FCPA Compliance and Ethics Blog

November 17, 2014

Opinion Release 14-02: Dis-Linking The Illegal Conduct Going Forward

One of my favorite words in the context of Foreign Corrupt Practices Act (FCPA) enforcement is dis-link. I find it a useful adjective in explaining how certain conduct by a company must be separated from the winning of business. But it works on so many different levels when discussing the FCPA. Last week I thought about this concept of dis-linking when I read the second Opinion Release of 2014, that being 14-02. One of the clearest ways that the Department of Justice (DOJ) communicates is through the Opinion Release procedure. This procedure provides to the compliance practitioner solid and specific information about what steps a company needs to take in the pre-acquisition phase of due diligence. However, 14-02 directly answers many FCPA naysayers’ long incorrect claim about how companies step into FCPA liability through mergers and acquisitions (M&A) activity.

From the Opinion Release it was noted that the Requestor is a multinational company headquartered in the United States. Requestor desired to acquire a foreign consumer products company and its wholly owned subsidiary (collectively, the “Target”), both of which are incorporated and operate in a foreign country, never issuing securities in the United States. The Target had negligible business contacts in the US, including no direct sale or distribution of their products. In the course of its pre-acquisition due diligence of the Target, Requestor identified a number of likely improper payments by the Target to government officials of Foreign Country, as well as substantial weaknesses in accounting and recordkeeping. In light of the bribery and other concerns identified in the due diligence process, Requestor also detailed a plan for remedial pre-acquisition measures and post-acquisition integration steps. Requestor sought from the DOJ an Opinion as to whether the Department would then bring an FCPA enforcement action against Requestor for the Target’s pre-acquisition conduct. It was specifically noted that the Requestor did not seek an Opinion from the Department as to Requestor’s criminal liability for any post-acquisition conduct by the Target.

Improper Payments and Compliance Program Weaknesses

In preparing for the acquisition, Requestor undertook due diligence aimed at identifying, among other things, potential legal and compliance concerns at the Target. Requestor retained an experienced forensic accounting firm (“the Accounting Firm”) to carry out the due diligence review. This review brought to light evidence of apparent improper payments, as well as substantial accounting weaknesses and poor recordkeeping. The Accounting Firm reviewed approximately 1,300 transactions with a total value of approximately $12.9 million with over $100,000 in transactions that raised compliance issues. The vast majority of these transactions involved payments to government officials related to obtaining permits and licenses. Other transactions involved gifts and cash donations to government officials, charitable contributions and sponsorships, and payments to members of the state-controlled media to minimize negative publicity. None of the payments, gifts, donations, contributions, or sponsorships occurred in the US, none were made by or through a US person or issuer and apparently none went through a US bank.

The due diligence showed that the Target had significant recordkeeping deficiencies. Nonetheless, documentary records did not support the vast majority of the cash payments and gifts to government officials and the charitable contributions. There were expenses that were improperly and inaccurately classified. It was specifically noted that the accounting records were so disorganized that the Accounting Firm was unable to physically locate or identify many of the underlying records for the tested transactions. Finally, the Target had not developed or implemented a written code of conduct or other compliance policies and procedures, nor did the Target’s employees show an adequate understanding or awareness of anti-bribery laws and regulations.

Post-Acquisition Remediation

The Requestor presented several pre-closing steps to begin to remediate the Target’s weaknesses prior to the planned closing in 2015. Requestor aimed to complete the full integration of the Target into Requestor’s compliance and reporting structure within one year of the closing. Requestor has set forth an integration schedule of the Target that included various risk mitigation steps, dissemination and training with regard to compliance procedures and policies, standardization of business relationships with third parties, and formalization of the Target’s accounting and record-keeping in accordance with Requestor’s policies and applicable law.

DOJ Analysis

The DOJ noted black-letter law when it stated, “It is a basic principle of corporate law that a company assumes certain liabilities when merging with or acquiring another company. In a situation such as this, where a purchaser acquires the stock of a seller and integrates the target into its operations, successor liability may be conferred upon the purchaser for the acquired entity’s pre-existing criminal and civil liabilities, including, for example, for FCPA violations of the target.” However, this is tempered by the following from the 2012 FCPA Guidance: “Successor liability does not, however, create liability where none existed before. For example, if an issuer were to acquire a foreign company that was not previously subject to the FCPA’s jurisdiction, the mere acquisition of that foreign company would not retroactively create FCPA liability for the acquiring issuer.”

This means that, because none of the payments were made in the US, none went through the US banking system and none involved a US person or entity, the acquisition would not lead to a creation of liability for the acquiring company. Moreover, there would be no continuing or ongoing illegal conduct going forward because “no contracts or other assets were determined to have been acquired through bribery that would remain in operation and from which Requestor would derive financial benefit following the acquisition.” Therefore there would be no jurisdiction under the FCPA to prosecute any person or entity involved after the acquisition.

The DOJ also provided this additional information, “To be sure, the Department encourages companies engaging in mergers and acquisitions to (1) conduct thorough risk-based FCPA and anti-corruption due diligence; (2) implement the acquiring company’s code of conduct and anti-corruption policies as quickly as practicable; (3) conduct FCPA and other relevant training for the acquired entity’s directors and employees, as well as third-party agents and partners; (4) conduct an FCPA-specific audit of the acquired entity as quickly as practicable; and (5) disclose to the Department any corrupt payments discovered during the due diligence process. See FCPA Guide at 29. Adherence to these elements by Requestor may, among several other factors, determine whether and how the Department would seek to impose post-acquisition successor liability in case of a putative violation.”

Discussion

Mike Volkov calls it ‘reading the tea leaves’ when it comes to what information the DOJ is communicating. However, sometimes I think it is far simpler. First, and foremost, 14-02 communicates that there is no such thing as ‘springing liability’ to an acquiring company in the FCPA context, nor such a thing as buying a FCPA violation simply through an acquisition; there must be continuing conduct for FCPA liability to arise. Most clearly beginning with the FCPA Guidance, the DOJ and Securities and Exchange Commission (SEC) have communicated what companies need to do in any M&A environment. While many compliance practitioners had only focused on the post-acquisition integration and remediation, the clear import of 14-02 is to re-emphasize the importance of the pre-acquisition phase.

Your due diligence must begin in the pre-acquisition phase. The steps taken by the Requestor in this Opinion Release demonstrate some of the concrete steps that you can take. Some of the techniques you can use in the pre-acquisition phase include (1) having your internal or external legal, accounting, and compliance departments review a target’s sales and financial data, its customer contracts, and its third-party and distributor agreements; (2) performing a risk-based analysis of a target’s customer base; (3) performing an audit of selected transactions engaged in by the target; and (4) engaging in discussions with the target’s general counsel, vice president of sales, and head of internal audit regarding all corruption risks, compliance efforts, and any other major corruption-related issues that have surfaced at the target over the past ten years.

