FCPA Compliance and Ethics Blog

March 31, 2014

Life Cycle of Third Party Management – Step 1 Business Justification

Five stepsWith thanks to the Two Tough Cookies, I am back from a successful Spring Break college tour to universities in the state of Washington. My daughter and I had a great time, experienced some typical and untypical Seattle weather and met some very interesting folks on our trip. But I would have to say that one of my greatest joys as a father has been watching my daughter grow into a young woman as she navigated the college tour process with much aplomb.

This week I am going to present a series on my views of the life cycle of third party management under an anti-corruption (or anti-money laundering (AML) program for that matter) under the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act. I have broken down the life cycle of third party management into five steps:

  1. Business Justification and Business Sponsor;
  2. Questionnaire to Third Party;
  3. Due Diligence on Third Party;
  4. Compliance Terms and Conditions, including payment terms; and
  5. Management and Oversight of Third Parties After Contract Signing.

Today I will begin with the business justification.

It really seems to me that it should be common sense that you should have a business justification to hire or use a third party. If that third party is in the sales chain of your international business it is important to understand why you need to have a particular third party represent your company. This concept is enshrined in the FCPA Guidance, which says, “companies should have an understanding of the business rationale for including the third party in the transaction. Among other things, the company should understand the role of and need for the third party and ensure that the contract terms specifically describe the ser­vices to be performed.”

The Internal Revenue Service (IRS) also considers a business justification to be an important part of any best practices anti-corruption compliance regime. Clarissa Balmaseda, a special agent in charge of IRS criminal investigation, speaking at the 2013 ACI Bootcamp in Houston, said that the lack of business justification could be a Red Flag, which could signify a possible indicia of corruption. With the Department of Justice (DOJ); Securities and Exchange Commission (SEC) and IRS all noting the importance of a business justification, it is clear that this is something you should incorporate into your compliance program.

But the business justification also provides your company the opportunity to help drive compliance into the fabric of your everyday operations. This is done by requiring the employee who prepares the business justification to be the Business Sponsor of that third party. The Business Sponsor can provide the most direct means of communication to the third party and can be the point of contact for compliance issues.

Tyco International takes this approach in its Seven Step Process for Third Party Qualification. Tyco breaks the first step into two parts, which include:

  1. Business Sponsor – Initially identify a business sponsor or primary contact for the third party within your company. This requires not only business unit buy-in but also business unit accountability for the business relationship or as Scott Moritz, a partner at Navigant and one of the architects of the Tyco Process, said “This puts the onus on each stakeholder.”
  2. Business Justification – The business unit must articulate a commercial reason to initiate or continue to work with the third party. You need to determine how this third party will fit into your company’s value chain and whether they will become a strategic partner or will they be involved in a one-off only transaction?

Further, at the same conference as IRS Agent Balmaseda spoke, another Chief Compliance Officer (CCO) of a major energy service company detailed his thoughts on his company’s 12 point evaluation process for reviewing, assessing, then contracting with and managing foreign business partners. Under Step 2, which he entitled, “Competence of foreign business partner”;he detailed a two-part analysis for his company. “It includes a review of the qualifications of the candidate for subject matter expertise and the resources to perform the services for which they are being considered. However, it also in includes an identification of the representative’s expected activities for your company.”  He also added, that under one of his company’s steps, which he monikered “Business justification for use of agent and reasonableness of compensation”, “you should begin the entire process by requiring the relevant business unit which desires to obtain the services of any foreign business partner to provide you with a business justification including current opportunities in territory, how the candidate was identified and why no currently existing foreign business relationships can provide the requested services. Your next inquiry should focus on the terms of the engagement, including the commission rate, the term of the agreement, what territory may be covered by the agreement and if such relationship will be exclusive.”

So what should go into your Business Justification? First and foremost is that you should craft a document, which works for both you as the compliance practitioner and the business folks in your company. There are some basic concepts that I think are important but you may want to modify my suggestions based on your own experiences.

