FCPA Compliance and Ethics Blog

October 21, 2014

Carlton Fisk, The Homer and Oversight of a Profitable Subsidiary

Fisk HomerToday we celebrate one of the great moments in World Series history. At approximately at 12:34 AM on this date in 1975, Carlton Fisk came to bat at the bottom of the 12th, in Game 6 of the World Series between the Boston Red Sox and Cincinnati Reds. He hit a pitch down the left field line. He stood at the plate, bouncing up and down and flailing at the ball as though he was helping an airplane land on a dark runway. “I was just wishing and hoping,” he said at a ceremony some years later. “Maybe, by doing it, you know, you ask something of somebody with a higher power. I like to think that if I didn’t wave, it would have gone foul.” Whether or not the waving was responsible, the ball bounced off of the bright-yellow foul pole above the Green Monster for a home run. Fenway’s organist played the Hallelujah Chorus from Handel’s Messiah while Fisk rounded the bases. One for the ages indeed as it appeared the Baseball Gods might finally be smiling on the Red Sox nation. Alas, they lost the next game and it was not to be for another 30 years.

I thought about Fisk’s homer and the ultimate heartbreak of Red Sox nation once again in 1975 when I read about several recent issues involving corruption and corporate responsibility for oversight, or perhaps more appropriately, the lack thereof. The first was an article in the New York Times (NYT), entitled “Another Scandal Hits Citigroup’s Moneymaking Mexican Division”, by Michael Corkery and Jessica Silver-Greenberg. Their article spoke about the continuing travails of Citigroup’s Mexican subsidiary Banamex. Back in February, the company revealed “a $400 million fraud involving the politically connected, but financially troubled, oil services firm Oceanografía.”

However, company investigators have unearthed another problem at the Mexico unit. The article reported “An internal investigation, begun by Citigroup in July, found evidence that the security unit was overcharging vendors and may have been taking kickbacks, a person briefed on the investigation said. The internal inquiry also found shell companies that had been set up to look like vendors and receive payments from the Banamex unit.” In a statement reported in the piece, Citigroup’s Chief Executive Officer (CEO) Michael L. Corbat “called the conduct of the individuals in the security unit ‘appalling’”.

What I found most interesting in the article was the response of Citigroup and what its implications might mean for the compliance practitioner, particularly one whose company is under scrutiny for a Foreign Corrupt Practices Act (FCPA) violation by the Department of Justice (DOJ) and Securities and Exchange Commission (SEC). The NYT piece made clear that the Mexico unit is so profitable that it figuratively “mints money” for the company. Moreover, “despite the latest headline-grabbing turmoil at Banamex, Citigroup does not want to cede any ground in Mexico where it dominates a large portion of the retail market.”

What is the responsibility for a US corporate parent when a foreign subsidiary ‘mints money’ for the company? Should the corporate parent pay closer attention to make sure the subsidiary is doing business in compliance with the FCPA and other relevant laws? In the past few posts, I have discussed some of the specific internal controls a compliance practitioner might consider for a company’s international operations. One of the problems Citigroup is facing with the conduct of its Mexico subsidiary is the company’s concern of “lax controls and oversight”. Moreover, there is concern that some part of the ongoing troubles in the Mexico unit relates to its head, Manuel Medina-Mora. Citigroup Chairman Michael O’Neill, was said to have “privately expressed concerns to board members that Mr. Medina-Mora, who is also co-president of the parent company, has not always relayed problems in the region to executives at the bank’s headquarters on Park Avenue, according to the people briefed on the matter. Instead of looping in executives in New York, Mr. Medina-Mora has at times chosen to handle the issues himself.”

How much oversight should a parent corporation have over a subsidiary? At a basic level it would seem that oversight should be enough to prevent and detect illegal conduct. Clearly, a Chief Compliance Officer (CCO) should be considering the entity-wide internal controls for a company. Under the FCPA accounting provisions, issuers can be held liable for the conduct of their foreign subsidiaries, even though the improper conduct occurred outside of the US. The scope of liability is based on the issuer’s incorporation of the subsidiary’s financial statements in its own records and SEC filings.

While a CCO should expect (and the DOJ & SEC for that matter) that internal controls at locations outside the US are of the same effectiveness as internal controls in US business units and at the US corporate office; unfortunately, that might not always be the case. It is often the case that corporate level internal controls are stronger than those in foreign business units. The Citigroup situation with its Mexican subsidiary would seem to be a clear example of the oft-cited reason that many companies were built through acquisitions, resulting in many business units (both in and outside the US) having completely different accounting and internal control systems than US corporate office. There is often a tendency to leave acquired companies in the state in which they were acquired, rather than trying to integrate their controls and conform them to those of current business units. After all, the reason for the acquisition was the profitability of the acquired company and nobody wants to be accused of negatively impacting profitability, especially one that ‘mints money’.

