FCPA Compliance and Ethics Blog

March 14, 2014

The Ides of March and Evaluation of Compliance Risk

Ides of MarchTomorrow, March 15 is enshrined as one of the most famous days of all-time, the “Ides of March”. On this day in 44 BC, the “Dictator for Life” Julius Caesar was assassinated by a group of Roman nobleman who did not want Caesar alone to hold power in the Roman Empire. It was however, this event, which sealed the doom of the Roman Republic as his adopted son Octavian first defeated the Republic’s supporters and then his rival Dictator Marc Anthony and became the first Emperor of the new Roman Empire, taking the name Augustus.

One of the more interesting questions in any anti-corruption compliance regime is to what extent your policies and procedures might apply in your dealings with customers. Clearly customers are third parties and in the sales chain but most compliance programs do not focus their efforts on customers. However, some businesses only want to engage with reputable and ethical counter-parties so some companies do put such an analysis into their compliance decision calculus.

However, companies in the US, UK and other countries who do not consider the corruption risk with a customer may need to rethink their position after the recent announcements made by Citigroup Inc. regarding its Mexico operations.

In an article in the New York Times (NYT), entitled “Fraud Exposes Challenges for Citi in Mexico”, reporters Michael Corkery and Jessica Silver-Greenberg wrote about the troubles which have befallen “the bank’s “crown jewel” – a sprawling retail lender called Banamex.” Citigroup recognized there was risk in Banamex, even having, what the reporters said was, a “little black book” which was stated by one un-named top executive to be the “book of redlined clients” and was also described as “an informal tally of Mexican companies” that could imperil the company’s Mexican operations. The bank has come to grief with its involvement in a $400MM fraud “that was discovered last month highlights the limitations of that kind of culling, and more broadly points to the challenges of finding solid lending clients in a country where the line between big business and political cronyism can become blurred.”

While Citigroup blamed this problem on “bad luck and bad actors” the article revealed a more complicated picture. The picture was one where “the bank had been placing large bets on a few risky corporate borrowers”. The $400MM loss involved an oil services company, Oceanografía SA de CV. But the bank also sustained other losses where loans were made to building contractors, which after a Mexican government a policy shift it “effectively killed the developers’ suburban projects” and they were not able to repay the loans.

Moreover, with regard to Oceanografía, the bank itself recognized the inherent danger of doing business with the entity. The article noted that Banamex has extended $585MM in short-term credit to a company that Citigroup itself had warned its own bond investors was “from time to time subject to various accusations, including accusations of corrupt practices.” Oceanografía is a company that provided construction, maintenance and vessel-chartering services to Pemex’s exploration and production subsidiary. However, as the article noted, “Oceanografía’s fortunes, however, changed sharply last month after it became the subject of a new government review that resulted in a suspension of government contracts to Oceanografía for the next 20 months. Banamex had advanced as much $585 million to Oceanografía through an accounts receivable program. The program was supposed to work like this: Banamex would advance money to Oceanografía to provide services to Pemex. The oil giant would then pay back Banamex, verifying invoices provided by Oceanografía to confirm that the work had been completed. In theory, Banamex was relying on Pemex’s ability to pay back the bank.”

Unfortunately for Banamex, much like the developers “which relied on government subsidies to finance their suburban developments, Oceanografía’s business relied on government contracts from Pemex. But when those ties were cut, the problems quickly surfaced. Shortly after the suspension of government contracts to the oil services company, Citigroup said it discovered the fraud at its Mexican unit, involving Oceanografía.”

These losses were coupled with the semi-autonomous relationship that Banamex had with its parent, Citigroup. The article stated, “the bank he [Mr. Medina-Mora] built has been considered something of a “black box” — a highly profitable but not especially transparent unit that was run with great autonomy by its leader, according to current and former bank executives. Sometimes, though, that autonomy rankled other executives in New York, the people said.” Citigroup denied that Banamex was semi-autonomous and in a statement in the article said, “We dispute assertions that the management team is autonomous,” Further, “While Banamex is a subsidiary of Citigroup, it is absolutely subject to the same risk, control, anti-money laundering and technology standards and oversight which are required throughout the company.”

For the compliance practitioner there are several lessons to be garnered from Citigroup’s reported problems and Julius Caesar’s demise on the Ides of March. In Caesar’s case, he wholly ignored the resentment that had been welling up in the Roman aristocracy for his high-handed action in becoming a Dictator. Even on the day in question, he dismissed his personal guard detail as he was going to the Roman Senate and finally, although he allegedly was handed a written communication warning him of his impending doom, he never took the time to read it. In other words, not only did he miss the red flags, he ignored specific warning signs and reduced his risk management capabilities by dismissing his security detail.

Similarly, as reported by the NYT, Citigroup would seem to have missed the warning signs about Oceanografía and if the NYT article is correct, might have actually internally ignored red flags while broadcasting them to bond holding investors. Lastly, whether the Banamex unit was semi-autonomous, as alleged in the article, or not as claimed by Citigroup’s statement, the point is that there must always be oversight. More than simply a ‘second set of eyes’ there should be internal controls which can be reviewed and vetted.

Finally, as noted in the article, the loans in question involved businesses that relied on government contracts, payments or some other form of support. While that may be of some comfort in developing countries, it can also be a source of risk. It also points to another analysis, which is not always considered, that being if a proposition is high reward, it is probably because it is also high risk in some area. While many companies can evaluate high financial risk and hope for attendant high financial reward, they also need to consider how a high corruption risk might factor into their analysis.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

February 11, 2014

More Lessons From Workplace Safety for the Compliance Practitioner

Trapped Under The SeaI have long believed that the compliance discipline has quite a bit to learn from the area of safety in the workplace. This is not only because I believe that the changes in corporate attitudes about safety presage many of the current debates about how to ‘do compliance’ but also because many of the processes and procedures that a safety professional utilizes can be translated into a process for the compliance professional. In a recent Compliance Week article, entitled, “Risk-Management Lessons From The Depths” Richard M. Steinberg reviewed the newly released book Trapped Under the Sea, by Neil Swidey, which is about a catastrophic accident that occurred during the construction of a waste treatment plant in Boston Harbor.

