FCPA Compliance and Ethics Blog

April 3, 2014

Life Cycle Management of Third Parties – Step 4 – The Contract

Five stepsThis post continues to outline what I believe are the five steps in the life cycle of third party management. Today I will look at Step 4, the contract. However, before we get to the contracting stage a word about what to do with Steps 1-3. You cannot simply obtain the information detailed in these first three steps; you must evaluate the information and show that you have used it in your process. If it is incomplete, it must be completed. If there are Red Flags, which have appeared, these Red Flags must be cleared or you must demonstrate how you will manage the risks identified. In others words you must Document, Document and Document that you have read, synthesized and evaluated the information garnered in Steps 1-3. As the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) continually remind us, a compliance program must be a living, evolving system and not simply a ‘Check-the-Box’ exercise.

After you have completed Steps 1-3 and then evaluated and documented your evaluation, you are ready to move onto to Step 4 – the contract. Obviously any commercial relationship should be governed by the terms and conditions of a written contract. Clearly your commercial terms should be set out in the contract. In the area of commercial terms the FCPA Guidance intones “Additional considerations include payment terms and how those payment terms compare to typical terms in that industry and country, as well as the timing of the third party’s introduction to the business.” This means that you need to understand what the rate of commission is and whether it is reasonable for the services delivered. If the rate is too high, this could be indicia of corruption as high commission rates can create a pool of money to be used to pay bribes. If your company uses a distributor model in its sales side, then it needs to review the discount rates it provides to its distributors to ascertain that the discount rate it warranted.

In addition to the above analysis from the compliance perspective, you should incorporate compliance terms and conditions into your contracts with third parties. I would suggest that you begin with some type of compliance terms and conditions template, which can be used as a starting point for your negotiations. The advantages of such a template are several; they include: (1) the contract language is tested against real events; (2) the contract language assists the company in managing its compliance risks; (3) the contract language fits into a series of related contracts; (4) the contract language is straight-forward to administer and (5) the contract language helps to manage the expectations of both contracting parties regarding anti-bribery and anti-corruption.

What are the compliance terms and conditions that you should include in your commercial contracts with third parties? In the Panalpina Deferred Prosecution Agreement (DPA), Attachment C, Section 12 is found the following language, “Where necessary and appropriate, Panalpina will include standard provisions in agreements, contracts, and renewals thereof with all agents and business partners that are reasonably calculated to prevent violations of the anticorruption laws, which may, depending upon the circumstances, include: (a) anticorruption representations and undertakings relating to compliance with the anticorruption laws; (b) rights to conduct audits of the books and records of the agent or business partner to ensure compliance with the foregoing; and (c) rights to terminate an agent or business partner as a result of any breach of anti-corruption laws, and regulations or representations and undertakings related to such matters.” In the Johnson & Johnson (J&J) DPA, the same language as used in the Panalpina DPA is found in Attachment C, entitled “Corporate Compliance Program”. However, in Attachment D, entitled “Enhanced Compliance Obligations”, the following language is found: “Contracts with such third parties are to include appropriate FCPA compliance terms and conditions including; (i) representatives and undertakings of the third party to compliance; (ii) right to audit; and (iii) right to terminate.”

Mary Jones, in an article in this blog entitled “Panalpina’s World Wide Web”, suggested the following language be present in your compliance terms and conditions:

  • payment mechanisms that comply with this Manual, the FCPA [Foreign Corrupt Practices Act], the UKBA [UK Bribery Act] and other applicable anti-corruption and/or anti-bribery laws during the term of such contract;
  • the counterparty’s obligation to maintain accurate books and records in compliance with the Company’s Policy and Compliance Manual;
  • the counterparty’s obligation to certify on an annual basis that: (i) counterparty has not made, offered, or promised any payment or gift of money or anything of value, directly or indirectly, to any Government Official (or any other person or entity if UK Bribery Act applies) for the purpose of obtaining or retaining business or getting any improper business advantage; and (ii) counterparty has not engaged in any conduct or behavior prohibited by the Code of Conduct, Anti-Corruption Policy and Compliance Manual and other applicable anti-corruption and/or anti-bribery law;
  • the Company’s right to audit the counterparty’s books and records, including, without limitation, any documentation relating to the counterparty’s interaction with any governmental entity (or any entity if UK Bribery Act applies) on behalf of the Company, and the counterparty’s obligation to cooperate fully with any such audit; and
  • remedies (including termination rights) for the failure of the counterparty to comply with the terms of the contract, the Code of Conduct, the Anti-Corruption Policy and Compliance Manual and other applicable anti-corruption and/or anti-bribery law during the term of such contract.

Based on the foregoing experts and the research I have engaged in, I believe that compliance terms and conditions should be stated directly in the document, whether such document is a simple agency or consulting agreement or a joint venture (JV) with several formation documents. The compliance terms and conditions should include representations that in all undertakings the third party will make no payments of money, or anything of value, nor will such be offered, promised or paid, directly or indirectly, to any foreign officials, political parties, party officials, candidates for public or political party office, to influence the acts of such officials, political parties, party officials, or candidates in their official capacity, to induce them to use their influence with a government to obtain or retain business or gain an improper advantage in connection with any business venture or contract in which the company is a participant.

In addition to the above affirmative statements regarding conduct, a commercial contract with a third party should have the following compliance terms and conditions in it.

  • Indemnification: Full indemnification for any FCPA violation, including all costs for the underlying investigation.
  • Cooperation: Require full cooperation with any ethics and compliance investigation, specifically including the review of foreign business partner emails and bank accounts relating to your Company’s use of the foreign business partner.
  • Material Breach of Contract: Any FCPA violation is made a material breach of contract, with no notice and opportunity to cure. Further, such a finding will be the grounds for immediate cessation of all payments.
  • No Sub-Vendors (without approval): The foreign business partner must agree that it will not hire an agent, subcontractor or consultant without the Company’s prior written consent (to be based on adequate due diligence).
  • Audit Rights: An additional key element of a contract between a US Company and a foreign business partner should include the retention of audit rights. These audit rights must exceed the simple audit rights associated with the financial relationship between the parties and must allow a full review of all FCPA related compliance procedures such as those for meeting with foreign governmental officials and compliance related training.
  • Acknowledgment: The foreign business partner should specifically acknowledge the applicability of the FCPA to the business relationship as well as any country or regional anti-corruption or anti-bribery laws, which apply to either the foreign business partner or business relationship.
  • On-going Training: Require that the top management of the foreign business partner and all persons performing services on your behalf shall receive FCPA compliance training.
  • Annual Certification: Require an annual certification stating that the foreign business partner has not engaged in any conduct that violates the FCPA or any applicable laws, nor is it aware of any such conduct.
  • Re-qualification: Require the foreign business partner re-qualify as a business partner at a regular interval of no greater than every three years.

Many will exclaim, “What an order, I can’t go through with it.” By this they mean that they do not believe that they will be able to get the third party to agree to such compliance terms and conditions. I have found that while it may not be easy, it is relatively simply to get a third party to agree to these, or similar, terms and conditions. One approach to take is that they are not negotiable. When faced with such a position on non-commercial terms many third parties will not fight such a position. There is some flexibility but the DOJ will require the minimum terms and conditions that it has suggested in the various Attachment Cs to the DPAs I have discussed. But the best position I have found is that if a third party agrees with these terms and conditions, they can then use that as a market differentiator from other third parties who have not gone through the life cycle management of a third party as this series has discussed.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

June 20, 2012

The DOJ Listens: the Evolution of FCPA Compliance in M&A

Earlier this week the US Department of Justice (DOJ) released a Deferred Prosecution Agreement (DPA) with the company Data Systems & Solutions (DS&S). I explored the factual allegations against DS&S and the highlights of the DPA in yesterday’s post. Today I want to discuss the DS&S DPA in the context of the DOJ’s evolution in thinking regarding what a company can do to protect itself under the Foreign Corrupt Practices Act (FCPA) when it purchases another entity or otherwise engages in mergers and acquisitions (M&A) work. In other words, forces the evolution of best practices.