You need the name and contact information for both the Business Sponsor and the proposed third party. You need to inquire into how the Business Sponsor came to know about the third party because it is a Red Flag if a customer or government representative points you towards a specific third party. You should inquire into what services the third party would perform for your company, the length of time and compensation rate for the third party. You will also need an explanation of why this particular third party should be used, as opposed to an existing or other third party, if such were considered. All of this information should be written down and then signed by the Business Sponsor.

Remember, the purpose of the Business Justification is to document the satisfactoriness of the business case to retain a third party. The Business Justification should be included in the compliance review file assembled on every third party at the time of initial certification and again if the third party relationship is renewed. In the Tom Fox Mantra, this means Document, Document, and Document.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

February 20, 2013

Interview with Scott Moritz

Ed. Note-today we continue with our series on thought leaders and practitioners in the compliance arena. Today, we have an interview with Scott Moritz, who is a Managing Director, Protiviti (www.protiviti.com)

============================================================================================

1. Where did you grow up and what were your interests as a youngster? 

I grew up on the North Shore of Long Island, the youngest of six kids. Our father owned a swimming pool construction company whose workforce at various times consisted of my legendary grandfather, brothers, many cousins, a wide variety of parolees and, for a few summers during high school, me. Since I can remember, I was always fascinated with police work and detective stories and grew up watching TV shows like Baretta, The Rockford Files and Police Story. From an early age, people thought I looked like a cop. When I was 16, some of my knuckleheaded friends brought me along to New York City as “security,” because they wanted to buy fireworks, which were illegal at the time. In fact, I played the security role a lot with my friends, because they always seemed to attract the kind of attention that necessitated someone securing their safety. Our misadventure in the city was my first exposure to a recurring theme in my law enforcement experience: even if something is illegal to make, sell or possess, it is still readily available. In no time, one of my friends was in negotiation with a gang member who took one look at me and said “He’s a cop, get lost.” My undercover career was over before it started.

2. Where did you go to college and what experiences there led to your current profession?

I graduated from Jacksonville University in Jacksonville, Florida with a double major in marketing and management and a minor in psychology. Throughout college, I worked as a bouncer, bartender, DJ and eventually manager at a rock nightclub. As a 5’8” bouncer in Jacksonville, where the average male is 6’3,” I quickly developed negotiation, persuasion, de-escalation and other crisis-related skills. I also had to be able to read body language and know when a  negotiation had broken down, and it was time to take action. I prided myself on how frequently I was able to get people out of the club peacefully. I witnessed more violent crimes, including shooting incidents, in my four years as a nightclub employee than I did in nearly 10 years as an FBI agent.

3. How did you come to join the FBI? What were your duties as an agent?

After college, I applied to take the NYPD entrance exam. At the time, my sister Stacey was an Assistant U.S. Attorney in the Southern District of New York. When I mentioned to her that I had applied to take the police exam, she asked “What about the FBI?” She put me in touch with her friend, who was a Special Agent in the New York Field Office. This was in 1985. I called the number she gave me and a deep, booming voice answered, “TERRORISM!” I was so startled, I nearly fell off my chair! Whatever preconceptions I had in terms of how the FBI might answer the phone, that one didn’t make the mental checklist. I collected myself and had a great conversation with the agent, who encouraged me to apply to the FBI.

The FBI recruitment process is very involved, with many aspects to it, and candidates fall by the wayside at every stage. Back then, there was an initial application, a written exam, the completion of a very detailed application, a panel interview with three FBI Special Agents and finally a background check investigation, and as far as I know, that’s still the case today. Completing the application was quite an undertaking because you had to provide very detailed information about you, your siblings, their spouses, your parents and every roommate you’ve ever had. The application was used as the roadmap for the intensive background investigation that follows.

I entered on duty as an FBI Special Agent in October, 1986. Special Agent trainees lived at the FBI Academy for four months, and academy training was divided equally between academics (minimum passing grade is 85%), physical training/defensive tactics and firearms training.

