Is Strict Liability Coming to FCPA Enforcement?

I think that a strict liability standard is coming to Foreign Corrupt Practices Act (FCPA) enforcement. A number of factors have caused me to come to this conclusion. While there may well be wide disagreement as to whether such a standard is warranted under the FCPA, I think it is coming and it is something every Chief Compliance Officer (CCO) and compliance practitioner needs to be ready to address if and when the day comes that your company is under the shadow of a FCPA investigation.

I do not think this strict liability standard is coming for criminal enforcement of the FCPA by the Department of Justice (DOJ) because there is still a requirement of intent under the Act. Intent can be inferred by conscious indifference but I still do not think that day of reckoning is near for DOJ enforcement. However I do think that a confluence of events, FCPA enforcement actions by the Securities and Exchange Commission (SEC) and statements by the SEC representatives, all point towards a new enforcement angle to the FCPA. I think that the SEC is moving towards a strict liability standard for internal controls under the FCPA. That means if your compliance internal control regime is investigated, you will have to demonstrate that it meets some minimum standard that satisfies the SEC. If not, there will be a SEC administrative complaint filed against your company, alleging failure to maintain appropriate internal controls as required by the FCPA and your company will bear the burden of proof to demonstrate that you have designed and implemented an effective system of compliance internal controls.

The FCPA says that internal controls requires issuers to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that—

(i) transactions are executed in accordance with man­agement’s general or specific authorization;

(ii) transactions are recorded as necessary (I) to per­mit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (II) to maintain accountability for assets;

(iii) access to assets is permitted only in accordance with management’s general or specific authorization; and

(iv) the recorded accountability for assets is com­pared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences. 

As further explained in the FCPA Guidance, “the Act defines “reasonable assurances” as “such level of detail and degree of assurance as would satisfy prudent officials in the conduct of their own affairs.” The Act does not specify a particular set of controls that companies are required to implement. Rather, the internal controls provision gives companies the flexibility to develop and maintain a system of controls that is appropriate to their particular needs and circumstances.””

My evolution of thinking on this issue began last fall with the Smith & Wesson (S&W) FCPA enforcement action. There was nothing in the reported settlement documents that tied the failure of S&W internal controls to the payment (or offer to pay) of a bribe or the obtaining of any benefit. The claims made against S&W were basically along the lines of this language laid out in the Order Instituting Cease-and-Desist Proceedings, “Despite making it a high priority to grow sales in new and high risk markets overseas, the company failed to design and implement a system of internal controls or an appropriate FCPA compliance program reasonably designed to address the increased risks of its new business model.” It should be noted that S&W did not ‘admit or deny’ any of the allegations made against it, the company simply consented to the entry of the Order.

In its Administrative Order, the SEC stated, “Smith & Wesson failed to devise and maintain sufficient internal controls with respect to its international sales operations. While the company had a basic corporate policy prohibiting the payment of bribes, it failed to implement a reasonable system of controls to effectuate that policy.” Additionally, the company did not “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are executed in accordance with management’s general or specific authorization; transactions are recorded as necessary to maintain accountability for assets, and that access to assets is permitted only in accordance with management’s general or specific authorization.”

All of this was laid out in the face of no evidence of the payment of bribes by S&W to obtain or retain business. This means it was as close to strict liability as it can be without using those words. Kara Brockmeyer, chief of the SEC Enforcement Division’s FCPA Unit, was quoted in a SEC Press Release on the matter that ““This is a wake-up call for small and medium-size businesses that want to enter into high-risk markets and expand their international sales.” When a company makes the strategic decision to sell its products overseas, it must ensure that the right internal controls are in place and operating.””

The second factor that informs my thinking on this issue is the updated COSO 2013 Framework that became effective in December 2014. Larry Rittenberg, in his book COSO Internal Control-Integrated Framework, said that the original COSO framework from 1992 has stood the test of time “because it was built as conceptual framework that could accommodate changes in (a) the environment, (b) globalization, (c) organizational relationship and dependencies, and (d) information processing and analysis.” Moreover, the updated 2013 Framework was based upon four general principles which include the following: (1) the updated Framework should be conceptual which allows for updating as internal controls (and compliance programs) evolve; (2) internal controls are a process which is designed to help businesses achieve their business goals; (3) internal controls applies to more than simply accounting controls, it applies to compliance controls and operational controls; and (4) while it all starts with Tone at the Top, compliance is the responsibility for the implementation of effective internal controls resides with everyone in the organization.”

