FCPA Compliance and Ethics Blog

November 28, 2014

The Network in Houston-FCPA Best Practices: Internal Controls & Compliance Risk Assessments

Filed under: Best Practices,FCPA,Internal Controls,Stephen Martin,The Network — tfoxlaw @ 10:43 am

Downtown HoustonWhen it comes to FCPA compliance, ethics and compliance professionals face the U.S. Sentencing Guidelines’ 7 Elements of an Effective Compliance Program; the 13 Good Practices by the OECD on Internal Controls, Ethics, and Compliance; the UK’s 6 Principles for “Adequate Procedures”; the 9 Hallmarks of Effective Compliance Programs according to the DOJ’s FCPA Guidance… and the list goes on.  It’s essential that companies routinely assess their organizations’ FCPA risk and ensure they have the proper internal controls to effectively comply with the law. If you want to know more about  Internal Controls & Compliance Risk Assessments I hope that you can join me next Thursday, December 4th in Hosuton. The Network is hosting is a complimentary, half-day event for a limited audience in the Houston area, where you’ll have the chance to hear from top ethics and compliance professionals including Stephen Martin, founder and managing director of Baker & McKenzie Compliance Consulting, and myself.

LEARNING OBJECTIVES

  • Baker McKenzie’s 5 Essential Elements of Corporate Compliance
  • Best practice compliance risk assessment methodology
  • How to avoid the 12 common pitfalls of compliance risk assessments
  • What a company’s obligations are regarding internal controls under the FCPA
  • What internal controls are required to meet this obligation
  • How you can determine which internal controls your company needs

AGENDA:

1:00 pm – Registration & Networking
1:30 pm – Welcome & Introductions
1:45 pm – Session 1: Conducting Effective Compliance Risk Assessments
3:15 pm – Networking Break & Solution Demos
3:45 pm – Session 2: Understanding Your Internal Control Obligations
4:45 pm – Group Discussion / Q&A
5:00 pm – Cocktail Reception

=================================================================================================================================================================================================

You can find out more about this exciting and informative event by clicking here.

February 19, 2014

Welcome to the Hotel California: FCPA Enforcement

Hotel CaliforniaThis past weekend I saw The Eagles on their ‘History of The Eagles Tour. It truly was that, a complete musical history of the group, from the beginning in 1971 up until now. They played for well over 3 hours and it was fantastic. The Eagles were at their peak in the 70’s when I was at my peak as a rock and roller, both in high school and college, so the concert was a very memorable experience. In one interesting twist they did not allow videos to be taken of the concert with cell phones or any other types of recordings. Of course the concert ended with song Hotel California and its iconic line “You can check out but you can never leave.”

I thought about that final line and how true it was in the late 70s and how true it is now in the world of international anti-corruption enforcement when I read a front page article in Sunday’s New York Times (NYT), entitled “Eavesdropping Ensnared American Law Firm”, and an blog post by the FCPA Professor, entitled “FCPA Lawyers Would Be Wise to Review Recent Third Circuit Decision”.

We know from the American Spectator article, “Rise of the Surveillance State”, by James Bovard about the National Security Agency (NSA) program ‘Echelon’, which he described as “a spy satellite system run by the National Security Agency along with the United Kingdom, Australia, New Zealand, and Canada. Echelon reportedly scans millions of phone calls, e-mail messages, and faxes each hour, searching for key words.” Further, Bovard stated, “A February report by the European Union alleged that Echelon has been used for economic espionage. Former CIA Director James Woolsey told a German newspaper in early March that Echelon collects “economic intelligence.”” One example Woolsey gave was espionage aimed at discovering when foreign companies are paying bribes to obtain contracts that might otherwise go to American companies. Woolsey elaborated on his views in a March 17, 2001 Wall Street Journal (WSJ) Op-Ed piece, justifying Echelon spying on foreign companies because some foreigners do not obey the Foreign Corrupt Practices Act (FCPA).

After the NYT article, we know that US law firms can also fall under surveillance. The firm of Mayer Brown was monitored by the NSA’s Australian counterpart, the Australian Signals Directorate (ASD), regarding work the law firm was doing for the government of Indonesia in trade disputes with the US. It is of no consequence that it was the Australians doing the spying as under the “Five Eyes Alliance”, Australia is one of five countries the US shares intel with and agrees not to spy on. While most Americans would understand the need to place those dealing with terrorists under surveillance, the need to monitor US law firms giving legal advice in a legal trade dispute seems one or two steps past the safety of the US homeland. While only mentioned in the article, I also wonder about the effect of this surveillance on the attorney-client privilege, the basic reason that clients come to lawyers, for confidential legal advice. If you know that you are susceptible to espionage, why would a client ever trust the confidentiality of your communications or even that they are confidential to start with. Moreover, if you know you are subject to surveillance, is the privilege destroyed if a country does so and passes the information along to the US?