FBI Special Agents investigate and enforce an incredibly wide variety of criminal violations, counter-intelligence and counter-terrorism. My first assignment was the Memphis, Tennessee field office. At the time, Memphis was a relatively small FBI office, so agents had much broader responsibilities than in the larger field offices where agents tend to be more specialized. For most of my time in Memphis, I was assigned to a White Collar Crime squad, which also had responsibility for the Civil Rights and Fugitive programs. I worked on a wide array of primarily financial crime investigations, including on the bank robbery response team and worked with the narcotics task force. While white collar crime was my primary focus, each agent on the squad carried multiple fugitive cases. The FBI has primary jurisdiction to enforce Unlawful Flight to Avoid Prosecution (UFAP) in support of state and local law enforcement when there is evidence that violent offenders have fled their jurisdictions.

In 1991, I was transferred to NYC and assigned to the money-laundering and asset forfeiture squad.  There, the entire mission was to conduct parallel financial investigations alongside the largest, most complex criminal cases being investigated by the New York FBI. I worked on many organized crime, narco-laundering, and trafficking and white collar crime cases, and our squad seized and forfeited nearly $1 billion during my five years there.

4. How have you utilized the skills you learned in law enforcement in your current profession?

I use the skills I learned as an FBI Special Agent every day in my current profession and have since the day I left the Bureau nearly 17 years ago. Many crimes are revenue-generating crimes; making cases against criminal defendants and their criminally-derived assets means painstaking financial analysis. Tracing criminal proceeds back to their source provides evidence of the crime, quantifies it and enables the government to dismantle criminal organizations by seizing assets obtained by the specified unlawful activity or used to facilitate the laundering of criminal proceeds. I am usually surrounded by mountains of banking records and financial records. However, reviewing banking and financial records alone often doesn’t reveal the full picture. While at the FBI, I developed the ability to use publicly available information to identify the financial holdings and business interests of criminal subjects and their associates, as well as any prior illegal conduct or civil disputes that could help build the case against them. These same background investigation techniques can be used in a commercial context both after the fact as part of the ensuing financial crime investigation and also to vet prospective relationships in an effort to determine whether a company would make a suitable business partner. Likewise, interviewing and interrogation skills are something you use in a variety of settings. Unlike interviews depicted on many TV crime dramas, interviewing is often all about building a rapport and establishing some common ground, no matter how despicable the subject of the interview may be. People also give off hidden cues that signal when they are uncomfortable with your questions and when they are outright lying. These same skills are very helpful when conducting interviews of executives and employees, whether in the course of evaluating a corporate compliance program, conducting anti-corruption due diligence or interviewing a suspect.

5. You recently changed companies, moving from Navigant to Protiviti. What can you tell us about your new position and some of the things that you would like to achieve?

I’m incredibly excited about my new role at Protiviti. I’ve joined an established and very experienced firm whose professional staff includes investigators, forensic accountants, anti-corruption practitioners and technologists in over 70 offices in 23 countries. Protiviti also has a very powerful technology platform in its Governance Portal. The Portal manages data intake, risk scoring, work-flow management, case management and decision-making ‑ so that all the aspects of an overall ethics and compliance program, or a single aspect of it, such as managing third-party anti-corruption programs, can be brought together on a single platform. (The Portal has received industry recognition: Protiviti has been positioned as a “Challenger” by Gartner in the October 2012 Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms.)

I really look forward to continuing to help clients apply their limited resources strategically on a risk basis and also to better position them so that they can manage their regulatory risk proactively and deploy investigative and forensic resources rapidly when issues emerge.

============================================================================================

Scott Mortiz can be reached at scott.moritz@protiviti.com.

============================================================================================

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. 

August 29, 2012

NYPD Community Policing as Model for Your FCPA Compliance Program

For those of you who do not know Scott Moritz, you should take an opportunity to do so. I first met Moritz (virtually) through his article in the FCPA Blog, entitled “Risk-Based Compliance”. In this post, Moritz looked at the language of Opinion Release 08-02 (the “Halliburton Opinion Release”) in the context of the risk based approach of which the Department of Justice (DOJ) approved Halliburton’s proposed acquisition of Expro. These risk based concepts were used by the UK Financial Services Authority (FSA) in its January, 2009, settlement with Aon. Moritz is a retired FBI special agent, with over 25 years of complex investigative, forensic accounting, regulatory compliance and law enforcement experience. He is now a Managing Director for Global Investigations & Compliance at Navigant Consulting.