For the compliance practitioner, this final statement is of significant importance because it directly speaks to the need for the compliance practitioner to be involved in the design and implementation of internal controls for compliance and not to simply rely upon a company’s accounting, finance or internal audit function to do so.

The updated Framework also gives a precise model for the SEC to use to inquire from companies about their compliance internal controls. How many companies could not only present evidence of implementation of compliance internal controls along the lines of the updated Framework but also evidence of their effectiveness? Unfortunately the answer is not many.

There is one other factor that informs my evolution of thinking regarding a strict liability standard under the FCPA. Under Sarbanes-Oxley (SOX), Section 404, public companies are required to report on the adequacy of the company’s internal control on financial reporting. The report must affirm the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting. The report must also contain an assessment, as of the end of the most recent fiscal year of the Company, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting. External auditors must also assess and make such a report. To do so, most companies, and their external auditors were using the prior COSO Framework.

Now imagine a situation where your external auditors have made their report and your company has made such report public, under its SOX 404 reporting obligation. What if the SEC took that report, reviewed it and made an initial assessment that your compliance internal controls around bribery and corruption were not sufficient, as required under the FCPA? What if the SEC sent you a letter asking for evidence of development and implementation of compliance internal controls, also asking for your audited evidence of effectiveness? What if you respond in due course and you receive another letter from SEC, which opines that your compliance internal controls are insufficient under the FCPA giving your proposed fine. You protest that there is no evidence of bribery or corruption regarding this insufficiency of your compliance internal controls. What if your company is then invited to contest this issue through the SEC Administrative process?

Does that sound far-fetched? Maybe it is but, from where I sit, that is the direction I see the issue of internal controls going in FCPA enforcement. I think a strict liability regime is coming under SEC enforcement of the FCPA. As a CCO or compliance practitioner in a public company, you need to be ready to defend your compliance internal controls.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

Board of Directors and FCPA Oversight – An Internal Control Under SOX, Part I

Today we begin by honoring the political process and a politician extraordinaire for on this day in 1836, Sam Houston was elected as the first President of the Republic of Texas. One of the most interesting characters from the early-to-mid-19^th century, Houston was born in Virginia in 1793, moved with his family to rural Tennessee as a teenager and later ran away and lived for several years with the Cherokee tribe. Houston served in the War of 1812. He practiced law in Nashville and from 1823 to 1827 served as a US congressman before being elected governor of Tennessee in 1827. He was extensively interviewed for Alex De Tocqueville’s seminal work Democracy in America.

A failed marriage led Houston to resign from office and live again with the Cherokee who officially adopted him. In 1832, President Andrew Jackson sent him to Texas to negotiate treaties with local Native Americans for protection of border traders. Houston arrived in Texas during a time of rising tensions between US settlers and Mexican authorities and soon emerged as a leader among the settlers. In 1835, Texans formed a provisional government, which issued a declaration of independence from Mexico the following year. Houston was appointed military commander of the Texas army.

Houston served as the Republic of Texas President until 1838, then again from 1841 to 1844. Houston helped Texas win admission to the United States in 1845 and was elected as one of the state’s first two senators. He served three terms in the Senate and ran successfully for Texas’ governorship in 1859. As the Civil War loomed, Houston argued unsuccessfully against secession, and was deposed from office in March 1861 after refusing to swear allegiance to the Confederacy. He died of pneumonia in 1863.