Equally unsettling as the revelations in the NYT article is the FCPA Professor’s report on a Third Circuit, Court of Appeals decision, entitled “In Re: Grand Jury Subpoena”. In this matter, an attorney was consulted on an international transaction, which was described as follows: “In April 2008, Client approached Attorney to discuss issues he was having with the project. Client explained that he planned on paying Banker in order to ensure that the project progressed swiftly, as Banker was threatening to slow down the approval process. Attorney did some preliminary research, found the FCPA, and asked Client whether the Bank was a government entity and whether Banker was a government official. Although Attorney could not ascertain given his limited research whether the planned action was legal or illegal, he advised Client not to make the payment. Despite this advice, Client insisted that his proposed payment did not violate the FCPA, and informed Attorney that he would go ahead with the payment. Attorney gave Client a copy of the FCPA. After this communication, Attorney and Client ended their relationship.” The opinion stated that the Client made a payment to the banker’s sister.

In other words, the client came for legal advice regarding an international transaction, the attorney advised against the transaction in question but the client did so against the advice of his attorney and the attorney thereafter terminated the relationship. There was no evidence the lawyer advised the client how to violate the FCPA or in any way helped the client ‘get around’ the law.

The attorney-client privilege is not sacrosanct. There are some limited exceptions to it and one of those is the ‘crime-fraud exception’ which the Court of Appeals explained is, “To circumvent [the attorney-client] privilege under the crime-fraud exception, the party seeking to overcome the privilege . . . must make a prima facie showing that (1) the client was committing or intending to commit a fraud or crime, and (2) the attorney-client communications were in furtherance of that alleged crime or fraud.” (All citations omitted) But, in this case, there was no evidence presented that the attorney involved gave advice that was in the furtherance of a crime but only that “The communication between Attorney and Client was brief, and consisted mainly of informing Client on the applicable law and advising that he not make the payment. However, we believe that the questions posed by Attorney to Client and the information that Client could gain from those questions are sufficient for us to conclude that the District Court did not abuse its discretion in determining that the advice was used in furtherance of a crime or fraud.”

What were the questions posed by the client or put another way, what was the legal advice sought by the client? The Court stated, the “questions about whether or not the Bank was a governmental entity and whether Banker was a government official would have informed Client that the governmental connection was key to violating the FCPA. This would lead logically to the idea of routing the payment through Banker’s sister, who was not connected to the Bank, in order to avoid the reaches of the FCPA or detection of the violation. Of course, it is impossible to know what Client thought or how he processed the information gained from Attorney. But the District Court did not abuse its discretion in determining that Client “could easily have used [the advice] to shape the contours of conduct intended to escape the reaches of the law.””

What does the spying on a US law firm and this court decision invalidating the attorney-client privilege mean for FCPA enforcement? I think that it means if you find yourself in the position of having violated the FCPA; your company now has an even greater incentive to self-disclose. If you are a non-US based company subject to the FCPA, the NSA is watching you. Further, if you are a non-US company, which seeks legal advice, you are now on notice that US laws firm are being spied on. Lastly, if you have violated the FCPA and seek legal advice; it may well come to pass that the lawyer whose advice you sought, can be compelled to testify about those conversations. So in the words of The Eagles, if you engage in conduct that arguably violated the FCPA, you can check out but you can never leave.

———————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————–

If you will be in Dallas this coming Thursday, February 20, I hope that you will join myself and fellow FCPA Blog Contributor Marc Bohn at the Corporate Compliance Summit on 2014 FCPA Concerns You Cannot Afford to Ignore. The event is complimentary and is sponsored by The Network. You can check it out and register by clicking here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

January 27, 2014

The Abbey Grange, the Quality of Justice and Codes of Conduct

Abbey GrangeIn honor of the return of Sherlock Holmes to PBS with Season 3, I begin a week of Sherlockian themed posts. Today we consider the quality of justice that Holmes discussed in The Abbey Grange, he allowed a man who murdered a wife-abusing husband to go free. Holmes concern with justice, as opposed to simply following the letter of the law, is an excellent introduction into the subject of Codes of Conduct.

What is the value of having a Code of Conduct? I have heard many business folks ask that question over the years. In its early days, a Code of Conduct tended to be lawyer-written and lawyer-driven to “wave in a defense situation” by claiming that “see we have one”. But is such a legalistic code effective? Is a Code of Conduct more than simply, your company’s law? What is it that makes a Code of Conduct effective? What should be the goal in the creation of your company’s Code of Conduct?