Whether you can make these inquiries or not, you will also need to engage in post-acquisition integration and remediation. 14-02 provides you with some of the steps you need to perform after the transaction is closed. If you cannot perform any or even an adequate pre-acquisition due diligence, the time frames you put in place after the acquisition closes may need to be compressed to make sure that you are not continuing any nefarious FCPA conduct going forward. But it all goes back to dis-linking. If a target is engaging in conduct that violates the FCPA but the target itself is not subject to the jurisdiction of the FCPA, you simply cannot afford to allow that conduct to continue. If you do allow such conduct to continue you will have bought a FCPA violation and your company will be actively engaging and participating in an ongoing FCPA violation. That is the final takeaway I derive from this Opinion Release; it is allowing corruption and bribery to continue which brings companies into FCPA grief. Opinion Release 14-02 provides you a roadmap of the steps you and your company can take to prevent such FCPA exposure.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

October 16, 2014

Implementing compliance programme at the emerging markets of the former Soviet Union

Ed. Note: today we have a guest post from Timur Khasanov-Batirov, Chief Compliance Officer at DTEK and Co-Chairman at Compliance Club of the American Chamber of Commerce in Ukraine. He can be reached at tkhasanovbatirov@gmail.com.

It will be a challenge. I mean to build a program that will give you at least a certain level of comfort in the Russian, Kazakh or Ukrainian business reality. The obstacles are well known: a high level of corruption, transforming economies, ambiguous laws. And here goes the main problem: do people (including you) believe that it is possible to act ethically in these markets? There are some thoughts below which hopefully could give an idea about ways to manage the risks of those profitable but extremely risky jurisdictions.

Define the Scope of the Programme

In-house rules of the game, traditionally incorporated in the Code of Ethics and anticorruption norms, are a must-have minimal standard. It is a pretty obvious custom. You should also think about compliance with the sanctions regime imposed by the USA/EU on both Russians and Ukrainians. There is always a risk that your business is dealing with an entity ‘controlled’ by a blacklisted person. Considering the pretty wide interpretation of the ‘control’ concept by the Western regulators, just be sure that there is at least a minimal control aimed at checking whether those bad guys are among your current counterparties, and a system for preventing cooperation with them.

Who is in the Ethics Dream Team?

There is always someone who supports ethical behavior and a few who say it is impossible to implement ethical behavior in a local business reality. Just as, probably, in many other countries. Tone at the Top is critical for success here. Unless you have it, you are playing Russian roulette. Here is the reason. Locals are used to facing corruption and fraud in both their daily and professional lives in many spheres. They know that often the right words of their managers are not supported by real actions. Thus they might find it natural to participate in or not to report unethical acts, which could lead to regulatory enforcement against your company and sometimes you personally. So find out who in your team is really devoted to ethics on different levels of the corporate hierarchy to support your compliance efforts. It will facilitate the process and allow you to win the hearts of your employees. Just have in mind that out there folks are used to following people they trust rather than following written instructions.

Risks Are Everywhere

Emerging markets are risky markets. A risk-based approach is the platform for the decision-making process. You may accept a compliance risk, transfer it to a third party, or mitigate it, but in any case be sure that it is a well-informed decision. In the reality of Russia and Ukraine, specifically consider compliance risks in the areas relating to obtaining licenses, taxation (see for example Archer Midland case of 2013 in Ukraine), customs clearance, and occupational fraud (mainly kickbacks in bidding). Local consultants offering services on obtaining governmental permits are in the majority of cases tied to the officials from the governmental bodies responsible for issuance of such permissions. Just have it in mind. US criminal enforcement does not excuse those managers who do not ask questions. Thus ‘willful blindness’ is also punished.

Devoted Compliance Personnel

A few criteria for selecting the right safeguards of your corporate integrity in oil-rich Kazakhstan, Russia or Ukraine. They should really care about what they are doing, have access to the senior managers, know anticorruption rules, wish to solve the problems, and help employees who approach them. And say ‘No’ when ‘No’ should be said.

Is It Really Allowed to Raise Concern?

Here the corporate culture comes into the light. By default your employees in Russia, Kazakhstan or Ukraine will not ring the corporate bell even if they clearly see the misconduct. They are not used to it. There is a recipe to minimize risks of corruption or unethical acts in this particular region. First, duly investigate raised concerns. Investigation reports should be escalated to the senior management level for consideration (for example, to the Compliance/HR committee or regional director). It is very important to ensure that a viable and clear corporate ‘verdict’ becomes an outcome of such consideration. Double check whether it was enforced by your subsidiaries in that region.

Second, show people that you have cured the problem. It is not about naming bad guys but rather indicating in the corporate mass media the typical types of bad behavior which were detected and stopped. To ensure your staff in this region will raise concerns, protect the whistleblowers. It will be the biggest difficulty. The local culture does not tolerate them. Unless you give a level of comfort to whistleblowers, you will not fully control the company and might face violations which lead to investigations, dismissals and penalties.

While it is impossible to predict all compliance risks generated by the CIS markets, for sure a trustworthy corporate atmosphere, along with the genuine will of the key managers to do the right things, could significantly mitigate risk exposure.

September 30, 2014

Discipline and Rigor in Your Internal Controls

In a recent New York Times (NYT) Op-Ed by David Brooks, entitled “The Good Order”, he discussed how routine can lead to creativity. He cited the example of three well-known authors whose habits included the following. “Maya Angelou would get up every morning at 5:30 and have coffee at 6. At 6:30, she would go off to a hotel room she kept — a small modest room with nothing but a bed, desk, Bible, dictionary, deck of cards and bottle of sherry. She would arrive at the room at 7 a.m. and write until 12:30 p.m. or 2 o’clock.” Another example was John Cheever, who “would get up, put on his only suit, ride the elevator in his apartment building down to a storage room in the basement. Then he’d take off his suit and sit in his boxers and write until noon. Then he’d put the suit back on and ride upstairs to lunch.” Finally, there was the example of Anthony Trollope, who “would arrive at his writing table at 5:30 each morning. His servant would bring him the same cup of coffee at the same time. He would write 250 words every 15 minutes for two and a half hours every day. If he finished a novel without writing his daily 2,500 words, he would immediately start a new novel to complete his word allotment.” Brooks’ thesis for his piece seemed to be summed up by a quote from Henry Miller (of all people), “I know that to sustain these true moments of insight, one has to be highly disciplined, lead a disciplined life.” Sort of gives a whole new meaning to the word ‘discipline’.