This political process angle informs your anti-corruption compliance program through the passage of Sarbanes-Oxley (SOX). Yesterday, I was at a presentation, where James Doty, Commissioner of the Public Company Accounting Oversight Board (PCAOB) spoke. One of the questions was put to him was regarding the function of a Board of Directors under SOX, which I thought had some significant implications for Foreign Corrupt Practices Act (FCPA) compliance. He was asked if the Board or its sub-committee which handles audits was a part of a company’s internal financial controls. He answered that yes, he believed that was one of the roles of an Audit Committee or full Board. I had never thought of the Board as an internal control but the more I thought about it, the more I realized it was an important insight for any Chief Compliance Officer (CCO) or compliance practitioner.

In the FCPA Guidance, in the Ten Hallmarks of an Effective Compliance Program, there are two specific references to the obligations of a Board. The first in Hallmark No. 1 , which states, “Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.” The second is found under Hallmark No. 3, entitled “Oversight, Autonomy and Resources”, where it discusses that the CCO should have “direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors (e.g., the audit committee).” Further, under the US Sentencing Guidelines, the Board must exercise reasonable oversight on the effectiveness of a company’s compliance program. The Department of Justice’s (DOJ) Prosecution Standards posed the following queries: (1) Do the Directors exercise independent review of a company’s compliance program? and (2) Are Directors provided information sufficient to enable the exercise of independent judgment? Doty’s remarks drove home to me the absolute requirement for Board participation in any best practices or even effective anti-corruption compliance program.

Board liability for its failure to perform its assigned function in any compliance program is well known. David Stuart, an attorney with Cravath, Swaine & Moore LLP, noted that FCPA compliance issues can lead to personal liability for directors, as both the Securities and Exchange Commission (SEC) and DOJ have been “very vocal about their interest in identifying the highest-level individuals within the organization who are responsible for the tone, culture, or weak internal controls that may contribute to, or at least fail to prevent, bribery and corruption”. He added that based upon the SEC’s enforcement action against two senior executives at Nature’s Sunshine Products, “Under certain circumstances, I could see the SEC invoking the same provisions against audit committee members—for instance, for failing to oversee implementation of a compliance program to mitigate risk of bribery”. It would not be too far a next step for the SEC to invoke the same provisions against audit committee members who do not actively exercise oversight of an ongoing compliance program.

Further, the SEC has made clear that it believes a Board should take a more active role in overseeing the management of risk within a company. The SEC has promulgated Regulation SK 407 under which each company must make a disclosure regarding the Board’s role in risk oversight which “may enable investors to better evaluate whether the board is exercising appropriate oversight of risk.” If this disclosure is not made, it could be a securities law violation and subject the company, which fails to make it, to fines, penalties or profit disgorgement.

I believe that a Board must not only have a corporate compliance program in place but actively oversee that function. Further, if a company’s business plan includes a high-risk proposition, there should be additional oversight. In other words, there is an affirmative duty to ask the tough questions. But it is more than simply having a compliance program in place. The Board must exercise appropriate oversight of the compliance program and indeed the compliance function. The Board needs to ask the hard questions and be fully informed of the company’s overall compliance strategy going forward.

Lawyers often speak to and advise Boards on their legal obligations and duties. However the insight I received from the Q&A with James Doty drove home a different, yet very valuable point to me. If a Board’s oversight is part of effective financial controls, then the failure to do so may result in something far worse than bad governance. It may directly lead to a FCPA violation and could even form the basis of an independent FCPA violation.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

IP Rights under the FCPA

For many US companies conducting business internationally, Intellectual Property (IP) is a key business component. Not only is the development of new IP critical to many businesses, for continued growth strategies, but IP protection is now a central business interest. This significance was recognized as far back as 2002 by the US Congress in the passage of the Sarbanes-Oxley Act (SOX), which required, among other things, that companies must incorporate systematic programs for protecting and monitoring IP assets as a part of an overall SOX compliance program.

IP in relation to anti-bribery and anti-corruption programs under the Foreign Corrupt Practices Act (FCPA) were recently explored in an article by authors Doug Sawyer and T. Markus Funk, in an article entitled “The IP Practitioner’s ‘Cheat Sheet’ to the FCPA and Travel Act: Introducing the IP FCPA Decision Tree” published in the BNA Bloomberg Patent, Trademark & Copyright Journal (January 27, 2012). The thesis, as presented by the authors, is that with so many companies going global, IP is routinely and simultaneously “owned and litigated in multiple jurisdictions.” As such it poses significant risk for anti-bribery and anti-corruption program scrutiny as “the tactics used to register, challenge or enforce those IP rights in foreign jurisdictions must be carefully viewed” under the FCPA.