Previously many compliance practitioners had based decisions in the M&A context on DOJ Opinion Release 08-02 (08-02), which related to Halliburton’s proposed acquisition of the UK entity, Expro. In the spring of 2011, the Johnson & Johnson (J&J) DPA changed the perception of compliance practitioners regarding what is required of a company in the M&A setting related to FCPA due diligence, both pre and post-acquisition. On June 18, the DOJ released the DS&S DPA which brought additional information to the compliance practitioner on what a company can do to protect itself in the context of M&A activity.

Opinion Release 08-02 began as a request from Halliburton to the DOJ from issues that arose in the pre-acquisition due diligence of the target company Expro. Halliburton had submitted a request to the DOJ specifically posing these three questions: (1) whether the proposed acquisition transaction itself would violate the FCPA; (2) whether, through the proposed acquisition of Target, Halliburton would “inherit” any FCPA liabilities of Target for pre-acquisition unlawful conduct; and (3) whether Halliburton would be held criminally liable for any post-acquisition unlawful conduct by Target prior to Halliburton’s completion of its FCPA and anti-corruption due diligence, where such conduct is identified and disclosed to the Department within 180 days of closing.

I.                   08-02 Conditions

 

Halliburton committed to the following conditions, if it was the successful bidder in the acquisition:

Within ten business days of the closing, Halliburton would present to the DOJ a comprehensive, risk-based FCPA and anti-corruption due diligence work plan which would address, among other things, the use of agents and other third parties; commercial dealings with state-owned customers; any joint venture, teaming or consortium arrangements; customs and immigration matters; tax matters; and any government licenses and permits. The Halliburton work plan committed to organizing the due diligence effort into high risk, medium risk, and lowest risk elements.

a)      Within 90 days of Closing. Halliburton would report to the DOJ the results of its high risk due diligence.

b)      Within 120 days of Closing. Halliburton would report to the DOJ the results to date of its medium risk due diligence.

c)      Within 180 days of Closing. Halliburton would report to the DOJ the results to date of its lowest risk due diligence.

d)     Within One Year of Closing. Halliburton committed full remediation of any issues which it discovered within one year of the closing of the transaction.

Many lawyers were heard to exclaim, “What an order, we cannot go through with it.” However,  we advised our clients not to be discouraged because 08-02 laid out a clear road map for dealing with some of the difficulties inherent in conducting sufficient pre-acquisition due diligence in the FCPA context. Indeed the DOJ concluded 08-02 by noting, “Assuming that Halliburton, in the judgment of the Department, satisfactorily implements the post-closing plan and remediation detailed above… the Department does not presently intend to take any enforcement action against Halliburton.”

II.                Johnson & Johnson “Enhanced Compliance Obligations”

Attachment D of the J&J DPA, entitled “Enhanced Compliance Obligations”, is a list of compliance obligations in which J&J agreed to undertake certain enhanced compliance obligations for at least the duration of its DPA beyond the minimum best practices also set out in the J&J DPA. With regard to the M&A context, J&J agreed to the following:

 

7. J&J will ensure that new business entities are only acquired after thorough FCPA and anti-corruption due diligence by legal, accounting, and compliance personnel. Where such anti-corruption due diligence is not practicable prior to acquisition of a new business for reasons beyond J&J’s control, or due to any applicable law, rule, or regulation, J&J will conduct FCPA and anti-corruption due diligence subsequent to the acquisition and report to the Department any corrupt payments, falsified books and records, or inadequate internal controls as required by … the Deferred Prosecution Agreement.

8. J&J will ensure that J&J’s policies and procedures regarding the anti-corruption laws and regulations apply as quickly as is practicable, but in any event no less than one year post-closing, to newly-acquired businesses, and will promptly, for those operating companies that are determined not to pose corruption risk, J&J will conduct periodic FCPA Audits, or will incorporate FCPA components into financial audits.

a. Train directors, officers, employees, agents, consultants, representatives, distributors, joint venture partners, and relevant employees thereof, who present corruption risk to J&J, on the anticorruption laws and regulations and J&J’s related policies and procedures; and

b. Conduct an FCPA-specific audit of all newly-acquired businesses within 18 months of acquisition.

These enhanced obligations agreed to by J&J in the M&A context were less time sensitive than those agreed to by Halliburton in 08-02. In the J&J DPA, the company agreed to following time frames:

A.     18 Month – conduct a full FCPA audit of the acquired company.

B.     12 Month – introduce full anti-corruption compliance policies and procedures into the acquired company and train those persons and business representatives which “present corruption risk to J&J.”

So there is no longer a risk based approach as set out in 08-02 and the tight time frames are also relaxed. Once again we applaud the DOJ for setting out specific information for the compliance practitioner through the release of the J&J DPA. As many have decried 08-02 is a standard too difficult to satisfy in the real world of time constraints and budget cuts, the “Acquisition” component of the J&J DPA should provide those who have made this claim with some relief.

III.             DS&S

In the DS&S DPA there are two new items listed in the Corporate Compliance Program, attached as Schedule C to the DPA, rather than the standard 13 items we have seen in every DPA since at least November 2010. The new additions are found on items 13 & 14 on page C-6 of Schedule C and deal with mergers and acquisitions. They read in full:

13. DS&S will develop and implement policies and procedures for mergers and acquisitions requiring that DS&S conduct appropriate risk-based due diligence on potential new business entities, including appropriate FCPA and anti-corruption due diligence by legal, accounting, and compliance personnel. If DS&S discovers any corrupt payments or inadequate internal controls as part of its due diligence of newly acquired entities or entities merged with DS&S, it shall report such conduct to the Department as required in Appendix B of this Agreement.

 14. DS&S will ensure that DS&S’s policies and procedures regarding the anticorruption laws apply as quickly as is practicable to newly acquired businesses or entities merged with DS&S and will promptly:

a. Train directors, officers, employees, agents, consultants, representatives, distributors, joint venture partners, and relevant employees thereof, who present corruption risk to DS&S, on the anti-corruption laws and DS&S’s policies and procedures regarding anticorruption laws.

b. Conduct an FCPA-specific audit of all newly acquired or merged businesses as quickly as practicable.

 This language draws from and builds upon the prior Opinion Release 08-02 regarding Halliburton’s request for guidance and the J&J Enhanced Compliance Obligations incorporated into its DPA. While the DS&S DPA does note that it is specifically tailored as a solution to DS&S’s FCPA compliance issues, I believe that this is the type of guidance that a compliance practitioner can rely upon when advising his or her clients on what the DOJ expects during M&A activities.

FCPA M&A Box Score Summary

Time Frames

Halliburton 08-02

J&J

DS&S

FCPA Audit
  1. High Risk Agents – 90 days
  2. Medium Risk Agents – 120 Days
  3. Low Risk Agents – 180 days
18 months to conduct full FCPA audit As soon “as practicable
Implement FCPA Compliance Program Immediately upon closing 12 months As soon “as practicable
Training on FCPA Compliance Program 60 days to complete training for high risk employees, 90 days for all others 12 months to complete training As soon “as practicable

I believe that the DOJ does listen to the concerns of US companies about issues relating to FCPA enforcement, which is consistent with its duty to uphold that law. Last month we saw the issue of the Morgan Stanley declination in the context of the Garth Peterson FCPA prosecution. With the DS&S DPA, there is clearly more flexible language presented in the context of M&A work and potential liability for ‘buying a FCPA claim.’

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

October 10, 2011

Benefits to Voluntary Disclosure: DOJ does not act as a Star Chamber

From time-to-time, I am fortunate to have a guest post on my blog by Mike Volkov which are always informative and provocative. Last Friday, Mike continued this tradition of both as he posed the question of whether the Department of Justice (DOJ) voluntary disclosure process operates as a “Star Chamber” for companies which self-disclose an actual or potential Foreign Corrupt Practices Act (FCPA) violation to the DOJ and Securities and Exchange Commission (SEC). He answered this question by noting that the DOJ “operates as a Star Chamber, defining and enforcing [the FCPA] without any meaningful judicial review.” He ends by stating “The absence of any such standards is unfair, breeds disparate treatment of similarly situated companies, and undermines the fair administration of justice.”

