Apollo 1 and a Compliance Dozen – How to Design a Program for Foreign Business Partners

Friday, January 27 was the 45^th anniversary of the Apollo 1 disaster. As reported by Brian Vastag, in an article in the Washington Post entitled “45 years after America’s first space tragedy, lessons linger”, it was a “launchpad fire which killed three NASA astronauts during testing of the then-new Apollo capsule. Reviews found that the early design of the craft was fatally flawed. Faulty wiring probably sparked the blaze that killed Roger Chaffee, Gus Grissom and Ed White. Among other problems, engineers saved weight by filling the capsule with pure, low-pressure oxygen instead of air, which is 80 percent inert nitrogen.”

One of the clear pieces of guidance from the Department of Justice (DOJ) is that a ‘tick-the-box’ compliance program is not only insufficient; it will not protect a company if a Foreign Corrupt Practices Act (FCPA) violation is discovered. However, many compliance practitioners do not know what should be analyzed regarding foreign business partners. I recently attended the ACI FCPA Boot Camp in Houston, home of the Johnson Space Center. One of the presentations dealt with how to design an overall program to evaluate, contract with, and manage foreign business partners. Furthermore, the presentation focused on how to assess the information obtained through the due diligence process. The presenters discussed a 12 point evaluation process for reviewing, assessing, then contracting with and managing foreign business partners. The steps are as follows:

1. Consider reputation for corruption in the country. You clearly need to review information from governmental organizations, such as the US Department of Commerce and State. A widely used source is from non-governmental organizations, such as Transparency International. Additionally, there are private sources such as World Check’s Country Check and the FCPA Database that you can use to review and determine a country’s overall reputation for corruption.
2. Competence of foreign business partner. This is a two-part analysis. It includes a review of the qualifications of the candidate for subject matter expertise and the resources to perform the services for which they are being considered. However, it also in includes an identification of the representative’s expected activities for your company.
3. Determine the integrity of the foreign business partner. There are several different methods that can and should be employed for this inquiry. Initially there should be an internal point of contact with the potential foreign business representative who can be used to obtain documents and financial, commercial and compliance references. After obtaining this initial information, you should review US and non-US restricted party lists and other media/internet searches. Next you should, at a minimum, obtain comments back from all references and if needed interview these references. Lastly, you should consider conducting an interview with the candidate. This can be done in house or through a company which specializes in investigations.
4. Identify relationships between agent and foreign governmental official. This inquiry requires a detailed review of the ownership and officers/directors and key employees of the foreign business partner. You will need to obtain and review entity information and documentation. If this is in a foreign language you will need to have it translated. One last point here is that you may now need  to look at customers as well to ascertain past and present relationships with government agencies.
5. Business justification for use of agent and reasonableness of compensation. Here you should begin the entire process by requiring the relevant business unit which desires to obtain the services of any foreign business partner to provide you with a business justification including current opportunities in territory, how the candidate was identified and why no currently existing foreign business relationships can provide the requested services. Your next inquiry should focus on the terms of the engagement, including the commission rate, the term of the agreement, what territory may be covered by the agreement and if such relationship will be exclusive.
6. Ensure that answers provided by the representative or business partner to due diligence questions are accurate and complete. This is the old Ronald Reagan maxim of ‘trust but verify’. You must verify information received from the prospective foreign business partner with interviews of business references and background searches.
7. Ensure compliance with local laws. This means that both the relationship that you envision is legal within the foreign jurisdiction and that the foreign business partner will comply with all local laws.
8. Integrate FCPA contract safeguards. You will need to incorporate the DOJ required language, listed in its 13 point minimum best practices compliance program. These compliance terms and conditions are found in Attachment C of all Deferred Prosecution Agreements (DPAs), entered into by the DOJ since at least November, 2010.
9. Provide for continuing oversight. After you have performed your due diligence, evaluated it and then entered into the contract for services, now the real work begins. You must manage that relationship. I suggest that you do so through a business unit sponsor for all foreign business partners. Such person must be assigned to and be responsible for ensuring continuing oversight of the foreign business partner.
10. Maintenance of books and records. This requirement also has two parts. Clearly your company must maintain appropriate internal controls over all its foreign business partners but your foreign business partner must also maintain such accurate records. I would go further to add that you should audit these records to ensure compliance.
11. Seek guidance from DOJ. As I mentioned above there are several different resources available to the compliance practitioner for information relating to foreign business partners. These include the minimum best practices as set forth in Attachment C to each DPA; DOJ Opinion Releases; Securities and Exchange (SEC) enforcement actions. Also remember your company can avail itself of the Opinion Release procedure and request guidance from the DOJ via that mechanism.
12. Use consistent standards and common sense. You should not check your common sense at the door when you become a compliance officer. The surest way to get into trouble is by ignoring your own internal warning signs. If a relationship feels bad to you, or something does not quite ‘smell right’ about a proposed foreign business partner, listen to that sensation. It may be a situation where more due diligence is required or a situation where you should walk away. Additionally, you should use consistent terms and conditions across industries and services, such as with customs brokers and freight forwarders.