Steinberg’s article focused on the risk management issues, which led to the deaths of men working on a tunnel, dug far beneath Boston Harbor that transported waste out to sea before its release. Steinberg began by looking at the pre-operation factors which laid the “seeds of disaster” leading to the tragedy. (1) There were tight deadlines to be met, “with a federal judge ready to impose huge fines and penalties if they were not”; (2) An inexperienced executive director of the governmental water resources authority overseeing the project, who was suffering from a stress condition his doctor said was off the charts, who was most critically “clearly intimidated by the prime contractor’s chief executive”; and (3) The prime contractor was already in the red on the project, behind schedule and incurring millions of dollars in penalties, rising every day.

With the project, and many jobs on the line, the stress level on the management team grew. Swidey noted that as “organizational behavior research shows that, “As trust levels go down within a group, group members’ creativity and willingness to seek new options also decreases. When intense time pressures are added to the mix, opposing sides tend to become even more fixed in their positions, relying more on cognitive shortcuts. They’re unable to work collaboratively to solve a problem because they have become locked in an adversarial contest: if you win, I lose.”” The actual planning of the key event which led to the catastrophic failure “fell to sub-contractors, with two men calling the shots: Roger Rouleau, who relied on the technical capability of the other man he was to oversee, Harald Grob. The subs needed to please the prime contractor, or risk ruin. Ultimately, those overseeing the project ended up relying on these two men to make some critical final decisions.” As Steinberg noted, “although there was a major general contractor, several sub-contractors, the governmental water resources authority, and the Occupational Safety and Health Administration involved, with a number of smart and seasoned people, the key decisions were left to one sub-contractor, who wasn’t even properly supervised by his boss.”

Steinberg said that the post accident analysis discovered the following:

  • There were a series of small, bad decisions, none of which on its own would have been enough to produce a disaster, but together elevated risk to new heights.
  • There was a dangerous cocktail of time, money, stubbornness, and frustration near the end of an over-budget, long-delayed project. The major players desperately needed the project to be concluded. They closed their eyes and hoped the plan made sense.
  • Serious failings tend to happen late in projects, when confidence runs high and tolerance for delay dips especially low.
  • Another factor at play here is EQ, or emotional quotient, which is differentiated from IQ. EQ is the ability to read, process, and manage the emotions of people around you, as well as your own.
  • Executives with real authority put a higher value on Grob’s “fresh eyes and can-do attitude” than on their own intimate knowledge of the project and common sense. And doing so afforded them distance from the risks associated with the project.
  • It turns out there was a much safer and better approach that wasn’t even considered until much later. Why? The battling parties became so fixed in their positions they could no longer trust the other side’s intentions. They fell prey to the “availability bias” where decisions are based on what was most available to them—in this case, Grob’s plan.

For the anti-corruption practitioner, the lessons from this disaster and Swidley’s book are myriad. Beyond the simple ‘just get it done’ prescription that a Chief Compliance Officer (CCO) often hears about business deals are some clear and direct markers. The first and foremost is that when something is high reward, there is generally a high risk involved. In the case of the Boston Harbor disaster, the high risk was the technology used to supply air to the men working in the tunnel that collapsed, however it had never been adequately tested. In fact the technology was not even understood.

From this the next lesson is to always understand the complete parameters of the transaction. If a party’s role is not set out or well explained, you must make the appropriate inquiries to determine the role. If you have a third party, you should know its role and that role should be specified in its contractual duties so that any compensation payable to the third party can be assessed against some type of standard.

If someone will not answer the direct questions that you pose, you need to have the authority to get those answers. The sub-contractor involved, Grob, refused to brook any criticism of his clearly outlandish plan by refusing to even answer questions about it. Steinberg wrote, “Grob’s bristling when the men raised concerns about his plan, and stressing his rank in the organization chart, made matters much worse.” This means, as a compliance professional, if you cannot get the necessary answers, you have to be able to say No.

As a project moves towards its end, it sometimes takes on a life of its own, which seems to have happened here. This is the time that a compliance professional must remain ever vigilant; dotting every ‘i’ and crossing every ‘t’, to make certain that the company’s internal compliance protocols are followed. As Steinberg noted, “The more people do something without suffering a bad outcome, the harder it becomes for them to remain aware of the risks associated with that behavior.”

I have previously written that there are many lessons to be learned by the compliance discipline from the field of workplace safety. While I still believe that the biggest lesson is that an entire corporate culture can change, just as I have seen safety now become priority Number 1 in the energy industry; there are significant process lessons to be garnered from the study of catastrophic safety system failures. Steinberg’s article and Swidey’s book make an excellent starting point.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

January 22, 2014

Queen Victoria and Preparing for Your Risk Assessment

Queen VictoriaOn this day in 1901, Queen Victoria died, ending an era in which most of her British subjects know of no other monarch. She was born in 1819 and came to the throne after the death of her uncle, King William IV, in 1837. Her 63-year reign was the longest in British history. She oversaw the growth of the British Empire on which the sun never set. Queen Victoria restored dignity to the English monarchy and ensured its survival as a ceremonial political institution. She also brought a stability to the monarchy that has stayed with the country as well.

How can you bring stability to your compliance program? One of the most important steps that you can take is to regularly assess your risks through a risk assessment. I often hear some of the following questions posed by compliance practitioners regarding risk assessments: What should you put into your risk assessment? How should you plan it? What should be the scope of your risk assessment? These, and other, questions were explored in a recent article in the ACC Docket, entitled “Does the Hand Fit the Glove? Assessing Your Company’s Anti-Corruption Compliance Program” by a quartet of authors: Jonathan Drimmer, Vice President and Assistant General Counsel at Barrick Gold Corp.; Lauren Camilli, Director, Global Compliance Programs at CSC; Mauricio Almar, Latin American Regional Counsel at Halliburton; and Mara V.J. Senn, a partner at Arnold & Porter LLP.

The authors note that with all compliance programs, there is no ‘one-size-fits-all’ so your risk assessment should be tailored for your organization. In this article I will focus on the steps that you need to take leading up to the initiation of a risk assessment. The authors believe that the planning and layout of your risk assessment is a critical element for success by stating the importance of this issue cannot be over-estimated or over-emphasized.

To begin, the design of your risk assessment should be “guided by its scope and purpose.” So if this is your initial risk assessment to begin the implementation phase of a compliance program, one type of risk assessment may be needed. Conversely, if you have a mature compliance program, another type of risk assessment may be called for. If your company has moved into new or different geographic areas or has new product lines, it may require a different inquiry. The authors note, “knowing why you are conducting the assessment and what your goals are up front will make for a more efficient process and allow you to decide how in-depth your review should be.”

