FCPA Compliance and Ethics Blog

November 24, 2014

The FCPA Guidance: Still Going Strong at Two

One of the great things about Sunday afternoon is that Mike Volkov posts his Monday blog, and I usually have time to read it when I get the email notification that it is up. Yesterday he wished the Department of Justice’s (DOJ) and Securities and Exchange Commission’s (SEC) jointly released 2012 A Resource Guide to the U.S. Foreign Corrupt Practices Act (Guidance) a belated Happy 2nd Birthday and bemoaned the fact no one else had done so. Inspired, and somewhat chagrined by Volkov, I decided to blog today about a couple of the highlights from the FCPA Guidance.

I. The Ten Hallmarks of Effective Compliance Programs

As a ‘Nuts and Bolts’ guy, I found the DOJ/SEC formulation of their thoughts on what might constitute a best practices compliance program the most useful part. The Guidance cautions that there is no “one-size-fits-all” compliance program. It recognizes that a company should weigh a variety of factors, such as size, type of business, industry and risk profile, in determining its own needs regarding a Foreign Corrupt Practices Act (FCPA) compliance program. But the Guidance made clear that these ten points are “meant to provide insight into the aspects of compliance programs that DOJ and SEC assess”. In other words, you should pay attention to these and use this information to assess your own compliance regime.

  1. Commitment from Senior Management and a Clearly Articulated Policy Against Corruption. It all starts with tone at the top. But more than simply ‘talk-the-talk’, company leadership must ‘walk-the-walk’ and lead by example. Both the DOJ and SEC look to see if a company has a “culture of compliance”. More than a paper program is required; it must have real teeth and it must be put into action, all of which is led by senior management. The Guidance states, “A strong ethical culture directly supports a strong compliance program. By adhering to ethical standards, senior managers will inspire middle managers to reinforce those standards.” This prong ends by stating that the DOJ and SEC will “evaluate whether senior management has clearly articulated company standards, communicated them in unambiguous terms, adhered to them scrupulously, and disseminated them throughout the organization.”
  2. Code of Conduct and Compliance Policies and Procedures. The Code of Conduct has long been seen as the foundation of a company’s overall compliance program and the Guidance acknowledges this fact. But a Code of Conduct and a company’s compliance policies need to be clear and concise. Importantly, the Guidance made clear that if a company has a large employee base that is not fluent in English such documents need to be translated into the native language of those employees. A company also needs to have appropriate internal controls based upon the risks that a company has assessed for its business model.
  3. Oversight, Autonomy, and Resources. This section began with a discussion on the assignment of a senior level executive to oversee and implement a company’s compliance program. Equally importantly, the compliance function must have “sufficient resources to ensure that the company’s compliance program is implemented effectively.” Finally, the compliance function should report to the company’s Board of Directors or an appropriate committee of the Board such as the Audit Committee. Overall, the DOJ and SEC will “consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.”
  4. Risk Assessment. The Guidance states, “assessment of risk is fundamental to developing a strong compliance program”. Indeed, if there is one over-riding theme in the Guidance it is that a company should assess its risks in all areas of its business. The Guidance is also quite clear that when the DOJ and SEC look at a company’s overall compliance program, they “take into account whether and to what degree a company analyzes and addresses the particular risks it faces.” The Guidance lists factors that a company should consider in any risk assessment. They are “the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs.”
  5. Training and Continuing Advice. Communication of a compliance program is a cornerstone of any anti-corruption compliance program. The Guidance specifies that both the “DOJ and SEC will evaluate whether a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners.” The training should be risk based so that those high-risk employees and third party business partners receive an appropriate level of training. A company should also devote appropriate resources to providing its employees with guidance and advice on how to comply with their own compliance program on an ongoing basis.
  6. Incentives and Disciplinary Measures. Initially the Guidance notes that a company’s compliance program should apply from “the board room to the supply room – no one should be beyond its reach.” There should be appropriate discipline in place and administered for any violation of the FCPA or a company’s compliance program. Additionally, the “DOJ and SEC recognize that positive incentives can also drive compliant behavior. These incentives can take many forms such as personnel evaluations and promotions, rewards for improving and developing a company’s compliance program, and rewards for ethics and compliance leadership.”
  7. Third-Party Due Diligence and Payments. The Guidance says that companies must engage in risk based due diligence to understand the “qualifications and associations of its third-party partners, including its business reputation, and relationship, if any, with foreign officials.” Next a company should articulate a business rationale for the use of the third party. This would include an evaluation of the payment arrangement to ascertain that the compensation is reasonable and will not be used as a basis for corrupt payments. Lastly, there should be ongoing monitoring of third parties.
  8. Confidential Reporting and Internal Investigation. This means more than simply a hotline. The Guidance suggests that anonymous reporting, and perhaps even a company ombudsman, might be appropriate to have in place for employees to report allegations of corruption or violations of the FCPA. Furthermore, it is just as important what a company does after an allegation is made. The Guidance states, “once an allegation is made, companies should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the company’s response, including any disciplinary or remediation measures taken.” The final message is what did you learn from the allegation and investigation and did you apply it in your company?
  9. Continuous Improvement: Periodic Testing and Review. As noted in the Guidance, “compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.” The DOJ/SEC expects that a company will review and test its compliance controls and “think critically” about its own weaknesses and risk areas. Internal controls should also be periodically tested through targeted audits.
  10. Mergers and Acquisitions: Pre-Acquisition Due Diligence and Post-Acquisition Integration. Here the DOJ and SEC spell out their expectations in not only the post-acquisition integration phase but also in the pre-acquisition phase. This pre-acquisition information was not something on which most companies had previously focused. A company should attempt to perform as much substantive compliance due diligence as it can before it purchases a company. After the deal is closed, an acquiring entity needs to perform a FCPA audit, train all senior management and risk employees in the purchased company and integrate the acquired entity into its compliance regime.

II. Declinations

Many commentators such as The FCPA Professor, Mike Volkov, myself and others have advocated that the DOJ release information about Declinations because they are an excellent source of information for the compliance practitioner about the DOJ’s thinking on FCPA enforcement issues. Indeed I had written, “In an area like Foreign Corrupt Practice Act (FCPA) enforcement, where guiding case law is largely non-existent, compliance practitioners must rely on the actions and decisions of federal enforcement agencies for information. Such information is available in the form of enforcement actions, the release of Deferred Prosecution Agreements (DPAs) and Non-Prosecution Agreements (NPAs), and hypothetical fact patterns presented to the Department of Justice (DOJ) through its Opinion Release procedure. But one highly valuable source of guidance has been kept from regulated entities and their counsels: DOJ and Securities and Exchange Commission (SEC) “declination” decisions, opinions which are drafted when the agencies decline to prosecute an individual or organization. A change is needed in this counterproductive policy. The release of substantive information on declinations would help foster greater compliance with the FCPA by providing practitioners with specific facts of circumstances where investigations did not result in an enforcement action.”

Whether the DOJ was answering any of the commentary hardly matters. But a significant section of the Guidance is dedicated specifically to six Declinations provided to companies which self-disclosed possible FCPA violations. The types of issues reported to the DOJ were as varied as mergers and acquisitions (M&A); actions by third parties on a company’s behalf which violated the FCPA; payments improperly made by company employees which were incorrectly characterized as facilitation payments; and illegal bribes paid out by a small group of company employees. From these Declinations, I derived the following points: (1) The Company was alerted to possible corrupt conduct via its compliance program or internal controls. (2) Possible FCPA violations were self-reported or otherwise voluntarily disclosed to the DOJ/SEC. (3) The entities in question conducted a thorough internal investigation and shared the results with the DOJ/SEC. (4) The conduct violative of the FCPA was not pervasive and consisted of relatively small bribes or other corrupt payments. (5) The company took immediate corrective action against the person(s) engaging in the conduct. (6) Each company’s compliance program was expanded or enhanced and these enhancements were reflected in compliance training, internal process improvements and additional enhanced internal controls.

So here’s to the Guidance at the ripe old age of 2. Thanks for coming into all of our (compliance) lives. I have also held back the best for last: the Guidance is available for free on the DOJ website and you can download it by clicking here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

November 17, 2014

Opinion Release 14-02: Dis-Linking The Illegal Conduct Going Forward

One of my favorite words in the context of Foreign Corrupt Practices Act (FCPA) enforcement is dis-link. I find it a useful adjective in explaining how certain conduct by a company must be separated from the winning of business. But it works on so many different levels when discussing the FCPA. Last week I thought about this concept of dis-linking when I read the second Opinion Release of 2014, that being 14-02. One of the clearest ways that the Department of Justice (DOJ) communicates is through the Opinion Release procedure. This procedure provides to the compliance practitioner solid and specific information about what steps a company needs to take in the pre-acquisition phase of due diligence. However, 14-02 directly answers many FCPA naysayers’ long incorrect claim about how companies step into FCPA liability through mergers and acquisitions (M&A) activity.