So once again I am inspired, by my “This Week in FCPA” colleague Howard Sklar, to the take the contrarian approach. I will attempt to respond to one of Mike’s comments and demonstrate that voluntary disclosure has significant benefits to a company which avails itself of this procedure. Further, I will conclude by arguing that neither the DOJ or SEC operates the voluntary disclosure process as a “Star Chamber.”

What was the “Star Chamber”?

So what was the “Star Chamber”? Although English legal scholars are not certain when it was initially established, the Star Chamber was made up of Privy Counselors, as well as common-law judges, and common-law and equity courts. It began as a supervisory body, overseeing the operations of lower courts, though its members could hear cases by direct appeal as well. The court was set up to ensure the fair enforcement of laws against prominent people, those so powerful that ordinary courts could never convict them of their crimes.

A second function of the Star Chamber was to act like a court of equity, which could impose punishment for actions which were deemed to be morally reprehensible, but not in violation of the letter of the law. This second function gave the Star Chamber great flexibility as it could punish offenders for any action which the court felt should be illegal even when in fact it was technically legal; however, it also meant that the justice imposed by the Star Chamber could be very arbitrary and subjective, and allowed the court to be used later on in its history as an instrument of oppression rather than for the purpose of for which it was intended.

However, these ancient precedents were later set aside by the Tudor and particularly Stuart kings. This created the modern usage of the term “Star Chamber” which is generally associated with strict, arbitrary rulings and secretive proceedings. I believe that this is what Mike referred to in his post.

Benefits of Voluntary Disclosure

1. Monetary Benefits

I believe that there are clear, substantive and discrete benefits to voluntary disclosure which a company can receive from the DOJ and SEC. If there was any doubt to the financial benefits to this question, I believe that they were answered in the Johnson and Johnson (J&J) Deferred Prosecution Agreement (DPA). Listed under the section “Relevant Considerations” one of the reasons the DOJ entered into the DPA is the following:

  1. J&J voluntarily and timely disclosed the majority of the misconduct described in the [Criminal] Information and Statement of Facts;

So the self-disclosure was one of the reasons that the DOJ entered into the DPA, however, and perhaps more importantly, the self-disclosure brought to J&J a monetary benefit with a tangible reduction in its overall fine and penalty. The DPA reported a reduction by 5 points of the company’s overall Culpability Score with the following:

(g)(1) The organization, prior to an imminent threat of disclosure or government investigation, within a reasonably prompt time after becoming aware of the offense, reported the offense, fully cooperated, and clearly demonstrated recognition and affirmative acceptance of responsibility for its criminal conduct;  -5

It is not possible to determine from the DPA how much of the reduction was attributable to the self-disclosure and how much was attributed to the conduct thereafter. However, this precise language makes clear that the DOJ places a real value on such self-disclosures and companies should take this as a clear sign that, at the end of the day, it will be better for them to self-disclose.

2. Credibility Benefits – Creation of Leverage

One of the points that Mike makes is that “Clients lost all leverage when they enter the voluntary disclosure process.” I believe that there are significant “leverage” benefits gained by self-disclosure. Stephen Martin, my partner on the World-Check sponsored FCPA speaking tour, is a former federal prosecutor. He speaks about the FCPA from that perspective, while I speak about it form a civil side perspective. Stephen says the most important thing that a company can bring to the table when negotiating with the government is credibility. Credibility benefits can start with self-disclosure but it should continue throughout the entire process. If a company self-discloses and then cooperates with the government during the investigative process, it can lead to both a monetary reduction in the overall fine and penalty. But more than monetary benefits it creates the “leverage” that the company wants to do the right thing even if a FCPA violation has occurred within the company.

My colleague Mary Jones, former Assistant General Counsel and Director of Compliance for Global Industries (GI), speaks about her experiences with a multi-year FCPA process which had its genesis from the Panalpina matter.While many companies caught up in the Panalpina matter were assessed fines and penalties, after a thorough internal investigation, neither the SEC nor the DOJ chose to take any action against Global Industries. Mary speaks about going through negotiations with the DOJ and how she personally made presentations to the DOJ about robust nature of the GI compliance program and how she and the company’s General Counsel led a world-wide investigation team to determine if there were any additional problems after the Panalpina matter came to light. One of the things that Mary emphasizes was the complete cooperation by GI and “leveraging” the vigorous nature of its compliance program to the SEC and DOJ.

Indeed, the best example of this leveraging I can bring forward is the result achieved by RAE Systems, Inc. (RAE) last year when it received a NPA, after having actual knowledge of FCPA violations in two majority owned joint ventures in China. Even though RAE failed to follow the 2004 FCPA compliance best practices when it failed to engage in due diligence on one joint venture acquisition and even though RAE failed to take effective remedial measures with a second joint venture, after it became a corporate subsidiary, and after RAE had actual knowledge of FCPA violations; RAE did not receive a criminal charge against it. In its Letter Agreement to the NPA, the DOJ noted “…non-prosecution agreement based, in part, on the following factors: (a) RAE Systems’ timely, voluntary, and complete disclosure of the facts described in Appendix A; (b) RAE Systems’ thorough, real-time cooperation with the Department and the U.S. Securities and Exchange Commission (“SEC”); (c) the extensive remedial efforts already undertaken and to be undertaken by RAE Systems; and (d) RAE Systems’ commitment to submit periodic monitoring reports to the Department.”

I believe that this is “leveraging” that a company can bring to negotiations when it self-discloses a FCPA violation to the DOJ and that the RAE matter would appear to provide specific evidence of the benefits of such corporate conduct. The NPA reports that RAE had actual knowledge of FCPA violations yet no criminal charges were filed. Further, no ongoing external Corporate Monitor was required. Clearly RAE engaged in actions during the pendency of the investigation which persuaded the DOJ not to bring criminal charges.

Other Points

Mike also raises other points, one being that the DOJ acts as “prosecutor, judge and jury” and “that no company can challenge the DOJ’s interpretation and enforcement positions regarding the meaning of the FCPA.” As to the latter I would only observe that no company is willing to challenge the DOJ’s interpretation and enforcement position but there are others who have fleshed this critique more fully, such as the FCPA Professor. As to the former point, in any negotiation with the DOJ, it is by its nature an adversarial proceeding. While certainly we in the compliance world would expect an element of justice to be taken into account in any negotiation with the DOJ, it is incumbent to remember that the DOJ represents the People of the United States and counsel for any company which self-discloses represents the company. To have the DOJ aggressively negotiate should not be a surprise.

Lastly, Mike states that “federal judges have been unwilling to question the Justice Department’s interpretation of the law.” I believe that this statement is correct and this is one area that I could only propose be expanded. All plea agreements are subject to court review. If the courts began to test some of these or require the DOJ to disclose its decision making calculus behind some of its legal interpretations, this would be something that companies could utilize to determine the parameters of potential FCPA exposure. So I would agree with Mike that there is no “meaning judicial review” of FCPA settlement agreements, but I do not believe this factor results in any “Star Chamber” proceedings by the DOJ.

Conclusion

I do not believe that voluntary self-disclosure throws a company into a “Star Chamber” with the DOJ or SEC. I believe that there are monetary and credibility reasons for self-disclosure which can bring tangible benefits. I believe that Mike correctly notes near the end of his post, “there are significant risks that a disgruntled employee, a whistleblower or a competitor may raise complaints that a company is engaging in illegal bribery activity. Most of the significant FCPA cases have been started through a whistleblower or disgruntled employee. That risk will be even greater in response to the SEC’s whistleblower bounty program.” Voluntary self-disclosure can reduce overall exposure before any of the above occurs. And finally, if you do get into FCPA hot water, you need to hire Mike to self-disclose to the DOJ and SEC.

Mike and I will continue setting out our respective positions on other issues. I hope you enjoy reading them as much as we enjoy writing them and that you will find them useful and informative.

————————————————————————————————–

I have been honored to be nominated as one of the Top 25 Business Blogs of 2011 by LexisNexis. If you would like to support my nomination, please comment on the announcement post on our Corporate & Securities Community

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

July 26, 2011

How Cyrano de Bergerac Portends the Compliance Assessment

In a recent article entitled “The Breakthrough Myth” author Clive Thompson postulates that most radical new technologies have been “percolating in plain sight for years.” He begins with the position that everyone is looking for the Next New Big Thing or as I like to say, the “New New Thing”. This is based upon the assumption that all breakthroughs are “inherently surprising, so it takes a special genius to spot one coming.”