However moving back to somewhat salacious concepts, I thought about those words in the context of internal controls around a Foreign Corrupt Practices Act (FCPA) compliance program. Brooks’ thoughts on building and maintaining order inform today’s post. In the area of internal controls, I believe it is incumbent to consider not only the most obvious risk areas for your internal controls but also the universe of potential transactions within the operations of a particular company. Once again relying on my friend and internal controls expert Henry Mixon I queried him about some of the other types of internal controls a company should consider around gifts, travel, business courtesies and entertainment.

One area that companies need to be mindful of is corporate checks and wire transfers, in response to falsified supporting documentation, such as check requests, purchase orders, or vendor invoices. Here Mixon believes that the Delegation of Authority (DOA) is a critical internal control. So, for example a wire transfer of $X between company bank accounts in the US might require approval by the Finance Manager at the initiating location and one officer. However, a wire transfer of $X to the company’s bank account in Nigeria, could require approval by the Finance Manager, a knowledgeable person in the Compliance function, and one officer. The key is that the DOA should specify who must give the final approval for such an expense.

I asked Mixon about checks drawn on local bank accounts in locations outside the US, “off books” bank accounts (commonly known as slush funds), and petty cash disbursements in locations outside the US; the unique control issues regarding locations outside the US will be discussed in a future podcast. Some petty cash funds outside the US have small balances but substantial throughput of transactions. In this instance, Mixon said that the DOA should address replenishment of petty cash funds in countries outside the US, as well as approval of expense reports for employees who work outside the US, including those who travel from the US to work outside the US.

Another area for concern is travel, the reason for this being that a company’s corporate travel department and independent travel agencies can buy tickets, hotel rooms, etc., for non-employees. Mixon noted that internal controls might be needed to ensure policies are enforced when travel for non-employees can be purchased through a corporate travel department or through independent travel agencies. As was demonstrated with GlaxoSmithKline PLC (GSK) in China, a company must not discount the risk related to abuse of power internally and collusion with independent travel agencies. Mixon advises that you should implement procedures to ensure compliance with your company policies regarding payment of travel and related expenses for third parties, for not only visits to manufacturing or job sites but also any compliance restrictions that might be in place.

An area for fraud, corruption and corporate abuse has long been Procurement Cards or “P-Cards”. Mixon cautions that if your company uses procurement cards, assume this to be a very high-risk area, not just for FCPA but also for fraud risk generally. Banks have done a great selling job to corporations for the use of P-Cards to help to facilitate “cash management” but, more often than not, they can simply be a streamlined way to allow embezzlement and misbehavior to go undetected. Here a control objective should be put in place along the lines of a written policy and procedures defining the acceptable and unacceptable use of company Procurement Cards, required forms, required approvals, documentation and review requirements.

An interesting analogy that Mixon used is that misbehavior, like water, seeks its own level. Mixon explained that this meant if the pre-approval process and strong controls over expense reports prevent misbehavior, employees who wish to misbehave will seek other ways to do it where controls are not so strong. This means you should use your risk assessment process to help prioritize where controls are most needed. If your company prohibits gifts and any travel other than for the submitting employee from being included in the expense report, you should consider requiring instead a check request form be used, which, Mixon noted, would be subject to stringent controls. He added that in such cases a checklist should be completed and attached to the check request which includes questions and disclosures designed to flush out exactly what was provided in the way of a business class airline, pocket money, event tickets, side trips, leisure activities, spouses or other relatives who might be traveling and why the travel had business purpose. Such an internal control would allow for a more streamlined processing of expense reports and still elevates the gifts/travel items to the appropriate level of review and requires appropriate documentation.

I inquired as to why a Compliance Officer relies on the audit controls that are in place regarding gifts because in many companies, internal audits of expense reports are common. Mixon noted that it is important to keep in mind that, with respect to gifts, internal audits most often constitute, at best, a detect control, which only gives comfort for some historical period and is not necessarily representative of the controls in place to prevent future violations. So, it will be a false sense of security if a Compliance Officer relies on the internal audit of expense reports to be the control needed over violation of Gift policies.

I thought about one line in Brooks’ piece, which seemed to echo Mixon’s thoughts on internal controls, where Brooks wrote, “Building and maintaining order…requires toughness of mind and rigid discipline to properly serve your own work.” By having the rigor to institute and enforce the types of internal controls Mixon has identified, you can go a long way towards detecting and more importantly preventing a FCPA violation from occurring.


August 19, 2014

A Surprise in Progressive Rock – FCPA Internal Investigations

This past weekend I saw some great bands and heard some great music. On Friday night I finally got to see Yes perform two fabulous albums, Close to the Edge and Fragile complete uncut and straight through. To say I was blown away would be putting it mildly. But there was one great revelation that I received from the show and that was the opening band, Syd Arthur. They are an English band, from Canterbury, and very much the inheritors of the prog rock mantle from bands such as Yes. Their sound was simply amazing and if you are into progressive rock at all, I would suggest you check them out.

I thought about my surprise on finding a more current and certainly younger band so proudly carrying the prog rock mantle when I returned back to Houston and was contacted by a reporter asking for my comments about the appeal of Shell v. Writt to the Texas Supreme Court. For those compliance practitioners amongst you who may have placed this state court libel action to the recesses of your mind or never even heard about it; it is something you should pay attention to as the case has some clear implications about the manner in which companies conduct and use internal investigations.

The case has a long, involved Foreign Corrupt Practices Act (FCPA) history. It involves Panalpina and its customer Shell. David Smyth, in his great blog Cady Bar the Door, reported, in a post entitled “Texas Court of Appeals Has Put Some FCPA Internal Investigations in an Awkward Spot”, that the Department of Justice (DOJ) contacted Shell about its dealings with Panalpina. Sometime later, “Shell agreed to conduct an internal investigation into its dealings with Panalpina. As Shell’s “managing counsel” later testified, “Shell agreed to conduct the internal investigation with the understanding that it would ultimately report its finding to the DOJ . . . .” A DOJ Fraud Section attorney wrote a follow-up letter noting, “[I]t is our understanding that Shell intends to voluntarily investigate its business dealings with Panalpina Inc. and all other Panalpina subsidiaries and affiliates.”” Unfortunately for all involved, “Shell submitted an investigative report that pointed the finger at Writt. Specifically, Shell said Writt had been involved in illegal conduct in a Shell Nigerian project by recommending that Shell reimburse contractor payments he knew to be bribes and failing to report illegal contractor conduct he was aware of.”