The authors next explore the gathering of information and developing a methodology for analyzing the results because “how you choose to gather information and what questions to ask will determine how useful your risk assessment will be for understanding your company’s risks and appropriately responding to them.” You will need to determine the number of employees to interview and who these interviewees should be for the risk assessment. While a questionnaire can be useful, you will need to consider in-person interviews as well. If it is difficult to make an initial identification of who should be interviewed, you can perform a preliminary assessment from a wider audience and then “streamline and tailor the in-person interviews.”

It is important to speak with employees who are generally considered to be ‘high-risk’ for Foreign Corrupt Practices Act (FCPA) purposes. This would include “people who interact with the government, either as customers or as regulators; those responsible for internal financial controls, such as accounting and finance functions; and senior management with the authority to make significant and impacting decisions, such as a primary executive in a local market.” It is also important to include those employees who are the prime interactors with third parties, both on the sales and supply side. This should include employees who have a role in the selection of such third parties for business relations and those employees involved in managing those relationships.

You will need to garner a sense of the company’s structure and goals. Additionally in FCPA enforcement actions and in the FCPA Guidance, the Department of Justice (DOJ) laid out several factors to take into account, such as “the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation, and oversight and exposure to customs and immigration in conducting business affairs.”

The authors end their section on risk assessment preparation by dividing the areas that they believe are most often visited into three categories: general corruption risks, specific commercial activity and existing corruption controls.

  • General corruption risks – this category includes the corruption perception risk in the geographic areas where the company does business, directly or indirectly, through third parties. It also includes government touch points whether as a customer or regulator. Finally, it should include the corruption and bribery-related concerns of your business personnel.
  • Specific commercial activities – this generally relates to third parties; how they are vetted, contracted with and managed. It also includes a review of travel, gifts, entertainment business courtesies, charitable donation and political contributions, mergers and acquisitions.
  • Existing corruption controls – this area looks at not only financial controls such as monitoring and auditing but also training, employee incentives and hotline.

By laying out this risk assessment plan, you will have a good road map to think through not only how to work across a risk assessment but to begin to think how you can use it going forward. You will need to review and assess your highest risks first and then use that information to remediate any deficiencies going forward. I think what the DOJ wants to see is a well thought out plan for moving forward and forward movement toward the plan’s goal. These steps should help you in this journey.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

January 8, 2014

Corruption in Turkey and Integrating Your Risk Assessment

One of the more public and ongoing corruption scandals in the world right now seems to be happening in Turkey. To say the events and facts are confused is an understatement. At this point there are not any international players who have been implicated but given the breadth and scope of what has come out of that country over the past month or so, it would only appear to be only a matter of time. It began in December when, according to the BBC, “The arrests were carried out as part of an inquiry into alleged bribery involving public tenders, which included controversial building projects in Istanbul. Those detained in the 17 December raids included more than 50 public officials and businessmen – all allies of the prime minister. The sons of two ex-ministers and the chief executive of the state-owned bank, Halkbank, are still in police custody.”

The Prime Minister claims that all of these arrests were simply political theater, generated by supporters of Fethullah Gulen, an influential Islamic scholar living in self-imposed exile in the US. Members of Mr. Gulen’s Hizmet movement are said to hold influential positions in institutions such as the police and the judiciary and the AK Party itself. Many believe the arrests and dismissals reflect a feud within Turkey’s ruling AK Party between those who back the Prime Minister, Recep Tayyip Erdogan. On Tuesday the Prime Minister and his supporters struck back at the police by removing approximately 350 police officers from their positions in the capital, Ankara. The Prime Minister and his supporters have also attacked the judiciary leading the investigation, claiming that it is all politically motivated.

In addition to the obvious turmoil based on the above, the country is feeling the fallout in the international monetary arena. In an article in the Financial Times (FT), entitled “Turkey warns of corruption probe risk”, reporter Daniel Dombey said that the country’s currency, the Turkish lira, had dropped 7.5% since the initial arrests back in December. He quoted the country’s Finance Minister, Mehmet Simsek, who said that there had been “some negative implications for the Turkish macro [economy].” Dombey also noted that the Turkish stock market had dropped almost 12% during the same time frame.

In the 2013 Transparency International (TI) Corruptions Perceptions Index (CPI), Turkey had a score of 50 which gave it a rank of 53 out of the 177 countries listed. It generally had better scores than other countries in southeastern Europe such as Greece and the Balkan countries. Other than Cyprus, it had better CPI scores than most other mid-eastern countries. But what about now and what does this mean for the US based multi-national who is currently doing business in Turkey or considering doing so?

One of the things that a compliance program must have is the flexibility to respond to changing events on the ground. Just as last summer’s GlaxoSmithKline PLC (GSK) corruption scandal in China brought attention to those issues in China, these very public events should bring the attention of your compliance team. My former This Week in FCPA co-host Howard Sklar said that a compliance program needed to be nimble in order to respond to such events in far-flung places. Risks change and they must be evaluated on a regular basis or in response to new facts on the ground, such as those which are present in Turkey.

There may also be more than anti-corruption risk at play in any given situation. If a company only looks at one type of risk, such as anti-corruption, rather than others such as export control or anti-money laundering (AML) it can lead to the concept of what is called the “functional trap” of labeling and compartmentalizing risk. In an article in the June issue of the Harvard Business Review (HBR), entitled “Managing Risks: A New Framework”, authors Robert Kaplan and Annette Mikes declare that good risk discussions must be integrative in order for risk interaction to be evaluated. If not, a business “can be derailed by a combination of small events that reinforce one another in unanticipated ways.”

The authors posit that it is difficult for companies to accurately and adequately discuss risk for a variety of reasons. One of these reasons is the aforementioned silo effect which can lead to a lack of discussion by a wide group regarding a number of risks, for example compliance risk; reputational risk; brand risk; credit risk; human resources risk are but a few of the types of risks mentioned in their article. The authors believe that one of the ways to knock down these silos when it comes to a more complete management of risk is to “anchor their discussions in strategic planning, one integrative process that most well-run companies already have” in place.