Thompson goes on to point out that such breakthroughs are not how innovation works. He cites Bill Buxton for the proposition that “paradigm-busting innovations are easy to see because they are already lying there-close at hand.” Further, anything that will have an impact in the next ten years has already “been around for 10 years.” He cites Buxton for the name of this phenomenon, the “long nose theory of innovation.” Is this some type of reference to Cyrano de Bergerac (or perhaps more recently, Steve Martin in Roxanne)? No all this means is that big ideas poke their noses into consciousness very slowly, “easing gradually into view.”

I would add my own corollary for the compliance world, the train moves most slowly when leaving the station,but after it leaves, it certainly picks up speed. The most prescient example is the compliance assessment. At the Compliance Week 2010 Annual Conference one of the issues discussed by Lanny Breuer, Assistant Attorney General, for the Criminal Division of the US Department of Justice (DOJ), was what might constitute as some of the elements of an effective compliance and ethics program under the Foreign Corrupt Practices Act (FCPA). In the Q&A following his prepared remarks, Breuer answered a question from the floor and indicated that an annual assessment was one such element. This annual assessment is different from a biennial compliance audit, utilizing a company’s internal audit department or outside professional auditors.

One of the purposes of the compliance assessment is to determine if any new elements of an effective compliance program have been developed in the past year and if they should be incorporated into your company’s compliance program. After I blogged about this point, several people asked me for the text where Breuer spoke about this point and I informed them that it was raised in the unscripted Q&A session with Compliance Week Editor Matt Kelly. Back in May 2010, this was a new component of a best practices compliance program,  now one year later an annual assessment is viewed as a key component of such a compliance program.

To demonstrate the “long nose theory” one only need look at the Johnson & Johnson Deferred Prosecution Agreement (DPA), released in April of this year. In addition to the (now) standard Attachment C, in which the DOJ listed its minimums for a best practices compliance program, there was an Attachment D, entitled “Attachment D-Enhanced Compliance Obligations, it was designed to be in addition to, and to build upon, the commitments made by Johnson & Johnson in Attachment C.

These enhanced obligations include the following:

  1. Compliance Department – A senior executive will serve as the Chief Compliance Officer (CCO) and shall report to the Audit Committee of the Board. There shall be heads of compliance within each business sector and corporate function. There shall be a Global Compliance Leadership Team which reports to the CCO.
  2. Gifts, Hospitality and Travel – Gifts are limited to those in “modest” value and appropriate under the circumstances. Hospitality and travel is limited to reasonably priced meals, accommodations and incidental expenses and should be a part of education programs, training, business meetings or conferences. Hospitality and travel are limited to the officials not others.
  3. Complaints and Reports – In addition to maintaining a mechanism for making reports, the company shall create a “Sensitive Issue Triage Committee” to review and respond to any such FCPA issues as may arise.
  4. Risk Assessments and Audits – The company will conduct risk assessment in markets where it has customers who are foreign governments. The company will annually conduct FCPA audits for a minimum of five operating companies who are in high risk markets and after the initial audit every three years for any such operating entity. These audits shall include, at a minimum: (1) onsite visits by auditors and where appropriate legal and compliance personnel; (2) review of payments to health care providers; (3) creation of action plans from these audits; and (4) review of the books and records of distributors and agents.
  5. Acquisitions – To the extent possible, conduct a pre-acquisition FCPA audit of any acquisition target and after acquisition a full FCPA audit within 18 months and training of all relevant personnel and business representatives within one year of acquisition.
  6. Relationships with Third Parties – The company shall conduct a thorough due diligence of all third party representatives including: (1) a review of the qualifications and business reputation of the third party; (2) written rationale for the use of the third party; and (3) a review of the FCPA risk areas. Due diligence is to be conducted by a local business and compliance representative and elevated for review if Red Flags appear or as appropriate. Contracts with such third parties are to include appropriate FCPA compliance terms and conditions including; (i) representatives and undertakings of the third party to compliance; (ii) right to audit; and (iii) right to terminate.
  7. Training – Annual training to all directors, officers and employees who could “present corruption risk” to the company. The company shall provide enhanced and more in-depth training to those involved in company sponsored FCPA audits or those on the company acquisition team. Last, the company shall provide training to “relevant third parties acting on the companies behalf” at least every three years.
  8. Annual Certifications – The company shall implement a system of certifications from “each of J&J’s corporate-level functions, divisions, and business units in each foreign country confirming that their local standard operating procedures adequately implement J&J’s anticorruption policies and procedures, including training requirements, and that they are not aware of any FCPA or other corruption issues that have not already been reported to corporate compliance.”

The J&J Enhanced Compliance Obligations would seem to fall under the “long nose theory” as the nine points set out as obligations are not unfamiliar to the FCPA compliance practitioner. They build upon concepts which have been articulated for some time in the compliance arena. But by utilizing the annual compliance assessment a company may more nimbly move towards a best practices compliance program by determining if it currently has these concepts incorporated into it program. If not it can implement these changes more easily than waiting every two years.

=======================================================

This Week in FCPA, Episode 13 is up. Check out Howard Sklar and myself as we discuss the week’s top FCPA developments. Click here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

July 12, 2011

Corporate Social Responsibility and the FCPA

I was surprised to see the continuing the defense of the Foreign Corrupt Practices Act (FCPA) in publications normally thought of as pro-business. On July 1, authors Amol Mehra and Ajoke Agbool published an article in Forbes.com entitled, “The Corporate Responsibility to Prevent Corruption.” This article followed two articles in the Wall Street Journal (WSJ) from the previous week which discussed the positive effects of the FCPA. In the Forbes.com article, the authors focused on a company’s corporate social responsibility to refrain from engaging in bribery and corruption.

The authors began their piece on the recent Deferred Prosecution Agreement involving Johnson and Johnson (J&J). However, rather than concentrating on the specifics of the FCPA violative actions engaged in by J&J, the authors reviewed the J&J conduct in light of J&J’s own stated Corporate Social Responsibility (CSR) Policy, which the authors quoted as:

We must provide competent management and their actions must be ethical. We are responsible to the communities in which we live and work and to the world community as well.  We must be good citizens – support good works and charities and bear our fair share of taxes.

The authors noted that the actions of J&J which were found to violate the FCPA involved bribery in several countries in Eastern Europe. This corruption was disconnected from their stated company CSR Policy.

The authors went onto state that company compliance programs should not simply be seen as a means of reducing liability and risk; they are also critical components of a company’s CSR Policy. The reality is that corruption should and does have its costs, and not just in situations where companies get caught. Bribery distorts competition and rewards those who cannot compete in an open and fair market. In his prepared statement before the recent House Judiciary Committee hearing on the FCPA, Department of Justice (DOJ) representative Greg Andres stated:

Corruption undermines the democratic process, distorts markets, and frustrates competition.  When government officials, whether at home or abroad, trade contracts for bribes, communities, businesses and governments lose; and when corporations and their executives bribe foreign officials in order to obtain or retain business, they perpetuate a culture of corruption that we are working hard to change.”

The authors cited to the FCPA Legislative History for the statement, “As Congress recognized, bribery “. . . rewards corruption instead of efficiency and puts pressure on ethical enterprises to lower their standards or risk losing business.” Returning to Greg Andres written testimony, he stated: As the FCPA’s legislative history makes clear, “Corporate bribery is bad business. In our free market system it is basic that the sale of products should take place on the basis of price, quality, and service.”

The authors also used examples of US businessmen who see value in the FCPA. After initially noting that if one bribe is given, it sets a negative precedent in which bribes may be expected in order for business to continue. The authors cited the example of Newmont Mining’s Director of Corporate and External Affairs for Africa, who publicly stated:

Newmont’s experience, particularly in Africa, has been that FCPA has been an enormously valuable protective device for us . . . when you have a government person saying . . . ‘we’ll give you that license if you buy us a car or something’ . . . it’s not about ‘look I’m a mean guy and I don’t have value our relationship, and therefore I’m not going to give it to you,’ you say ‘look, there’s a law out there that means I’m going to go to jail if I do that, I’m not going to go to jail for you or anybody else.’