The Apollo 1 tragedy still haunts NASA today. Vastag noted that “The tragedy is still etched on NASA’s collective psyche.” One NASA veteran, Travis Thompson, worries that the commercial companies which now lead most of American’s space efforts “have not absorbed the prime lesson of Apollo 1 — that bad design begets tragedy.” The 12 point program set out above will help your company to work through any issues with foreign business partners and by following it, you may well prevent your company from having its own compliance failure.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

Country Risk Rating: A More Sophisticated Approach

One of the areas of risk which is traditionally assessed is that of geography or country risk. The UK Bribery Act Guidance defines country risk as:

Country risk: this is evidenced by perceived high levels of corruption, an absence of effectively implemented anti-bribery legislation and a failure of the foreign government, media, local business community and civil society effectively to promote transparent procurement and investment policies.

This definition would seem to call for more than an analysis of whether countries are perceived as “the usual suspects” when it comes to risk. Most compliance practitioners to date have used the Transparency International Corruptions Perceptions Index to assess country risk. The Corruptions Perceptions Index, as defined by Transparency International,  “ranks more than 150 countries in terms of perceived levels of corruption, as determined by expert assessments and opinion surveys.” However, the guidance for best practices, as set forth in the most recent Bribery Act Guidance the concept of ‘compliance convergence’ and the recent Deferred Prosecution Agreements (DPAs) entered into by the US Department of Justice (DOJ), would seem to indicate that a more robust risk assessment should be utilized regarding the corruption and compliance risks of individual controls.

I recently had the opportunity to review another tool with which companies can assess an overall geographic or country risk. It is a product called “Country-Check” and it was developed by World-Check (Full Disclosure: World-Check is the sponsor of the World-Check FCPA Speaking Tour, of which I am a participant.) The Country-Check tool is a customizable risk index that ranks the overall risk levels in 244 jurisdictions across the globe.

Country-Check measures risk using over 140 input sources. From these input sources, a company can access up to 42 dimensions of risks from a wide spectrum of different types of threats which may need assessment. These types of risks include: (1) political – varying from governance types to civil liberties, regulatory control, control of corruption and human rights issues; (2) financial – from GDP, overall country debt, military expenditure, average per capita savings and economic freedom; (3) criminality – factors ranging from money-laundering and fraud to terrorism, corruption, export control and the overall country crime rate.

In addition to the above, the Country-Check model can be custom developed which allows a company to make individual adjustments for not only the inputs it perceives as important for its own business but also allows an industry weighted assessment. This factor would come into play with the risk assessments discussed in the initial three DPAs, released in 2011. These DPAs were with Alcatel-Lucent, Maxwell Technologies and Tyson Foods respectively. In each of these DPAs, the DOJ mandated that the companies assess the geographic risks which each of these companies face in the areas where they conduct business. However, these mandated risk assessments went beyond simply geography to such areas as government touch points in conducting business. The Country-Check model would allow a company to customize the product so that a report is generated which measures this type of risk.

In the concept of compliance convergence risks posed beyond simply those relating to the violations of the US Foreign Corrupt Practices Act (FCPA) or UK Bribery Act should also be assessed. This means that a company should also review such areas as propensity of a country to engage in or have lax enforcement of anti-money laundering laws and regulations and have issues related to vigorous enforcement of export controls. The Country-Check tool provides standardized risk intelligence for all of these areas. The beauty of such a tool is that not only does a company garner a more sophisticated picture of the overall risk it may be facing and perform enhanced due diligence as required, such an analysis allows a company to manage these risks more effective by deploying stronger management assets as called for through such a risk analysis.