The second example is one a bit closer to home and it is that of the General Motors (GM) legal department. In an article in the Wall Street Journal (WSJ) entitled “GM Says Top Lawyer to Step Down”, John D. Stroll and Joseph B. White, with contributions from Christopher Matthews and Joann S. Lublin, reported that GM General Counsel (GC) Michael Millikin will retire early next year. Millikin was criticized after the GM internal investigation found that he ran the GM legal department in such a hands off manner that he did not know about his legal department’s own settlements for product liability claims involving faulty ignition switches until February of this year. His defense was that his own lawyers “left him in the dark” even though there was evidence that he had been repeatedly warned, “GM could face punitive damage awards related to its failure to address the safety defect.” Missouri Senator Claire McCaskill summed up sentiment about Milliken with her statement “This is either gross negligence or gross incompetence.” In other words if you are a GC or CCO you had better know what is going on in your own department. What would it say about a CCO who did not know that compliance department members were dealing with violations of the FCPA without informing him or her? It would say that the CCO failed to exercise leadership and oversight.

And while you are watching things closely, you may want to check out a clip of Carlton Fisk’s famous homer by clicking here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

December 22, 2011

Boards of Directors and Compliance: Four Areas of Inquiry

In an article in the December 2011 issue of Compliance Week Magazine, entitled “Board Checklist: What Every Director Should Know”, author Jaclyn Jaeger reported on a panel discussion at the Association of Corporate Counsel’s 2011 Annual Meeting, held in October. The discussion was centered on four core areas upon which Directors should focus their attention: (1) structure, (2) culture, (3) areas of risk and (4) forecasts. The article focuses on each of these areas together with some questions proposed by panel participant Amy Hutchens, General Counsel and Vice President of Compliance and Ethics at Watermark Risk Management International, which she suggested a Board should ask of the company’s Chief Compliance Officer (CCO) or General Counsel.

Structure Questions

This area consists of questions which will aid in determining the fundamental sense of a company’s overall compliance program. The questions should begin with the basics of the program through to how the program operates in action. Hutchens believes that such inquiries should allow each Board member to communicate the main elements of a compliance program. With those concepts in mind, Hutchens suggests that Board members ask some of the following structure questions.

  • Who oversees the operation of the program?
  • What is in the Code of Conduct? Is each Board member aware of corporate standards and procedures?
  • How are complaints being received?
  • Who conducts investigations and acts on the results?
  • What corporate resources are being devoted to the compliance and ethics program?
  • How much money is allocated to the program?
  • What types of training is required? How effective is it?
  • Have any compliance failures been detected? If so, how was such detection made?
  • If a company’s compliance program is less mature, what are the charter compliance documents?
  • If a company’s compliance program is more mature, there should be queries regarding the roles of the General Counsel vs. a Chief Compliance Officer. If a CCO is required, where would such person sit in the organization and what is the CCO reporting structure?

Culture Questions

This area of inquiry should focus on the culture of the organization regarding compliance. Board members should have an understanding of what message is being communicated not only from senior management but also middle management. Equally important, the Board needs to understand what message is being heard at the lowest levels within the company. Hutchens suggests that Board members ask some of the following culture questions.

  • When did the company last conduct a survey to measure the corporate culture of compliance?
  • Is it time for the company to resurvey to measure the corporate culture of compliance?
  • If a survey is performed, what are the results? Have any deficiencies been demonstrated? If so, what is the action plan going forward to remedy such deficiencies?
  • Did any compliance investigations arise from a cultural problem?
  • Regardless of any survey results, what can be done to improve the culture of compliance within the company?
  • If there were any acquisitions, were they analyzed from a compliance culture perspective?
  • Are there any M&A deals on the horizon, have they been reviewed from the compliance perspective?

Areas of Risk

Here Hutchens recommends that Board members “need to know what process is being used to identify emerging risks.” Such risk analysis would be broader than simply a legal/compliance risk assessment and should be tied to other matters, such as “business continuity planning and crisis response plans”.

Another panel participant Jennifer MacDougal, Senior Counsel and Assistance Secretary of Jack-in-the-Box, noted that “the board of directors need to use their expertise and ask the right questions”. Hutchens suggested that in the areas of risk, questions which a Board should ask are some of the following.