The authors cautioned that beyond simply introducing a systematic process for identifying and mitigating key risks, companies should also employ a risk oversight structure. The authors discussed the experience of the Indian IT company, Infosys, which uses a dual structure. It consists of a central team that identifies general strategy risks and then establishes central policy, together with a specialized, decentralized functional team. This second team designs and monitors policies and controls in consultation with local business units. These decentralized teams have the authority and expertise to respond to changes in the company’s risk profile coupled with the nimbleness and agility of being in the field to deal with smaller issues before they become larger problems for the central team back in the corporate office.

I believe that the current political turmoil in Turkey provides an example of the diversity your compliance program and risk assessment must maintain. Just as it is important to perform due diligence on third party representatives, before execution of an appropriate contract, the real work is in managing the relationship. In risk management, you must identify and assess the risk but the real work begins in managing the risk. This is where the rubber meets the road.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

November 11, 2013

Honor Our Veterans and Compliance in the Supply Chain

Today is National Remembrance Day for Veterans who served their country and across the world. In the US we call it Veterans Day. In the UK, it is called Remembrance Day. Whatever it is called, it is designed so that we may never forget the sacrifices that the men and women made so that we can live in a free society. So today, I ask you to personally thank a veteran, buy them a cup of coffee or simply reflect on those who made the ultimate sacrifice to allow us all to go forward into the 21st Century.

My father is a veteran of both World War II and the Korean Conflict. I saw him this weekend and at 87 he is still kicking along, reading, studying and thinking about the relevant issues of the day. He gave to me a copy of the Fall 2013 issue of the University of Illinois, College of Law, Comparative Labor Law & Policy Journal which had an article, entitled “Toward Joint Liability in Global Supply Chains: Addressing the Root Causes of Labor Violations In International Subcontracting Networks”, by authors Mark Anner, Jennifer Bair and Jeremy Blasi. So to honor my father’s continuing interest in anti-corruption compliance, today I will write about this article and how it informs anti-corruption compliance in the Supply Chain.

The authors starting point is that of the Rana Plaza building collapse in Bangladesh, which killed at least 1129 workers, which has led to a “significant departure from the extant model of labor compliance that has developed over the past two decades”. The previous model of labor compliance had assumed that labor issues were a “factory-level problem and the only entity that needs to be regulated is the contractor factory.” This was enforced by companies adopting codes of conduct and then monitoring their suppliers for compliance. However, after the Rana Plaza tragedy, certain western corporations adopted the Bangladesh Accord, which anticipates joint responsibility for labor issues between both vendors and the purchasers of their goods and services. Further, the Bangladesh Accord is not merely like the prior general statements of intent but brings binding, contractually enforceable duties.

While the focus of the article was on labor issues such as pay, safety and retaliation for raising such concerns, the article did point to some interesting ideas which could be applied to this issue as it relates to anti-corruption compliance under laws such as the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act. Obviously both laws require a specified protocol for the hiring of third parties which represent companies. These concepts and techniques are now being used for third parties who develop relationships with companies through the supply chain. Companies such as freight forwarders, visa processors and customs brokers have foreign governmental touch points which clearly mandate a through due diligence process under the FCPA and Bribery Act. However, many companies may not recognize their potential exposure for companies which supply them but engage in bribery and corruption to fulfill their contracts.

Using the authors discussion of the regulatory scheme for compliance of labor and safety issues for suppliers under the Bangladesh Accord I have adapted them for anti-corruption compliance. The intention is to create stable, long term relationships and also to promote a stable core of suppliers who are FCPA or Bribery Act compliant in anti-corruption and anti-bribery. These points can incentive suppliers to not only become more compliant in anti-corruption and anti-bribery programs but also reward them for doing business with other like-minded sub-suppliers and sub-contractors. They include:

  • Requiring suppliers to designate all sub-suppliers and sub-contractors that they will use.
  • Restrict the subset of sub-suppliers and sub-contractors to those who have been certified, through a recognized Non-governmental organization (NGO) or company, in anti-corruption.
  • Prohibit retaliation against supplier employees who report, in good faith, allegations of bribery and corruption.
  • Require a supplier to register the number of sub-suppliers and sub-contractors that it intends to use for a company.

For US, and other western companies, I think that there are some lessons which might be drawn from the authors’ piece in connection with their compliance programs around the Supply Chain.

Know Your Suppliers

When it comes to anti-corruption compliance in the Supply Chain, many companies either fail to embrace this concept or, worse yet, do not understand how this concept is interwoven into an overall compliance program. Indeed, one of the perceived banes of compliance is that a company is responsible for the actions of its suppliers. Nevertheless, if companies understand that suppliers are a critical component of an overall compliance program it becomes much easier to understand how such a model can and should be used as a guidepost for the Supply Chain and compliance.

The Compliance Oversight Committee

The Oversight Committee is a key component of any best practices compliance program. Not only should it be used for reviewing and managing traditional high risk areas such as third party business representatives in the sales chain; a company can create such committees for other high risk issues particular to a company. Witness the Johnson & Johnson (J&J) Deferred Prosecution Agreement (DPA) and its “Enhanced Compliance Obligations”. In this J&J agreed to establish “a “Sensitive Issue Triage Committee” to review and respond to any such [Foreign Corrupt Practices Act] FCPA issues as may arise.” This is precisely the type of rigor which should be included in a best practices compliance program. Compliance Committees can serve to escalate compliance issues before they become violations of the FCPA or UK Bribery Act and are becoming a part of a best practices compliance program. If a company decides to disband such a committee it must clearly perform rigorous audits or place such safeguards in place to send a message to both vendors in the Supply Chain and employees that compliance is still held in the highest regard by the company.

Risk Assessments – Don’t Let Growth Overwhelm Your Compliance Program

The Department of Justice (DOJ) continually reminds us of the need for risk assessments. One of the areas often overlooked in risk assessments is growth. Growth and indeed explosive growth can be pursued or occur while not fully assessing or even appreciating the risks involved. This could mean that there were many new vendors in the Supply Chain that did not receive the rigorous due diligence and training in anti-corruption and anti-bribery compliance. A company can also hire huge numbers of new contract employees who do not receive the same anti-corruption training as previously hired employees. These can lead to organizational incentives that become skewered towards growth and not compliance.

If a company wants to move forward with an aggressive growth model, it should assess the compliance risks of doing so. Through a risk assessment, it might be determined that compliance might suffer through the increased use of new vendors. For the compliance practitioner, these risks might also be that new vendors in the Supply Chain need full and complete compliance training, that contract employees need the same compliance training as full-time employees; additionally new vendors need rigorous screening through a robust due diligence process to not only identify Red Flags regarding corruption but to help educate them that your company takes compliance very seriously.

