FCPA Compliance and Ethics Blog

March 5, 2015

Is Strict Liability Coming to FCPA Enforcement?

I think that a strict liability standard is coming to Foreign Corrupt Practices Act (FCPA) enforcement. A number of factors have caused me to come to this conclusion. While there may well be wide disagreement as to whether such a standard is warranted under the FCPA, I think it is coming and it is something every Chief Compliance Officer (CCO) and compliance practitioner needs to be ready to address if and when the day comes that your company is under the shadow of an FCPA investigation.

I do not think this strict liability standard is coming for criminal enforcement of the FCPA by the Department of Justice (DOJ) because there is still a requirement of intent under the Act. Intent can be inferred by conscious indifference but I still do not think that day of reckoning is near for DOJ enforcement. However I do think that a confluence of events, FCPA enforcement actions by the Securities and Exchange Commission (SEC) and statements by the SEC representatives, all point towards a new enforcement angle to the FCPA. I think that the SEC is moving towards a strict liability standard for internal controls under the FCPA. That means if your compliance internal control regime is investigated, you will have to demonstrate that it meets some minimum standard that satisfies the SEC. If not, there will be a SEC administrative complaint filed against your company, alleging failure to maintain appropriate internal controls as required by the FCPA and your company will bear the burden of proof to demonstrate that you have designed and implemented an effective system of compliance internal controls.

The FCPA’s internal controls provision requires issuers to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that—

(i) transactions are executed in accordance with management’s general or specific authorization;

(ii) transactions are recorded as necessary (I) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (II) to maintain accountability for assets;

(iii) access to assets is permitted only in accordance with management’s general or specific authorization; and

(iv) the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences.

As further explained in the FCPA Guidance, “the Act defines ‘reasonable assurances’ as ‘such level of detail and degree of assurance as would satisfy prudent officials in the conduct of their own affairs.’ The Act does not specify a particular set of controls that companies are required to implement. Rather, the internal controls provision gives companies the flexibility to develop and maintain a system of controls that is appropriate to their particular needs and circumstances.”

My evolution of thinking on this issue began last fall with the Smith & Wesson (S&W) FCPA enforcement action. There was nothing in the reported settlement documents that tied the failure of S&W internal controls to the payment (or offer to pay) of a bribe or the obtaining of any benefit. The claims made against S&W were basically along the lines of this language laid out in the Order Instituting Cease-and-Desist Proceedings, “Despite making it a high priority to grow sales in new and high risk markets overseas, the company failed to design and implement a system of internal controls or an appropriate FCPA compliance program reasonably designed to address the increased risks of its new business model.” It should be noted that S&W did not ‘admit or deny’ any of the allegations made against it, the company simply consented to the entry of the Order.

In its Administrative Order, the SEC stated, “Smith & Wesson failed to devise and maintain sufficient internal controls with respect to its international sales operations. While the company had a basic corporate policy prohibiting the payment of bribes, it failed to implement a reasonable system of controls to effectuate that policy.” Additionally, the company did not “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are executed in accordance with management’s general or specific authorization; transactions are recorded as necessary to maintain accountability for assets, and that access to assets is permitted only in accordance with management’s general or specific authorization.”

All of this was laid out in the face of no evidence of the payment of bribes by S&W to obtain or retain business. This means it was as close to strict liability as it can be without using those words. Kara Brockmeyer, chief of the SEC Enforcement Division’s FCPA Unit, was quoted in an SEC Press Release on the matter as saying, “This is a wake-up call for small and medium-size businesses that want to enter into high-risk markets and expand their international sales. When a company makes the strategic decision to sell its products overseas, it must ensure that the right internal controls are in place and operating.”

The second factor that informs my thinking on this issue is the updated COSO 2013 Framework that became effective in December 2014. Larry Rittenberg, in his book COSO Internal Control-Integrated Framework, said that the original COSO framework from 1992 has stood the test of time “because it was built as conceptual framework that could accommodate changes in (a) the environment, (b) globalization, (c) organizational relationship and dependencies, and (d) information processing and analysis.” Moreover, the updated 2013 Framework was based upon four general principles which include the following: (1) the updated Framework should be conceptual, which allows for updating as internal controls (and compliance programs) evolve; (2) internal controls are a process which is designed to help businesses achieve their business goals; (3) internal controls apply to more than simply accounting controls, they apply to compliance controls and operational controls; and (4) while it all starts with Tone at the Top, the responsibility for the implementation of effective internal controls resides with everyone in the organization.

For the compliance practitioner, this final statement is of significant importance because it directly speaks to the need for the compliance practitioner to be involved in the design and implementation of internal controls for compliance and not to simply rely upon a company’s accounting, finance or internal audit function to do so.

The updated Framework also gives a precise model for the SEC to use to inquire from companies about their compliance internal controls. How many companies could not only present evidence of implementation of compliance internal controls along the lines of the updated Framework but also evidence of their effectiveness? Unfortunately the answer is not many.

There is one other factor that informs my evolution of thinking regarding a strict liability standard under the FCPA. Under Sarbanes-Oxley (SOX), Section 404, public companies are required to report on the adequacy of the company’s internal control on financial reporting. The report must affirm the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting. The report must also contain an assessment, as of the end of the most recent fiscal year of the Company, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting. External auditors must also assess and make such a report. To do so, most companies, and their external auditors were using the prior COSO Framework.

Now imagine a situation where your external auditors have made their report and your company has made such report public, under its SOX 404 reporting obligation. What if the SEC took that report, reviewed it and made an initial assessment that your compliance internal controls around bribery and corruption were not sufficient, as required under the FCPA? What if the SEC sent you a letter asking for evidence of development and implementation of compliance internal controls, also asking for your audited evidence of effectiveness? What if you respond in due course and you receive another letter from the SEC, which opines that your compliance internal controls are insufficient under the FCPA and gives your proposed fine? You protest that there is no evidence of bribery or corruption regarding this insufficiency of your compliance internal controls. What if your company is then invited to contest this issue through the SEC Administrative process?

Does that sound far-fetched? Maybe it is but, from where I sit, that is the direction I see the issue of internal controls going in FCPA enforcement. I think a strict liability regime is coming under SEC enforcement of the FCPA. As a CCO or compliance practitioner in a public company, you need to be ready to defend your compliance internal controls.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

March 4, 2015

Minnie Minoso Broke Barriers; Goodyear Pushes Compliance Forward

Yesterday we celebrated the hard-nosed playing style of Anthony Mason, who recently passed away. Today we honor a true pioneer in professional baseball, Minnie Minoso, or Mr. White Sox. Minoso was the first black Cuban to play in Major League Baseball (MLB) when he debuted for the Cleveland Indians in 1949. In 1951, he was traded to the Chicago White Sox and he became a southside fixture for the rest of the decade. While his numbers were less than 2000 hits and 200 home runs, he was a fearless and speedy base runner and a nine-time All Star. Similarly to Mr. Cub, Ernie Banks, the Chicago White Sox erected a statue in tribute to Mr. White Sox outside their ballpark. Even President Obama was moved to release a statement about Minoso saying in part, “Minnie may have been passed over by the Baseball Hall of Fame during his lifetime, but for me and for generations of black and Latino young people, Minnie’s quintessentially American story embodies far more than a plaque ever could.”