I have had the opportunity to speak with Moritz on a couple of webinars, jointly author papers with him and hear him speak at leading Foreign Corrupt Practices Act (FCPA) conferences. I can assure you that he knows his stuff. Recently Moritz published yet another piece in his continuing education for the rest of us compliance practitioners in the area of risk based assessments. In an article entitled “Walking a Beat to Reduce Corruption”, Moritz analogized  “the concept of community policing that has been used to reduce crime in many major cities across the world” in his innovative approach of “a growing corporate culture of mutual transparency that is having a very positive effect on overall awareness regarding anti-corruption” for third party due diligence under both the FCPA and UK Bribery Act.

Moritz talked about community policing in the context of new thinking which holds that more “successful third-party anti-corruption programs depend upon effective two-way communication between the company and its third parties.” He advocates that companies “engage directly with third parties to build trust” and to communicate a company’s ethical values to both those third parties in its Sale and Supply Chains. The starting point for any trust is communications. He believes that for a compliance program to be truly effective, “it must create communication channels between compliance, its internal clients within the organization and the third parties whose actions could lead to corruption liability.” This communication should begin by making a company’s key employees, whose responsibilities include engagement with third parties i.e. business sponsors, “to the potential risks of these commercial relationships, how to recognize them, what they may mean in terms of their continuing compliance obligations and how to convey this information to the third parties in a way that is not construed to be offensive in any way.”

One of the most important roles of these business sponsors is to take the message of compliance to the company’s third party representatives. Many companies will have this first message be the company’s FCPA compliance questionnaire but Moritz advocates it is “the business sponsor’s responsibility to explain the company’s third-party anti-corruption program, the rationale behind it, to emphasize the mutual benefits of the relationship and to serve as the company liaison going forward. That initial conversation should also highlight the fact that the vast majority of such steps result in a strengthening of the relationship between the company and its third parties.”

This business sponsor should stress at least three key factors. The first is that the company lives by its anti-corruption values and those are embedded in its anti-corruption, FCPA Compliance Program and the questionnaire is a necessary part of that Compliance Program. Second, that your company’s Compliance Program is similar “to those in place at an increased number of organizations and it would be reasonable to expect it to be part of the process whenever their company engages with a global company.” Third, that by asking for what may seem as unusually sensitive information, it is not a lack of trust but that the request “actually signals the importance of the relationship and the company’s willingness to make a substantial investment in it to ensure that any issues that may be out there are put to rest at the outset thereby eliminating any future barriers to the relationship between the parties.” Concluding this section Moritz opines that by “Spending a fair amount of time setting the tone will provide a solid foundation for the relationship going forward.”

So how does this relate to a community policing program? At least as the theory is practiced by the New York Police Department (NYPD) it is based upon the precept of the “broken window theory” whereby if a window is allowed to be broken and stay broken it sends a signal that no one in the neighborhood cares about crime and this in turn leads to more crime. The NYPD took to having more foot patrols so that the officers could build trust in the neighborhoods which they were assigned, rather than driving around in squad cars. This signaled to the community that the police cared and many neighborhoods responded with actions, such as fixing broken windows, which showed they cared as well.

Moritz concludes his article by noting that “business sponsors act as the cops on your beat”. Just as community policing fosters two-way communication between the NYPD and the community; the business sponsor can effectively take the place of these police officers who are walking a beat in a community. The “business sponsors are on the front lines of your anti-corruption program building long-term relationships that are critically important components of your anti-corruption program and your commercial success as a whole.”