Writt sued Shell for libel and Shell defeated Writt at the trial court on the basis that it had an “absolute privilege to say what it did in its investigative report to the DOJ.” In Texas absolute privilege applies because the unfettered flow of information to the judicial system and administrative proceedings is favored over the worry that someone might be wrongly named in such information.

However, a Texas Court of Appeals reversed the trial court ruling holding that absolute privilege does not apply where a party voluntarily turns over information to a prosecutor before a judicial proceeding is initiated or contemplated.

As Smyth explained, “In the court’s view, DOJ was acting purely in a prosecutorial and non-judicial capacity.  Shell submitted its investigative report on February 5, 2009, and DOJ did not file a criminal complaint against the company until November 2010, 20 months later.  As the court said, “Just because the DOJ ultimately filed a judicial proceeding against Shell does not establish that it was proposing that one be filed when it contacted Shell on July 3, 2007 or received Shell’s report on February 5, 2009.””

Shell has appealed this matter to the Texas Supreme Court. Under Texas law, an appeal to the Texas Supreme Court is discretionary and at this point, the Texas Supreme Court has not indicated whether it will accept the case. Interestingly the US Chamber of Commerce submitted a letter brief, on behalf of its members, urging the Texas Supreme Court to accept the case for review. In its penultimate paragraph it states, “At the end of the day, it is an unavoidable truth that any business that wishes to be a good corporate citizen by reporting its FCPA violations to regulators will necessarily implicate its own employees of wrongdoing. Thus, any rule that imposes costs on a company implicating its employees in wrongdoing will necessarily chill voluntary reporting of FCPA violations and impose unfair burdens on those companies who nonetheless choose to self-report.”

One of the more interesting arguments made by the Chamber was that there is currently enough incentive for companies to get investigations right. While noting that the Court of Appeals had worried about the “concern that absolute immunity from suit might motivate parties to “deflect blame” for FCPA violations onto its employees “without fear of consequence””; the Chamber said, “But there are more effective ways to prevent false reports. For example, false statements to government officials are already a crime punishable under 18 U.S.C. § 1001. Moreover, a false report against an employee would also implicate the business itself. After all, corporations act through their employees. Far from deflecting blame, then, a false accusation of an FCPA violation against an employee would incriminate the company as well.”

The real problem with this argument is that it leaves no remedy for any employee who is wrongly accused (libeled in legal parlance) in an internal FCPA investigation report. It has always been against the law to give false reports to government officials so nothing is new in that argument. One might argue that the civil justice system is better to evaluate such wrongful claims. But Smyth points to another reality when he ended his piece with the following, “FCPA investigations these days are a different animal, and probably deserving of different treatment by the courts.  As of now, a company conducting an internal FCPA investigation in Texas has to ask, what do we do if one of an investigation reveals one of our employees as a bad actor?  Do we say as much in the report we turn over to the government, as the government surely expects? If we do, are we signing on for libel litigation by the employee?”

Whatever the Texas Supreme Court decides, this case points to the need to do your best to get it right. That means having an investigation protocol that you can follow. It may mean having outside counsel handle an investigation when it is appropriate. If you conclude that one or more of your employees has violated the FCPA, you need to be able to back up that assertion with facts, evidence and reasonable inferences therefrom.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

June 2, 2014

The Mann Gulch Fire and How Far Down the Chain Do You Need to Go?

Robert Sallee died last week. A smoke jumper, he was the last survivor of the Mann Gulch Fire, one of the worst disasters in the history of the US Forest Service. Sallee’s story and that of the Mann Gulch Fire was detailed in Norman Maclean’s posthumously published book, Young Men and Fire. There are only a handful of books I have ever read that drove me to tears and this was one of them. It was that powerful to me.

As reported in Sallee’s obituary in the New York Times (NYT), “In 1978, both Mr. Rumsey [one of two other survivors out of 15 men] and Mr. Sallee went back to Mann Gulch with Mr. Maclean, whose detailed account of their recollections and their court testimony fails to unravel precisely what happened; rather, it succeeds in illustrating the terror of being caught in such a monstrous natural maelstrom. Mr. Maclean wrote: “Sallee talks so often about everything happening in a matter of seconds after he and Rumsey left Dodge’s fire that at first it seems just a manner of speaking. But if you combine the known facts with your imagination and are a mountain climber and try to accompany Rumsey and Sallee to the top, you will know that to have lived you had to be young and tough and lucky.””

Sallee was only 17, and not yet a high school graduate, at the time of the Mann Gulch Fire; he had only just finished his fire service training course. The Mann Gulch jump was his first as a smoke jumper. The Forest Service was “accused of insufficiently preparing the smoke jumpers and sending them into Mann Gulch recklessly.” One of the Forest Service’s responses was to increase its research into fire behavior and also “to develop new training techniques and better safety measures for its firefighters.” As you might be able to ascertain from my lengthy discussion of Maclean’s book and the event itself, I am still moved by the story of the Mann Gulch Fire. When I was growing up I thought smoke jumpers were about the bravest men I had ever heard of, parachuting into the wilderness to fight wildfires.

What are the lessons for the compliance practitioner? As with many such events, it is to evaluate factors from the risk perspective. One of the questions I am often asked is how far down the chain a company must go in managing its third party relationships. While a black book legal answer is that you are responsible for all your third parties down the chain under the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act, the practical reality is that a company cannot manage all of its direct relationships and those direct relationships’ sub-relationships. They are too far down the chain and too remote to effectively control.

Jan Farley, the Chief Compliance Officer (CCO) at Dresser-Rand, has said that it is important for compliance officers not to stretch a compliance program so thin in trying to cover everything that they miss the larger FCPA or UK Bribery Act risks that their company faces. I believe Jan’s comments also echo something that I believe is clear from the Guidance: Don’t focus on the small stuff. Indeed the Guidance states, “Thus, it is difficult to envision any scenario in which the provision of cups of coffee, taxi fare, or company promotional items of nominal value would ever evidence corrupt intent, and neither DOJ nor SEC has ever pursued an investigation on the basis of such conduct.” In other words, do not waste your compliance time, resources or energy on these small issues. However, if these small issues are a part of a larger systemic or long standing course of conduct that violates the FCPA then the Department of Justice (DOJ) may well look into these issues. You will want to show the DOJ you are focusing on the “big stuff”.

The Guidance also makes clear that each company should assess and manage its risks. The Guidance specifically notes that small and medium-size enterprises likely will have different risk profiles and therefore different attendant compliance programs than large multi-national corporations. Moreover, this is something that the DOJ and Securities and Exchange Commission (SEC) take into account when evaluating a company’s compliance program in any FCPA investigation. This is why a “Check-the-Box” approach is not only disfavored by the DOJ, but, at the end of the day, it is also ineffectual. It is because each compliance program should be tailored to the enterprise’s own specific needs, risks, and challenges.