The contribution of Minoso in the inexorable march of MLB towards integration informed part of my reading of the recent Goodyear Tire & Rubber Company (Goodyear) Foreign Corrupt Practices Act (FCPA) enforcement strategy of the Securities and Exchange Commission (SEC). This enforcement action was a solo effort by the SEC; there was no corresponding Department of Justice (DOJ) criminal enforcement action. So following this past fall’s triumvirate of SEC enforcement actions involving Smith & Wesson, Layne Christensen and Bio-Rad, the SEC continues to bring enforcement actions based upon the books and records and internal controls civil requirements of the FCPA. Therefore the Goodyear enforcement action is one which provides many lessons to be learned by the Chief Compliance Officer (CCO) or compliance practitioner going forward and should be studied quite carefully by anyone in the compliance field.

The Bribery Schemes

As set out in the SEC Cease and Desist Order (the Order), Goodyear used several different bribery schemes in different countries, all violating the FCPA. In Kenya, Goodyear became a minority owner in a locally owned business which apparently paid bribes the old-fashioned way, in cash to the tune of over $1.5MM, yet falsely recorded the cash bribe payments as “promotional expenses.” In Angola, a wholly-owned subsidiary of the company paid approximately $1.6MM in bribes by falsely marking up invoices with “phony freight and customs clearing costs.” The subsidiary made the payments in cash and through wire transfers to various government officials. Finally, the subsidiary apparently cross-referenced the bribes it paid as follows, “As bribes were paid, the amounts were debited from the balance sheet account, and falsely recorded as payments to vendors for freight and clearing costs.” In other words a complete, total and utter failure of internal controls to forestall any of the foregoing.

Internal Controls Violations

The Order set out the section of the FCPA that the company violated. Regarding the internal controls, the Order stated, “Under Section 13(b)(2)(B) of the Exchange Act issuers are required to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that (i) transactions are executed in accordance with management’s general or specific authorization; (ii) transactions are recorded as necessary (I) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (II) to maintain accountability for assets; (iii) access to assets is permitted only in accordance with management’s general or specific authorization; and (iv) the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences.”

The Comeback

Equally important for the CCO or compliance practitioner are the specific steps that Goodyear took to remediate the situation it found itself in through these illegal payments. When the company received the initial reports about “the bribes, Goodyear promptly halted the improper payments and reported the matter to Commission staff.” Moreover, the company also cooperated extensively with the SEC. As noted in the Order, “Goodyear also provided significant cooperation with the Commission’s investigation. This included voluntarily producing documents and reports and other information from the company’s internal investigation, and promptly responding to Commission staff’s requests for information and documents. These efforts assisted the Commission in efficiently collecting evidence including information that may not have been otherwise available to the staff.”

In the area of internal remediation, regarding the entity in Kenya, where Goodyear was a minority owner in a local business, the company rid itself of its corrupt partners by divesting its interest and ceasing all business dealings with the company. Goodyear is also divesting itself of its Angolan subsidiary. The Order also noted that Goodyear had lost its largest customer in Angola when it halted its illegal payment scheme. The company also took decisive disciplinary action against company employees “including executives of its Europe, Middle East and Africa region who had oversight responsibility, for failing to ensure adequate FCPA compliance training and controls were in place at the company’s subsidiaries in sub-Saharan Africa.”

Finally, in a long paragraph, the SEC detailed some of the more specific steps Goodyear took in the area of remediation. These steps included:

  • Improvements to the company’s compliance function not only in sub-Saharan Africa but also world-wide;
  • In Africa, both online and in person training was beefed up for “subsidiary management, sales and finance personnel”;
  • Regular audits were instituted by the company’s internal audit function, which “specifically focused on corruption risks”;
  • Quarterly self-assessment questionnaires were required of each subsidiary regarding business with government-affiliated customers;
  • For each subsidiary, there were management certifications required on a quarterly basis that required, “among other things controls over financial reporting; and annual testing of internal controls”;
  • Goodyear put in a “new regional management structure, and added new compliance, accounting, and audit positions”;
  • The company made technological improvements to allow the company to “electronically link subsidiaries in sub-Saharan Africa to its global network”.

However these changes were not limited to improvement of Goodyear’s compliance function in Africa only. At the corporate headquarters, Goodyear created the new position of “Vice President of Compliance and Ethics, which further elevated the compliance function within the company”. There was expanded online and in-person training at the corporate headquarters and other company subsidiaries. Finally, the company instituted a new “Integrity Hotline Web Portal, which enhanced users’ ability to file anonymous online reports to its hotline system. With that system, Goodyear is also implementing a new case management system for legal, compliance and internal audit to document and track complaints, investigations and remediation.”

The specific listing of the compliance initiatives or enhancements that Goodyear pushed after its illegal conduct came to light is certainly a welcomed addition to SEC advice about what it might consider some of the best practices a company may engage in around its compliance function. Moreover, this specific information can provide audit and information to the compliance practitioner of strategies that he or she might use to measure a company’s compliance program going forward. The continued message of cooperation and remediation as a way to lessen your overall fine and penalty continues to resonate from the SEC. Finally, just as Minoso helped move forward the integration of baseball and civil rights in general, the Goodyear FCPA enforcement action demonstrates that the SEC will continue to prosecute cases around the failure of or lack of internal controls. The clear import is that a company must have an appropriate compliance internal control regime in place. We are moving towards a strict liability standard under the FCPA around internal controls, which I will have much more to say about later but for now – you have been warned.


February 25, 2015

Doing Less with Less and the Unification of Germany

I am attending the SCCE Utilities and Energy Conference in Houston this week. As usual, the SCCE has put on a great event for the compliance practitioner. This year there is live blogging by Kortney Nordum so there should be much about the conference up on the SCCE blogsite, this week and into the future. Lizza Catalano has put together a first rate program for compliance practitioners of many stripes. As an added benefit, SCCE Chief Executive Officer (CEO) Roy Snell has brought some cold weather down to Houston for the event for our late February enjoyment. While it was 80 on Saturday, today it was a balmy 36 courtesy of our Minnesotan guests.

As you might guess the current economic downturn is on everyone’s mind and a subject of much conversation. Last week I wrote a post about the depression of oil and gas prices in the energy space and some of the increased Foreign Corrupt Practices Act (FCPA) or other anti-corruption risks that might well arise from this economic downturn. Over the next couple of days, I want to explore how a Chief Compliance Officer (CCO) or compliance practitioner might think through responses to this increased compliance risk. Today I will focus on doing less with less. Tomorrow I will suggest some technological solutions.

I have been around long enough to see more than one of these economic events in the energy space. While not suggesting that we Texans never learn not to repeat our mistakes, they do seem to have a pattern. Prices drop precipitously; companies that are overstocked, over-leveraged or generally over-panicked over-react and cut head count and spending dramatically to some level that is not based on rational economic analysis. Then they get some handle on where the numbers might be heading and the cuts start to flatten out and some type of equilibrium is reached.

Right now, in the energy space, we are in the cutting phase. That means loss of personnel (head count) and loss of resources even if it was calculated last year based on a summer or fall 2014 economic projection in your annual budgeting process. This means one thing you will need get for a quarter or two will be financial resources to place the personnel your compliance function may have lost. This means that you will have to figure out a way to accomplish more with fewer resources. While I often advocate that the compliance function can and should draw on other disciplines such as Human Resources (HR), IT, Internal Audit and Marketing for support, those functions have most probably been ‘right-sized’ as well so they may not be able to assist the compliance function as much as they could have previously.