IP Anti-Corruption Red Flags

IP rights by their nature are created by a government. Within this context, the authors note that there are several IP Red Flags which should be noted and followed up on if they appear. IP Red Flags include some of the following: a patent being allowed unusually quickly; an opposition to a trademark being granted before the entire process has been completed; and a foreign customs official robustly enforcing company A’s anti-counterfeiting agenda, while ignoring company B’s agenda. Compounding these Red Flags is the knowledge of the company, whether it is a US public or a private equity owner. Under the FCPA, both the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) interpret a principal’s ‘‘knowledge’’ constructively to include circumstances where the company fails to exercise due diligence by, for example, following up on Red Flags. More ominously, the UK Serious Fraud Office (SFO), in its Press Release announcing the Mabey and Johnson enforcement resolution under the Proceeds of Crime Act, said the following:

The second, broader point is that shareholders and investors in companies are obliged to satisfy themselves with the business practices of the companies they invest in. This is very important and we cannot emphasise it enough. It is particularly so for institutional investors who have the knowledge and expertise to do it. The SFO intends to use the civil recovery process to pursue investors who have benefitted from illegal activity. Where issues arise, we will be much less sympathetic to institutional investors whose due diligence has clearly been lax in this respect.”

Anti-corruption Pitfalls in the IP Context

The authors detail some of the specific pitfalls a company may face in registering or in otherwise protecting their IP rights in the international context. While noting that the FCPA prohibits payments of ‘anything of value’ such as “gifts, cash, unreasonably high commissions,” paid directly a company or through foreign business partners, “to foreign officials in order to ensure IP registration, or to oppose registration or enforcement of other companies’ IP.”; the authors caution that often times IP investments which are made abroad “frequently go through foreign transaction partners who ‘know the local system’.” Compounding this problem is the fact that many foreign countries “require the retention of one or more foreign associates, facilitators, and intermediaries to effectively register and enforce a robust IP program.” Lastly, the authors write that even when “accommodating seemingly simple requests from a customs official to pay for costs, such as transportation required in sending officers on an anti-counterfeiting operation, requires a determination of whether the payment is a legal facilitating payment under the FCPA.” Of course facilitation payments are not legal under the Bribery Act so the issue is even more problematic.

Prevention

The authors correctly note that having an anti-bribery and anti-corruption program which meets both the DOJ’s 13 point minimum best practices is critical. The pitfalls listed out above, which certainly point towards training of your own employees on what is and is not permissible, is key for protection. Under the FCPA, the question of who is a foreign governmental official can be vexing. However, in the IP context, such an analysis should be straightforward as such rights are only granted by a government, any dealing around IP rights creation and enforcement should be assumed to involve a foreign governmental official. Clearly the FCPA requires training on what actions are not permissible.

In addition to a thorough vetting, contracting with and management of any foreign business partners your company might utilize in the IP context, companies “must be ever vigilant when hiring third parties or local counsel to help to register, or oppose the registration of, their IP.” Likewise, IP owners should be equally aware that any actions in relation to government officials or third parties to aid the granting process, or ‘‘motivating police and prosecutors, must do so in a manner that does not violate the FCPA” or local laws.

As companies move towards IP as much of the basis of their business values, increasing pressure will build for registration and protection of these rights. Anti-corruption laws such as the FCPA make clear that there can be no corruption when obtaining or enforcing these rights. Your company would do well to perform an anti-corruption risk assessment on your IP program to ensure it is not caught with any of the problems detailed by the authors.