So today I honor my father and all Veterans everywhere. And thanks to my father for continuing to be interested enough to read articles which help inform my knowledge of anti-corruption compliance.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

November 7, 2013

Does Motive Matter in Anti-Bribery and Anti-Corruption Enforcement?

Do the intentions behind enforcement of domestic or international anti-corruption laws matter? Or is ‘the law the law’ and it really does not matter what a government’s motives are in enforcing laws that it has on the books. That question comes up for discussion from time-to-time. Some believe that motives and intentions do matter; others believe that enforcement of existing laws are motive and intention enough. This subject has been raised over the past several months in connection with the Chinese government and their anti-corruption enforcement efforts against western companies as exemplified by the GlaxoSmithKline PLC (GSK) enforcement action, announced last summer.

Trying to understand the motives of the Chinese Communist Party and the Chinese government have long been a subject for Americans. China watchers have pontificated and speculated for many years. I am not sure that the true motives are ever clear to us westerners. But simply because we may not always understand them does not mean that we cannot consider them, particularly now that China is so opened up to western businesses which desire to garner a part of the market share in a country with the world’s largest population.

This subject was explored in a recent Financial Times (FT) piece, entitled “China: Red restoration”. The article began with a short discussion about a recent meeting held by the President of China, Xi Jinping, with several prominent leader of western businesses; including Mike Duke, President and Chief Executive Officer (CEO) of Wal-Mart, Indra Nooyi, Chairman and CEO of PepsiCo., Muhat Kent, Chairman and CEO of Coca-Cola, David Rubenstein, co-founder of The Carlyle Group, and Maurice Greenberg, the former Chairman and CEO of American International Group (AIG). As reported by the FT, President Xi told the group, “Your suggestions are a very important source of inspiration for the Chinese government.” The FT believes that this statement and others made by President Xi “were intended to signal that the world’s second largest economy remains open for business.”

Contrast that last statement with what has happened to GSK over the past several months. Company executives have been arrested or detained; passports have been pulled so that company executives could not leave the country; company executives have been paraded in front of state television cameras to confess wrongdoings; a high company official went to China and publicly apologized for the company’s conduct. All of this from a company that was already under a Deferred Prosecution Agreement (DPA) in the United States for fraudulent conduct in marketing certain pharmaceuticals. Moving it from a compliance to a business perspective, the FT noted that GSK “recently revealed that its medicine and vaccine sales had fallen 61 per cent in the third quarter from a year earlier”. Talk about taking it ‘in the wallet’.

However GSK is not the only company to come under Chinese regulatory scrutiny for allegations of bribery and corruption. Since July approximately 15 western companies have heard their corporate names listed as being under investigation. These companies range from other pharmaceuticals, to baby-food and formula companies, as well as others in health care and medical products and supplies. Beyond these anti-corruption investigations, other companies have felt the heat from Chinese regulators. Apple CEO Tim Cook was forced to publicly apologize over poor customer service and “to promise to improve customer services policies.” The German car manufacturer Volkswagen was required to recall over 380,000 vehicles in China after media reports surfaced that they were “unsafe”. Still other companies faced media criticism which led reduced sales. For instance, stories in the media surfaced about Kentucky Fried Chicken (KFC) and food safety issues which led to a 10 per cent slump in sales.

The FT article noted that there may be several motives for these actions against western companies. One is obviously a strain of nationalism which holds that such markets should belong to Chinese enterprises. Bao Dike, managing editor of the PKU Business Review, summed up this view when he was quoted as saying “they also show how China doesn’t need these foreign enterprises any more”. Kerry Brown, Professor of Chinese Politics at Sydney University, was quoted as saying, “Politically it is also a very easy populist move to beat up on foreign companies; much easier than taking on big Chinese companies and their powerful backers.”

Another motive might be what is termed “killing the chicken to scare the monkey.” Under this motivation, Chinese regulators are investigating western companies in order to send a message to the entire market about pricing and competition. The FT stated, “they intend to clean up things in order to provide quality products at reasonable prices in industries about which the public is concerned.” The Chinese public was certainly concerned about the prices it was paying for pharmaceutical products and one response may have been for the Chinese to investigate, in a very public way, GSK. The same holds true for the makers of baby-formula and milk-powder makers. Li Huafang, an independent economist and newspaper columnist, was quoted as saying “I actually think the new administration wants to strengthen regulations for both foreign and domestic businesses.” Or as Peter Gabriel might say “Shock the Monkey”.

The final motive discussed in the FT article was that of consolidation of power by the new President, Xi Jinping. Wang Lixiong, a prominent political writer, said that “The rough treatment of some foreign businesses stems from Mr. Xi’s need to establish his authority; to impose his will; this is a very common tactic among new rulers. We need to wait until he has consolidated power to see what his real intentions are.”

All of this tells me that western companies need to factor all of the above into their risk assessments when deciding whether to engage in business in China. This is a broader risk assessment than you would normally do for anti-corruption such as under the Foreign Corrupt Practices Act (FCPA). This is a political risk assessment. But the key is that you look at your risks and measure them. The FT ends its article by noting that it appears that President Xi is still welcoming western businesses to China, and said, “As long as they can show that their investments and operations in China support or at least do not get in the way of efforts to garner support for the party and its leadership, they will probably be allowed to stay and even thrive.”

For a western company, from an anti-corruption perspective, this clearly means you need to investigate your Chinese operations now. If you detect problems, you should work expeditiously to remedy them now. The FT article makes clear that whatever the motivations of the Chinese regulators are; if you are in violation of Chinese domestic laws regarding bribery and corruption, your experiences could well be costly and the reputational damage immense.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

May 28, 2013

Risk Assessments in an Anti-Money Laundering Compliance Program

Today we celebrate that noted British comedian who made his fame in America – Bob Hope.  He had a successful film career largely thanks to the series of seven “Road” movies he made with Bing Crosby and Dorothy Lamour, including Road to Singapore (1940), Road to Morocco (1942), Road to Utopia (1946) and Road to Rio (1947). Hope is also known for his entertainment of US military forces overseas. In 1941, after America’s entrance into World War II, Hope began performing for US troops abroad; he would play shows for more than a million American servicemen by 1953. Some 65 million people watched him perform for troops in Vietnam on Christmas Eve in 1966, in his largest broadcast. Hope also became a legend for his countless TV specials, which he would perform over the course of some five decades. He hosted the Academy Awards ceremony a total of 18 times, more than any other Oscars’ host.