Now would be a very good time to put into practice what Dresser-Rand CCO Jan Farley often says, “Don’t sweat the small (compliance) stuff.” Farley often speaks about the need not to waste your scarce compliance resources on areas or matters that are low compliance risks. But to do this, you need to understand what are your highest compliance risks. Since you will not have additional resources to perform such an analysis, I would suggest now would be a very good time for you to assess your compliance program and your business model to see what are your highest risks. If you believe there are several, you can prioritize them. This exercise will give you the basis to deliver your ever-scarcer compliance resources to your highest risk areas.

While I do not believe the Department of Justice (DOJ) or Securities and Exchange Commission (SEC) will be sympathetic to some unsubstantiated claim along the lines of ‘I did my best with what I had’; they also made clear in the FCPA Guidance that “An effective compliance program promotes “an organizational culture that encourages ethical conduct and a commitment to compliance with the law.” Such a program protects a company’s reputation, ensures investor value and confidence, reduces uncertainty in business transactions, and secures a company’s assets. A well-constructed, thoughtfully implemented, and consistently enforced compliance and ethics program helps prevent, detect, remediate, and report misconduct, including FCPA violations.” (emphasis supplied)

So while the DOJ and SEC will not accept your bald-faced claims that your company simply did not have the money to spend on compliance, they will most-probably consider a compliance program where you have looked at your risks, in the context of this economic downturn, and delivered the compliance resources you do have to those risks. But the key is Document, Document, and Document your decision-making calculus and your implementation. (Stephen Martin would probably add here that if your annual spend on Yellow Post-It Notes is a factor of 10X your compliance spend, this approach would not be deemed credible.)

In her On work column in the Financial Times (FT), Lucy Kellaway wrote about this concept of doing less with less for the corporate executive personally, in an article entitled, “No need to ‘lean in’ when laziness can be just as effective”. She cited to the Prussian General Helmuth von Moltke for “devising one of the world’s first management matrices” when he assessed his officers on two scales: “clever v. dim and lazy v. energetic.” From this he came up with four permutations:

  • Dim and lazy – Good at executing orders.
  • Dim and energetic – Very dangerous, as they take the wrong decisions.
  • Clever and energetic – Excellent staff officers.
  • Clever and lazy – Top field commanders as they get results.

The point of Kellaway’s article has direct implications for the CCO or compliance practitioner currently facing an economic downturn, “It is only by being lazy that we become truly efficient, and come to see what is important and what is not.” Kellaway cautioned “the sort of laziness to encourage is not the slobbish variety that means you do bad work. That is not laziness: it is stupidity. Instead, we need the clever version that comes from knowing there is an opportunity cost to every minute we spend working, so we must use our time wisely.”

From the compliance perspective, this translates directly into using your compliance resources wisely. So whether you want to cite the Prussian general who unified Germany, columnist Kellaway, Dresser-Rand CCO Farley or this article’s theme of doing less with less, I would suggest to you there is a manner to maintain “A well-constructed, thoughtfully implemented, and consistently enforced compliance and ethics program helps prevent, detect, remediate, and report misconduct, including FCPA violations” even in an economic downturn.


February 20, 2015

Assessing Internal Compliance Controls – Part II

In this blog post I continue my exploration of how you should assess your compliance internal controls using the Committee of Sponsoring Organization of the Treadway Organization (COSO), publication “Internal Controls – Integrated Framework, Illustrative Tools for Assessing Effectiveness of a System of Internal Controls” (herein ‘the Illustrative Guide’), as a starting point and basis for discussion. You will recall from my series on compliance internal controls under the COSO 2013 Framework there are five objectives: (1) Control Environment; (2) Risk Assessment; (3) Control Activities; (4) Information and Communication; and (5) Monitoring Activities. Today I will review issues around compliance internal control assessments on Control Environment and Risk Assessments.

First are some general definitions that you need to consider in your evaluation. A compliance internal control must be both present and functioning. A control is present if the “components and relevant principles exist in the design and implementation of the system of [compliance] internal control to achieve the specified objective.” A compliance internal control is functioning if the “components and relevant principles continue to exist in the conduct of the system of [compliance] internal controls to achieve specified objectives.”

I. Control Environment

Under the objective of Control Environment there are five principles which you will need to assess. The five principles are:

  1. The organization demonstrates a commitment to integrity and ethical values. Here you can look to see if there is a training program to help make employees cognizant of the importance of doing business ethically and in compliance with the standards of your company’s Code of Conduct. Also is there specific training on the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other relevant anti-corruption/anti-bribery legislation which may govern your organization? Next does your company have in place any process to evaluate “individuals against published integrity and ethics policy”? Finally, do you have in place any process to “identify and address deviations in the organization”?
  2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control. Under this Principle you must DOCUMENT the active involvement of your company’s Board of Directors. So not only must risk assessments be performed and evaluated by senior management, they must also be evaluated by the Board, separate and apart from senior management. A Board must also document its review of any remediation plans and monitoring activities.
  3. Management establishes, with board oversight, structures, reporting lines and appropriate authorities and responsibility in pursuit of the objectives. This Principle deals primarily with reporting lines and structures so you will need to consider not only the structure of your business but also whether or not both clear and sufficient reporting lines have been established throughout the company. The next analysis is to move down the chain to see if there are definitions and assignments for your compliance function. Lastly you need to assess whether there are sufficient parameters around the responsibilities of the compliance function and if there are limitations which should be addressed.
  4. The organization demonstrates a commitment to attract, develop and retain competent individuals in alignment with the objectives. Under this Principle you will need to review the policies and procedures to make sure you have the minimum required under a best practices compliance program and then evaluate and address any shortcomings. This Principle also has a more personnel focus by requiring you to consider whether your organization attracts, develops and retains sufficient compliance personnel and is there an appropriate succession plan in place if someone ‘wins the lottery’ on the way to work.
  5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of the objective. Under this Principle review is required to determine whether the Board established and communicated the mechanisms to hold employees accountable for your compliance internal controls. As suggested in the FCPA Guidance, there should be both a carrot and stick approach, so for the carrot is there some type of Board, senior management or employee compensation based on whether they did their assignments in compliance with your Code of Conduct or are bonuses based strictly on a sales formulation? For the stick, have any employees ever been disciplined under your compliance regimes?