The Opinion Release noted that the Requestor is a multinational company headquartered in the United States. Requestor desired to acquire a foreign consumer products company and its wholly owned subsidiary (collectively, the “Target”), both of which are incorporated and operate in a foreign country, never issuing securities in the United States. The Target had negligible business contacts in the US, including no direct sale or distribution of their products. In the course of its pre-acquisition due diligence of the Target, Requestor identified a number of likely improper payments by the Target to government officials of Foreign Country, as well as substantial weaknesses in accounting and recordkeeping. In light of the bribery and other concerns identified in the due diligence process, Requestor also detailed a plan for remedial pre-acquisition measures and post-acquisition integration steps. Requestor sought from the DOJ an Opinion as to whether the Department would then bring an FCPA enforcement action against Requestor for the Target’s pre-acquisition conduct. It was specifically noted that the Requestor did not seek an Opinion from the Department as to Requestor’s criminal liability for any post-acquisition conduct by the Target.

Improper Payments and Compliance Program Weaknesses

In preparing for the acquisition, Requestor undertook due diligence aimed at identifying, among other things, potential legal and compliance concerns at the Target. Requestor retained an experienced forensic accounting firm (“the Accounting Firm”) to carry out the due diligence review. This review brought to light evidence of apparent improper payments, as well as substantial accounting weaknesses and poor recordkeeping. The Accounting Firm reviewed approximately 1,300 transactions with a total value of approximately $12.9 million with over $100,000 in transactions that raised compliance issues. The vast majority of these transactions involved payments to government officials related to obtaining permits and licenses. Other transactions involved gifts and cash donations to government officials, charitable contributions and sponsorships, and payments to members of the state-controlled media to minimize negative publicity. None of the payments, gifts, donations, contributions, or sponsorships occurred in the US, none were made by or through a US person or issuer and apparently none went through a US bank.

The due diligence showed that the Target had significant recordkeeping deficiencies. Documentary records did not support the vast majority of the cash payments and gifts to government officials and the charitable contributions. There were expenses that were improperly and inaccurately classified. It was specifically noted that the accounting records were so disorganized that the Accounting Firm was unable to physically locate or identify many of the underlying records for the tested transactions. Finally, the Target had not developed or implemented a written code of conduct or other compliance policies and procedures, nor did the Target’s employees show an adequate understanding or awareness of anti-bribery laws and regulations.

Post-Acquisition Remediation

The Requestor presented several pre-closing steps to begin to remediate the Target’s weaknesses prior to the planned closing in 2015. Requestor aimed to complete the full integration of the Target into Requestor’s compliance and reporting structure within one year of the closing. Requestor has set forth an integration schedule of the Target that included various risk mitigation steps, dissemination and training with regard to compliance procedures and policies, standardization of business relationships with third parties, and formalization of the Target’s accounting and record-keeping in accordance with Requestor’s policies and applicable law.

DOJ Analysis

The DOJ noted black-letter law when it stated, “It is a basic principle of corporate law that a company assumes certain liabilities when merging with or acquiring another company. In a situation such as this, where a purchaser acquires the stock of a seller and integrates the target into its operations, successor liability may be conferred upon the purchaser for the acquired entity’s pre-existing criminal and civil liabilities, including, for example, for FCPA violations of the target.” However, this is tempered by the following from the 2012 FCPA Guidance, “Successor liability does not, however, create liability where none existed before. For example, if an issuer were to acquire a foreign company that was not previously subject to the FCPA’s jurisdiction, the mere acquisition of that foreign company would not retroactively create FCPA liability for the acquiring issuer.”

This means that, because none of the payments were made in the US, none went through the US banking system and none involved a US person or entity, this would not lead to a creation of liability for the acquiring company. Moreover, there would be no continuing or ongoing illegal conduct going forward because “no contracts or other assets were determined to have been acquired through bribery that would remain in operation and from which Requestor would derive financial benefit following the acquisition.” Therefore there would be no jurisdiction under the FCPA to prosecute any person or entity involved after the acquisition.

The DOJ also provided this additional information, “To be sure, the Department encourages companies engaging in mergers and acquisitions to (1) conduct thorough risk-based FCPA and anti-corruption due diligence; (2) implement the acquiring company’s code of conduct and anti-corruption policies as quickly as practicable; (3) conduct FCPA and other relevant training for the acquired entity’s directors and employees, as well as third-party agents and partners; (4) conduct an FCPA-specific audit of the acquired entity as quickly as practicable; and (5) disclose to the Department any corrupt payments discovered during the due diligence process. See FCPA Guide at 29. Adherence to these elements by Requestor may, among several other factors, determine whether and how the Department would seek to impose post-acquisition successor liability in case of a putative violation.”

Discussion

Mike Volkov calls it ‘reading the tea leaves’ when it comes to what information the DOJ is communicating. However, sometimes I think it is far simpler. First and foremost, 14-02 communicates that there is no such thing as ‘springing liability’ to an acquiring company in the FCPA context, nor such a thing as buying a FCPA violation simply through an acquisition; there must be continuing conduct for FCPA liability to arise. Most clearly beginning with the FCPA Guidance, the DOJ and Securities and Exchange Commission (SEC) have communicated what companies need to do in any M&A environment. While many compliance practitioners had only focused on the post-acquisition integration and remediation, the clear import of 14-02 is to re-emphasize the importance of the pre-acquisition phase.

Your due diligence must begin in the pre-acquisition phase. The steps taken by the Requestor in this Opinion Release demonstrate some of the concrete steps that you can take. Some of the techniques you can use in the pre-acquisition phase include (1) having your internal or external legal, accounting, and compliance departments review a target’s sales and financial data, its customer contracts, and its third-party and distributor agreements; (2) performing a risk-based analysis of a target’s customer base; (3) performing an audit of selected transactions engaged in by the target; and (4) engaging in discussions with the target’s general counsel, vice president of sales, and head of internal audit regarding all corruption risks, compliance efforts, and any other major corruption-related issues that have surfaced at the target over the past ten years.

Whether you can make these inquiries or not, you will also need to engage in post-acquisition integration and remediation. 14-02 provides you with some of the steps you need to perform after the transaction is closed. If you cannot perform any or even an adequate pre-acquisition due diligence, the time frames you put in place after the acquisition closes may need to be compressed to make sure that you are not continuing any nefarious FCPA conduct going forward. But it all goes back to dis-linking. If a target is engaging in conduct that violates the FCPA but the target itself is not subject to the jurisdiction of the FCPA, you simply cannot afford to allow that conduct to continue. If you do allow such conduct to continue you will have bought a FCPA violation and your company will be actively engaging and participating in an ongoing FCPA violation. That is the final takeaway I derive from this Opinion Release; it is allowing corruption and bribery to continue which brings companies into FCPA grief. Opinion Release 14-02 provides you a roadmap of the steps you and your company can take to prevent such FCPA exposure.


October 22, 2014

Right to Retire Or Termination: Remediation of Leadership To Foster Compliance

Many historians have long given 476 AD as the date of the fall of the Roman Empire. Further, it was from this date forward that Europe began its long slide into the abyss, which came to be known as the Dark Age. However, this view was challenged in 1971 by Peter Brown, with the publication of his seminal work “The World of Late Antiquity”. One of the precepts of Brown’s work was to reinterpret the 3rd to 8th centuries not as simply a decline of the greatness that had been achieved in the heyday of the Roman Empire, but more on their own terms. It was in the year of 476 AD that the last Roman Emperor, Romulus Augustulus, left the capital of Rome in disgrace. However, as Brown noted, he was not murdered or even thrown out but allowed to retire to his country estates, sent there by the conquerors of the western half of the Roman Empire, the Goths. Not much conquering going on if a ruler is allowed to ‘retire’; it was certainly a replacement but not quite the picture of marauding barbarians at the gate.

I thought about this anomaly of retirement by a leader in the context where a company or other entity might be going through investigations for corruption and non-compliance with such laws as the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act. Yesterday I wrote about three recent articles and what they showed about a company’s oversight of its foreign subsidiaries. Today I want to use these same articles to explore what a company’s response and even responsibility should be to remediate leadership under which the corruption occurs. The first was an article in the New York Times (NYT), entitled, “Another Scandal Hits Citigroup’s Moneymaking Mexican Division” by Michael Corkery and Jessica Silver-Greenberg. Their article spoke about the continuing travails of Citigroup’s Mexican subsidiary Banamex. Back in February, the company reported “a $400 million fraud involving the politically connected, but financially troubled, oil services firm Oceanografía.”