  • What is the risk assessment process?
  • How effective is this risk assessment process? Is it stale?
  • Who is involved in the risk assessment process?
  • Does the risk assessment process take into account any new legal or compliance best practices developments?
  • Are there any new operations that pose substantial compliance risks for the company?
  • Is the company tracking enforcement trends? Are any competitors facing enforcement actions?
  • Has the company moved into any new markets which impose new or additional compliance risks?
  • Has the company developed any new product or service lines which change the company’s risk profile?

 Forecast

Hutchens believes that “a truly effective and informed board knows where the company stands not only at the present moment, but also has the strategic plan for how the compliance and ethics program can continue to grow.” My colleague Stephen Martin suggests that such knowledge is encapsulated in a 1-3-5 year compliance game plan. However, a compliance program should be nimble enough to respond to new information or actions, such as mergers or acquisitions, divestitures or other external events. If a dynamic changes, “you want to get your board’s attention on the changes which may need to happen with the [compliance] program.”  Hutchens believes that such agility is best accomplished by obtaining buy-in from the Board through it understanding the role of forecasting the compliance program going forward.

The four-part approach suggested by Hutchens lays out a clear and logical program for a Board of Directors not only to understand its role in the compliance function but to play an active role. Any best practices compliance program has several moving parts, a CCO to lead the compliance program, a Compliance Department to execute the strategy and an engaged Board of Directors who oversee and participate. We applaud Hutchens approach and commend it for use by a company’s Board of Directors.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

November 9, 2011

Louis XIV, the Old Pretender and Splitting the GC/CCO Roles

Most people think that England went to war against France in the War of the Spanish Succession to prevent French King Louis XIV’s attempt to place his son on the Spanish throne after the death of the final Spanish Habsburg, Carlos II. Clearly the uniting of the crowns of France and Spain at that time would have dramatically shifted the balance of power in Europe in favor of the French ruling family, the Bourbons. However, this was not the reason that England went to war against France. Louis XIV also recognized ‘The Old Pretender’ James III, as the King of England and had France been successful in this war, all of the rights gained in England from the Glorious Revolution of 1688 forward would have been lost.

So how does this relate Foreign Corrupt Practices Act (FCPA) compliance? It is the lesson that that all is not as it may appear at first blush. In an article in the November issue of the ACC Docket, entitled “Wearing Two Hats-In-House Counsel and Compliance Officer”, author Amy Hutchins joins the continuing debate of whether a General Counsel (GC) should also be a company’s Chief Compliance Office (CCO). She reviews certain cases involving the health care industry and touches upon the Federal Sentencing Guidelines which require that “High-level personnel shall ensure that the organization has an effective compliance and ethics program.”

Going beyond all of the legal requirements, Hutchins focuses on some of the practical realities of a GC also acting as a CCO. She believes that while the skills needed to be a good GC are widely understood, the compliance function is not as well understood. She likens it to a “program that needs management.” This is because compliance may be more closely akin to program management, with coordination needed across multiple functions or divisions. The implementation of major initiatives requires skills that are not necessarily essential to an in-house counsel, but are mandatory for an effective compliance officer. Hutchins adds that some of the skills necessary for a CCO include strong interpersonal skills, the ability to listen and discretion but, most importantly, the compliance practitioner must be more proactive than reactive. They must stay away from what Mike Volkov calls the “Dr. No perception” which he characterizes as taking “refuge in mechanical, non-creative thinking.”

Hutchins recognizes that in smaller companies the roles of GC and CCO may be united out of necessity. However, this joining of the two roles may not allow said person to perform the full panoply of services required by a CCO; drafting policies and procedures and a Code of Conduct; performing Risk Assessments; handling investigations; developing and conducting training; all while fulfilling the role of GC. I would argue that the same is true in a larger company as well. The GC already has a day job. If you give the GC another day job you run the risk of neither being done as well as is needed.

Yet Hutchins raises another issue that may not be as well recognized or as well thought through. Hence the War of the Spanish Succession and all may not be as it appears at first blush. This is because a GC often prefers to keep issues in-house and “not take on the responsibility of reporting to an enforcement agency.” Recognizing that such a decision is not made lightly or without thorough discussions, if the GC is also the CCO, “In difficult situations, a CCO’s perspective about a controversial transaction or event would obviously go unnoticed, if that person was also serving as the GC who happened to agree with executive management.” Hutchins concludes by noting, even the attorney who balances the two roles “will face the challenges of conflicts and the consequences of the silent compliance voice when defaulting to the professional responsibility obligations of the legal profession.”

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

Blog at WordPress.com.