II. Risk Assessment

This objective has four Principles that require assessment. They are (numbers follow the COSO Framework):

  1. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives which include Operations Objectives, External Financial Reporting Objectives, External Non-Financial Reporting Objectives, Internal Reporting Objectives and Compliance Objectives. Here I think the key is the documentation of several different topics and issues relating to your company and how it operates. This means you will need to assess such diverse concepts as what are your senior management’s choices for business and compliance? You will need to consider and assess tolerances for risk as demonstrated by such issues as operations and financial performance goals. Finally, it can be used as a basis for committing compliance resources going forward.
  2. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. This Principle requires you to take a look at not only your compliance organization but also your business structure including entity, subsidiary, division, operating unit, and functional levels. You should assess the involvement of your compliance function at each point identified and the appropriate levels of management therein. Finally, from the compliance perspective, you should attempt to estimate not only the significance of compliance risks identified in the risk assessment but also determine how to respond to such identified compliance risks.
  3. The organization considers the potential for fraud in assessing risks to the achievement of objectives. Bribery and corruption can be categorized as forms of fraud. Rather than being fraud against the company to obtain personal benefits it can be fraud in the form of bribery and corruption of foreign government officials. For the compliance internal control assessment around this Principle I would urge you to ‘follow the money’ in your organization and consider the mechanisms by which employees can generate the funds sufficient to pay bribes. Many of these are simply fraud schemes so you should consider this within the compliance context and assess incentive and pressures on employees to make their numbers or be fired. You should also assess your employees’ attitudes and rationalizations regarding same.
  4. The organization identifies and assesses changes that could significantly impact the system of internal control. This Principle speaks to the need of your organization to maintain personnel competent to use the risk assessment going forward. But it also requires you to assess changes in the external environment, assess changes in the business model or other significant business changes and, finally, to consider any changes in compliance leadership and how that would impact this Principle.

I often say that good compliance is simply good business. These COSO objectives are not only important from the compliance perspective but they also speak to the issue of overall process in your organization. The more you can burn these activities into the DNA of your company, the better run your organization will be going forward. Auditing against the COSO standards will provide your management with greater information on the health of your organization and satisfy your legal requirements under the FCPA.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

February 19, 2015

Assessing Compliance Internal Controls – Part I

I have recently detailed the COSO 2013 Framework in the context of a best practices compliance regime. However there is one additional step you will need to take after you design and implement your internal controls. That step is that you will need to assess against your internal controls to determine if they are working.

In its Illustrative Guide, the Committee of Sponsoring Organization of the Treadway Organization (COSO), entitled “Internal Controls – Integrated Framework, Illustrative Tools for Assessing Effectiveness of a System of Internal Controls” (herein ‘the Illustrative Guide’), laid out its views on “how to assess the effectiveness of its internal controls”. It went on to note, “An effective system of internal controls provides reasonable assurance of achievement of the entity’s objectives, relating to operations, reporting and compliance.” Moreover, there are two over-arching requirements which can only be met through such a structured post. First, is each of the five components present and functioning? Second, are the five components “operating together in an integrated approach”? Over the next couple of posts I will lay out what COSO itself says about assessing the effectiveness of your internal controls and tie it to your compliance related internal controls.

As the COSO Framework is designed to apply to a wider variety of corporate entities, your audit should be designed to test your internal controls. This means that if you have a multi-country or business unit organization, you need to determine how your compliance internal controls are inter-related up and down the organization. The Illustrative Guide also realizes that smaller companies may have less formal structures in place throughout the organization. Your auditing can and should reflect this business reality. Finally, if your company relies heavily on technology for your compliance function, you can leverage that technology to “support the ongoing assessment and evaluation” program going forward.

The Illustrative Guide suggests using a four-pronged approach in your assessment. (1) Make an overall assessment of your company’s system of internal controls. This should include an analysis of “whether each of the components and relevant principles is present and functioning and the components are operating together in an integrated manner.” (2) There should be a component evaluation. Here you need to more deeply evaluate any deficiencies which you may turn up and whether or not there are any compensating internal controls. (3) Assess whether each principle is present and functioning. As the COSO Framework does not prescribe “specific controls that must be selected, developed and deployed” your task here is to look at the main characteristics of each principle, as further defined in the points of focus, and then determine if a deficiency exists and, if so, what is the severity of the deficiency. (4) Finally, you should summarize all your internal control deficiencies in a log so they are addressed on a structured basis.

Another way to think through the approach could be along the following lines. A Principle Evaluation should consider “the controls to effect the principle” and would allow internal control deficiencies to be “identified along with an initial severity determination.” A Component Evaluation would “roll up the results of the component’s principle evaluations” and would allow a re-evaluation of the severity of any deficiency in the context of compensating controls. Lastly, an overall Effectiveness Assessment which would look at whether the controls were “operating together in an integrated manner by evaluating any internal control deficiencies aggregate to a major deficiency.” This type of process would then lend itself to an ongoing evaluation so that if business models, laws, regulations or other situations changed, you could assess if your internal controls were up to the new situations or needed adjustment.

The Illustrative Guide spent a fair amount of time discussing deficiencies. Initially it defined ‘internal control deficiency’ as a “shortcoming in a component or components and relevant principle(s) that reduces the likelihood of an entity achieving its objectives.” It went on to define ‘major deficiency’ as an “internal control deficiency or combination of deficiencies that severely reduces the likelihood that an entity can achieve its objectives.” Having a major deficiency is a significant issue because “When a major deficiency exists, the organization cannot conclude that it has met the requirements for an effective system of internal control.” Moreover, unlike deficiencies, “a major deficiency in one component cannot be mitigated to an acceptable level by the presence and functioning of another component.”

Under a compliance regime, you may be faced with known or relevant criteria to classify any deficiency. For example, if written policies do not have at a minimum the categories of policies laid out in the FCPA Guidance Ten Hallmarks of an Effective Compliance Program, which states “the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments”, also formulated in the Illustrative Guide, such a finding would preclude management from “concluding that the entity has met the requirements for effective internal controls in accordance with the Framework.”

However, if there are no objective criteria, as laid out in the FCPA Guidance, to evaluate your company’s compliance internal controls, what steps should you take? The Illustrative Guide says that a business’ senior management, with appropriate board oversight, “may establish objective criteria for evaluating internal control deficiencies and for how deficiencies should be reported to those responsible for achieving those objectives.” Together with appropriate auditing boundaries set by either established law, regulation or standard, or through management exercising its judgment, you can then make a full determination of “whether each of the components and relevant principles is present and functioning and components are operating together, and ultimately in concluding on the effectiveness of the entity’s system of internal control.”

The Illustrative Guide has a useful set of templates that can serve as the basis for your reporting results. They are specifically designed to “support an assessment of the effectiveness of a system of internal control and help document such an assessment.” The Document, Document, and Document feature is critical in any best practices anti-corruption or anti-bribery compliance program whether based upon the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or some other regulation. With the Illustrative Guide of these Illustrative Tools, COSO has given the compliance practitioner a very useful road map to begin an analysis into your company’s internal compliance controls. When the Securities and Exchange Commission (SEC) comes knocking this is precisely the type of evidence they will be looking for to evaluate if your company has met its obligations under the FCPA’s internal controls provisions. In subsequent blog posts I will take a look at how you might audit your compliance internal controls.


© Thomas R. Fox, 2015

February 16, 2015

Economic Downturns and Increased Compliance Risk

Oil is hovering around $50 per barrel. For most of the US economy this drop in oil price has provided a much-needed economic boost. One piece on the NPR website, entitled “Oil Price Dip, Global Slowdown Create Crosscurrents For U.S.”, said “economists have suggested the big drop in oil prices is a gift to consumers that will propel the economy.” Liz Ann Sonders, who is the chief investment strategist at Charles Schwab, was quoted as saying “The U.S. economy is 68 percent consumer spending, so right there you know that falling oil prices is a benefit.” Another economist said the positive effects could be “worth $400 billion” for the US economy as a whole.