This has led Citigroup to ever so delicately try to oust the leader of its Mexico operations, Mr. Medina-Mora, by encouraging him to retire. While Citigroup did terminate 12 individuals around the Oceanografía scandal earlier in the year, it has not changed the employment status of the head of the Mexico business unit. This may be changing as the article said, “In a delicate dance, Citigroup is encouraging its Mexico chairman, Manuel Medina-Mora, 64, to retire, according to four people briefed on the matter. The bank has been quietly laying the groundwork for his departure, which could come by early next year, the people said. Still, Mr. Medina-Mora’s business acumen and connections to the country’s ruling elite have made him critical to the bank’s success in Mexico. Citigroup and its chairman, Michael E. O’Neill, cannot afford to alienate Mr. Medina-Mora and risk jeopardizing those relationships, these people said.”

Should Mr. Medina-Mora be allowed to retire? Should he even be required to retire? What about the ‘mints money’ aspect of the Mexican operations for Citigroup? Was any of that money minted through violations of the FCPA or other laws? What will the Department of Justice (DOJ) think of Citigroup’s response or perhaps even its attitude towards this very profitable business unit and Citigroup’s oversight, lax or other?

Does a company have to terminate employees who engage in corruption? Or can it allow senior executives to gracefully retire into the night with full pension and other golden parachute benefits intact? What if a company official “purposely manipulated appointment data, covered up problems, retaliated against whistle-blowers or who was involved in malfeasance that harmed veterans must be fired, rather than allowed to slip out the back door with a pension.” Or engaged in the following conduct, “had steered business toward her lover and to a favored contractor, then tried to “assassinate” the character of a colleague who attempted to stop the practice.” Finally, what if yet another company official directed company employees to “delete hundreds of appointments from records” during the pendency of an investigation?

All of the above quotes came from a second NYT article about a very different subject. In the piece, entitled “After Hospital Scandal, V.A. Officials Jump Ship”, Dave Phillips reported that two of the four VA Administration executives who engaged in the above conduct and were selected for termination had resigned before they could be formally terminated. The article reported that the VA “had no legal authority to stop” the employees from resigning. Current VA Secretary Robert McDonald was quoted in the article as saying, “It’s also very common in the private sector. When I was head of Procter & Gamble, it happened all the time, and it’s not a bad thing — it saves us time and rules out the possibility that these people could win an appeal and stick around.” Plus, he said, their records reflect that they were targeted for termination. “They can’t just go get a job at another agency,” Mr. McDonald said. “There will be nowhere to hide.”

The third article was in the Wall Street Journal (WSJ) and entitled, “GM Says Top Lawyer to Step Down”. In this piece, reporters John D. Stroll and Joseph B. White, with contributions from Chris Matthews and Joann Lublin, reported that General Motors (GM) General Counsel (GC) Michael Millikin will retire early next year. Millikin is famously the GC who claimed not to know what was going on in his own legal department around the group’s settlements of product liability claims of faulty ignition switches. Millikin claimed he was kept “in the dark” by his own lieutenants about the safety issues involved with this group of litigation. Does Millikin have any responsibility for the failures of GM around this safety issue? What does his apparent graceful retirement say about the corporate culture of GM and its desire to actually change anything in the light of its ongoing travails? Of course one might cynically point to GM’s failure to even have a Chief Ethics and Compliance Officer as evidence of the company’s attitude towards compliance and ethics. (I wonder how that might look to the DOJ/Securities and Exchange Commission (SEC) if GM goes under any FCPA scrutiny?)

With Citigroup, the Department of Veterans Affairs and GM, we have three separate excuses for companies (and a Cabinet level department) not disciplining top employees for ethical and/or compliance failures. At Citigroup, the excuse is apparently that it does not want to rock the boat from a top producing foreign subsidiary by terminating the head of the subsidiary under investigation. At the Department of Veterans Affairs, the excuse seems to be they can go ahead and resign because we prefer to get rid of them that way. At GM, it is not clear why the GC who claimed not to know what was going on in even his own law department can ride off into the sunset with nary a contrary word in sight. Millikin’s conduct would seem to be the product of a larger cultural issue at GM.

I thought about how the DOJ might look at these situations for companies if a FCPA claim were involved. Even with McDonald’s observations about what happened when he was with Procter & Gamble, does a company show something less than commitment to having a culture of compliance if it allows an employee to retire? What does it say about Citigroup and its culture given the current dance it is having with its head of the Mexico unit? What about GM and its Sgt. Schultz of a GC and his ‘I was in the dark’ posture? As stated by Mike Volkov, in his post entitled “Goodbye Mr. Millikin: GM’s Continuing Culture Challenges”, GM does not appear to understand the situation it finds itself in currently over its failures. He wrote, “GM still does not understand the significance of its governance failure…GM should have taken dramatic and affirmative steps to create a new culture – resources and new initiatives should be launched to rid GM of its current culture and replace it with a new speak up culture. It is a daunting task in such a large company but it has to be done. Until GM wakes up, missteps and failures will continue.” One might say the same for Citigroup and the Department of Veterans Affairs as well.


August 28, 2014

Risk Assessments-the Cornerstone of Your Compliance Program, Part III

Today, I conclude a three-part series on risk assessments in your Foreign Corrupt Practices Act (FCPA) or UK Bribery Act anti-corruption compliance program. I previously reviewed some of the risks that you need to assess and how you might go about assessing them. Today I want to consider some thoughts on how to use your risk assessment going forward.

Mike Volkov has advised that you should prepare a risk matrix detailing the specific risks you have identified and relevant mitigating controls. From this you can create a new control or prepare an enhanced control to remediate the gap between specific risk and control. Finally, through this risk matrix you should be able to assess relative remediation requirements.

One way to put some of Volkov’s suggestions into practice was explored by Tammy Whitehouse, in an article entitled “Improving Risk Assessments and Audit Operations”. Her article focused on how Timken Company assesses and then evaluates the risks the company has assessed. Once risks are identified, they are then rated according to their significance and likelihood of occurring, and then plotted on a heat map to determine their priority. The most significant risks with the greatest likelihood of occurring are deemed the priority risks, which become the focus of the audit/monitoring plan, she said. A variety of solutions and tools can be used to manage these risks going forward but the key step is to evaluate and rate these risks.

LIKELIHOOD

| Likelihood Rating | Assessment | Evaluation Criteria |
|---|---|---|
| 1 | Almost Certain | Highly likely, this event is expected to occur |
| 2 | Likely | Strong possibility that an event will occur and there is sufficient historical incidence to support it |
| 3 | Possible | Event may occur at some point, typically there is a history to support it |
| 4 | Unlikely | Not expected but there’s a slight possibility that it may occur |
| 5 | Rare | Highly unlikely, but may occur in unique circumstances |

‘Likelihood’ factors to consider: The existence of controls, written policies and procedures designed to mitigate risk; capability of leadership to recognize and prevent a compliance breakdown; Compliance failures or near misses; Training and awareness programs.

PRIORITY

| Priority Rating | Assessment | Evaluation Criteria |
|---|---|---|
| 1-2 | Severe | Immediate action is required to address the risk, in addition to inclusion in training and education and audit and monitoring plans |
| 3-4 | High | Should be proactively monitored and mitigated through inclusion in training and education and audit and monitoring plans |
| 5-7 | Significant | |
| 8-14 | Moderate | |
| 15-19 / 20-25 | Low / Trivial | Risks at this level should be monitored but do not necessarily pose any serious threat to the organization at the present time. |

Priority Rating: The product of the ‘likelihood’ and significance ratings reflects the significance of a particular risk universe. It is not a measure of compliance effectiveness, nor is it meant to compare efforts, controls or programs against peer groups.

At Timken, the most significant risks with the greatest likelihood of occurring are deemed to be the priority risks. These “Severe” risks become the focus of the audit monitoring plan going forward. A variety of tools can be used, such as continuous controls monitoring with tools like those provided by Visual RiskIQ, a relationship-analysis based software such as Catelas or other analytical based tools. But you should not forget the human factor. At Timken, one of the methods used by the compliance group to manage such risk is by providing employees with substantive training to guard against the most significant risks coming to pass and to keep the key messages fresh and top of mind. The company also produces a risk control summary that succinctly documents the nature of the risk and the actions taken to mitigate it.