One of the approaches which I thought made a lot of sense in this area comes from a presentation made by Randy Corley, Executive Vice President (EVP), Global Compliance Officer at Edelmen Inc., where he describes a five-step process for his evaluation of third parties. I found his questions to be very relevant when considering how far down the chain a company must go.

Step 1: How Much is Enough? Here your goal is to have a realistic process so that it can be effectively managed and still be of sufficient value for the business unit decision makers, who have the ultimate responsibility over the company’s third parties.

Step 2: How Deep Do We Dig? Here I think the question you should consider is how many tiers down you must go in managing your third parties. Clearly you should manage all direct counter-parties in the sales chain and those considered high-risk in the supply chain. Further, in the sales chain, I think you need to know directly if your business representatives are sub-contracting down your business representation, at least through one tier. On the supply chain, if a high-risk third party truly is a high risk for bribery and corruption under your internal evaluation system, you should also consider digging down one tier.

Step 3: What Do You Need To Know? While with your first tier relationships you may scope your review depending on your internal risk assessment and attendant risk ranking, your data collection down the chain may not need to be as robust. For counter-parties further down the chain than tier 2, a list of actual and beneficial owners, coupled with commitments to follow relevant anti-corruption legislation is needed. Such commitments should be secured through each tier’s contract with its counter-parties.

Step 4: What Did We Learn? If there is any information from which Red Flags appear, they must be cleared. If additional information is needed or points clarified, now is the time to do it and not wait until later in the process. Here I would rely on Jan Farley’s proscription not to stretch your compliance program too thin. Focus your training, communication and management on your direct counter-parties and communicate to them that your company expects them to manage their relationships with their direct counter-parties, which would include the clearing of any Red Flags that may have appeared.

Step 5: Then What? After you have made your decision you still need to manage the relationship. This will entail continuing compliance communications with your direct counter-parties on an ongoing basis. Preferably your business unit sponsor will do this but as the compliance practitioner, you should also be mindful of checking in from time-to-time with your third parties. As your compliance program matures, you also reach the point where you will need to consider auditing of your third parties from the compliance perspective. Finally, do not forget the three most important things about your FCPA compliance program: “Document, Document and Document” the entire process.

Fortunately, we in compliance do not deal with life or death situations like those the smoke jumpers faced. But that does not diminish the lessons we can derive from the practice of safety and evaluation of risk. In the area of third parties, consider what risks you face in both your sales and supply chain. If there is a key player several tiers down the line who creates or builds a key component or delivers a critical service, you may want to put more management around that relationship from the compliance perspective. For anything below a tier 2, you may be able to manage your risks through having your direct tier 1 counter-party take the lead in managing such compliance risks. But make sure that the expectation is communicated to your direct counter-party so that if the government comes knocking you can show that not only did you contractually obligate your direct counter-party to do so but that you provided them the tools and training to do so. Finally, you will need to be able to show that your direct counter-party did so.

May 20, 2014

Maybellene and the 2014 Anti-Bribery and Corruption Benchmarking Report

Filed under: Uncategorized — tfoxlaw @ 10:33 pm

Today, we celebrate an event which is not ‘the day the music died’ but one that might properly be called one of the seminal moments in the creation of Rock N’ Roll. On this date in 1955, Chuck Berry recorded his first song, Maybellene. John Lennon once said of Chuck Berry “if you tried to give rock and roll another name, you might call it ‘Chuck Berry.’” Chuck Berry created the do-it-yourself template that most rock-and-rollers still seek to follow. If there can be said to be a single day on which his profound influence on the sound and style of rock and roll began, it was this day in 1955, when the unknown Chuck Berry paid his first visit to a recording studio and cut the record that would make him famous.

I am attending Compliance Week 2014 for the 5th consecutive year. Once again Matt Kelly and his team have put together one of the top compliance events of the year. The sessions have been first rate, the conversations highly informative and the sponsors are talking about their compliance solutions in an exciting and engaging manner. If you did not make Compliance Week 2014, I hope that you will make it next year for Compliance Week 2015.

One of the sessions I attended was a presentation of the joint Kroll/Compliance Week 2014 Anti-Bribery and Corruption Benchmarking Report. Compliance Week Editor Matt Kelly moderated the panel with Kroll Inc. representatives Alan Brill, Senior Managing Director, and Lonnie Keene, Managing Director, which discussed some of the report’s key findings, the highlights of which are as follows.

Risks

For the second year in a row, large US Corporations were much more likely to say they expect bribery and corruption risks to increase than smaller or overseas Corporations do. Some 51 percent of respondents said they expect more such risks in the next two to three years – as did 57 percent of US companies, and 57 percent of large companies, which was defined as having $5 billion or more in annual revenue. However, only 37 percent of overseas businesses, and 46 percent of smaller companies expect their corruption risks to keep rising. A question that Chief Compliance Officers (CCOs) may ask, then, is whether their assessment of bribery risks is accurate? The “risk perception gap” between large and small, or US and overseas, does exist, and an erroneous understanding of one’s risk profile can have dire consequences.

Third Parties

The conundrum of third party risks continues to be a major weakness for anti-corruption programs and the problem may well be getting worse. The respondents this year reported an average of 3,868 third parties, yet 58 percent say they never train third parties on anti-corruption efforts. That number is higher than last year, when 47 percent said they do not educate third parties on anti-corruption policies. Significantly, the number of companies that conduct due diligence on third parties has increased, from 87 percent in 2013 to 97 percent this year – which suggests that companies do now grasp the importance of performing due diligence and have the processes in place to do so. That next step of training third parties (which can indeed be expensive) is where compliance programs start to falter.

Third party risks do hinge on several factors, such as the number of third parties one has or the corruption environments where they are. Another question that CCOs can ask themselves, then, is how the need for the services provided by their third parties matches up with the risk they pose to their companies.

Due Diligence

This was an area noted to be “a bright spot in the 2014 ABC Report.” In addition to the 97 percent of respondents who perform due diligence on third parties, 92 percent say they perform at least some due diligence on merger and acquisition (M&A) targets to identify possible corruption risks before a deal is done. What’s more, 74 percent say they start by investigating the target company’s management team – which is where the most serious corruption risks typically hide. Due diligence on a target company’s third parties fell off sharply: only 54 percent also performed due diligence on a target’s agents, 52 percent on its distributors, 50 percent on its consultants, and 46 percent on its suppliers. The report indicates that larger companies were much more likely than smaller ones to perform due diligence on a target’s third parties.