Carol Switzer, President of the Open Compliance and Ethics Group (OCEG), explored some of these questions in a recent article in Compliance Week, entitled “The Code of Conduct Conundrum”. As a part of her article, Switzer interviewed Jimmy Lin, Vice President (VP) of Product Management and Corporate Development at The Network and Kendall Tieck, VP of Internal Audit at Workday, for their thoughts on what makes an effective Code of Conduct.

Tieck views a Code of Conduct as not simply a static piece of paper or document but “but as a set of expected behaviors that are integral to the fabric of the business and an organization’s value system. A Code of Conduct is not a compliance activity, but how an entity demonstrates integrity and acquires trust from markets, shareholders, customers, partners, and governments. To achieve these outcomes, a careful plan, aligned with a policy lifecycle management framework, should articulate how the Code is integrated in the core of the company’s activities and culture.”

Switzer believes that one of the key components of a best practices Code of Conduct is to integrate the connection between a business’ objectives, its risk and compliance management. There are numerous factors, which can move a company towards having such an effective integration. Switzer wrote that some of these include, “external stakeholder expectations and pressures, internal culture and context, objectives for the code, process of development and implementation, content of the code, consequences for non-conforming conduct, strength of sub-codes (e.g. policies), and employee character.”

In a GRC Illustrated series, provided with Switzer’s article, entitled “The Next Generation Code of Conduct”, lays out six steps for the compliance practitioner to think through and implement during a Code of Conduct upgrade or rewrite. These six steps are (1) design; (2) deliver; (3) interact; (4) measure; (5) maintain; and (6) improve.

Design

Under this step, a company needs to define the behavior that it desires to inspire and allow employees to collaborate at all levels. Lin said that a key aspect was relevancy, “But times change—business environments change, cultures change, risk appetites change. We all need to keep in mind that the Code, the ultimate policy, should not be a stale document on the shelf. It needs to inspire, engage, and change with the organization.” Tieck said that your Code of Conduct should be “considered a part of the entity’s overall policy landscape. Leveraging an effective policy lifecycle management framework will promote integration and alignment across the policy governance landscape.”

Deliver

Switzer also identified the delivery of a Code of Conduct as a key element of its effectiveness. She said, “modern communication methods that allow the user to engage, interact, and research further behind the Code into related policies, procedures, and helplines for additional guidance can be better monitored and measured. Code content that is integrated with efforts to monitor changes in the external and internal environment can be updated as needed rather than on a static schedule.” This should also include relevant third parties such as suppliers and sales agents. “And failure to comply with the Code can be better identified and tracked, indicating possible need for clarification, additional training, or better screening of employees.”

Interact

Lin pointed out that a Code of Conduct is both a corporate governance document and a marketing document. As such you will need to create a marketing campaign to get the message of your Code of Conduct out to not only your employee base but also relevant third parties, such as suppliers and agents. If you have a large number of non-English speaking personnel or employees without access to online training, these factors needs to be considered when determining the delivery method.

Measure

Initially, you should prioritize both qualitative results with positive feedback by including such metrics as speed of completion, reminders, which must be sent to facilitate completion of Code of Conduct training, and the percent of employees and third parties who attest to review of your Code of Conduct. You should also measure the effectiveness of your communication campaign. Tieck suggests drilling down further because each component of your Code of Conduct sets “an expected behavior. Selecting a few critical behaviors to measure and monitor may be adequate for most organizations. These selected measures might represent an aggregate measure of the overall conformance to the code. Large organizations may be able to mine HR data to capture statistics associated with the identified behaviors. For instance, termination reason codes may be one source.”

Maintain

All commentators note that it is important to keep your Code of Conduct design and conduct fresh. One of the ways to do so is by employee feedback, which can assist you in identifying if your Code of Conduct is not only effective, but truly reflective of your company’s culture. Lin pointed out that to gain these insights you need to incorporate both formal and informal techniques for gauging the relevant employee and third party populations. Some of these techniques include “Questionnaires, surveys, forms and hotlines can be good anonymous sources, but engaging employees in conversation is just as, if not more, important. Make sure executives and managers alike spend time in small-group and one-on-one conversations. Have these conversations throughout the year and across your employee base to get the “real” story. This helps engage the employees and ensure they know you value their input.”

Improve

OCEG advocates that your Code of Conduct should be evaluated for revision at least every two years. This should be done to keep abreast of the changes in laws and regulations and your own business operations and risk tolerances. Switzer said that “Code content that is integrated with efforts to monitor changes in the external and internal environment can be updated as needed rather than on a static schedule.”

Switzer ends her piece by relating that there is a huge benefit to a company for a well thought out Code of Conduct, as a tool to drive both corporate values and sinew the expectations of conduct into the fabric of the company. By designing a Code of Conduct, which can be measured for effectiveness, you can continuously keep the goals moving forward and as Holmes did in the Abbey Grange, further your cause beyond the simple letter of the law.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

Blog at WordPress.com.