What does Bob Hope have to do with compliance? First he was a comedian and second he reinvented himself several times. The anniversary of his birthday reminded me of an article written by Carole Switzer, the co-founder and President of the Open Compliance and Ethics Group (OCEG), for Compliance Week Magazine entitled “Analyze This: The Value of Business Risk Assessments.” In her article, one in a continuing of her series of GRC Illustrated articles, Switzer says that anti-money laundering (AML) compliance programs, like therapy are “difficult to define and relatively easy to avoid.” She quoted Larry David, co-creator of Seinfeld and creator of “Curb Your Enthusiasm” for the following thought on therapy, “I know enough about myself now to know that I really don’t need to know anymore.” Unfortunately, as Switzer notes, many companies have the same problem when it comes to their AML programs.

Switzer discusses a recent report by the UK Financial Services Authority (FSA) which highlighted four general reasons that UK banks failed to have effective AML programs. The same four reasons hold true for non-banking sector US companies in the area of AML.

(a) Denial. The FSA reported that one-third of the banks “failed to review their business-risk assessment program on a regular basis. Additionally, about one-third of the companies scrutinized also failed to alter their risk assessments in response to new developments and insights, such as when allegations of major corruption were levied against a customer or when a country’s risk profile spiked due to regime change.”

(b) Grandiose delusions (imagine a bank with grandiose delusions!). The FSA found that too many “customer-facing “relationship managers” could override customer risk scores produced by the risk-assessment program—without sufficient evidence to support the decision to disregard the score.”

(c) Borderline suspicious. Bank personnel did not understand how the AML risk assessment was generated and indicated that they were “confused” regarding what score indicated that a customer was a high risk.

(d) Avoidance coping. The FSA noted that institutions “inappropriately low risk weightings for high-risk factors, “sometimes overtly”; while “other banks chose to ignore well-known high-risk indicators and other adverse information from a variety of sources, “such as links to certain business activities commonly associated with higher levels of corruption.”

Fortunately Switzer laid out her thoughts on what an effective business risk assessment program should contain. From this risk assessment, you can identify where your company should focus its AML resources, determine how changes might affect your company, and where your program may need enhancement. She is quite clear that without an effective risk assessment, “your AML program will be inefficient as well as ineffective.” She sets our five steps to take.

  1. Define the Risk. Switzer says that “At the forefront of any good business risk assessment program is an executive vision. The executive sponsorship must ask themselves diffi­cult, critical questions.” This is largely because while there are certainly known risks to a business there are also risks you and your company may not be aware of so it is important to define what you know but leave it flexible enough to cover the unknown when it becomes known to you. Switzer lists some of the questions that you might begin with, which include: What are the inherent risks in our current business? What controls do we have in place? How much risk, after the business risk assessment process is instituted, remains? Should we close business locations? Should we add additional controls? Should we put spending restrictions in place? Are other industries at the same level of risk?
  2. Gather Intelligence. In this step, after executive sponsorship has set the strategy in motion, you must gather intelligence to truly understand the exposure across the organization’s products, services, and customer base. The AML team should consult local business and compliance leaders to gain key insight. The specific steps include: (1) Develop the business risk assessment questionnaire. (2) Determine what controls are currently in place. (3) Review the external risk. (4) Understand the magnitude of each risk factor. (5) Gather and normalize all data for review.
  3. Review the Findings. Once a full business assessment has been conducted and all the data collected, a full analysis of the data is performed at multiple levels. The overall picture of risk is reported to business line, regional leaders, and enterprise leaders. Switzer’s specific steps include (1) Creation of full evaluation reports of all measured data. (2) Involve AML staff, regulators, and critical business leaders in your review. (3) Utilize external, unbiased consultation to determine product and service risk for remediation.
  4. Decide How to Proceed. Switzer advises that after you come to an understanding of your exposure and risk, your vision has been set, and you have gathered data and reviewed it, you can set a course to move ahead. However, she cautions that “continual review of the plan’s impact on the business, even at this stage, is critical.”
  5. Implement the Plan. At this final step, after your company has defined its strategy, determined, by measurement, the exposure to AML risk, understood and evaluated the areas of potential risk and then “determined a path to accept, resolve and eliminate, it’s time to go to work setting the plan into motion—however, just because you are now implementing doesn’t mean you can relax. Constant scrutiny, learned best practices, and ongoing monitoring are critical.”

Switzer concludes by stating that “Risk assessment programs must evolve quickly as risks and crimes do. Building in a good system of correction and monitoring that can flex with your organization is critical.” So just as Bob Hope reinvented himself as the tastes of society changed, your risk assessment should be a “living, breathing process.”

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

May 15, 2013

Scam Artists from Texas and Compliance Risk Management

Billie Sol Estes died yesterday and when it comes to scam artists from the great state of Texas, before there was Allen Stanford and his magical Certificates of Deposits located in his private bank in Antigua, there was Billie Sol Estes. Before Sir Allen came along, Billie Sol had a 50 year run as the King of Texas Swindlers. He was most well-known for his scam involving phony financial statements and non-existent fertilizer tanks to loot a federal crop subsidy program. He went to jail for mail fraud over this scheme, although his conviction was later over-turned. But his lasting legacy may be the following quote by former Associated Press (AP) correspondent Mike Cochran, who recalled writing how Estes made millions of dollars in phone fertilizer tanks scam and noted “how many city slickers from New York or Chicago can make a fortune selling phantom cow manure?”

Billie Sol’s risk tolerance was quite high and his implementation of a risk management plan may have seemed, well, rather 1950ish. Hopefully your company is a tad more mature in this process. But after you have identified a compliance risk, what should the next steps be for a company’s Chief Compliance Officer (CCO)? This question was explored in an article by C. J. Rathbun, in the May/June issue of Compliance and Ethics Professional Magazine, in an article entitled “You’ve identified a corporate risk—what next?”. Rathbun believes that any consideration of such an identified risk will be in the context of three key questions:

  1. The severity of the risk weighed against the company’s appetite for risk.
  2. How the company has performed in the past on managing similar risks and if so, what the impact might be on the company if the risk actually occurred.
  3. The probability or likelihood of the risk event occurring.

