laundering.
  • He emphasized that your company should do what it can do regarding your compliance program. If necessary, at first, change the tone at the top. Make it clear that illegal acts will not be tolerated. But you must mean it. Vocal support is necessary, but management’s commitment cannot end there. Compliance is a cost center: management must back up vocal support of compliance with budget and resources.
  • Next, Duross suggested that companies reevaluate internal controls. They should take the time to review and test, and think critically about risk.
  • The DOJ looks at proactive compliance efforts when deciding how and whether to prosecute. He also suggested that your company might consider joining an integrity pact.
  • Howard’s tweets ended with this suggestion: that it is important to TEST your compliance program. You can run a fake invoice through your system which has information which should raise red flags. You can run information through the hotline and see what happens. That impresses the DOJ.

The last few points raised by Duross emphasized to me the process of compliance. But as important as putting the program in place is testing the program and using the lessons learned to upgrade and update your compliance program. While we celebrate John Glenn, the Mercury 7 and NASA for what they achieved, we should remember that NASA used continuous improvement in its space program. These same techniques can be brought to bear in your compliance program. Based upon the remarks of Chuck Duross, such monitoring, improvement and upgrades will be counted in a positive light by the DOJ if you are involved in an FCPA enforcement action.


February 1, 2012

Third Party Checkup

In a January 29, 2012 editorial in the New York Times (NYT), entitled “Made in the World”, columnist Thomas Friedman wrote about the end of ‘outsourcing’; his thesis being the “world is now so integrated that there is no “out” and no “in” anymore. In their businesses, every product and many services now are imagined, designed, marketed and built through global supply chains that seek to access the best quality talent at the lowest cost, wherever it exists.” However, the ‘cheapest’ does not necessarily mean the best for your company.

What are your company’s risks for not knowing such information? Clearly anti-corruption legislation has remedies for civil and criminal liability. However, equally great may be reputational damage, “even from public investigations into a third party.” Put another way, how do you think the folks at Apple felt when they woke up on the morning of January 25, 2012 to find the following headline on the front page of the NYT “In China, Human Costs are Built into an iPad”?

In a recent White Paper, entitled “Third Party Essentials: A Reputation/Liability Checkup When Using Third Parties Globally”, authors Marjorie Doyle and Diana Lutz posit that in most foreign business partner relationships, your company will be held responsible for the actions of third parties which work for and with your company. The new global expectation is that “you know who they are, you have vetted them and you are in control of the activities for which you hired them.” They further believe that such is even more important when anti-corruption and anti-bribery laws, such as the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other OECD based legislation, are applicable. They note, “Gone are the days when organizations could wash their hands of liability or damage to reputation from outsourced work due to ethics and compliance failure.”

To help companies navigate through the issues, the authors have prepared a checklist to test an “organizations health status concerning your relationship to your third parties.” It is as follows:

  1. Do you have a list or database of all your third parties and their information? Does your company have a full list of all third parties including such basic information as name, location, type of services provided, contract files and dates, principals of the third party and primary contact, due diligence files and any other information you might need to manage the third party relationship going forward?
  2. Have you done a risk assessment of your third parties and prioritized them by level of risk? You need to know which third party services present the greatest risk to your company by asking some of the following questions: (a) Is the third party’s service critical to your business?; (b) Is the third party’s service performed with little company supervision or oversight?; (c) Does the third party have access to any company funds, resources or assets?; (d) Can the third party fund the company contractually?; and (e) Does the third party obtain any foreign governmental licenses, certifications or other approvals for your company?
  3. Do you have a due diligence process for the selection of third parties, based on the risk assessment? You should use the information determined through the risk assessment to “tailor the level of diligence to the level of risk.” Assign a risk profile to categories, such as high, medium and low. The higher the risk, the more due diligence will be required to vet the third party.
  4. Once the risk categories have been determined, create a written due diligence process. Here you need to have a written policy and defined procedures to implement that policy. The policy should include the following: (a) who is responsible for implementation; (b) list of red flags and how such red flags are to be dealt with and cleared; (c) a procedure to pay for any due diligence performed; (d) reference checks on third parties; (e) procedures for in-person interviews for third parties in a high risk category; (f) conflicts of interest checks, and (g) process for documentation and storage of all of the above information.
  5. Once the third party has been selected based on the due diligence process, do you have a contract with the third party stating all the expectations? In addition to your standard commercial terms, your third party contract should also include compliance terms and conditions, which should include the following: (a) anti-corruption and anti-bribery certification; (b) a requirement that the third party maintain accurate books and records and that your company has audit rights; (c) indemnity rights; (d) anti-corruption and anti-bribery training for the third party’s employees; (e) an anonymous reporting mechanism for ethics complaints; (f) a requirement that the third party obtain pre-approval to subcontract out any of its work for your company; (g) a requirement that the third party report any ownership change back to your company; and lastly (h) clear termination rights.
  6. Is there someone in your organization who is responsible for the management of each of your third parties? Just as your company would never have an employee who is not supervised, your company should not have a third party which does not have company oversight. You should designate a manager to maintain the third party relationship with your company. Such relationship manager should maintain and update documentation on the third party, work with Internal Audit to schedule and perform audits, meet regularly with the third party and oversee adherence to the third party’s contract with your company.
  7. What are “red flags” regarding a third party? Red flags are generally recognized as signs or situations which should give rise to further investigation by your company. While there are innumerable questions which can be asked and answered, I believe that red flags are generally organized into one or more of the following categories: (a) something seems out of the ordinary; (b) reluctance of party to supply information/difficulty of verifying information; (c) the company/services/principals are not verifiable by data, only anecdotally; and (d) mismatch in business experience with the product or services offered. Whatever red flags you list, if they are undiscovered or left unresolved, it could certainly cost a reputational loss or worse for your company.

Many companies understand the maxim “Know Your Customer (KYC)”; nevertheless, in today’s global economy this maxim may well need to be expanded to “Know Your Third Party”. The authors conclude by agreeing with Thomas Friedman’s observation in his Op-Ed piece “that there is no “out” and no “in” anymore” and that “the rule is: Source everywhere, manufacture everywhere, sell everywhere.” However, this opportunity brings potential costs. Your company should “apply the same rigor in selecting, training and managing third parties” as it does for its own employees. A good place to start is with a third party checkup.

============================================================================================
Episode 29 of This Week in FCPA is up. Howard Sklar and I visit with the winning defense lawyers in the O’Shea case.

============================================================================================


January 30, 2012

Apollo 1 and a Compliance Dozen – How to Design a Program for Foreign Business Partners

Friday, January 27 was the 45th anniversary of the Apollo 1 disaster. As reported by Brian Vastag, in an article in the Washington Post entitled “45 years after America’s first space tragedy, lessons linger”, it was a “launchpad fire which killed three NASA astronauts during testing of the then-new Apollo capsule. Reviews found that the early design of the craft was fatally flawed. Faulty wiring probably sparked the blaze that killed Roger Chaffee, Gus Grissom and Ed White. Among other problems, engineers saved weight by filling the capsule with pure, low-pressure oxygen instead of air, which is 80 percent inert nitrogen.”

One of the clear pieces of guidance from the Department of Justice (DOJ) is that a ‘tick-the-box’ compliance program is not only insufficient; it will not protect a company if a Foreign Corrupt Practices Act (FCPA) violation is discovered. However, many compliance practitioners do not know what should be analyzed regarding foreign business partners. I recently attended the ACI FCPA Boot Camp in Houston, home of the Johnson Space Center. One of the presentations dealt with how to design an overall program to evaluate, contract with, and manage foreign business partners. Furthermore, the presentation focused on how to assess the information obtained through the due diligence process. The presenters discussed a 12 point evaluation process for reviewing, assessing, then contracting with and managing foreign business partners. The steps are as follows:

  1. Consider reputation for corruption in the country. You clearly need to review information from governmental organizations, such as the US Department of Commerce and State. A widely used source is from non-governmental organizations, such as Transparency International. Additionally, there are private sources such as World Check’s Country Check and the FCPA Database that you can use to review and determine a country’s overall reputation for corruption.
  2. Competence of foreign business partner. This is a two-part analysis. It includes a review of the qualifications of the candidate for subject matter expertise and the resources to perform the services for which they are being considered. However, it also includes an identification of the representative’s expected activities for your company.
  3. Determine the integrity of the foreign business partner. There are several different methods that can and should be employed for this inquiry. Initially there should be an internal point of contact with the potential foreign business representative who can be used to obtain documents and financial, commercial and compliance references. After obtaining this initial information, you should review US and non-US restricted party lists and other media/internet searches. Next you should, at a minimum, obtain comments back from all references and if needed interview these references. Lastly, you should consider conducting an interview with the candidate. This can be done in house or through a company which specializes in investigations.
  4. Identify relationships between agent and foreign governmental official. This inquiry requires a detailed review of the ownership and officers/directors and key employees of the foreign business partner. You will need to obtain and review entity information and documentation. If this is in a foreign language you will need to have it translated. One last point here is that you may now need to look at customers as well to ascertain past and present relationships with government agencies.
  5. Business justification for use of agent and reasonableness of compensation. Here you should begin the entire process by requiring the relevant business unit which desires to obtain the services of any foreign business partner to provide you with a business justification including current opportunities in territory, how the candidate was identified and why no currently existing foreign business relationships can provide the requested services. Your next inquiry should focus on the terms of the engagement, including the commission rate, the term of the agreement, what territory may be covered by the agreement and if such relationship will be exclusive.
  6. Ensure that answers provided by the representative or business partner to due diligence questions are accurate and complete. This is the old Ronald Reagan maxim of ‘trust but verify’. You must verify information received from the prospective foreign business partner with interviews of business references and background searches.
  7. Ensure compliance with local laws. This means that both the relationship that you envision is legal within the foreign jurisdiction and that the foreign business partner will comply with all local laws.
  8. Integrate FCPA contract safeguards. You will need to incorporate the DOJ required language, listed in its 13 point minimum best practices compliance program. These compliance terms and conditions are found in Attachment C of all Deferred Prosecution Agreements (DPAs), entered into by the DOJ since at least November, 2010.
  9. Provide for continuing oversight. After you have performed your due diligence, evaluated it and then entered into the contract for services, now the real work begins. You must manage that relationship. I suggest that you do so through a business unit sponsor for all foreign business partners. Such person must be assigned to and be responsible for ensuring continuing oversight of the foreign business partner.
  10. Maintenance of books and records. This requirement also has two parts. Clearly your company must maintain appropriate internal controls over all its foreign business partners but your foreign business partner must also maintain such accurate records. I would go further to add that you should audit these records to ensure compliance.
  11. Seek guidance from DOJ. As I mentioned above, there are several different resources available to the compliance practitioner for information relating to foreign business partners. These include the minimum best practices as set forth in Attachment C to each DPA; DOJ Opinion Releases; and Securities and Exchange Commission (SEC) enforcement actions. Also remember your company can avail itself of the Opinion Release procedure and request guidance from the DOJ via that mechanism.
  12. Use consistent standards and common sense. You should not check your common sense at the door when you become a compliance officer. The surest way to get into trouble is by ignoring your own internal warning signs. If a relationship feels bad to you, or something does not quite ‘smell right’ about a proposed foreign business partner, listen to that sensation. It may be a situation where more due diligence is required or a situation where you should walk away. Additionally, you should use consistent terms and conditions across industries and services, such as with customs brokers and freight forwarders.

The Apollo 1 tragedy still haunts NASA today. Vastag noted that “The tragedy is still etched on NASA’s collective psyche.” One NASA veteran, Travis Thompson, worries that the commercial companies which now lead most of America’s space efforts “have not absorbed the prime lesson of Apollo 1 — that bad design begets tragedy.” The 12 point program set out above will help your company to work through any issues with foreign business partners and, by following it, you may well prevent your company from having its own compliance failure.