But in the energy space, particularly in the city of Houston, Texas, this plunge has been devastating. It is so bad that in this past week’s issue of the Houston Business Journal (HBJ), it provided a ‘Box Score’ for energy company lay-offs. And that was before Halliburton announced a 10%-15% reduction and Hercules Offshore announced that it had laid off some 30% of its work force since last October. Nationally, for the energy industry, it will be just as bad. In the NPR piece, David R. Kotok, of Cumberland Advisors, said, “cuts in production and energy company payrolls will cost the U.S. economy up to $150 billion.” The Houston Chronicle headlined it was a “Bloodbath”.

I thought about what this plunge in the price of oil could mean for the compliance function in energy and energy related companies going forward. Many Chief Compliance Officers (CCOs) and compliance practitioners struggle with metrics to demonstrate revenue generation. Most of the time, such functions are simply viewed as non-revenue generating cost drags on business. This may lead to compliance functions being severely reduced in this downturn. However I believe such cuts would be more than merely short-sighted; they would actually cost energy companies far more in the short and long term.

Almost any energy company of any size has gone through a Foreign Corrupt Practices Act (FCPA) investigation, whether internal or formal by the Department of Justice (DOJ) or Securities and Exchange Commission (SEC). Many had gone through enforcement actions. The risk profiles of these companies did not change because of the drop in oil prices. Extractive resources are still located largely in countries with a high perception of corruption. In others, the inherent compliance risks that currently exist for energy companies will certainly not lessen. Unfortunately they may well increase.

At this point I see two increasing compliance risks for energy companies. The first is that companies will attempt to reduce their costs by cutting their compliance personnel. A tangent but equally important component of this will be that companies that do not invest the monies needed to beef up their oversight through monitoring or other mechanisms are setting themselves up for serious compliance failures.

Moreover, what will be the pressure on the business folks of such companies to ‘get the deal done’ with this slashing of oil prices? Further, if there is a 10% to 30% overall employee reduction, what additional pressures will be on those employees remaining to make their numbers or face the same consequences as their former co-workers?

I think both of these scenarios are fraught with increased compliance risks. For companies to engage in behaviors as I have outlined above would certainly bring them into conflict with the Ten Hallmarks of an effective compliance program as set out in the FCPA Guidance. For instance on resources, the FCPA Guidance does not say in a time of less income, when your compliance risk remains the same or increases, you should cut your compliance function or the resources to support it. Indeed it intones the opposite, when stating, “Those individuals must have appropriate authority within the organization, adequate autonomy from management, and sufficient resources to ensure that the company’s compliance program is implemented effectively.” Moreover, the FCPA Guidance adds, “Moreover, the amount of resources devoted to compliance will depend on the company’s size, complexity, industry, geographical reach, and risks associated with the business. In assessing whether a company has reasonable internal controls, DOJ and SEC typically consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.” So the resource issue is stated in reference to the risk profile of the business and not the current or fleeting economic issues of the day.

Also note that the FCPA Guidance speaks to an analysis from the DOJ side, which would presumably be a criminal side review. For instance, if a company cuts its compliance staff while its risk profile has not decreased, does this provide the required intent to commit a criminal act under the FCPA? Moreover, who would be the guilty party under such an analysis? Would it be the Chief Executive Officer (CEO) who ultimately decides we need a fixed percentage cut of employees or simply a raw number to be laid off? How about the department head (as in the CCO) who is told to cut your staff 10% or we will make the cuts for you? Or is it a company’s Human Resources (HR) department who delivers the dreaded knock on a compliance practitioner’s door (I’m from HR and could you come with me). What if a company’s decision-making authority is so decentralized that there is no one person who can be held accountable?

You should also note the SEC role in FCPA enforcement, as alluded to in the quote from the FCPA Guidance. There will be an assessment of internal controls. Now that the COSO 2013 Framework has become effective, will companies delay plans to implement the new Framework and to begin to audit against it? If so, would that be a per se FCPA violation?

But there is a second reason that I believe that energy companies’ risk profiles will increase in this industry-specific downturn. Unfortunately it will come from those employees who survive the lay-offs. They will be under increased pressure to do the jobs of the laid-off folks so there will be a greater chance that something could slip through the cracks. If you are already working full time at one job and one, two or three other employees in your department are laid off, which job is going to get priority? Will you only be able to put out fires or will you be able to accomplish what most business folks think is an administrative task?

But more than the extra work the survivors will have laid upon them will be the implicit message that some companies’ senior management may well lay down, that being Get the Deal Done. If economic times are tough, senior management will be looking even more closely at the sales numbers of employees. The sales incentives could very well move from a question of what will my bonus be if I close this transaction to one of will I be fired if I do not close this transaction. If senior management makes clear that it is bring in more business or the highway, employees will get that message.

Once again, where would the DOJ look to find intent? Would it be the person out in the field who believed he was told that he or she either brought in twice as much work since there were half as many employees left after lay-offs? Would it be the middle manager who is more closely reviewing the sales numbers and sending out email reminders that if sales do not increase, there may well have to be more cuts? What about the CEO who simply raises one eyebrow and says we need to hunker down and get the job done?

What might be the DOJ or SEC reaction to the downsizing of compliance in the face of such increased compliance risk? The energy industry has not gone through this type of economic downsizing in the new age of FCPA prosecutions, largely since 2004, so there is no relevant time frame of FCPA enforcement to reflect from. However, the financial industry did go through such a contraction in the 2007-2010 time frame. We have seen the DOJ and other financial industry regulators draw huge penalties for a series of anti-money laundering (AML) and LIBOR scandals. My guess is that the DOJ and SEC will not allow companies to use economic arguments in the face of known and recognized increase in compliance risks. Indeed they may focus on some of these points as reasons for increased compliance vigilance in an energy company’s compliance function going forward.


© Thomas R. Fox, 2015

January 15, 2015

The Marx Brothers Mirror Scene: Absurdity and Comments by a SEC Commissioner

I continue my Marx Brothers’ themed week by today looking at what I and many others believe to be their most cherished routine: the Mirror Scene. Danny Leigh, in his article in the Financial Times (FT), entitled “Souped-up comedy”, wrote, “The set-up is deathlessly simple. Fredonia’s President, Groucho in nightgown and cap finds Harpo, a spy from neighboring Sylvania, in his bedroom. They chase each other down some stairs and face off in front of each other, dressed identically. Harpo, the spy and intruder pretends to be Groucho’s reflection, and the two brothers spend the next three minutes locked in a mad dance of mimicry. The result is flawless, the kind of ecstatic comedy in which the world outside the cinema simply falls away. Variations on the skit had been performed by others before but the brothers raised it to undreamt absurdist heights, claiming it for ever as their own.” So you have Pinky (Harpo), dressed as Firefly (Groucho), pretending to be Firefly’s reflection in a missing mirror, matching his every move—including absurd ones that begin out of sight—to near perfection. In one particularly surreal moment, the two men swap positions, and thus the idea of which is a reflection of the other. The scene is absolutely silent until Chicolini (Chico), also disguised as Firefly, enters the scene and collides with both of them and sound resumes.