Overall Compliance Program Effectiveness

The Report revealed that seventy percent of respondents rated their policies for domestic employees as effective or very effective – and larger companies were more bullish about their domestic employees than smaller ones (77 percent to 61 percent, respectively). That statistic edged downward for confidence in training overseas employees, to 66 percent, driven by considerably fewer companies saying they were very confident in their training of overseas workers.

However, compliance practitioners were more confident in their ability to vet third parties at the start of a relationship, but less confident in monitoring third parties once that onboarding examination had passed. Fifty-seven percent of respondents rated their vetting procedures as effective or very effective. Then the numbers marched downward for monitoring compliance after a relationship starts, auditing compliance of third parties, and training third parties on anti-bribery and corruption procedures.

This led to the conclusion that effective compliance programs can help a company identify corruption risks when the CCO is not specifically hunting for them. That may come from strong training in a speak-up culture, or strong audits of third parties, or any number of other techniques. The key question here is to ask what metrics and corruption risk indicators match the risks you believe you have, and how your compliance can implement those solutions.

These trends stand against a background where large US Corporations report that they expect bribery and corruption risks to increase considerably more than smaller or overseas corporations do. Given the globalized nature of modern business, with more regulatory scrutiny from more regulators, and the “extended enterprise” extending to include even more third parties, the Report then asks “Do smaller or non-U.S. businesses truly have fewer corruption risks, or do they misunderstand the risk profile they have?”

While perhaps not as groundbreaking as Chuck Berry’s achievement in 1955, this 2014 Anti-Bribery and Corruption Benchmarking Report captures important information about the current state of compliance and, more importantly, where it may need to go.

May 2, 2014

Recent Interviews on the FCPA Compliance and Ethics Report

Filed under: Uncategorized — tfoxlaw @ 11:01 am

If you are looking for something a bit different for your Friday viewing or listening pleasure, I would invite you to head over to my podcast site, the FCPA Compliance and Ethics Report, to check out some of my recent interviews. The length of each show is around 20 minutes so hopefully you can digest it in one sitting. A sampling of some of my recent episodes includes:

Episode 46-Interview with Virna Di Palma, Senior Director of Global Strategy and Communications at TRACE, who talks about the recently announced TRACE scholarship program for graduate studies in anti-corruption.

Episode 49-Interview with Candace Tal, Founder and President of Infortal, who discusses a deep dive due diligence investigation and how it can be used.

Episode 50-Interview with Matt Kelly, Editor of Compliance Week, who discusses the upcoming Compliance Week 2014.

Episode 51-Interview with Tim Haidar, Editor-in-Chief of Oil & Gas IQ, who talks about some of the current issues facing the energy sector with regard to Ukraine and Russia.

Episode 52-Interview with Raymond Barrett, Washington DC Bureau Chief of PaRR, who discusses bribery and corruption issues that companies face in the Middle East and North Africa.

If you are interested in listening to some of my recent solo shows you can check out the following:

Episode 47-I am interviewed by Brian Kindle of ACFCS on lawsuits brought by the Libyan Sovereign Wealth Fund.

Episode 48-I discuss the recent Hewlett-Packard FCPA settlement.

All of the above episodes are also available for download on iTunes, under the show’s name, The FCPA Compliance and Ethics Report.

If there is a topic that you might like explored in greater detail, send me an email and I will see if I can work it into an upcoming episode. You can reach me at tfox@tfoxlaw.

May 1, 2014

The Red Headed Stranger and the Arachnys Open Data Compass

Filed under: Uncategorized — tfoxlaw @ 12:01 am

Today we celebrate one of the great state of Texas’ greatest gifts to the musical world – the red headed stranger, Willie Nelson, who was born 29th April 1933. Nelson played and sang from an early age and began his career penning songs in Nashville, including Crazy, which was recorded by Patsy Cline and became an international hit. However, his run in Nashville ended by the late 60s and he returned to Texas where he reinvented himself and his music into the newly monikered ‘Redneck Rock’ subgenre of both rock and country. He became world famous, lost his fortune, recorded a record with the profits going to the IRS to pay off tax debts, called The IRS Tapes, and earlier this week, at the ripe age of 80, was awarded a Black Belt in judo. A true Texas original.

I thought about Nelson when I came across a recent release by the UK Company Arachnys Information Services Ltd (Arachnys), entitled Open Data Compass, about their tool which is designed to help businesses identify “information blind spots and evaluate online access to corporate, litigation and news records from emerging markets.” The Compass, as Arachnys refers to the report, does not measure corruption or the ease of doing business but instead focuses on “the ease with which investors and businesses can access, reconcile, and analyse business-critical data in any given market.” As such it is a valuable tool for the compliance practitioner to use in a company’s risk analysis in evaluating countries. And, best of all, it is available at no charge.

To create Compass, Arachnys focused on three metrics: (1) Size of news industry, which was used because “The media is a rich source of information for everything from macro political and economic trends, to specifics and even hearsay pertaining to an entity or individual.” (2) Availability of corporate registration and ownership information, because transparency of corporate information is a good sign for good corporate governance. (3) Accessibility of official litigation information, because access to litigation information makes it easier to spot red flags earlier on in the investigation process.

Compass did have some interesting findings. While corruption is still a big problem in Eastern Europe, it was noted “EU membership or the prospect of accession seems to have sparked significant improvements in the availability of corporate data in particular.” Further, this region’s “investment in online infrastructure to open up official data” has paid off. Unfortunately this positive finding contrasted directly with that of the United States, about which Compass reported “Attempts to push for greater corporate transparency in the United States have mostly foundered. The long-debated Incorporation Transparency and Law Enforcement Assistance Act was recently reintroduced by Senator Carl Levin but is unlikely to be passed. Instead, individual states like Delaware offer companies “internal offshore” arrangements, where the lack of obligation to reveal financial statements, officers or shareholders satisfies companies seeking weak disclosure requirements and further obfuscates the corporate information landscape.” A sad commentary indeed.

Latin America generally received high marks for the openness of data, with the report stating, “the region is defined by strong availability of news and litigation sources.” I also found it interesting that both India and China, countries generally perceived to have high instances of corruption, scored well because “when it comes to open data the sources available are comprehensive, accessible and mainly functional.” For the Middle East, defined in Compass as “MENA”, it said, “it seems to be a case of quantity not quality. The majority of the Gulf Cooperation Council states have an open, functional and centralised corporate registry, but the actual information available is often lacking in detail. Rather than being repositories of relevant company information, in some GCC states the portals are little more than investment promotion sites.” Basically in the Middle East, you will still need ‘boots-on-the-ground’ spadework to be able to dig out anything substantive.