The key to the Timken approach is the action steps prescribed by their analysis. This is another way of saying that the risk assessment informs the compliance program, not vice versa. This is the method set forth by the DOJ in its FCPA Guidance and in the UK Bribery Act’s Adequate Procedures. I believe that the DOJ wants to see a reasoned approach with regards to the actions a company takes in the compliance arena. The model set forth by Timken certainly is a reasoned approach and can provide the articulation needed to explain which steps were taken.

In an article in Compliance Week Magazine, entitled “Lessons on Risk Assessments from Winnie The Pooh”, Jason Medford articulated that a key use of a risk assessment is to assist the internal audit function in developing their internal audit plan. He cited the Institute of Internal Auditors (IIA) standard 2010.A1, which states “The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually.” He went on to note that “In order to have a truly integrated GRC capability it is necessary for internal auditors to work with other GRC professionals in their organization. They must align their annual audit plan with the organization’s objectives, strategies, and initiatives of the other GRC professionals. They must collaborate, coordinate, and align their audit activities with other GRC professionals to increase visibility, improve efficiency, accountability and collaboration.”

Carol Saint, Vice President of Internal Audit for 7-Eleven, who was interviewed by OCEG President Carol Switzer for the same article, said that “We start with a risk assessment, beginning with business units because this is how the organization has designed accountability. We decompose business units into the processes and sub-processes they own and execute. We evaluate how sub-processes align to achievement of strategic objectives: How do they affect the company’s value drivers? Next, we map financial statement lines to the sub-processes to help prioritize from that lens. Finally, for each sub-process we consider specific risks that could hinder achievement of strategic objectives, as well as fraud risks, significant accounting estimates, benchmarking/ hot topics, and ERM risks. We created an “intensity rating” that measures how often a process/sub-process was mentioned in our stakeholder interviews as a risk to the company. And we also considered how cross-functional a process is so that the element of complexity—a risk accelerator—could help determine audit plan priorities. This year’s plan development process was quite intense, but I think we did a good job of creating a baseline so that future risk assessments are more efficient.”

I hope that you have found this series on risk assessments useful. If you have any questions or better yet would like me to work on a risk assessment for your organization, please contact me.

© Thomas R. Fox, 2014

June 19, 2014

What a Long Strange Trip It’s Been – The First 1000 Blog Posts

Yes, indeed the Grateful Dead can and does inform your compliance regime as today is my 1000th blog posting on the FCPA Compliance and Ethics Blog. To say that I ever thought I would see this day or this many blog posts, would portend a level of clairvoyance that even Carnac the Great could not conceive of pontificating upon. I had struggled with a theme for this momentous accomplishment but my sublimely-grounded English wife brought me down from the ethereal clouds with the following suggestion, “Even an old dog can learn new tricks.” Nothing like being married to a younger woman.

So today, I want to write about some of the things I have learned on this 4+ year journey, which began in late 2009/early 2010 after a serious automobile/bicycle event (Box Score: Hummer-1 Tom-0) where about the only thing I had on my hands was time while I was at home convalescing. I started to explore the world of social media, engaging on Twitter, webinaring from my home office and blogging. I was so un-savvy in this arena that about the only positive thing my teenaged daughter could say about me was “Dad, you are so unhip, you are retro. But that is cool too.” The first thing I learned was that even a complete computer misfit and social media idiot could set up a blog on WordPress. It is not only easy but free. I cannot say with any pride that some of my early blogs were very good but I can say that for a lawyer, whose only skill was to be able to perform word processing in Microsoft Word, I could type and then upload a blog post into WordPress. At that point in my blogging career, that was a major accomplishment.

Although it did take some time, I learned how to stop writing like a lawyer, with full citations in each blog, coupled with as much lawyerese as I could manage, by finally adjusting to a blogging format. I also relearned an old lesson, which says that if you really want to learn about a subject, write on it. I remember one of the first things I learned when researching the Travel Act was that this Kennedy era law, passed largely through the efforts of Bobby Kennedy, was designed to help in the fight against organized crime. So who would say a 60 year old law cannot be used for a 21st century purpose? Or maybe even a Watergate-era law like the Foreign Corrupt Practices Act (FCPA) could not have an expansive use, beyond that for which it was passed in 1977? I also learned that if you put out solid content people will read and listen to what you have to say.

I learned there are some great people out there blogging in the ethics and compliance space. I have met some fabulous colleagues through my blogging who have not only been incredibly supportive but whom I now cherish as good friends. Some of them include Mike Koehler, the FCPA Professor, for his scholarly rigor and continued intellectual challenges. Dick Cassin, the Dean of FCPA bloggers, for his unflinching support to myself and so many others. Mike Volkov, former prosecutor and DC-insider, who is always around to bounce a tough question off. Howard Sklar, who was my This Week in FCPA podcast partner, until we lost him to the corporate world. Francine McKenna, a great and generous mentor for myself and many others and the go-to person for all issues in and around the accounting world. Jim McGrath, the internal investigations guy, who brings a former state prosecutor’s perspective to how investigations should be handled and critiqued. Matt Ellis, whose focus on and insights into South America (as in – it’s not a country) continue to shine a light on anti-corruption issues south of the border. Matt Kelly, Editor of Compliance Week, who saves some great witticisms for his weekly blog posts. These are but a very few of the folks I am now privileged to call friends because of my blogging.

I learned that there is way too much white noise in the FCPA space. The FCPA Professor calls them FCPA Inc. and Mike Volkov derides them as the FCPA paparazzi. Whatever you might call them, they put out reams and reams of information, sometimes useful but many times not. What I have tried to do is synthesize some of the most useful for the Chief Compliance Officer (CCO), compliance practitioner or anyone else who does the day-to-day work of anti-bribery/anti-corruption compliance. There are many, many things you can know but a far smaller subset of what you need to know. I try to bring to the compliance practitioner what they need to know. That is why the subtitle of my blog is ‘The Nuts and Bolts of FCPA Compliance’. I have tried to write about things which the compliance professional can use in the everyday practice of compliance.

I have learned that blog posts, which I thought were the most important, may turn out to be the least viewed blogs. Conversely, posts I did not think would be of great interest turned out to have the largest number of one-day hits. For instance, the largest single number of one-day hits I had was an article from two years ago about the SNC-Lavalin corruption investigation in Canada. [For a blog about FCPA compliance-go figure.] The second largest number was a recent blog post using the GM internal investigation as an exploration in the differences between a corporate legal function and its compliance function.

I have learned that by committing to something, you become much better at it. My first year of blogging, I tried to put out 2-3 blogs per week but beginning in 2011, I committed to a daily blog post. Once I made that commitment, blogging became a part of my workday. Once it became a part of my workday, it was like any other project or assignment. I had to set aside the time to work on it. It has made me a much more efficient and better writer to know that I need to write something during my workday. Yes, there have been times I was up at 5 AM to write a post or stayed up way past my school-night bedtime trying to crank something out, but those situations have become few and far between as I became more disciplined about my blogging.

But most of all I have learned that blogging is fun. It is fun because it is a challenge to write about something in an informative and engaging manner. It is fun to tie a Shakespeare play to a compliance and ethics theme. It is fun to read a week’s worth of Sherlock Holmes’ stories and tie a compliance topic to a story each day for one week. It is fun to find out what happened this day in history and use it as a hook to grab your readers’ attention. It is fun to engage in a debate with the FCPA Professor on a topic of mutual interest, where we look at the same thing, yet see it from different perspectives. And it is fun when you meet someone for the first time and after you introduce yourself, they say to you “When is a rose, not a rose? When it’s a FCPA violation”.

Where will the next 1000 blog posts take me? I have no clue but if they are as much fun as the first 1000 posts have been I hope that you will continue to join me on This Long Strange Trip.

© Thomas R. Fox, 2014

June 16, 2014

Watergate is Not Just a Hotel – Corporate Suitors for Alstom

Today is the anniversary of an event that can truly be said to have changed the world; although certainly not in the manner intended by its planners, sponsors or participants. Today is the anniversary of the 1972 Watergate Break-In. How much of the world has changed because of this event? We certainly would not have had Jimmy Carter as the US President and most probably would not have had the Foreign Corrupt Practices Act (FCPA) passed into law during his administration. Would Ronald Reagan have become President four years earlier in 1976 rather than 1980? Who knows, but, if yes, would the Soviet Union have collapsed sooner under the weight of his military buildup? What about the fall of the Shah and the taking of the US hostages, think Reagan would have had a more ‘robust’ response than Carter? All tantalizing questions for those interested in the great What Ifs of history.