I.                   The Compliance Report

Rathbun explained that a CCO needs to consider several questions when shaping the report which will go to the management group or Chief Executive Officer (CEO) to make any decision on whether a new risk should be accepted. These questions include:

  • Who is the audience for the report? Will it be the CEO, Board of Directors or some other senior management group or council? Further, what is the level of trust between the CCO and those constituent groups? Has the CCO been elevated to a C-Suite level position within the company? Could the audience be a regulatory body or perhaps even a Judge?
  • What is your company’s organizational structure? In this question you need to consider how decisions of this dimension are usually made in your company.
  • What reputational risk for the company should be anticipated? This is the Wall Street Journal (or New York Times) questions. How would your CEO feel if he woke up to read about your company and its decision being on the front page of the Wall Street Journal?
  • What should be incorporated into the report? Should other business concerns be incorporated into the report, such as financial or other legal issues?
  • How should the report be presented? In what format or with what technology should the report be presented? Will the group or person tasked with making the decision accept a written report or will it simply be a high-level PowerPoint presented to a Board of Directors?

 II.                Weighing the Options

Once the report is considered and the options weighed, what are some of the possible outcomes that a company may utilize? Rathbun breaks the options down to four. The first is risk avoidance, where a company decides that the risk is simply too great. The second option is risk management, where the company implements procedures to manage the risk and then monitors the risk closely. The third is risk shifting where some portion of the risk is transferred through insurance or other mechanism. Fourth, and finally, is that the company can simply accept the risk, so risk acceptance.

III.             Implementation

Rathbun believes that the risk management choice is the one which may well take the most work, particularly for a CCO. You may be required to create new policies and procedures to assist in the risk management process. Any new policies and procedures will need to be implemented with attendant training for the affected employees. There will need to be follow-up monitoring to ensure engagement and accountability.

IV.              Confirming Changes in Behavior

Rathbun articulates that are two mechanisms by which a “checkback” can be performed on policies, procedures, actions and employee accountability. These two mechanisms are monitoring and auditing. Monitoring is a commitment to reviewing and detecting compliance programs in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis. Auditing is a more limited review that targets a specific business component, region or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records. However, more aggressive approaches may be required such as the addition of follow-up assessments to confirm effective management of the new risk.

Rathbun cautions that the use of more standard tools to “checkback” should also be utilized. These include compliance by third parties, testing or otherwise gauging employee knowledge regarding the risk management program and even hotline complaints. Rathbun also suggests that relatively new tools such as transaction monitoring, relationship monitoring and real-time party monitoring of third parties should be considered.

V.                 End Goal

Rathbun believes that the end goal should be “to allow the company to identify a growing concern before it becomes an issue—before consumers are harmed or regulators become concerned.” While a well-structured program does require vigilance it also allows the opportunity for continuous improvement for your company. Rathbun concludes by stating that your goal should be to “help ensure that you and your company ‘will get the first crack’ at addressing a problem, if one occurs.”

I found the Rathbun article to provide a good method for the compliance practitioner to think through, then design and implement a risk management plan, within the context of your overall compliance program. Although she never states it, a key component that she outlined is the Document, Document, Document component of any compliance program. The Department of Justice and Securities and Exchange Commission said in their FCPA Guidance “In the end, if designed carefully, implemented earnestly, and enforced fairly, a company’s compliance program—no matter how large or small the organization—will allow the company generally to prevent violations, detect those that do occur, and remediate them promptly and appropriately.” I believe that you can achieve such a carefully designed and earnestly implemented risk management program by using Rathbun’s suggestions.

Finally, if a long, tall Texan comes to you wanting to borrow money against some fertilizer tanker; do not just turn and walk, run in the other direction.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

May 1, 2013

From the Compact Model to the Luxury Model – Managing Your Third Party Risk

I am currently attending the Hanson Wade Oil and Gas Supply Chain Compliance conference in Houston. The event is excellent and the presentations have been ‘spot on’ for the nuts and bolts of how to do compliance. As the conference is in Houston, a number of the speakers and attendees are from energy companies but the concepts that are being discussed apply to all companies which have an anti-corruption or anti-bribery compliance program. One of the things that came through each of the presentations was that as compliance programs mature, many companies are developing programs which are more tailored towards the risks that companies face, which are ascertained through more sophisticated risk assessments and management of those risks.

This pattern is certainly consistent with the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) FCPA Guidance which says that a company should assess its risks and manage its risks. From this starting position, a company can then put together a well thought out and reasoned approach to Foreign Corrupt Practices Act (FCPA) compliance. Many of the presentations dealt with third parties and the differing responses and approaches companies have developed for the specific risks that they have uncovered.

Clearly third party risk mitigation through due diligence is key. How much due diligence is enough? One speaker said that it is a balancing call to determine the right amount. There were several presentations which spoke about the increasing use of technology to assist companies in this process. One speaker, a former federal prosecutor, said that one of the things that she looked for when a prosecutor was the ‘thoughtful analysis’ that the FCPA Guidance speaks about. To this end she believes that the human element will always be important because prosecutors want to see the thought process of not only how your program is designed but how you have crafted your risk mitigation based upon the information that you have assessed.

One of the speakers listed some of the factors to begin the review of your third parties. Recognizing that there is no one all-encompassing list, she suggested the following:

  1. How many third parties do you have?
  2. Where are these third parties located?
  3. Industry or sector do you conduct business?
  4. What is the relationship of the third party to a foreign government or state owned enterprise?
  5. Are the owners of the third party related at all to government employees?
  6. Is the use of the third party a business necessity or not? Why do you need to use sales representatives?
  7. What are the reputations and qualifications of the third parties? Can they do what you need them to do from a commercial perspective?
  8. How much control will you have over the third parties? Contrast the control that you have over sales agents with the lesser amount of control that you have over distributors and joint ventures.

From the answers to some of these questions you can begin to craft your third party due diligence inquiries. I was intrigued by one speaker who speech contrasted the steps that you might take with a lower risk third party with that of a higher risk third party. She likened the lower risk approach to that of a compact car and set out the following suggestions:

  • Rank each third party by the risk you have assessed;
  • Perform an Internet search on the third party;
  • Perform reference checks on the third party;
  • Interview control persons involved with the third party;
  • Agreement to abide by anti-bribery and anti-corruption laws;
  • Insert appropriate compliance terms and conditions in your third party contracts.