The above example and the one previously reported in the WSJ of Alcoa may be one of the reasons why some business leaders have come out in defense of laws like the FCPA that both incentivize companies to develop compliance programs and punish violators.

Mehra and Agbool argue that a strong internal compliance program should be an integrated part of corporate social responsibility. They believe that businesses should be able to identify and mitigate against bribes and corruption, not only to ensure compliance with the law but additionally to keep markets competitive and to ensure that their activities are benefiting the societies in which they operate. Lastly they note that, “companies need to follow Newmont’s lead and understand that regulations like the FCPA have the potential to be used as a shield, enabling access to areas where corruption is rampant by providing a defensive measure against those seeking bribes.”

The key takeaway from this article and the previous articles in the WSJ is that review of the FCPA must be something more than what we saw in the House Judiciary Committee hearing. Not only did the Representatives who put forward questions fail to cite any examples of the loss of US jobs by US companies because of the FCPA, they completely failed to discuss any of the positive aspects of the FCPA and would barely allow DOJ Representative Greg Andres to respond to any questions on this point. As Mr. Andres said, if companies do not engage in bribery and corruption they do not have anything to worry about with regard to the FCPA. It would appear that some of the country’s more pro-business newspapers and journals are beginning to see the benefits of the FCPA.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

July 5, 2011

Toyota Quality Control and a Best Practices Compliance Program

In an article in the summer 2011 issue of the Sloan Management Review, entitled, “What Really Happened to Toyota?”, author Robert Cole explored the recent problems of the company and whether these difficulties “throw its legendary manufacturing model into question?” The commentary has some interesting implications for the compliance practitioner who works for a company with a global foot print such as Toyota and discusses  some key components of a best practices compliance program such as:

I.                   Know Your Suppliers

After noting the recall of automobiles that Toyota has engaged in over the past couple of years, Cole reviewed how the Toyota brand had become synonymous with quality. One of the key components is a program entitled ‘Total Quality Control” (TQC).  In this program Toyota works together with its suppliers to improve methodologies for its component products. The TQC model embedded quality into Toyota’s production system up and down the Supply Chain. Additionally, through the program, Toyota was able to understand the critical link between quality and profit through high customer satisfaction. This TQC program has been embraced by numerous US companies, including Toyota’s US auto manufacturing rivals.

However, when it comes to compliance, many companies either fail to embrace this concept or worse yet, do not understand how this concept is interwoven into an overall compliance program. Indeed, one of the perceived banes of compliance is that a company is responsible for the actions of its suppliers. Nevertheless if companies would follow the Toyota model for suppliers and understand that suppliers are a critical component of an overall compliance program it becomes much easier to understand how the Toyota TQC model can and should be used as a guidepost for the Supply Chain and compliance.

Part of Toyota’s quality problems can be traced to moving away from this TQC model.

II.                The Compliance Oversight Committee

Another key component of Toyota’s overall quality program was a high-level oversight committee which had been set up to deal with quality issues in 2005. This oversight committee was made up of persons across functions within the company and had the power to deal with issues outside of typical bureaucratic silos. Unfortunately for Toyota, this oversight committee was disbanded in 2009, immediately before the significant recalls began. Cole reports that the reason for the disbanding of the oversight committee was that “management had come to believe that quality control was a part of the company’s DNA and therefore they didn’t need a special committee to enforce it.”

The Oversight Committee is a key component of any best practices compliance program. Not only should be used for reviewing and managing traditional high risk areas such as third party business representatives; a company can create such committees for other high risk issues particular to a company. Witness the recent Johnson & Johnson (J&J) Deferred Prosecution Agreement and its “Enhanced Compliance Obligations”. In these Enhanced Obligations J&J agreed to establish “a “Sensitive Issue Triage Committee” to review and respond to any such [Foreign Corrupt Practices Act] FCPA issues as may arise.” Just as Toyota placed an additional premium on quality, at least up until 2009, by the establishment of a company-wide committee to deal with quality, J&J has one for FCPA issues. This is precisely the type of rigor which should be included in a best practices compliance program.

However, Toyota disbanded the committee because it felt as if the issue of quality had been embedded sufficiently within the organization. While certainly it does not appear that was the case, there is another consequence of disbanding such a visible sign of a management commitment. Perhaps Toyota employees saw the disbanding of the committee as a sign that management no longer held quality in such a high regard. If that is a valid interpretation, the lesson learned for J&J, or any other company which may implement a compliance oversight committee, is to keep such a committee in place as a backup in case a compliance issue is raised or even slips through the cracks.

III.             Don’t Let Growth Overwhelm You

Another point discussed by Cole in his article is that Toyota almost doubled its overall global market share in a little over 10 years and this caused sales to grow “faster than the company could manage.” This changed the traditional order of priorities within the company: growth now became paramount over quality. Previously the company had been conservative, even cautious about growth.

However, this growth was pursued while not fully assessing or even appreciating the risks involved. Cole reported that Toyota moved to expand production into new markets. This meant that there were many new vendors in the Supply Chain that did not receive the rigorous due diligence and training into the Toyota philosophy regarding quality. The company also hired huge numbers of new contract employees who did not receive the same training as previously hired employees. Lastly organizational incentives became skewered towards growth and not quality.

IV.              Lessons for the Compliance Practitioner

The growth experienced by Toyota can also be a clear lesson for the compliance practitioner. Compliance must be rigorously implemented and continued for a company to succeed in its overall anti-corruption and anti-bribery policies. The Toyota TQC model served it well until the rigor surrounding it was reduced. This model inculcated quality throughout vendors in the Supply Chain. As its rigor was reduced due to the replacing emphasis on sales, the quality of Toyota’s product dropped. A company must continue to push compliance throughout its Supply Chain.

Compliance Committees which can serve to escalate compliance issues before they become violations of the FCPA or UK Bribery Act are becoming a part of a best practices compliance program. If a company decides to disband such a committee it must clearly perform rigorous audits or place such safeguards in place to send a message to both vendors in the Supply Chain and employees that compliance is still held in the highest regard by the company.

Lastly, if a company wants to move forward with an aggressive growth model, it should assess the risks of doing so. For Toyota, such a risk assessment might have demonstrated that quality might suffer through the increased use of new vendors. For the compliance practitioner, these risks might also be that new vendors in the Supply Chain need full and complete compliance training, that contract employees need the same compliance training as full-time employees and new vendors in the Supply Chain need rigorous screening through a robust due diligence process to not only identify Red Flags regarding corruption but to help educate new vendors that your company takes compliance very seriously.

Cole’s article is a very good starting point to demonstrate that when a company leaves it core values, the consequences can be quite severe. If your company has compliance as a core value, it must continue to assess, refine and implement new compliance strategies as business strategies evolve.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

June 13, 2011

Recent DPAs Provide Guidance on FCPA Compliance Best Practices

The House Judiciary Committee will hold hearings Tuesday on the Foreign Corrupt Practices Act. At this point the Witness List as set forth on the Committee’s website is as follows:

  • Hon. Michael Mukasey
    Former Attorney General
    Partner
    Debevoise & Plimpton LLP
  • Mr. Greg Andres
    Deputy Assistant Attorney General
    Criminal Division
    U.S. Department of Justice
  • Mr. George Terwilliger
    Partner
    White & Case LLP
  • Ms. Shana-Tara Regon
    Director
    White Collar Crime Policy
    National Association of Criminal Defense Lawyers

At this point no preview of the witnesses’ testimony has been released. However, other than Greg Andres, the testimony will probably not be a defense of the FCPA or even the need to expand it to meet the anti-bribery and anti-corruption enhancements found in the UK Bribery Act. Indeed it reads like a list of representatives from the US Chamber of Commerce, which has been engaged in a campaign to amend the FCPA.