Although its appearance in Duck Soup is the best-known instance, the concept of the mirror scene did not originate in this film. Max Linder included it in Seven Years Bad Luck (1921), where a man’s servants have accidentally broken a mirror and attempt to hide the fact by imitating his actions in the mirror’s frame. Charlie Chaplin used a similar joke in The Floorwalker (1916), though it didn’t involve a mirror. This scene has been recreated many times in entertainment as diverse as Bugs Bunny cartoons, the television series Gilligan’s Island and even an episode of The X-Files. Harpo himself did a reprise of this scene, dressed in his usual costume, with Lucille Ball also donning the fright wig and trench coat, in the I Love Lucy episode “Lucy and Harpo Marx”.

I find it to be absurdist comedy at its ultimate height. To this day, I almost cry I laugh so hard when I see that scene. While you may not find it quite as funny as I did, most probably one thing you will also not find funny is an ongoing debate in both academia and in legal circles involving a question on corporate governance as reported in the New York Times (NYT) in the Dealbook column by Andrew Ross Sorkin, in an article entitled “An Unusual Boardroom Battle, in Academia”. The question is whether there should be staggered elections of corporate board members or whether the entire slate of Board members should be elected, up or down, each year.

On the side of full Board, up or down voting is Professor Lucian A. Bebchuk, a Harvard Law School professor who has long researched corporate governance issues and has been an outspoken advocate for increased democracy in corporate America’s boardrooms, and his group, Harvard’s Shareholder Rights Project. Professor Bebchuk believes staggered election of Board members “silences shareholders, entrenches management and makes it less likely that suitors or activists will emerge, depressing valuations.”

On the other side of the dispute are Daniel M. Gallagher, a member of the Securities and Exchange Commission (SEC), and Joseph A. Grundfest, a professor at Stanford Law School and a former SEC commissioner, who co-authored a paper entitled “Did Harvard Violate Federal Securities Law? The Campaign Against Classified Boards of Directors.” The paper is in opposition to Bebchuk’s position. Sorkin observed that “Mr. Gallagher and Mr. Grundfest suggest that companies are dropping their staggered board structures — and shareholders are voting to eliminate them — based, in part, on faulty research by Harvard’s Shareholder Rights Project. Worse.” But here is the kicker and what moves this rather arcane academic debate into the realm of the absurd. “They suggest, Mr. Bebchuk’s project committed fraud by not fully disclosing the extent of contradictory research, which they say is a “material omission” by S.E.C. standards.” Yes sports fans, a sitting SEC commissioner suggested in writing that Harvard had engaged in a securities law violation.

As Sorkin noted, “there’s the fundamental issue of whether a sitting member of the S.E.C. should be writing such an incendiary paper in the first place.” Sorkin quoted an email comment made by Professor Robert J. Jackson Jr., from Columbia Law School. Jackson wrote to Sorkin in an email “All should agree that it is wildly inappropriate for a sitting S.E.C. commissioner to issue a law review paper accusing a private party of violating federal securities law without any investigation or due process of any kind. This is a striking, and as far as I know unprecedented, departure from longstanding S.E.C. practice.” Jackson went on to say “Imagine if a sitting S.E.C. commissioner wrote a law review article accusing Goldman Sachs of violating federal law without any S.E.C. investigation of the matter — Goldman and their counsel would quite rightly be outraged.”

Near the end of his article, Sorkin stated, “There are many opposing views on the paper. But here’s one way to think about it: It was a bad precedent for Mr. Gallagher to involve himself in a paper that raises the possibility of fraud in the field he regulates without the due process of a legal complaint. Mr. Grundfest could have written this provocative paper on his own, though it might not have attracted the same amount of attention within the industry.”

I would ask you to imagine if any of the Department of Justice (DOJ) attorneys who work in the Foreign Corrupt Practices Act (FCPA) area were to write an article, law review or other, that said not only is an entity’s position on interpretation of the FCPA wrong, its interpretation in practice is a FCPA violation. Do you think such a corporation or entity would feel like they would get a fair shake from such prosecutors? Think any bias might exist going forward? While I have been one of the loudest advocates for the DOJ making more information on its FCPA declinations more public, SEC Commissioner Gallagher’s paper demonstrates a very good reason for the DOJ not making any such information public: i.e. due process and fairness. Just as bad facts can certainly lead to bad law, this action by a sitting SEC Commissioner to even imply that an entity violated US Securities Laws in an article is not a road that we want to begin to go down.



© Thomas R. Fox, 2015

December 31, 2014

The Avon FCPA Settlement – Part III

Today I conclude my 2014 blog posts with a final look at the Avon Foreign Corrupt Practices Act (FCPA) enforcement action. Before getting to the key lessons that a compliance practitioner may draw from this enforcement action, allow me to thank you for letting me be a part of your FCPA and greater compliance and ethics experience. This has been a memorable year in social media for me, both in blogging, publishing and podcasting. (If you have not listened to one of my podcasts please head over to the FCPA Compliance and Ethics Report on the web or on iTunes and check it out.) I have learned quite a bit this year, in writing, podcasting and listening. I hope that you will continue to follow me in 2015 through my blogs, podcasts and via some of the other sites and magazines that I write for. I plan to publish more books, in both print and electronic format, and pen more long form articles that will provide a deeper dive into various topics that I think will be of interest to the FCPA compliance and ethics practitioners out there. But I am getting a bit ahead of myself so back to today’s topic and where we are on the Avon FCPA enforcement action, and the big question of what does it all mean for the compliance practitioner and companies worldwide?

And The Money Kept Rolling Out

Unlike Eva Peron and the Foundacion Eva Peron, Avon had the opposite problem; the money never seemed to stop rolling out for Avon. As the FCPA Professor said in his blog post, entitled “Issues to Consider from the Avon Enforcement Action”, “Avon’s FCPA scrutiny was also very expensive. For years, the whisper in the FCPA community was how expensive – and dragged out – FCPA’s internal investigation and pre-enforcement professional fees and expenses were. Not all companies disclose pre-enforcement action professional fees and expenses, but Avon did and those figures were approximately $500 million”. Even the Department of Justice (DOJ) questioned why the company’s investigative costs were so high.

In an article in Bloomberg News, entitled “Avon Bribe-Probe Clean-Up Neared $500 Million as Sales Cratered”, Tom Schoenberg and David Voreacos reported, “In a 2010 meeting, government officials took the unusual step of questioning why Avon’s legal costs were so high at that point, according to two people familiar with the meeting who weren’t authorized to discuss it publicly. Avon said its legal bills had ballooned in part because the company operated in more than 100 countries without consolidated transaction records, according to one of the people.” The article quoted Matthew Axelrod, former senior Justice Department official, who said, “Though unusual, DOJ may call in company counsel to discuss when an outside law firm is going too far afield from what is necessary.” He added the “DOJ doesn’t want a company to have to spend unnecessary millions of dollars on an internal investigation any more than the company itself does”.

If there is one over-riding lesson for all companies to take away from this enforcement action it is that the cost can quickly spiral far out of control and beyond anything you might budget for. While the events at issue took place in 2003-08, the clear import is that it is much cheaper to spend the money to have a compliance program in place now rather than roll the dice and wait. This may mean you need to look at your internal financial accounting systems to determine if they can be monitored adequately and efficiently, yet in a cost-effective manner. While I have not reviewed the internal controls component of this FCPA enforcement action, it is also clear that internal controls need to be in place to detect, in a timely manner, when something goes askance. Of course, if it is in your corporate culture to lie, cheat and steal, it really does not matter what the standard of your internal controls is because the powers that be will find a way around them.