Over the weekend, I read that the long shuttered Watergate complex is scheduled to be torn down to make way for a more modern office edifice in its most desirable of Washington DC locations. This reminded me of one of my favorite Watergate era slogans “And Watergate was not just a hotel!” Indeed it was not just a building, rather an entire mindset of a presidency that went seriously off the rails.

Interestingly I found a parallel to this slogan when reading about the overtures by General Electric (GE), then Siemens and also Mitsubishi Heavy Industries to purchase some or all of the French company Alstom. These offers are in spite of Alstom’s very public current anti-corruption issues, in several countries. Mike Volkov, in a blog post entitled “Alstom: The Next Poster Child for Anti-Corruption Enforcement”, said “In our FCPA world, we have a new poster child for blundering – Alstom. The handwriting is on the wall – as time goes on, the Justice Department is building a bigger and bigger FCPA case against Alstom. One of my favorite Dylan lyrics applies with full force – “You don’t need a weatherman to know which way the wind blows.” Further, “Clearly we have a case where the client company just does not understand what is going on, nor does senior leadership have the ability or desire to respond and fix the problems. Instead, Alstom’s failure to act and respond reflects the lack of any ethical culture. That in a nutshell is probably 90 percent of the reason that a culture of bribery took over the company.” Pretty strong stuff.

Four senior executives have been charged for FCPA violations around one project. The FCPA Professor reported, “The conduct at issue concerned the Tarahan coal-fired steam power plant project in Indonesia.” All were charged around the same set of facts. They are alleged to have paid bribes to officials in Indonesia, including a member of Indonesian Parliament and high-ranking members of Perusahaan Listrik Negara (PLN), the state-owned and state-controlled electricity company, in exchange for those officials’ assistance in securing a contract for the company to provide power-related services for the citizens of Indonesia, known as the Tarahan project.” Two of the four Alstom executives have pled guilty to FCPA violations.

Over the weekend, the Financial Times (FT) reported, in an article by Caroline Binham, entitled “UK prosecutors press on with Alstom probe”, that the Serious Fraud Office (SFO) has been given permission by the UK attorney-general to prosecute both the company and former employees for allegations of overseas bribery. The SFO “has also notified seven individuals but is considering whether to prosecute them after they were interviewed with the assistance of French authorities, people familiar with the investigation told the Financial Times…Among those who received letters from the SFO are the company’s former senior vice-president of ethics and compliance, Jean-Daniel Lainé, and three Britons who formerly held senior management positions: Graham Hall, Robert Hallett and Nicholas Reynolds.” All of the individuals identified in the FT article do not appear to have been a part of the Indonesia power project, which appears to form the basis of the FCPA charges here in the US.

So why such high level suitors for a company of which Volkov has opined, “It is an important reminder of how bad a company’s culture can become and the consequences of embracing a culture of lawlessness versus a culture of ethics and integrity”? What about all that ‘Springing Liability’ for which both Siemens and GE might be liable if they are successful in purchasing some or all of Alstom, that the US Chamber of Commerce and others rail about? I think that the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) answered these questions in the FCPA Guidance when they stated, “companies that conduct effective FCPA due diligence on their acquisition targets are able to evaluate more accurately each target’s value and negotiate for the costs of the bribery to be borne by the target. In addition, such actions demonstrate to DOJ and SEC a company’s commitment to compliance and are taken into account when evaluating any potential enforcement action.” But pre-acquisition work is only one part of the equation, as the FCPA Guidance goes on to state, “FCPA due diligence, however, is normally only a portion of the compliance process for mergers and acquisitions. DOJ and SEC evaluate whether the acquiring company promptly incorporated the acquired company into all of its internal controls, including its compliance program. Companies should consider training new employees, reevaluating third parties under company standards, and, where appropriate, conducting audits on new business units.”

One thing that GE and Siemens have in common is world-class compliance programs. Siemens was the subject of the highest FCPA fine ever at $800MM back in 2008. Since that time, it has successfully concluded a robust monitorship under the terms of its Deferred Prosecution Agreement (DPA). Siemens compliance representatives regularly speak at compliance related events and discuss not only the company’s commitment to anti-corruption compliance but they also detail how compliance is done at Siemens. GE is well known for having its compliance folks regularly speak at conferences about the details of its compliance regime. In other words, both companies have very public robust compliance regimes in place and most probably follow, at a minimum, the parameters set out in the FCPA Guidance.

Just as “And Watergate is not just a hotel!”; Springing Liability is not a warranted fear under the FCPA. The FCPA Guidance makes clear the steps a company should engage in under the FCPA to avoid liability in a mergers and acquisitions (M&A) context. The steps are not only relatively straightforward; they are good business steps to take. If you do not know what you are looking to acquire, it is certainly hard to evaluate it properly and then to integrate it efficiently.

© Thomas R. Fox, 2014

April 24, 2014

Gifts, Travel and Entertainment under the FCPA – Part III

Now that we have reviewed all of the public record pronouncements from the Department of Justice (DOJ) and Securities and Exchange Commission (SEC), this post will try and suggest what you might need in your Foreign Corrupt Practices Act (FCPA) compliance policy and attendant procedures regarding gifts, travel and entertainment. Most generally, every company has three levels of written standards and controls around its compliance function. The first is its Code of Conduct, which every company should have to express its ethical principles. I assume your company has a Code of Conduct but if you are reading this blog post and you do not have a Code of Conduct, call me. The second is its standards and policies, which every company should use to build upon the foundation of the Code of Conduct and articulate Code-based policies, which should cover such issues as bribery, corruption and accounting practices. The third, and final component, is procedures, which every company should have to ensure that enabling procedures are implemented to confirm those policies are implemented, followed and enforced.

Rebecca Walker, writing in the Society for Corporate Compliance and Ethics Complete Compliance Manual [Second Edition], in an article entitled “Gifts and Entertainment Compliance”, said written policies around gifts, travel and entertainment typically contain the following elements:

  • An introduction explaining why gifts and entertainment are acceptable and why it is important to place limits on them;
  • A discussion of the types of gifts and entertainment that are acceptable (e.g., commonly accepted business courtesies);
  • A discussion of the types of gifts and entertainment that are unacceptable (e.g., cash);
  • Dollar limits and approval requirements;
  • More stringent rules applicable to employees in particular functions, as appropriate;
  • A mention or discussion of different rules applicable to government officials; and
  • References to other policies.

Mike Volkov, in a blog post entitled “Safe Harbors and Gifts, Meals, Travel, and Entertainment Expenses”, gave these general guidelines about gifts:

  1. Given openly and transparently;
  2. Properly recorded in the company’s books and records;
  3. Motivated to express esteem or gratitude (and not corrupt intent); and
  4. Permitted under local law.

About travel he had the following insights:

  1. Do not select the foreign officials to participate in the event, or use a systematic evaluation to identify appropriate officials to attend;
  2. Pay all costs directly to vendors and do not put “cash” in the pockets of any foreign officials attending an event (as an advance or for reimbursement);
  3. Ensure that stipends are reasonable estimates of expected costs and do not provide any additional compensation or money to foreign officials;
  4. Ensure that payments are transparent and accurately reflected in company books and records;
  5. Do not condition payments on any specific action by foreign official; and
  6. Obtain written confirmation payments do not violate local law.

Below are some of my thoughts about what should go into your gifts, travel and entertainment policy.

A.     Gifts

  • The gift should be provided as a token of esteem, courtesy or in return for hospitality.
  • The gift should be of nominal value but in no case greater than $500.
  • No gifts in cash.
  • The gift shall be permitted under both local law and the guidelines of the employer/governmental agency.
  • The gift should be a value which is customary for the country involved and appropriate for the occasion.
  • The gift should be for official use rather than personal use.
  • The gift should showcase the company’s products or contain the company logo.
  • The gift should be presented openly with complete transparency.
  • The expense for the gift should be correctly recorded on the company’s books and records.

B.     Entertainment

There are no Opinion Releases on the threshold that a Company can establish as a value for entertainment. I am comfortable that such a value can go up to $500 in an appropriate circumstance. However this must be tempered with clear guidelines incorporated into the business expenditure component of a FCPA compliance policy, which should include the following:

  • A reasonable balance must exist for bona fide business entertainment during an official business trip.
  • All business entertainment expenses must be reasonable.
  • The business entertainment expenses must be permitted under (1) local law and (2) customer guidelines.
  • The business entertainment expense must be commensurate with local custom and practice.
  • The business entertainment expense must avoid the appearance of impropriety.
  • The business entertainment expense must be supported by appropriate documentation and properly recorded on the company’s books and records.