Decision Tree

I would also commend you to this article for another reason. They have included a most excellent, decision making tree which you can use in analyzing anti-corruption issues in the IP context. I could not cut and paste it into this article and post on the WordPress.com site so you will have to download the article to review and use it. However I would suggest that you take the time to do so as it presents a visual manner to think through and analyze the issues raised in their article.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

From Whistleblower to RICO Claimant

The holiday season is past and many of us have returned to work. However, if you are a Chief Compliance Officer (CCO) there is a gift that you may wish to give yourself, it is “The Whistleblower’s Handbook – A Step-by-Step Guide to Doing What’s Right and Protecting Yourself” authored by Stephen Martin Kohn, Executive Director of the National Whistleblowers Center. I do not suggest that CCO’s purchase this volume for their own protection, although the former Chief Executive Officer (CEO) of Olympus might have been able to use it before he was fired by the Olympus Board last October. No, I suggest that CCOs purchase this because many others in your company may well do so and it is the best single volume collection of all laws, rights and obligations related to whistle-blowing that I have come across.

I thought about Kohn’s book when I came across a couple of whistleblower related items last month. The first one was an article in the December 28, 2011 edition of the Wall Street Journal (WSJ), entitled “Internal BNY Mellon Documents Show Panic” by Jean Eaglesham and Michael Siconolfi. In the article they report on some of the emails and other documentary evidence that whistleblower Grant Wilson was able to obtain during the two year period that he was operating “as a government informant” while employed by Bank of New York Mellon (BNY). The WSJ obtained this evidence through an open-records request. Wilson was part of a group which brought a series of whistleblower lawsuits against BNY, which have led to several states, and the Manhattan US attorney, filing civil suits against BNY. Eaglesham and Siconolfi also reported that “the bank’s [BNY] foreign-exchange traders grew concerned about a leaker” and in an earlier WSJ article, entitled “Secret Informant Surfaces in BNY Currency Probe”, reporter Carrick Mollenkamp stated “BNY Mellon sought to discover the insider’s identity and to fight the lawsuits.”

I quote that final line because of a December 15, 2011 Court of Appeals decision from the Seventh Circuit Court of Appeals, styled “DeGuelle v. Camilli et al”, which is a whistleblower retaliation claim. As reported by Richard Renner, in an article entitled “Major Victory for Whistleblowers in Seventh Circuit Says Retaliation is a RICO Violation”, in the Whistleblowers Protection Blog, the Court of Appeals found valid a claim for damages under the Racketeer Influenced and Corrupt Organizations Act (RICO) for the retaliation against a whistleblower who provides information about corporate fraud to law enforcement officers under Sarbanes-Oxley Act (SOX).  SOX itself makes it a felony to retaliate against whistleblowers who bring forward such information.

The SOX provision in question states that Congress made it a crime to:

“knowingly, with intent to retaliate, take[] any action harmful to any person, including interference with the lawful employment or livelihood of any person, for providing to a law enforcement officer any truthful information relating to the commission or possible commission of any Federal offense[.]” 18 U.S.C. 1513(e).

The novelty and significance of the Seventh Circuit decision is that it held “When an employer retaliates against an employee, there is always an underlying motivation. In this case, for example, the motivation was to retaliate against DeGuelle for disclosing the tax scheme. Retaliatory acts are inherently connected to the underlying wrongdoing exposed by the whistleblower.”

This means that any company which terminates or in any other way retaliates against a whistleblower may have engaged in a violation of RICO, which itself is a criminal statute. This becomes relevant to Foreign Corrupt Practices Act (FCPA) whistleblowers through the Dodd-Frank Whistleblowers provision. In excerpts from the final Securities and Exchanges Commission (SEC) comments, they stated “Employees who report internally in this manner will have anti-retaliation employment protection to the extent provided for by Section 21F(h)(1)(A)(iii) of the Exchange Act, which incorporates the broad anti-retaliation protections of Sarbanes-Oxley Section 806, see 18 U.S.C. 1514A(b)(2).” In other words, if a person reports internally to a company or externally to the SEC of a FCPA violation and there is retaliation against that person, a RICO claim may arise.

Ladies and Gentlemen, this is scary stuff so your company had better be ready and have a robust investigative protocol in place when an internal report is made. And train, train, train and really, really, really mean it when your company says that it will not retaliate against an employee for making an allegation of a FCPA violation.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012