She contrasted the Compact model with what she termed the ‘Luxury model’ requirements of a third party program:

  • Prioritize your third parties by risk;
  • Appoint a Business Unit sponsor for each third party;
  • Develop a detailed third party application;
  • Perform an electronic records search on each third party;
  • Also perform independent screening of each third party;
  • Perform reference checks on each third party;
  • Perform site visits and interviews of each third party;
  • Have each third party acknowledgement your company’s Code of Conduct;
  • Require each third party  to go through ethics training;
  • Create a company committee, consisting of internal business, legal and compliance representatives to review your high risk third parties;
  • Insert compliance terms and conditions into each third party contract;
  • Require both internal and external audits of each third party;
  • Perform annual updates on your third parties; and
  • Perform quarterly electronic database rescreening.

There was also a discussion of some common Red Flags that you should be on the outlook for. They included:

  • Excessive commissions paid to third parties;
  • Unreasonable discounts given to third parties such as distributors;
  • Vaguely described services in a third party contract or invoice back to your company;
  • A third party which is in a different line of business than the one you want to hire to assist your company;
  • Close association by the third party with a Foreign Official;
  • Retention of the third party is required by a Foreign Official;
  • The third party is a shell company located offshore; and
  • Payments made to the third party are in a country different from the location where the third party’s services are delivered.

The concepts I derived from this presentation is that you should assess and manage your risks. If you determine them to be low, the Compact Model may work for you. If your third party risks are high, then the Luxury Model may be more appropriate. If you use a thoughtful and reasoned approach, you can navigate this area. But always Document, Document and then Document what you have done and why.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

April 4, 2013

Three Compliance Interviews on April 3

I attended the Dow Jones Global Compliance Symposium over the past couple of days. It was a great conference and kudos to the entire Dow Jones team for putting on a truly memorable event. Day 2 had some interesting speakers and I thought that I might highlight some of the note-worthy things that they said. I should initially note that they did not present prepared remarks but were interviewed by Wall Street Journal (WSJ) reporters. Frustratingly, all three were very good at not answering some of the more pointed questions they were posed but they did have some thought-provoking answers to some of the questions posed to them.

Jeff Benjamin

Benjamin was retired and living in Cape Cod, when he was lured out of retirement to take over as the Senior Vice President (SVP) and General Counsel (GC) for Avon Products, Inc., in September of last year. He used this late entry into the company as a way not to answer questions about the ongoing investigation or the company’s amount of legal and investigative fees incurred to-date. He did answer a question generally around the company using two law firms which I found fascinating. He said that more law firms do not necessarily mean more lawyers working on an assignment or project. He said that by using two law firms, he can use “the best people in the best roles” rather than simply the best people. For all you Chief Compliance Officers (CCO’s) or GC’s out there you might want to think about that concept.

I was a bit frustrated that he was cut off when answering the question of his thoughts on what differentiated an elite compliance program from merely a functional one. The first point was that the compliance program seeks continual improvement. The second is that each of a company’s employees takes personal responsibility for establishing and retaining a culture of compliance and ethics in a company. I wish he had been able to give us the final two but he got side-tracked on another point.

I asked Benjamin the role that compliance plays in reconstituting employee morale after a catastrophic compliance failure that (apparently) occurred at Avon. Benjamin initially noted that he believes that the compliance function has a large role to play in rebuilding employee morale. He said a key for Avon was to look at the compliance failures and to use those as teaching moments for the work force. He coupled this with a very intensive construction of the compliance architecture for the company, communicated thoroughly to all employees. He ended with some out of the box thinking like bringing in Cynthia Cooper, the employee who blew the whistle at WorldCom, to speak to company employees on the need to ‘Speak Up and Speak Out’.

Gerson Zweifach

Zweifach is the General Counsel and Chief Compliance Officer for News Corp. He is former federal prosecutor and holds himself very much with that bearing and demeanor. He was asked about his dual roles as GC and CCO and he said that given where the company is, in the middle of a multi-jurisdiction, multi-law investigation, he believed that combining both roles was appropriate, at least for the next couple of years. He also noted that he was told by the News Corp’s Chief Executive Officer (CEO) that “I don’t want this to happen again” and he took that as another reason that the roles should be combined, at least for the foreseeable future.

Zweifach said the biggest change that he had to effect on the company was to elevate problems to the corporate headquarters, if they involved “the core integrity” of the company. News Corp is a very decentralized business with assets all over the world. Prior to their current legal imbroglio, they did not handle such problems in the US but Zweifach has learned that this must be done to help ensure that the company gets a full picture of the facts as soon as possible. Further, any core integrity issue can become global very quickly so there needs to be central management of this issue as soon as possible.

As a former prosecutor and white collar defense lawyer, he was not too familiar with the concept of risk assessments as a corporate tool, so he had a fair amount to learn on the subject. But he learned something very interesting and that was simply because a business is located in a high-risk country it may not be high risk. Conversely, simply because a business is in a perceived low risk country, such as the UK, the business may be high risk. I found this to be a very interesting insight and  something that Foreign Corrupt Practices Act (FCPA) compliance practitioners could consider when doing their overall risk assessments.

Alberto Gonzales

Gonzales is the former Attorney General of the United States and is currently Of Counsel to the law firm of Waller Lansden Dortch & Davis LLP. Gonzales spoke about the FCPA and potential change of the law. Initially he noted that reform of the FCPA in Congress is dead, although he tried to blame it on the Democratic administration, forgetting perhaps that the greatest increase in FCPA enforcement occurred while he was Attorney General (oops!). But he did say that perhaps there could be some different interpretations by regulators, such as the Department of Justice (DOJ) and Securities and Exchange Commission (SEC). Leaving aside the subtle distinction that the DOJ are prosecutors and not regulators (oops again!) he said that he believed business groups were right to continue to clamor for additional FCPA guidance, as he clearly demeaned the November-released FCPA Guidance as “so-called guidance”.

He also said that greater transparency would be of assistance to the compliance practitioner and here he talked about further information on declinations. He said that he believed the DOJ could strip out the indemnity markers but the key information would be for the DOJ to itemize the information which went into their decision making calculus as to why a declination was granted as opposed to an enforcement action. This is certainly something that I do agree with Gonzales on.

The Dow Jones Global Compliance Symposium continues to be one of the premier compliance events annually. If you did not attend this year and can do so next year, I urge you to try and get yourself up to DC for the conference.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

Next Page »

Customized Rubric Theme. Create a free website or blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 4,229 other followers