C.     Travel

  • Any reimbursement for air fare will be for economy class. However, you may be able to make exceptions for senior government officials, extremely long haul flights, or where you are contractually mandated to pay for business class travel.
  • Do not select the particular officials who will travel. That decision will be made solely by the foreign government.
  • Only host the designated officials and not their spouses or family members.
  • Pay all costs directly to the service providers; in the event that an expense requires reimbursement, you may do so, up to a modest daily minimum (e.g., $35), upon presentation of a written receipt.
  • Any souvenirs you provide the visiting officials should reflect the business and/or logo and would be of nominal value, e.g., shirts or tote bags.
  • Apart from the expenses identified above, do not compensate the foreign government or the officials for their visit, do not fund, organize, or host any other entertainment, side trips, or leisure activities for the officials, or provide the officials with any stipend or spending money.
  • The training costs and expenses will be only those necessary and reasonable to educate the visiting officials about the operation of your company.

The incorporation of these concepts into a FCPA compliance policy is a good first step towards preventing potential FCPA violations from arising, but it must be emphasized that they are only a first step. They must be coupled with active training of all personnel, not only on the policy and procedures, but also on the corporate and individual consequences that may arise if the FCPA is violated regarding gifts, travel and entertainment. Lastly, it is imperative that all such gifts, travel and entertainment be properly recorded, as required by the books and records component of the FCPA.

I view one of the key reasons for the attendant procedures implementing the company policy around gifts, travel and entertainment as allowing oversight by a second set of eyes. Process validation requires oversight, and oversight of compliance with gifts and entertainment policies is important to ensuring consistency in policy enforcement. This helps to ensure that there is the perception of fairness in this area, particularly if there must be discipline administered. Nothing is worse for an organization than if, say, a salesman from the US is disciplined via a warning letter for cheating on his expense account whereas salesmen in Brazil are fired for the same offense.

Mike Volkov, in another blog post entitled “Creating a Framework for Reviewing Gifts, Meals, Travel and Entertainment Expenses”, said that he believes “There are three basic requirements for making the review process more efficient.” They include:

  1. Prospective standards – Companies need to adopt and enforce a prospective policy which carves out standards for the review and approval of such expenditures. The policy has to be clear on the standards and the procedures to be followed.
  2. Documentation – Companies have to document the process, maintain records, and audit the process. Without documentation, the policy is doomed to fail, and provides no protection when government prosecutors conduct an investigation.
  3. Advice of Counsel – Outside counsel should be used to review and approve any close calls. The run-of-the-mill situations can be handled by the policy. In close cases, outside counsel should review the matter, provide a short memo analyzing and approving the expenditure. The memo should be added to the file and available to auditors and the government if needed.

The final point from Walker, Volkov and myself is that whatever policy and procedures you set up and utilize, they should be designed for your company. The FCPA Guidance speaks to a well-thought-out and designed system for any compliance risk, and gifts, travel and entertainment is no different. Further, you must not only train but also monitor and audit your gifts, travel and entertainment. As this is one of the top areas in which employees generate monies from their employers, it is one of the top areas for fraud and hence corruption. And finally, Document, Document and Document.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

April 23, 2014

Gifts, Travel and Entertainment Under the FCPA – Part II

Ed. Note – I know yesterday I said this would be a two-part series but, as usual, I got carried away, so it has become a three-part series. Today I review the Opinion Releases and Enforcement Actions dealing with gifts, travel and entertainment.

A. Opinion Releases

  1. Gifts

In the early 1980s the Department of Justice (DOJ) issued three Opinion Releases related to gifts under the Foreign Corrupt Practices Act (FCPA). While these Opinion Releases are clearly dated, they do remain instructive. In Opinion Release 82-01, the DOJ approved the gift of cheese samples made to Mexican governmental officials, made by the Department of Agriculture of the State of Missouri to promote the state of Missouri’s agricultural products. However the value of the cheese to be presented was not included. In Opinion Release 81-02, the DOJ approved a gift from the Iowa Beef Packers, Inc. to officials of the Soviet Ministry of Foreign Trade of its packaged beef products. The total value of all the samples presented was estimated to be less than $2,000 and the Iowa Beef Packers, Inc. averred that the individual sample packages would not exceed $250 in value. In Opinion Release 81-01, Bechtel sought approval to use the SGV Group to solicit business on behalf of Bechtel and Bechtel had proposed to reimburse the SGV Group for gift expenses incurred in this business solicitation. The DOJ approved gifts to be given by SGV in the amount of $500.00.

  2. Travel and Lodging for Governmental Officials

Prior to the FCPA Guidance, the DOJ issued three Opinion Releases which offered guidance to companies considering whether, and if so how, to incur travel and lodging expenses for government officials. These facts provided strong guidance for any company that seeks to bring such governmental officials to the US for a legitimate business purpose. In Opinion Release 07-01, the Company desired to cover the domestic expenses for a trip to the US for a six-person delegation of the government of an Asian country for an educational and promotional tour of one of the requestor’s US operations sites. In the Release the representations made to the DOJ were as follows:

  • A legal opinion from an established US law firm, with offices in the foreign country, stating that the payment of expenses by the US Company for the travel of the foreign governmental representatives did not violate the laws of the country involved;
  • The US Company did not select the foreign governmental officials who would come to the US for the training program;
  • The delegates who came to the US did not have direct authority over the decisions relating to the US Company’s products or services;
  • The US Company would not pay the expenses of anyone other than the selected officials;
  • The officials would not receive any entertainment, other than room and board from the US Company;
  • All expenses incurred by the US Company would be accurately reflected in this Company’s books and records.

In Opinion Release 07-02 the Company desired to pay certain domestic expenses for a trip within the US by approximately six junior to mid-level officials of a foreign government for an educational program at the Requestor’s US headquarters prior to the delegates’ attendance at an annual six-week long internship program for foreign insurance regulators sponsored by the National Association of Insurance Commissioners (NAIC). In the Release the representations made to the DOJ were as follows:

  • The US Company would not pay the travel expenses or fees for participation in the NAIC program.
  • The US Company had no “non-routine” business in front of the foreign governmental agency.
  • The routine business it did have before the foreign governmental agency was guided by administrative rules with identified standards.
  • The US Company would not select the delegates for the training program.
  • The US Company would only host the delegates and not their families.
  • The US Company would pay all costs incurred directly to the US service providers and only a modest daily minimum to the foreign governmental officials based upon a properly presented receipt.
  • Any souvenirs presented would be of modest value, with the US Company’s logo.
  • There would be one four-hour sightseeing trip in the city where the US Company is located.
  • The total expenses of the trip are reasonable for such a trip and the training which would be provided at the home offices of the US Company.

Lastly, there is Opinion Release 12-02, in which the Requestors, 19 non-profit adoption agencies located in the US, asked the DOJ about bringing certain foreign governmental officials involved in the foreign country’s adoption process to the US. All the foreign governmental officials were involved in the process of allowing children from their country to go through the adoption process with the US non-profits involved. The trips to the US would be for two days of meetings. The purpose of the visit would be to demonstrate the Requestors’ work to the government officials so that the officials can see how adopted children from the foreign country had adjusted to life in the US and to help the Requestors learn how they can provide the foreign country’s government with appropriate information during the adoption process. The Requestors would allow the government officials to meet with the Requestors’ employees and to inspect the Requestors’ offices and case files from previous adoptions. The foreign country’s government officials would also meet with families who had adopted children from their country and learn more about the Requestors’ work.

The Requestors stated that they would pay for the following:

  • Business class airfare on international portions of flights for ministers, members of the legislature, and the director of the Orphanage Agency; coach airfare for international portions of flights for all other government officials; and coach airfare for domestic portions of flights for all government officials;
  • Two or three nights hotel stay at a business-class hotel;
  • Meals during the officials’ stays; and
  • Transportation between agencies and local transportation.