Will No One Rid Me of This Meddlesome Priest?

Henry II and his famous dictum surely seemed to exist at Avon corporate headquarters. If management wants sales accomplished in any way possible then that is the message that is communicated down the line to the troops in the field. Avon had a Code of Conduct that prohibited bribery and corruption, yet the company’s own internal investigation revealed that most company employees were not even aware such a document existed. There was no such thing as FCPA training at the time of the events in question. But more than simply the message of ‘Make Your Numbers; Make Your Numbers; (and then) Make Your Numbers’, Avon had a culture that actively hid criminal acts. For when credible information came to light that Avon China was violating the FCPA, the company went into full cover-up mode, even ordering the destruction of soft and hard copies of the Draft Audit Report. The cover-up was accomplished at the highest levels of the company, with the settlement documents noting the involvement of Avon Executive 1, Avon Executive 2 (believed to be the head of Avon’s Internal Audit function when he left the company), Avon Executive 3, another senior executive in Avon’s Internal Audit function, and two lawyers, Avon Attorney 1, who was identified as “a senior executive in the Office of the General Counsel at AVON” and Avon Attorney 2 who was identified as “an executive in the Office of the General Counsel at AVON”.

High Reward = High Risk

In their Bloomberg News article, Schoenberg and Voreacos reported that Avon was “among the first companies to obtain a license to sell products directly to consumers – the cornerstone of its business model – after Chinese authorities ended a ban on direct sales in 2006.” Further, “By July 2006, Avon had hired more than 114,000 door-to-door salespeople in China. [Then Avon CEO Andrea] Jung said at the time the company viewed the country as a potential $1 billion market. Sales in China surged 28 percent to $67.2 million in the company’s fourth quarter that year.” This means that in less than one year after receiving its license to do business in China, Avon China had one quarter of sales in excess of $60MM. That is quite a lot of Ding Dong, Avon Calling plus following up that doorbell ringing with some serious sales.

Here the lesson is that if there is a new business opportunity that results in an explosion of sales it is probably because of some high risk involved. That may be financial risk, it may be political instability risk, it may be weather-related risk, it may be currency fluctuations risk or it may be some other type of risk. When a business is regulated down from the national to the provincial to the municipality level, it probably means multiples of government interactions for permits and licenses to do business. The compliance function must be integrated into the business operations of a company well enough to be put on notice when such an opportunity presents itself, perform some type of risk assessment and then plan out and implement a strategy to manage those risks going forward. If the first time the compliance function hears about something askance from a FCPA perspective is when it is brought up by internal audit, it is already too late.

The Compliance Committee and Geronimo’s Cadillac

Just as Michael Murphy’s song Geronimo’s Cadillac was intended to show every irony he could ever think of about American culture in two words, the Avon Compliance Committee was about as ironic; although, admittedly, it is three words. For a corporate Compliance Committee is not simply a vehicle to bring and show off when someone might be around to take pictures. A corporate Compliance Committee has to function and be involved, actively, in an appropriate level of oversight. If a Compliance Committee is informed of credible allegations of a FCPA violation, it simply cannot accept information that it is ‘unsubstantiated’ at a later date. A Compliance Committee must be actively involved in the investigation, it must review the investigation protocol, review information and findings as they become known, direct outside counsel in the investigation and, finally, take charge to remediate the issues involved. It has to have real authority, real power and be taken seriously, not simply have a meaningless title of “Compliance Committee”.

As 2014 draws to a close, I for one am glad that the long Avon FCPA saga has at least come to this stage. For bribe payments totaling over $8MM, Avon has or will pay upwards of $750MM to get through the FCPA Professor’s “three buckets” of FCPA enforcement action costs. This staggering cost should be a clear lesson that now is the time to implement or enhance a compliance program. The number of persons affected by the fallout from this case starts with the former head of the company, Andrea Jung, several high ranking executives, the company’s balance sheet and perhaps even some of the lawyers involved in the investigation of this matter. One of the first things that Jung’s replacement did was bring in new counsel to advise the company. After all, someone had to come up with the low-ball opening bid to the DOJ and Securities and Exchange Commission (SEC) of $11MM and then advise Avon to negotiate in public with them using that figure.

On that note, I wish everyone a safe New Year’s Eve and prosperous New Year.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

December 22, 2014

Alstom Joins Santa’s Naughty List – In a Very Big Way

The North Pole for Foreign Corrupt Practices Act (FCPA) enforcement action announcements seems to have temporarily moved south for the month of December. Last week there was the final announcement of the long-standing Avon FCPA enforcement action. On December 22, 2014, the Department of Justice (DOJ) announced settlement of the Alstom enforcement action. Certainly the DOJ is giving out presents to companies that have been very, very naughty. I am currently exploring the Avon enforcement action over several days of blog posts but I had to interrupt those posts to write something about the Alstom resolution for it was an extremely significant gift for the Chief Compliance Officer (CCO), compliance practitioner and companies going forward.

The Fine

First and foremost was the fine amount. At $772MM it is the highest criminal fine for FCPA violations in the history of the world. Siemens’ prior record of a reported $800MM was a combination of DOJ and Securities and Exchange Commission (SEC) fines and penalties. Alstom was not subject to the jurisdiction of the SEC so there was no component of this amount for either civil books and records or internal controls violations. But for those few remaining dunderheads out there who think their private company status insulates them from FCPA liability: wake up and smell the mistletoe, as the DOJ will be looking for you to smack a big one on. The fine brings the 2014 fine totals up to around $1.5bn, which comes a close second to the record-setting year of 2010, where the total amount of fines was $1.8bn.

Disclosure, Cooperation and Conduct

While I am in the middle of lambasting Avon for its conduct that led to its FCPA violations, one really has to step aside and give some credit to Alstom for some of the worst actions a company can engage in when dealing with bribery and corruption. If there was anyone on the naughty list, it certainly was Alstom. First is the company’s failure to self-disclose its obvious criminal conduct. The second was the clear foot-dragging in dealing with the DOJ during the pendency of the investigation. Finally, to complete this triumvirate of idiocy was the company’s refusal to timely engage in remediation. Dick Cassin, writing in the FCPA Blog, pointed out that Alstom’s conduct included the following:

  • Alstom’s refusal to fully cooperate with the department’s investigation for several years
  • The breadth of the companies’ misconduct, which spanned many years, occurred in countries around the globe and in several business lines, and involved sophisticated schemes to bribe high-level government officials
  • Alstom’s lack of an effective compliance and ethics program at the time of the conduct, and
  • Alstom’s prior criminal misconduct, including conduct that led to resolutions with various other governments and the World Bank.

Individual Prosecutions

Alstom’s conduct was so bad during the investigation that the DOJ obtained indictments against four company executives during the pendency of the investigation. Three of these executives have pled guilty and are awaiting sentencing. Cassin wrote, “Alstom began cooperating only after the DOJ publicly charged several Alstom executives, the government said.” The UK Serious Fraud Office (SFO) has also brought charges against individuals.