However in the past 12 months or so many of the complaints which have practitioners have made regarding the FCPA have been addressed by the Department of Justice (DOJ) or by recent court rulings. In a blog entitled, “House Judiciary FCPA Hearing: An Opportunity for Greater Information” I have reviewed the federal district court rulings in the CCI and Lindsey Manufacturing cases, which both discussed the factors which should go into an analysis of what is a foreign governmental instrumentality under the FCPA. So at this point, I thought it might be propitious to review some of the information which has come out from the DOJ on what it considers the current best practices for a FCPA compliance program.

Alliance One/Universal Corp.-actions during the pendency of an investigation

Last July, the DOJ released joint Deferred Prosecution Agreement (DPAs) for two companies in the tobacco industry: Alliance One and Universal Corp. These DPAs started a year-long process by which the DOJ has informed the compliance community about specific steps companies can take to enhance their FCPA compliance program or benchmark their current compliance programs against DOJ suggested best practices. These two DPAs in question provided to companies in the midst of FCPA enforcement actions specific steps that should be implemented during the pendency of an investigation to present to the DOJ, which could reduce the overall penalties at the end of the day. Initially it should be noted that full cooperation with the DOJ at all times during the investigation is absolutely mandatory. Thereafter from the Alliance One matter, the focus was on accounting procedures and control of cash payments. From the Universal case, a key driver appears to be the due diligence on each pending international transaction, and subsequent full due diligence on each international business partner. Next is the management of any international business partner after due diligence is completed and a contract executed. Lastly is the focus on the Chief Compliance Officer position, emphasizing this new position throughout the organization and training, training and more training on FCPA compliance.

Panalpina Settlements-Best Practices

In the DOJ settlement with the freight forwarder Panalpina and all related settlements announced on the same day last November, the DOJ attached as Attachment C (Attachment B to the Noble Non-Prosecution) a list of 13 best practices which included the collective Corporate Compliance Programs provided the FCPA compliance practitioner with the most current components that the Department of Justice believes should be included in a FCPA compliance program. Hence, this information is a valuable tool by which companies can assess if they need to adopt new or to modify existing their internal controls, policies, and procedures in order to ensure that it maintains: (a) a system of internal accounting controls designed to ensure that a Company makes and keeps fair and accurate books, records, and accounts; and (b) a rigorous anti-corruption compliance code, standards, and procedures designed to detect and deter violations of the FCP A and other applicable anti-corruption laws. The Preamble notes that these suggestions are the “minimum” which should be a part of a Company’s existing internal controls, policies, and procedures:

1. Code of Conduct.

2. Tone at the Top.

3. Anti-Corruption Policies and Procedures.

4. Use of Risk Assessment.

5. Annual Review.

6. Sr. Management Oversight and Reporting.

7. Internal Controls.

8. Training.

9. Ongoing Advice and Guidance.

10.  Discipline.

11. Use of Agents and Other Business Partners.

12. Contractual Compliance Terms and Conditions.

13. Ongoing Assessment.

The DOJ goes on to fill in each of these categories so that it a valuable list to create, enhance or benchmark your FCPA compliance program.

Alcatel-Lucent, Maxwell Technologies and Tyson Foods-Risk Assessments

The three enforcement actions, all announced in early 2011, involving the companies Alcatel-Lucent, Maxwell Technologies and Tyson Foods, had common areas that the DOJ indicated were FCPA compliance risk areas which should be evaluated for a minimum best practices FCPA compliance program. In both Alcatel-Lucent and Maxwell Technologies, the Deferred Prosecution Agreements (DPAs) listed the seven following areas of risk to be assessed.

1.         Geography-where does your Company do business.

2.         Interaction with types and levels of Governments.

3.         Industrial Sector of Operations.

4.         Involvement with Joint Ventures.

5.         Licenses and Permits in Operations.

6.         Degree of Government Oversight.

7.         Volume and Importance of Goods and Personnel Going Through Customs and Immigration.

In the Tyson Foods DPA, this list was reduced to the following (1) Geography, (2) Interaction with Governments, and (3) Industrial Sector of Operations. As with all DPAs released since the Panalpina settlements, each DPA has included an Attachment C, compliance program best practices. However these three DPAs give the compliance practitioner the guidance that the DOJ considers a risk assessment to be the starting pointing for any compliance program. In addition to this information on the starting point, there are specific risks which should be assessed listed by the DOJ. 

Johnson and Johnson-self disclosure and enhanced compliance obligations

  1. Self-Disclosure

FCPA practitioners have repeatedly asked the DOJ for specific guidance as to what will be the tangible results of self-disclosure. In the Johnson & Johnson DPA this question is clearly answered. Listed under the section “Relevant Considerations” one of the reasons the DOJ entered into the DPA is the following:

a.         J&J voluntarily and timely disclosed the majority of the misconduct described in the [Criminal] Information and Statement of Facts;

So the self-disclosure was one of the reasons that the DOJ entered into the DPA, however, and perhaps more importantly, the self-disclosure brought to Johnson & Johnson a monetary benefit with a tangible reduction in its overall fine and penalty. The DPA reported a reduction by 5 points of the company’s overall Culpability Score with the following:

(g)(1) The organization, prior to an imminent threat of disclosure or government investigation, within a reasonably prompt time after becoming aware of the offense, reported the offense, fully cooperated, and clearly demonstrated recognition and affirmative acceptance of responsibility for its criminal conduct;  -5

It is not possible to determine from the DPA how much of the reduction was attributable to the self-disclosure and how much was attributed to the conduct thereafter. However, this precise language makes clear that the DOJ places a real value on such self-disclosures and companies should take this as a clear sign that, at the end of the day, it will be better for them to self-disclose.

  1. Attachment D-Enhanced Compliance Obligations

The following nine points will not be unfamiliar to the FCPA compliance practitioner. These points are recognized to be in most ‘good to best’ compliance programs. However, the Johnson & Johnson DPA goes much further by adding an Attachment D, entitled “Enhanced Compliance Obligations” which is designed to be in addition to, and to build upon, the commitments made by Johnson & Johnson in Attachment C. These enhanced obligations include the following:

A.        Compliance Department

B.        Gifts, Hospitality and Travel

C.        Complaints and Reports

D.        Risk Assessments and

E.         Acquisitions

F.         Relationships with Third Parties

G.        Training

H.        Annual Certifications

This Attachment D “Enhanced Compliance Obligations” is an excellent road map for the FCPA practitioner in which to establish, enhance, or simply review a company’s FCPA compliance program. As with the Attachment C, the DOJ expands upon each of these categories. The Johnson & Johnson DPA demonstrates that a company’s commitment to ongoing FCPA remediation and program enhancement will help it reduce its overall FCPA liability in a case with facts as bad as those presented in this matter.

These DPAs demonstrate that the DOJ is committed to releasing information on what it believes will constitute a best practices compliance program. It will be interesting to see if any of the witnesses before the House Judiciary Committee will acknowledge the DOJ’s efforts in this area or the recent federal court rulings on what may constitute an foreign governmental instrumentality under the FCPA in their testimony.

———————————————————————————————————————————————————————

Join Me for Following Upcoming Webinars

Tuesday, June 21 at 1 EDT, I am co-presenting on a webinar with Mary Shaddock Jones, former Assistant General Counsel and Director of Compliance at Global Industries, Ltd., on “Supply Chain Relationship Management Under the FCPA and Bribery Act”. The event is co-hosted by Ethisphere and World Check. For information and registration details click here.

Wednesday, June 22 at 1 PM EDT, I am a co-panelist with Henry Mixon, Managing Director of Mixon Consulting, in a webinar hosted by Corporate Compliance Insights, entitled, “Internal Controls Under the FCPA & UK Bribery Act”. For information and registration details click here.

———————————————————————————————————————————————————————-

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

April 29, 2011

The Royal Wedding and the End of the ‘Halliburton’ Opinion Release

Today is a Royal wedding in England and in honor of the happy couple and the English House of Windsor we will take a look at the Foreign Corrupt Practices Act (FCPA) in the context of a merger and acquisition (M&A) of a British company.