For comparison, the report takes a look at several other well-recognized metrics used in anti-bribery/anti-corruption and anti-money laundering (AML). These include comparisons of the Compass rating with the country’s level of development; the Transparency International Corruption Perceptions Index (TI CPI); GDP per capita in each country and the Reporters without Borders-Press Freedom Score. All of these are useful and interesting comparisons for your consideration. Of course the report has a full set of rankings.

The report ends with several interesting overall conclusions.

  • The trend in emerging markets is positive for increased transparency and openness. This certainly will help in due diligence efforts going forward.
  • Even most of the laggards are improving. The report notes that “Countries below this threshold are showing signs of significant progress…and are moving in the right direction with litigation information becoming increasingly more open.”
  • Growth and openness go hand-in-hand. Here the report states, “There also seems to be a correlation between economic growth and corporate data openness, suggesting that as countries move towards developed market status their corporate transparency also improves. All of the BRIC countries and their MINT peers score comparatively well and overall there is also broad correlation between GDP and the Compass scores.”
  • International organizations matter. Here the story is the advance of the EU, where “EU membership and economic growth over the last ten years has grown along with strong corporate transparency.”

Compliance practitioners often grumble that the TI CPI is the only tool available to them. While the Arachnys Open Data Compass does not focus on corruption, it certainly is a useful adjunct for any compliance practitioner whose company might be looking to move into a new region. It gives you a manner in which to assess a country and region’s transparency and incorporate it into your overall risk analysis.

April 22, 2014

Gifts, Travel and Entertainment under the FCPA – Part I

Ed. Note-Today’s blog post will begin a two-part review of gifts, travel and entertainment under the FCPA.

One of the first things that many companies will try to put in place when looking at an overall compliance program is a gifts, entertainment and travel policy. I find the reality to be that this is one of the easier things to implement, because one of the most consistent things taught at any organization, of one person or more, is to record the event and keep receipts. The base reason is not corporate or even Foreign Corrupt Practices Act (FCPA) record keeping. It is IRS Regulations. Even lawyers know you have to keep receipts. Getting employees to document, document and document whom they may have taken to dinner or entertained, the amount, the business purpose and, if they were a foreign government official, their title does not seem like too much of a stretch to ask.

The part that does seem different, or new, to employees is the limit. By this I mean the amount of money which can be spent on a dinner, gift or entertainment without prior approval from the compliance function. For any expenditure above those predefined limits an employee must seek pre-approval from the compliance function prior to exceeding or incurring the expense.

An on-going debate is whether to take a hard and fast line over which all employees must come to the compliance function for pre-approval regarding any gifts and entertainment. Many sales people like this approach because they want to know precisely what the line is that they can go up to. Companies may take a more values-based approach, which looks at the overall value an employee may spend over a one year or other time period but the monitoring is at the backend of the transactions.

A rules based approach is one which generally sets a dollar threshold for gifts and entertainment in two general categories: gifts and entertainment for foreign governmental officials and gifts and entertainment for non-foreign governmental officials. Below the threshold, employees can provide gifts and entertainment without the need for pre-approval; above the threshold, employees have to seek pre-approval from the compliance function. Limits are typically lower for foreign governmental officials than non-governmental officials. The gift or entertainment request from the employee requires a reasonably detailed business purpose and the monetary request involved should not appear to be unreasonable.

The second approach is a more values based approach. It allowed the regions to set their own top end values to gifts and entertainment, based upon the nuances and risks of the geographic area. The responsibility of the compliance department in such a values based approach would be two-fold. The first would be to engage in more training for employees on gifts and entertainment issues. The second would be greater monitoring of employee gifts and entertainment.

Values based monitoring is more extensive than for rules based monitoring. If an employee goes above the overall company limit, the matter must be investigated through an independent review of the amount spent; who it was spent on and the business purpose. This must then be written up and the independent investigator must make a determination of whether a compliance issue violation has occurred. While this post-event work seems costly and disruptive to the business, company representatives say this works for them.

One of the interesting tangents in the area of gifts and entertainment is the issue of proportionality. Proportionality in the context of gifts and entertainment in anti-corruption compliance programs generally relates to the appropriate types of gifts or entertainment to be provided to a high-level company official. One rule of thumb is that if the entertainment provided was typical for a company executive and that executive could routinely pay for it, this was indicia that it was reasonable if provided from one senior level executive to another. But you must remember how such information will be viewed in the context of an FCPA investigation, as the view there of what is reasonable or even ‘modest’ is usually very different from the view of a sales person.

A. The Statute

Under the FCPA, the following affirmative defense regarding the payment of expenses exists:

[it] shall be an affirmative defense [that] the payment, gift, offer or promise of anything of value that was made, was a reasonable and bona fide expenditure, such as travel and lodging expenses, incurred by or on behalf of a foreign official, party, party official, or candidate and was directly related to…the promotion, demonstration, or explanation of products or services; or…the execution or performance of a contract with a foreign government or agency thereof. 15 U.S.C. § 78dd-1(c)(2)(A)-(B).

There is no de minimis provision. The presentation of a gift or business entertainment expense can constitute a violation of the FCPA if this is coupled with the corrupt intent to obtain or retain business.

B. FCPA Guidance

There was a good discussion of gifts and entertainment in the FCPA Guidance. In it the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) made clear that “A small gift or token of esteem or gratitude is often an appropriate way for business people to display respect for each other. Some hallmarks of appropriate gift-giving are when the gift is given openly and transparently, properly recorded in the giver’s books and records, provided only to reflect esteem or gratitude, and permitted under local law…”

Just as reasonably priced gifts are appropriate to give out, the FCPA Guidance specifies that “… Items of nominal value, such as cab fare, reasonable meals and entertainment expenses, or company promotional items, are unlikely to improperly influence an official, and, as a result, are not, without more, items that have resulted in enforcement action by DOJ or SEC.” However, as the costs and value begin to rise, so does the potential FCPA risk. The FCPA Guidance states, “The larger or more extravagant the gift, however, the more likely it was given with an improper purpose. DOJ and SEC enforcement cases thus have involved single instances of large, extravagant gift-giving (such as sports cars, fur coats, and other luxury items) as well as widespread gifts of smaller items as part of a pattern of bribes. For example, in one case brought by DOJ and SEC, a defendant gave a government official a country club membership fee and a generator, as well as household maintenance expenses, payment of cell phone bills, an automobile worth $20,000, and limousine services. The same official also received $250,000 through a third-party agent.”

The FCPA Guidance does specify some examples of improper travel and entertainment as follows:

  • $12,000 birthday trip for a government decision maker from Mexico that included visits to wineries and dinners;
  • $10,000 spent on dinners, drinks, and entertainment for a government official;
  • A trip to Italy for eight Iraqi government officials that consisted primarily of sightseeing and included $1,000 in “pocket money” for each official;
  • A trip to Paris for a government official and his wife that consisted primarily of touring activities via a chauffeur-driven vehicle.