What can one glean from these three Opinion Releases? Based upon them, it would seem that a US company could bring foreign officials into the US for legitimate business purposes. A key component is that the guidelines are clearly articulated in a compliance policy. Based upon these Releases the following should be incorporated into a compliance policy regarding travel and lodging:

  • Any reimbursement for air fare will be for economy class, unless it is a long haul international flight, high ranking foreign officials or those entitled to travel business class by contract.
  • Do not select the particular officials who will travel. That decision will be made solely by the foreign government.
  • Only host the designated officials and not their spouses or family members.
  • Pay all costs directly to the service providers; in the event that an expense requires reimbursement, you may do so, up to a modest daily minimum (e.g., $35), upon presentation of a written receipt.
  • Any souvenirs you provide the visiting officials should reflect the business and/or logo and would be of nominal value, e.g., shirts or tote bags.
  • Apart from the expenses identified above, do not compensate the foreign government or the officials for their visit, do not fund, organize, or host any other entertainment, side trips, or leisure activities for the officials, or provide the officials with any stipend or spending money.
  • The training costs and expenses will be only those necessary and reasonable to educate the visiting officials about the operation of your company.

Incorporation of these concepts into a compliance program is a good first step towards preventing any FCPA violations from arising, but it must be emphasized that they are only a first step. These guidelines must be coupled with active training of all personnel, not only on the compliance policy, but also on the corporate and individual consequences that may arise if the FCPA is violated regarding gifts and entertainment. Lastly, it is imperative that all such gifts and entertainment are properly recorded, as required by the books and records component of the FCPA.

B. Enforcement Actions

Mike Volkov refers to the FCPA Paparazzi when he talks about those FCPA practitioners who confuse FCPA information with FCPA scare tactics and manipulate legal reasoning and practical advice with “marketing” using fear as opposed to reliable and accurate information. In a recent blog post, entitled “The So-Called Re-Emergence of Gifts, Meals and Entertainment as a Compliance Problem” Volkov bemoaned recent FCPA Paparazzi client alerts which said that the DOJ was now gunning after companies for FCPA transgressions in this area.

But one point Volkov raised for consideration by the compliance practitioner was the overall management of these risks. He asked the following questions: “Who is responsible for approving expenditures? What controls are in place for ensuring that money is used for proper purposes? How are these expenditures monitored? Who watches the person responsible for controlling the money and what controls are in place to monitor their behavior?” All good questions, and all questions that the compliance function should be able to answer going forward.

There were three enforcement actions in 2013 and one in 2014 where gifts, travel and entertainment were discussed. In only one of the four such enforcement actions, over a period of 15 months, were gifts, travel and entertainment the primary cause of the violation. That matter was the Diebold enforcement action. In all others, HP, Weatherford and Stryker, the gifts, travel and entertainment matters were all ancillary to the primary illegal conduct at issue. This is consistent with DOJ enforcement of the FCPA so, as Volkov rightly notes, the FCPA Paparazzi are howling at the moon once again.

Travel and Entertainment Enforcement Expense Box Score

| Company | Trip Locations | Trip Costs & Perks | Company Facilities Present |
|---|---|---|---|
| Lucent Technologies | DisneyWorld, Hawaii, Las Vegas, Grand Canyon, Niagara Falls, Universal Studios, NYC | $10 million in trips for 1000 Chinese governmental officials, including $34,000 for five days of sightseeing | None of the travel destinations |
| Ingersoll-Rand | Trip to Florence after trip to company facility in Vignate, Italy | $1000 ‘pocket money’ per attendee | Facilities in Vignate but not in Florence |
| Metcalf & Eddy | First trip – Boston, Washington, D.C., Chicago and Orlando. Second trip – Paris, Boston and San Diego. | First Class Travel and trip expenses for Egyptian governmental official and his family. Cash payments prior to trips of 150% of estimated daily expenses. | Wakefield Mass., not in Washington DC, Chicago, Paris or DisneyWorld |
| Titan Corporation | | Reference in company books and records of $20,000 for promotional travel expenses. Not clear if ever funded (Remember a promise to pay equals making a payment under the FCPA) | |
| UTStarcom | Hawaii, Las Vegas and NYC | Up to $7 million on gifts and all expense paid trips to US | No company offices present in any of the travel destinations |
| Diebold | Europe, with stays in: Paris, Amsterdam, Florence, Rome. In the US with visits to: Disneyland, Grand Canyon, Napa Valley, Las Vegas | $1.6MM to employees of Chinese state-owned banks; $175K to employees of Indonesian state-owned banks | No company offices present in any of the travel destinations |
| Weatherford | Trip to Germany for the World Cup; Honeymoon for Sonatrach official’s daughter; Trip to Saudi Arabia for religious holiday | Payment of $24,000 in cash advance for Algerian government officials visiting Houston | No legitimate business purpose for any of the business travel |
| Stryker | NYC and Aruba | $7000 for Polish gov official and wife | No company offices present in any of the travel destinations |
| HP | Las Vegas | $35,000 in travel expenses paid for Polish gov official | No company offices present in any of the travel destinations |

Tomorrow we will tie it all together for you.


© Thomas R. Fox, 2014

December 27, 2013

My Favorite Blog Posts from 2013

One of the best things about the Foreign Corrupt Practices Act (FCPA), UK Bribery Act and other anti-corruption practice areas is the top-notch quality of commentators. While Mike Volkov regularly derides the FCPA paparazzi for being scare mongers and the FCPA Professor chastises FCPA Inc. for attempts to paint FCPA enforcement in the worst possible light so as to draw clients to their collective resources, there is also a great set of bloggers, writers and pundits who put out solid, useful and well-reasoned pieces on FCPA and Bribery Act issues. In this blog post, I would like to highlight some of my favorite posts from some of my favorite commentators over the past year.

From the Dean

If you do not know who the Dean of FCPA bloggers is you have not been looking too long or too hard. It’s Dick Cassin, who is the Founder, Editor and Publisher of the FCPA Blog, which consistently reports on all things compliance around the globe. But for me, it is when Dick writes from the heart, he is able to articulate what many of us are feeling but cannot seem to put into words. My favorite post from Dick this year was his tribute to President Kennedy on the occasion of the 50th anniversary of the President’s assassination, entitled “And So The Legend of Camelot Was Born”. Dick ended his post with the following quote from Teddy White, “He advanced the cause of America at home and abroad. But he also posed for the first time the great question of the sixties and seventies: What kind of people are we Americans? What do we want to become?” The question still stands.

From the FCPA Professor

If you have never debated the FCPA Professor, live or via email, you should. But be prepared to bring your A-Game and your authority. He posts daily and has become a great resource for guest posts over the years which challenge the status quo on a variety of legal and compliance issues. Each morning I cannot wait to see what the Professor has to say that day. However, what I have really come to appreciate is his Friday Round-Ups. Each Friday, the Professor gives us a round-up of recent FCPA and related news, articles and developments not otherwise covered by him in his Monday – Thursday posts. I should also say he saves some of his best witticism for these posts. My favorite post from the Professor this year was the milestone of his 100th Friday Round Up, appropriately entitled “The 100th Edition of the Friday Round-Up”. Tune in each Friday for another edition of this great resource.

From Jim McGrath

I continually bemoan to Jim McGrath that he needs to post blogs more often than his twice or thrice weekly output. The reason being they are so good and I want to see more of his stuff. As you might guess from the title of his blog, Internal Investigations Blog, he tends to focus on investigations; some criminal, some civil, some internal and some external. McGrath is an ex-prosecutor and tends to view things through that prism and give us a different perspective of law enforcement. He writes about investigations inside and outside the realm of anti-corruption but his insights are certainly applicable to any FCPA or Bribery Act investigation.

My favorite post from McGrath this year was his piece on 7-Eleven, entitled “Human Trafficking Concerns for 7-Eleven in Wake of Payroll Scam”. In this article he detailed the federal investigation into allegations that 7-Eleven franchisees in New York and Virginia had engaged in human trafficking and possible involvement by the franchisor through its payroll system. His piece was a cautionary tale for the compliance practitioner about the need for internal controls, internal monitoring and internal investigations. McGrath ended his post with the following, “Further, its future due diligence efforts as regards suppliers and franchisees should include a review for human rights abuses such as those suggested here. Otherwise, it will have to sell a helluva lot of Slurpees to pay the fines, costs, and disgorgements that a failure to do so will no doubt entail.” In other words, trust but verify.

From Mike Volkov

Mike Volkov has worked at the Department of Justice (DOJ), on Capitol Hill and for Big Law. He has now founded his own firm, the Volkov Law Group, and writes the Corruption, Crime & Compliance blog. Mike primarily writes about anti-corruption but he also writes about health care fraud, anti-trust compliance and enforcement and many other topics. While I cannot determine if he set out to have a theme this year, Volkov has written many articles this year which focus on the role and position of the Chief Compliance Officer (CCO), the need for independence and resources required for the position.