Until recently, many FCPA practitioners had based decisions in the M&A context on Department of Justice’s (DOJ) Opinion Release, 08-02 (08-02), which related to Halliburton’s proposed acquisition of the UK entity, Expro. However, the recently released Deferred Prosecution Agreement (DPA) of Johnson & Johnson (J&J) may have changed the perception of practitioners regarding what is required of a company in the M&A arena related to FCPA due diligence, both pre and post-acquisition. In this post we will review the genesis of 08-02, the risk based approach that it advocated and the vigorous time frames, which it set forth, to accomplish the agreed to compliance investigations and opine on how these may have changed.

08-02 began as a request from Halliburton to the DOJ from issues that arose in the pre-acquisition due diligence of the target company Expro. Halliburton had submitted the following request to the DOJ specifically posing these three questions: (1) whether the proposed acquisition transaction itself would violate the FCPA; (2) whether through the proposed acquisition of Target, Halliburton would “inherit” any FCPA liabilities of Target for pre-acquisition unlawful conduct; and (3) whether Halliburton would be held criminally liable for any post-acquisition unlawful conduct by Target prior to Halliburton’s completion of its FCPA and anti-corruption due diligence, where such conduct is identified and disclosed to the Department within 180 days of closing.

I.                08-02 Conditions

 Halliburton committed to the following conditions, if it was the successful bidder in the acquisition:

1. Within ten business days of the closing. Halliburton would present to the DOJ a

comprehensive, risk-based FCPA and anti-corruption due diligence work plan which would address, among other things, the use of agents and other third parties; commercial dealings with state-owned customers; any joint venture, teaming or consortium arrangements; customs and immigration matters; tax matters; and any government licenses and permits. The Halliburton work plan committed to organizing the due diligence effort into high risk, medium risk, and lowest risk elements.

a. Within 90 days of Closing. Halliburton would report to the DOJ the results of its high risk due diligence.

b. Within 120 days of Closing. Halliburton would report to the DOJ the results to date of its medium risk due diligence.

c. Within 180 days of Closing. Halliburton would report to the DOJ the results to date of its lowest risk due diligence.

d.  Within One Year of Closing. Halliburton committed full remediation of any issues which it discovered within one year of the closing of the transaction.

Many lawyers were heard to exclaim, “What an order, we cannot go through with it.” However,  we advised our clients not to be discouraged because 08-02 laid out a clear road map for dealing with some of the difficulties inherent in conducting sufficient pre-acquisition due diligence in the FCPA context. Indeed the DOJ concluded 08-02 by noting, “Assuming that Halliburton, in the judgment of the Department, satisfactorily implements the post-closing plan and remediation detailed above… the Department does not presently intend to take any enforcement action against Halliburton.”

II.             Johnson & Johnson “Enhanced Compliance Obligations”

In the recently released J&J DPA, there is an Attachment D, which is entitled, “Enhanced Compliance Obligations.” This is a list of compliance obligations in which J&J agreed to undertake certain enhanced compliance obligations for at least the duration of its DPA. With regard to the acquisition context, Johnson and Johnson agreed to:

7. J&J will ensure that new business entities are only acquired after thorough FCPA and anticorruption due diligence by legal, accounting, and compliance personnel. Where such anticorruption due diligence is not practicable prior to acquisition of a new business for reasons beyond J&J’s control, or due to any applicable law, rule, or regulation, J&J will conduct FCPA and anticorruption due diligence subsequent to the acquisition and report to the Department any corrupt payments, falsified books and records, or inadequate internal controls as required by … the Deferred Prosecution Agreement.

 8. J&J will ensure that J&J’s policies and procedures regarding the anticorruption laws and regulations apply as quickly as is practicable, but in any event no less than one year post-closing, to newly-acquired businesses, and will promptly: For those operating companies that are determined not to pose corruption risk, J&J will conduct periodic FCPA Audits, or will incorporate FCPA components into financial audits.

a. Train directors, officers, employees, agents, consultants, representatives, distributors, joint venture partners, and relevant employees thereof, who present corruption risk to J&J, on the anticorruption laws and regulations and J&J’s related policies and procedures; and

b. Conduct an FCPA-specific audit of all newly-acquired businesses within 18 months of acquisition.

These enhanced obligations agreed to by J&J in the M&A context would seem to be less time sensitive than those agreed to by Halliburton in 08-02. In the J&J DPA, the company agreed to following time frames:

a.    18 Month-conduct a full FCPA audit of the acquired company.

b.    12 Month-introduce full anti-corruption compliance policies and procedures into the acquired company and train those persons and business representatives which “present corruption risk to J&J.”

So there is no longer a risk based approach as set out in 08-02 and the tight time frames are also relaxed. Once again we applaud the DOJ for setting out specific information for the compliance practitioner through the release of the J&J DPA. As many have decried 08-02 is a standard too difficult to satisfy in the real world of time constraints and budget cuts, the “Acquisition” component of the J&J DPA should provide those who have made this claim with some relief.

For a copy of Opinion Release 08-02, click here.

For a copy of the Johnson & Johnson Deferred Prosecution Agreement, click here.

We would be remiss if we did not wish Prince William and his bride, Kate, best wishes in their new journey together. No one puts on pomp and circumstance like the Brits so sit back, relax and enjoy the nuptials with a nice cup of tea.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

April 12, 2011

Johnson & Johnson DPA-Part II: Compliance Program Best Practices

Yesterday we reviewed the background facts of the Johnson & Johnson (J&J) Deferred Prosecution Agreement (DPA) and the issue of self-reporting. In this posting we will review some of specific compliance program best practices which Johnson & Johnson agreed to implement.

I. Attachment C

As with other DPA’s entered into by the Department of Justice (DOJ) since, at least, last summer, Attachment C to the DPA sets out the minimum best practice Foreign Corrupt Practices Act (FCPA) compliance program. Attachment C lists nine factors, set out below, which Johnson & Johnson agreed to implement or modify their existing compliance program:

1. A clearly articulated corporate policy against violations of the FCPA, including its anti-bribery, books and records, and internal controls provisions, and other applicable counterparts (collectively, the “anticorruption laws”).

2. Promulgation of compliance standards and procedures designed to reduce the prospect of violations of the anticorruption laws and J&J’s compliance code. These standards and procedures shall apply to all directors, officers, and employees and, where necessary and appropriate, outside parties acting on behalf of J&J in a foreign jurisdiction, including but not limited to, agents, consultants, representatives, distributors, teaming partners, and joint venture partners (collectively, “agents and business partners”);

3. The assignment of responsibility to one or more senior corporate executives of J&J for the implementation and oversight of compliance with policies, standards, and procedures regarding the anticorruption laws. Such corporate official(s) shall have the authority to report matters directly to J&J’s Board of Directors or any appropriate committee of the Board of Directors;

4. Mechanisms designed to ensure that the policies, standards, and procedures of J&J regarding the anticorruption laws are effectively communicated to all directors, officers, employees, and, where appropriate, agents and business partners. These mechanisms shall include: (a) periodic training for all directors, officers, and employees, and, where necessary and appropriate, agents and business partners; and (b) annual certifications by all such directors, officers, and employees, and, where necessary and appropriate, agents, and business partners, certifying compliance with the training requirements;

5. An effective system for reporting suspected criminal conduct and/or violations of the compliance policies, standards, and procedures regarding the anticorruption laws for directors, officers, employees, and, where necessary and appropriate, agents and business partners;

6. Appropriate disciplinary procedures to address, among other things, violations of the anticorruption laws and J&J’s compliance code by J&J’s directors, officers, and employees;

7. Appropriate due diligence requirements pertaining to the retention and oversight of agents and business partners;

8. Standard provisions in agreements, contracts, and renewals thereof with all agents and business partners that are reasonably calculated to prevent violations of the anticorruption laws, which may, depending upon the circumstances, include: (a) anti-corruption representations and undertakings relating to compliance with the anti-corruption laws; (b) rights to conduct audits of the books and records of the agent or business partner to ensure compliance with the foregoing; and (c) rights to terminate an agent or business partner as a result of any breach of anticorruption laws, and regulations or representations and undertakings related to such matters; and

9. Periodic testing of the compliance code, standards, and procedures designed to evaluate their effectiveness in detecting and reducing violations of anticorruption laws and J&J’s compliance code.