The FCPA Guidance points out something that is rather obvious. If a company has a culture of compliance in the area of gifts, travel and entertainment that allows violations of the FCPA, it probably is lax in other areas. We recently saw this played out in the Hewlett-Packard (HP) FCPA enforcement actions where lax internal controls allowed HP-Poland to pay over $600,000 in cash to a Polish government official; pay for his travel to Las Vegas at full HP expense and also purchase him gifts valued at over $30,000. The gifts, travel and entertainment on their own could have been stand-alone FCPA violations but they were certainly symptomatic of an entire culture at HP-Poland, which allowed such conduct to occur.

Tomorrow we will review some enforcement actions and Opinion Releases.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

March 12, 2014

FDR’s Fireside Chat and Risk Ranking of Third Parties Under the FCPA

On this date in 1933, just eight days after he was inaugurated, President Franklin Roosevelt (FDR) gave his first Fireside Chat to the American public. FDR began his chat by stating, “I want to talk for a few minutes with the people of the United States about banking.” He went on to explain his recent decision to close the nation’s banks in order to stop a surge in mass withdrawals by panicked investors worried about possible bank failures. FDR had correctly assessed that the public had lost confidence in the US banking industry and, based on that assessment, he closed them in his famous Bank Holiday. In 1929, over 600 banks folded; by 1932 the number had increased to over 5100. But more than simply these bank failures was the perception that the US banking system was on the verge of collapse. FDR also announced that he was reopening the banks the next day. The US banking system has been secure since that time.

I thought about FDR’s ability to correctly assess the risk to the US banking system. As compliance programs mature, one of the things that companies struggle with is how to better assess third party risks so that the right resources can be delivered to manage these risks. In the most recent issue of Compliance Insider, an article entitled “Building a Risk-Scoring Methodology for Distributors and Resellers” lays out a decision making calculus which can assist a company to best utilize its resources to not only quantify a large number of third party risks, but manage those risks more efficiently.

The article notes that there are two main resources that a compliance practitioner will need to rate the risks of third parties. The first is information about the entity. This category of information can come from a number of sources, including the third party itself, in the form of a questionnaire, through to various levels of due diligence. The second resource is the people who use the information to make decisions. As there is only a finite amount that you, the compliance practitioner, can find out about your third parties using the resources available, there is a substantial need to make the best use of that information. All of this must be balanced between spreading the decision making across a large number of people whilst ensuring that the decisions made are consistent. To assist in answering these issues, the article suggests a methodology “to help focus your controls and resources more efficiently”.

1. What is your aim?

The initial step in any risk-scoring exercise is to clearly define what you are trying to achieve. The second part of clarifying the aim is to build an expectation and means of measurement so that you can assess the validity of your calculus. 

2. Which information is relevant?

Most generally, the main criteria are the location of the partner or where they will deliver the product or services, the type of service or product that the partner is providing and the value of that service. This initial analysis can help you to create a high, medium and low risk model. But other factors should be weighed which can provide a more sophisticated approach. Some of these factors include the following:

  • Are they new or existing partners?
  • Are they touching end-users?
  • Are they selling to government customers?
  • Do you have contracts with them?
  • Do they obtain licenses for selling products in that country on your behalf?
  • Do you provide market development funds to them? 

3. Where can I find the information?

This speaks to the heart of your due diligence process. Obviously a questionnaire forwarded to your potential third party is a starting point. However, such information should be verified and cross-checked. Additional factors should be geographic risk, the value(s) of potential transactions and compensation to the third parties. Lastly, there is the traditional levels 2 and 3 due diligence.

4. Consider the questions you will ask the third parties

Here the author believes that an additional analysis of both the criteria required and the possible resources to garner data to support the criteria should be considered. These considerations include:

  • Which is the most cost-effective source for the information?
  • What is the most accurate way of obtaining information?
  • Do you need to ask the question at all?
  • How should the questions be worded to ensure the greatest efficiency in getting to the required answer?
  • How do you write the questions to ensure the scores are usable?
  • Which questions and responses should be scored? 

5. Are the responses accurate?

Here is where ‘a second set of eyes’ is critical. The article suggests “sanity checks to ensure that the answers respond to the question and that the responder seems to have understood the question – this is especially useful when the questions have been translated into other languages.” You should also endeavor to cross-check against other information known about the partner, with reviews by multiple persons in your organization. Finally, on the back end, you should build audits and spot-checks into your program to assess the accuracy and consistency of approvals.

6. What does it all mean?

Now you have to start using the information. Recognizing that you may need to tinker with your system, it is important that you “design the overall process to allow changes to be made in the future, as you learn more about the results.”

7. What happens next?

Now the time has arrived to score the results. After you determine who will make the decision and the path for review and escalation, if required, you should also consider the Tom Fox Mantra: Document, Document, and Document. In other words, how does the scoring and decision making process get documented in your organization?

8. How will you carry out the review process?

At this point, it is appropriate to consider whether you have met or are moving in the direction that you attempted to establish back in Step 1. You should consider:

  • Does your program accurately reflect the risks that you understood the partners posed?
  • Is the final result of your process consistent?
  • Were decisions on the risk level made by the right people in your organization?
  • Were the necessary issues escalated to the right people?
  • Have the risks changed?
  • Can the process be changed, or has it been built into an inflexible technology or workflow? 

Once the review is complete, any necessary changes should be communicated to the staff involved in the process to ensure they know how their role is impacted. The author ends with some reservations that you should expect to run into. These include:

  • don’t expect to use scoring to fully automate a process – the information available is generally not complete enough to provide an accurate model, so scoring is far better when used as a guide;
  • don’t assume you will get it right first time (or second) – it is important to have a clear understanding of what you are aiming at, and to build regular review into the program to recalibrate the scoring;
  • keep the process and scoring as simple as possible – most of the relevant risk-related information can be found in a few key criteria; and
  • your perception of risk will change when new information comes to light, so remember to document the decision-making process so that you can justify the final risk outcome. 

While FDR may have known more intuitively that the real problem with the US banking system was the perception that it was not solvent, you do not have to rely solely on your gut when making informed decisions about the Foreign Corrupt Practices Act (FCPA) risks that a third party may present to your company. For the Department of Justice (DOJ), I think the key is that you assess the risk and document that assessment. If you do so and a third party gets you into FCPA hot water, you have the best chance of coming out on the other side as well as the US banks did after their ‘holiday’ with FDR.