Post Acquisition FCPA Liability

I promised a Christmas present for companies out there and neither Santa nor I want to disappoint those not on the naughty list, for the Alstom enforcement action makes clear that the company which is acquiring them, GE, is not responsible for the fine going forward. This enforcement action reinforces the message the DOJ presented in Opinion Release 14-02; that a company which engages in pre-acquisition due diligence, discloses and then remediates the issues after they acquire the entity, can rest easier about purchasing a FCPA violation. For if GE can purchase a company with the clear attitude about doing business in compliance with anti-corruption laws, such as Alstom, with confidence that it will not be subject to a FCPA enforcement action, it means that any other company can do so as well.

Cassin reported, “Alstom SA pleaded guilty to a two-count criminal information in federal court in Connecticut. The DOJ charged the company with violating the Foreign Corrupt Practices Act by falsifying its books and records and failing to implement adequate internal controls. Alstom admitted its criminal conduct…In addition, Alstom Network Schweiz AG, a Swiss subsidiary, pleaded guilty to a criminal information charging it with conspiracy to violate the antibribery provisions of the FCPA.” Finally, “Two U.S. subsidiaries — Alstom Power Inc. and Alstom Grid Inc. — both entered into deferred prosecution agreement with the DOJ. They admitted that they conspired to violate the antibribery provisions of the FCPA.” The settlement documents have not been released as yet but hopefully they will be by the time of the final sentencing hearing before US District Judge Janet B. Arterton in June 2015.

The significance of this enforcement action will reverberate for a long time to come.


The Avon FCPA Settlement, Part I

It is finally done. The long awaited Avon Foreign Corrupt Practices Act (FCPA) enforcement action is on the books. I would say what a long, strange trip it has been but that does not really seem to capture everything that went on in this case. Before we only knew such things as a whistleblower contacting the Chief Executive Officer (CEO) of the company with allegations of bribery in the company’s China business unit, to the Head of Internal Audit being caught up directly in the scandal, put on administrative leave and then terminated; to a professional fee burn rate on the case which would rival the Gross National Product (GNP) of many countries; to Grand Jury subpoenas being issued (or threatened to be issued) to corporate executives to secure their testimony in criminal proceedings; to publicly negotiating with the Department of Justice (DOJ) and Securities and Exchange Commission (SEC); we all thought this FCPA matter had it all. But it turns out just how little we knew about the company’s conduct and just how bad it was which led to this settlement because to say it was bad would demean and belittle the word bad. So over the next few blog posts, I will be exploring Avon, its conduct and the FCPA enforcement action.

For the Record

The amount of the total fines and penalties was $135 million. As noted by the FCPA Professor, “the settlement is the third-largest ever against a U.S. company.” The enforcement action included several resolution vehicles, including a Criminal Information against Avon China resolved via a Plea Agreement; a Criminal Information against Avon Products resolved via a Deferred Prosecution Agreement (DPA) with an aggregate fine amount of $67.6MM. There was a separate SEC resolution through a Civil Complaint against Avon Products, which it agreed to resolve without admitting or denying the allegations through payment. The amount of the SEC settlement was $67.4MM. While the company’s internal investigation began in China, it quickly expanded so that it went far beyond China, including Japan, Argentina, Brazil, India and Mexico.

How Did We Get Here?

It all began back in May 2008, when an employee from Avon’s China business unit sent a letter to the head of the company alleging the China entity had engaged in bribery and corruption. In October 2008, Avon reported, in a Statement of Voluntary Disclosure, that it was investigating an internally reported allegation by an undisclosed whistleblower that corrupt payments had been made in its China operations. These allegations claimed that certain travel, entertainment and other expenses might have been improperly incurred. Although the details of the Avon case have not been disclosed, direct selling was not allowed in China under a law passed in 1998. The National Review reported that Avon was able to secure permission in late 2005 to begin direct selling on a limited basis. Later the Chinese government issued direct-selling regulations and granted Avon a broader license in February 2006 to make such sales.

In its 2009 Annual Report, Avon noted that the internal investigation and compliance reviews, which started in China, had now expanded to its operations in at least 12 other countries and was focusing on reviewing “certain expenses and books and records processes, including, but not limited to, travel, entertainment, gifts, and payments to third-party agents and others, in connection with our business dealings, directly or indirectly, with foreign governments and their employees”. The FCPA Professor, citing the Wall Street Journal (WSJ), reported that Avon suspended four employees, including the President, Chief Financial Officer (CFO) and top government affairs executive of Avon’s China unit as well as a senior executive in New York who was Avon’s head of Internal Audit.

One of the significant pieces of information to come out of the Avon matter is the related costs. As reported in the 2009 Annual Report the following costs were incurred and were anticipated to be incurred in 2010:

Investigative Cost, Revenue or Earnings Loss | Amount
Investigative Cost (2009) | $35 Million
Investigative Cost (anticipated-2010) | $95 Million
Drop in Q1 Earnings | $74.8 Million
Loss in Revenue from China Operations | $10 Million
Total | $214.8 Million

Marketwatch also reported that after these investigations were made public Avon’s stock prices fell by 8%. Lastly, in addition to the above direct and anticipated costs and drop in stock value, the ratings agency Fitch speculated about the possibility of a drop in Avon’s credit ratings. But as bad as these numbers appear they only got worse for Avon as by 2012 its spend on professional fees was estimated to be over $247MM. As of this date, the total professional fees are closer to $300MM.

Grand Jury Investigation and Terminations

The WSJ reported in February 2012 that the DOJ had gone to a grand jury with evidence of FCPA violations against US executives at Avon. Joe Palazzolo and Emily Glazer reported that several company employees were terminated for their role in the scandal. They wrote, “The company said it fired Vice Chairman Charles Cramb on Jan. 29 [2012] in connection with the overseas corruption probe and another investigation into allegedly improper disclosure of financial information to analysts. Mr. Cramb couldn’t be reached for comment. In May [2011], Avon said it fired Ian Rossetter, its former head of global internal audit and security and previously Avon’s head of finance in Asia. Mr. Rossetter didn’t respond to requests for comment and his attorney declined to comment. Bennett Gallina, a senior vice president responsible for the company’s operations outside the U.S. and Latin America, left Avon in February 2011, two days after being put on leave in connection with the internal corruption investigation, the company said at the time.”

Negotiating in Public

I do not know who was advising Avon but the decision to try and force the government’s hand by making public its negotiating position was one of the most bone-headed moves I have seen a similarly situated company make. Avon initially announced that it had opened negotiations with the US government over the terms of a resolution in August 2012. In mid 2013, the FCPA Blog reported that Avon low-balled the SEC with an opening offer of $12MM. Later, in 2013, the company reported in an SEC filing that the “Securities and Exchange Commission offered an FCPA settlement last month with monetary penalties that were ‘significantly greater’ than the $12 million the company had offered.” But not to take such government tactics sitting down, Avon publicly announced in the filing that “Monetary penalties at the level proposed by the SEC staff are not warranted.” That certainly was great information to put out to the public enforcing that you are taking a hardball approach with the SEC and telling them their fines and penalties are not deserved for a company that has gone through all Avon has during this FCPA journey.

As I said, this matter was a long strange journey but as strange as things were that we knew about before last week, they became much stranger. Tomorrow we take a look at the facts that came out through the settlement documents to see the nefariousness of Avon’s conduct.