II.     Attachment D-Enhanced Compliance Obligations

The nine points will not be unfamiliar to the FCPA compliance practitioner. These points are recognized to be in most ‘good to best’ compliance programs. However, the Johnson &  Johnson DPA goes much further by adding an Attachment D, entitled “Enhanced Compliance Obligations” which is designed to be in addition to, and to build upon, the commitments made by Johnson & Johnson in Attachment C. These enhanced obligations include the following:

  1. Compliance Department – A senior executive will serve as the Chief Compliance Officer (CCO) and shall report to the Audit Committee of the Board. There shall be heads of compliance within each business sector and corporate function. There shall be a Global Compliance Leadership Team which reports to the CCO.
  2. Gifts, Hospitality and Travel – Gifts are limited to those in “modest” value and appropriate under the circumstances. Hospitality and travel is limited to reasonably priced meals, accommodations and incidental expenses and should be a part of education programs, training, business meetings or conferences. Hospitality and travel are limited to the officials not others.
  3. Complaints and Reports – In addition to maintaining a mechanism for making reports, the company shall create a “Sensitive Issue Triage Committee” to review and respond to any such FCPA issues as may arise.
  4. Risk Assessments and Audits – The company will conduct risk assessment in markets where it has customers who are foreign governments. The company will annually conduct FCPA audits for a minimum of five operating companies who are in high risk markets and after the initial audit every three years for any such operating entity. These audits shall include, at a minimum: (1) onsite visits by auditors and where appropriate legal and compliance personnel; (2) review of payments to health care providers; (3) creation of action plans from these audits; and (4) review of the books and records of distributors and agents.
  5. Acquisitions – To the extent possible, conduct a pre-acquisition FCPA audit of any acquisition target and after acquisition a full FCPA audit within 18 months and training of all relevant personnel and business representatives within one year of acquisition.
  6. Relationships with Third Parties – The company shall conduct a thorough due diligence of all third party representatives including: (1) a review of the qualifications and business reputation of the third party; (2) written rationale for the use of the third party; and (3) a review of the FCPA risk areas. Due diligence is to be conducted by a local business and compliance representative and elevated for review if Red Flags appear or as appropriate. Contracts with such third parties are to include appropriate FCPA compliance terms and conditions including; (i) representatives and undertakings of the third party to compliance; (ii) right to audit; and (iii) right to terminate.
  7. Training – Annual training to all directors, officers and employees who could “present corruption risk” to the company. The company shall provide enhanced and more in-depth training to those involved in company sponsored FCPA audits or those on the company acquisition team. Last, the company shall provide training to “relevant third parties acting on the companies behalf” at least every three years.
  8. Annual Certifications – The company shall implement a system of certifications from “each of J&J’s corporate-level functions, divisions, and business units in each foreign country confirming that their local standard operating procedures adequately implement J&J’s anticorruption policies and procedures, including training requirements, and that they are not aware of any FCPA or other corruption issues that have not already been reported to corporate compliance.”

This Attachment D “Enhanced Compliance Obligations” is an excellent road map for the FCPA practitioner in which to establish, enhance, or simply review a FCPA compliance program. The Johnson & Johnson DPA demonstrates that a company’s commitment to ongoing FCPA remediation and program enhancement will help it reduce its overall FCPA liability in a case with facts as bad as those presented in this matter. We commend the DOJ for presenting such detailed information for those in the compliance field and hope that they will learn from the lessons of Johnson & Johnson.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

April 11, 2011

Johnson & Johnson DPA-Part I: Self-Disclosure Reduces Fine

On April 8, 2011, the Wall Street Journal (WSJ) reported that Johnson & Johnson settled certain charges related to violations of the Foreign Corrupt Practices Act (FCPA) with the Department of Justice (DOJ) and Securities and Exchange Commission (SEC). The settlement was in the mechanism of a Deferred Prosecution Agreement (DPA). Over the next two postings we will be reviewing this DPA and its implications for the FCPA compliance practitioner. In this posting we will review the allegations of criminal misconduct and the issue of self-reporting. In the second posting we will review some of specific compliance program best practices which Johnson & Johnson agreed to implement.

The FCPA Blog reported that the company agreed to “pay a $21.4 million penalty to resolve criminal FCPA charges with the DOJ and $48.6 million in disgorgement and prejudgment interest to settle the SEC’s civil charges.” Additionally, as reported in the FCPA Blog, [the Johnson & Johnson subsidiary] “DePuy International Limited settled corruption charges brought by the Serious Fraud Office [in the United Kingdom]. The company was ordered by the High Court to pay £4.8 million in a civil recovery action.” So for those of you keeping score at home, Johnson & Johnson agreed to pay fines and penalties in the total amount of $77 million. For those of you scoring through the FCPA Blog, this settlement vaults the company to the FCPA Blog’s vaunted Top Ten FCPA settlements of all-time list, displacing ABB Ltd., at Number 10.

The DPA between Johnson & Johnson and the DOJ is very instructive for all FCPA practitioners and provides a wealth of information on not only the specific facts of the case, but information on what the DOJ is currently viewing as the best practices of a FCPA compliance program and conduct which Johnson & Johnson engaged in during the investigative process which led to a dramatic reduction in the overall fine and penalty assessed against the company.

I. The Allegations

As reported in the New York Times, Johnson & Johnson had engaged in a wide ranging effort to bribe doctors in Greece through “an elaborate scheme to pay about 20 percent of the price of the company’s devices to Greek surgeons.” The Times article went on to report that “The company also paid bribes to Polish doctors and administrators who served on hospital committees that made purchasing decisions for medical equipment. Some of the bribes included paying for travel arrangements for doctors to attend medical conferences, a common practice throughout the industry. The company also bribed doctors in Romania who prescribed the company’s drugs. The Times article reported that Robert Khuzami, director of the SEC’s division of enforcement, said that the company had attempted to hide these illegal transactions “using sham contracts, off-shore companies and slush funds to cover its tracks.”

In addition to these admissions of FCPA violations, Johnson & Johnson also admitted in its DPA that it had paid kickbacks to the Iraqi regime of Saddam Hussein under a United Nations oil-for-food program. These kickbacks were in the form of price overcharging and then remitting this overcharge back to the (then) Iraqi government.

II. To Self Disclose or Not Self-Disclose-It Should No Longer Be a Question

The question often arises as to whether a company should self-disclose to the DOJ or not. Over the past couple of years this has been a significant debate in the FCPA world. This debate arose long before the Dodd-Frank Whistle-Blower legislation so we will leave the discussion on the implications of that issue for another day. Over the past couple of years, we have seen companies take different approaches to self-disclosure. For instance Avon self-disclosed shortly after it received an internal whistle-blower report of alleged FPCA violations in its China operations. Hewlett-Packard (HP) apparently did not self-disclose to the DOJ or SEC any alleged possible FCPA violations emanating from its German subsidiary and those agencies did not publicly announce they were investigation HP for FCPA violations until after the WSJ broke the story.

FCPA practitioners have repeatedly asked the DOJ for specific guidance as to what will be the tangible results of self-disclosure. In the Johnson & Johnson DPA this question is clearly answered. Listed under the section “Relevant Considerations” one of the reasons the DOJ entered into the DPA is the following:

  1. J&J voluntarily and timely disclosed the majority of the misconduct described in the [Criminal] Information and Statement of Facts;

So the self-disclosure was one of the reasons that the DOJ entered into the DPA, however, and perhaps more importantly, the self-disclosure brought to Johnson & Johnson a monetary benefit with a tangible reduction in its overall fine and penalty. The DPA reported a reduction by 5 points of the company’s overall Culpability Score with the following:

(g)(1) The organization, prior to an imminent threat of disclosure or government investigation, within a reasonably prompt time after becoming aware of the offense, reported the offense, fully cooperated, and clearly demonstrated recognition and affirmative acceptance of responsibility for its criminal conduct;  -5

It is not possible to determine from the DPA how much of the reduction was attributable to the self-disclosure and how much was attributed to the conduct thereafter. However, this precise language makes clear that the DOJ places a real value on such self-disclosures and companies should take this as a clear sign that, at the end of the day, it will be better for them to self-disclose.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

Blog at WordPress.com.