My favorite post from Volkov was entitled “The Only Thing [In-House Counsel and CCOs] Have to Fear, Is Fear Itself”. His title is a play-off of what I believe to be the most inspiring FDR speech so that alone is worth the price of admission. He also tells one of the great stories about his days from Big Law. Volkov related that he wrote his views on the UK Bribery Act and the length of time it would take for any meaningful enforcement to take place, “I received a call from the firm’s London partners and was chastised for undermining their entire “marketing” program. (In stark contrast, many clients wrote me and thanked me for my “honesty.)” As my 16 year old daughter might say, ‘Sometimes you just have to keep it real’.

From Across the Pond

If you do not subscribe to thebriberyact.com, you are missing out on the best site for all things UK Bribery. thebriberyact.com guys, Barry Vitou and Richard Kovalevsky QC, consistently give their readers both practical insight and in-depth analysis. Their interviews of the relevant players allow all compliance practitioners to develop insight into what the top UK regulatory officials are thinking about on the Bribery Act. They also write from the very British perspective of understatement and skewering satire, which is more than a ton of fun for us Americans to read.

My favorite post which illustrated all of the above traits was from March and is entitled “Parliament report calls for Bribery Act review: Our opinion – Junk in. Junk Out.” In this post, they took on the call for the urgent scrutiny of the UK Bribery Act by a parliamentary select committee claiming that the Act has met with “confusion and uncertainty.” To this rather inane claim, the guys responded “We cannot think of a piece of legislation which has sparked much more commentary, advisory, much of it on line and completely free, including our own eponymous website.” But my favorite line was their dénouement to the British MP who brought up the need for clarification of the UK Bribery Act, “And, Tony from Alderly PLC, if you’re reading feel free to give us a call.  We can help you.”

My Favorite from 2013 (Think Big)

My favorite blog post of the year was actually posted on December 28, 2012 by Matt Ellis, Founder and Editor of the FCPAméricas blog, which was entitled “Wal-Mart, Go Big on FCPA Compliance”. The reason that it is my favorite of 2013 is because it is the one post that I have thought the most about, talked the most about, read the most about and it even inspired me to write on the issue myself. In his post Ellis challenged Wal-Mart to “go big” on compliance in the wake of its world-wide FCPA investigation and policy implementation. He wrote, “Wal-Mart should instead use the FCPA investigation, and the attention it has generated, as an opportunity. It is an opportunity to go big on compliance.” Ellis went on to detail some specific suggestions that Wal-Mart could implement to help the fight against bribery and corruption that, due to its size and market share, would be in a unique opportunity to put in place.

Within the anti-corruption compliance community there was a noted buzz about Ellis’ piece and his suggestions. I was inspired to write a blog post, entitled “Wal-Mart-Be a Leader in Compliance”, due to the ideas articulated by Ellis. Seemingly inspired by Ellis’ example, Michael Scher, writing in the FCPA Blog, in a piece entitled “Michael Scher talks to the feds”, used the Wal-Mart investigation as a jumping off point to ask the DOJ to resolve several open issues on compliance as he saw them. In other words, Ellis’ piece (hopefully) got not only Wal-Mart thinking but several others of us as well. That is why it is my favorite blog post of 2013.


© Thomas R. Fox, 2013

December 13, 2013

More Compliance Lessons from the Asiana/SFO Crash Investigation

I have long been interested in the intersection in the changes in attitude regarding safety in the workplace by corporations and the changing attitudes on doing business through bribery and corruption. As a trial lawyer defending corporations in catastrophic accident lawsuits, I saw a sea change in the corporate attitude regarding safety, beginning in the 1980s through the 1990s. Many of the arguments used against safety during that era are used now. Some of my favorites are: (the financial excuse) it costs too much and doesn’t contribute to the bottom line; (the traditional excuse) we’ve always done it that way; and (my personal favorite) you can’t stop humans from screwing up and trying to injure themselves. But the reality is that safety at the work place did improve and now most companies not only say that safety is job No. 1 but they live and breathe that motto. Does this sea change mean that serious accidents do not happen at the workplace? Of course not, but it does not mean that companies have or even should give up the quest for zero accidents at work.

Part of the ongoing debate about compliance is whether the Department of Justice (DOJ) approach of corporate enforcement actions and the use of Deferred Prosecution Agreements (DPAs) and Non-Prosecution Agreements (NPAs) help or hurt compliance with the Foreign Corrupt Practices Act (FCPA). Some commentators remark that the simple fact that there are enforcement actions is indicia itself that the DOJ approach is not working. Mike Volkov took on this topic in his post, entitled “The Sky is the Limit: Escalating Fines, DPA/NPAs and Deterrence”, by asking if “it is important to ask the question whether the current enforcement scheme adequately punishes and deters corporations”? In his discussion he points to some who want more prosecution of individuals as a greater deterrent and others, notably the FCPA Professor, who want greater corporate protections against prosecution through the addition of a compliance defense as a mechanism to give corporations more incentive to do business in compliance with the law. Volkov ends by observing the DOJ’s current enforcement focus “will not change unless and until there is a good reason to do so – so far no one has pointed to any significant reason for the Department of Justice to change its practices.”

I thought about all of the above in the context of the hearings in Washington in front of the National Transportation Safety Board (NTSB) surrounding the crash of the Asiana jet at San Francisco’s airport last summer. Earlier this week I wrote about one of the lessons from the hearings which was the need for enhanced training by Asiana pilots on not only the specific planes they pilot but also training that they can speak up when they see something that they believe is not right.

This need for training was made even more acute by the testimony given by the Captain on board the flight in question, as reported in a New York Times (NYT) article entitled “Pilots in Crash Were Confused About Control Systems, Experts Say”. Captain Lee said that he told investigators that any of the three pilots on the plane could have decided to break off the approach, but he said it was “very hard” for him to do so because he was a “low-level” person being supervised by an instructor pilot. But more than even the failure to raise his hand and speak up, Lee did not heed the warning of a junior officer. As reported in an article by the Associated Press, entitled “Pilot who crashed at SFO was worried about landing”, after the accident, Lee told NTSB investigators that neither he nor the instructor pilot onboard the flight said anything when the first officer raised concerns four times about the plane’s rapid descent. Further, he was very concerned about his ability to make a visual landing. So not only was Lee afraid to speak the truth to a superior, he didn’t listen when questioned by a junior. In the world of workplace or airline safety, this is a recipe for disaster.

I think the key to overcoming these problems is training, which has long been recognized as a cornerstone of any best practices ethics and compliance program. I thought it might be an appropriate time to review the training statements made regarding the FCPA. The US Sentencing Guidelines list “Conducting effective training programs” as one of the factors the DOJ will take into account when a company accused of a FCPA violation is being evaluated for a sentence reduction. The Sentencing Guidelines mandate:

(4) (A) The organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to the individuals referred to in subdivision (B) by conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities. 

After the promulgation of the Sentencing Guidelines, the DOJ and Securities and Exchange Commission (SEC) gave their views on training in the 2012 FCPA Guidance. Their Ten Hallmarks of an Effective Compliance Program listed Training and Communication as one of the key elements. In this section they said that anti-corruption and anti-bribery compliance policies cannot work unless effectively communicated throughout a company. They advised that “a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners.” But more than a simple dyadic promulgation of a rule, a company should tailor its training to its needs and its risks. This means that any “information should be presented in a manner appropriate for the targeted audience, including providing training and training materials in the local language.”

In addition to the FCPA Guidance, the UK Ministry of Justice (MOJ) has stated that training is one of the Six Principles of an effective compliance program. Under Principle V, it states that “The business seeks to ensure that its bribery prevention policies and procedures are embedded and understood throughout the company through internal and external communication, including training, that is proportionate to the risks it faces.” The Guidance recognizes that communication and training deters bribery by companies, their employees and those persons associated with it, by enhancing awareness and understanding anti-corruption policies and procedures and the company’s commitment to their proper application. It therefore follows that making information available on legal requirements, obligations and policies and procedures for implementation of the same assists in more effective monitoring, evaluation and review of bribery prevention procedures. Anti-bribery training should provide, to company employees and those persons and entities associated with the company, the knowledge and skills needed to implement and utilize the anti-bribery procedures and handle in a satisfactory manner any bribery related problems or issues that may arise.

Fortunately, violations of the FCPA rarely result in loss of life or limb. But that does not diminish the responsibility of companies to comply with the law. And just as corporate attitudes around safety changed dramatically, corporate attitudes about following the FCPA can change as well. Indeed they could even take the basic approach suggested by (the then) DOJ representative Greg Andres in testimony about attempts to amend the FCPA before the House Judiciary Committee: don’t pay bribes.


© Thomas R. Fox, 2013