I found the Moritz piece quite interesting and continued his long line of thoughtful, best practices and leading edge commentary. I would add that a key is the business sponsor, your selection and training of this employee is a critical element. I commend the full Moritz piece to you.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

December 1, 2011

Tyco’s Seven Step Process for Third Party Qualification

An article in the September, 2011 issue of Compliance Week, entitled, “How Tyco Turned Around Third-Party Risk Program” by author Karen Kroll, reported on the program initiated and developed by Tyco International, assisted by Navigant Consulting, to enable Tyco to develop and initiate a “comprehensive program to gain a better control over the activities of third parties.” This task seemed particularly daunting as Tyco initially identified over 66,000+ third party vendors and this group needed to be risk assessed to determine the high risk third parties which could be handled in the first pass.

Key First Step

Interestingly a key first step in the process was that Tyco set up a specific project team in the company to handle the task. This is different to such assignments in a Compliance or Legal Department where a project is added to an employee’s existing portfolio of assignments. The Chief Compliance Counsel, Matthew Tanzer made the decision to assign a “small group of dedicated employees to the job”. Scott Moritz, Managing Director of Navigant, who worked with Tyco on the project, said this was an important early decision and was quoted as saying “You need to develop bench strength to deal with this, and staffing that’s proportional to the third party population.”

The Seven Steps

Tyco developed a process to identify, risk assess, contract with and then compliance train its third parties in this project. Tyco distilled this process into the following seven steps.

  1. Business Sponsor – Initially identify a business sponsor or primary contact for the third party within your company. This requires not only business unit buy-in but business unit accountability for the business relationship or as Moritz was quoted as saying, “This puts the onus on each stakeholder.”
  2. Business Justification – The business unit must articulate a commercial reason to initiate or continue to work with the third party. You need to determine how this third party will fit into your company’s value chain and whether they will become a strategic partner or will they be involved in a one-off only transaction?
  3. Third-Party Questionnaire – This requirement is not only a key step but a mandatory step for any third party which desire to do work with your company. I tell clients that if a third party does not want to fill out the questionnaire or will not fill it out completely that you should not walk but run away from doing business with such a party. The minimum information which should be obtained is basic business information, disclosures of all direct and beneficial owners, politically exposed persons (PEPs) and both commercial and compliance references.
  4. FCPA Certification – You should require a representative of the third party to attest that it will comply with all relevant anti-corruption laws and will not pay bribes, “either directly or indirectly.”
  5. Risk Assessment – The above information should be analyzed which leads to a risk score. This risk assessment will be used to determine the appropriate level of due diligence that should be performed on the third party. In Tyco’s system, the higher the risk assessment score, the more due diligence should be performed.
  6. Written Agreements – This requirement mandates that, in addition to commercial terms, compliance terms and conditions are appended to each third party contract. This is now Item 12 in the Department of Justice’s (DOJ) minimum best practices as set out in Deferred Prosecution Agreements (DPA) since at least November 2010.
  7. Training – Your company should require all third parties to complete an online training module which discusses your company’s values and its approach to bribery and corruption. You should also consider live training for the highest risk third parties.

The Tyco Seven Step Process does end at training. Tyco continues to manage these risks through an ongoing monitoring program which they developed in the course of this exercise. This monitoring includes both substantive compliance and transactional monitoring. Both of these monitoring systems can be reviewed by a committee or group dedicated to ongoing management of third parties within Tyco.

The task of getting a handle on your company’s third parties may often seem daunting. However, the Tyco Seven Step Process provides an excellent framework for the compliance professional to develop a program for his/her company. I recommend the article for your review and the program for your consideration.

============================================================================================

If you are going to be in Houston on December 7, myself, Mike Volkov and the Bribery Act guys, Richard Kovalevsky QC and Barry Vitou will be making their only US appearance this year. Mike and I will review some of the more significant enforcement matters of 2011 and discussion lessons which may be drawn from them. Richard and Barry will discuss the Bribery Act. Best of all the event is free and CLE will be provided. Event details and registration are found at http://events.r20.constantcontact.com/register/event?llr=myqi4pcab&oeidk=a07e55t5re06e78f1e3. I hope you can make it!

============================================================================================

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

Blog at WordPress.com.