As companies and regulators grow more sophisticated in the areas of anti-bribery and anti-corruption, best practices keep evolving. The risk assessment that a company does should inform its overall compliance program. The Country-Check tool is a very powerful instrument by which companies can perform a sophisticated risk analysis of a country which they are assessing. I suggest that you head over to the Country-Check website and take a look at the offering.

—————————————————————————————————————————————————————-

If you are in Phoenix or San Diego, the World Check FCPA Tour will be in your city this week. Please come out and here about the most current FCPA best practices.

Tuesday, May 3 from 8-10 AM PDT at McCormick & Schmick’s Seafood Restaurant, in Phoenix, AZ. For information and registration details click here.

Wednesday, May 4 from 8-10 AM PDT at San Diego Marriott Del Mar: Santa Fe Ballroom, in San Diego, CA. For information and registration details click here.

——————————————————————————————————————————————————————

My colleague Howard Sklar had an interesting idea. It was that he and I do a video chat each week on the past week’s stories from the world of compliance. We have begun this journey and the results are “This Week in FCPA“; which can be found here.

Every week, Howard and I will get together and talk about the week’s events in FCPA. This week, we talk about the UK Bribery Act, and how companies should react; we discuss the Johnson & Johnson deferred prosecution agreement and J&J’s added undertakings; and we discuss the recent challenges to the idea that state-owned entities can be foreign officials. We also talk about what contract provisions should be in every contract, and whether audit rights are a good thing or not.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

What a Prosecutor Might Ask During a FCPA Investigation?

Hopefully, one area that many compliance practitioners will not have much experience in is dealing with prosecutors, at least in the in-house, corporate context. Further it may be the case that most in-house lawyers come from a civil law background, as opposed to the criminal law side of the legal profession. Therefore, if an in-house compliance practitioner is required to disclose to, and work with, a federal prosecutor, the in-house practitioner usually does not have experience to draw upon in connection with the types of inquiries a Department of Justice (DOJ) prosecutor might ask during a Foreign Corrupt Practices Act (FCPA) investigation.

Over the past 9 months, and continuing for the next several months, I have been privileged to tour the US with World Check discussing various aspects of the FCPA. Another member of the team is Stephen Martin, the General Counsel of Corpedia. Stephen worked as a prosecutor in the DOJ during the Clinton administration before moving into the corporate world and has a wealth of knowledge on the types of inquiries that a prosecutor might ask during the pendency of a FCPA investigation. In his presentation Stephen suggests that, during a FCPA inquiry, your company might be asked some of the following questions:

• What resources were apportioned for compliance? If you plead that you did your best given the resources your company allocated to the compliance department, a simple question that a prosecutor might ask is along the lines of “How much did your company spend last year on yellow sticky notepads, or pencils or paper clips, you get the picture, $1MM or more? Is, or are, those items business critical but compliance is not?
• How do I know your risk assessment was objective? Did your company bring in an outside profession to perform the risk assessment under which your compliance program is based? Under the US Sentencing Guidelines, in implementing [the elements of an effective compliance and ethics program] the “organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each requirement [as set forth in the elements] to reduce the risk of criminal conduct identified in this process”. Can you demonstrate that you periodically assessed your risk and if so how was it done?
• Were compliance risks in the C-Suite and Boardroom addressed? Even if your compliance policy is thorough in the ranks of the organization, were those at the highest level also a part of your overall compliance strategy. Not only was there an appropriate “Tone at the Top” but was this communicated throughout your organization? Was your Board active and engaged? Was there thorough reporting to the Board. Where are the records to document both?
• How was risk examined at the vendor/agent level? Did your risk assessment look at both your sales distribution model and the individuals or entities involved and has your company assessed its compliance risk with vendors in the supply chain? If yes, what methodology did your company use? How is both the methodology and results documented? If your raw work product was not retained, does your final report provide sufficient detail on the methodology that your company utilized?
• Was culture and attitude measured? This begins with the tone at the middle and lower ranks of your organization. Did the measure come down from on high ( i.e.: the Top) and if so did it percolate throughout the ranks of this organization? Has your company surveyed its employee’s attitudes regarding compliance? As with your risk assessment(s), what was the methodology and how valid is it and the results?
• How was knowledge assessed? Although this is related to the above inquiry, the focus is somewhat different. If you had live training, did you interview employees to determine the results? If there was computer training, did you require any type of test after the completion of the course and did you require some form of passing grade? How did you document the results?
• Was anyone terminated or disciplined as a result of the risk assessment? Most companies understand the need to discipline or terminate employees as a result of a FCPA investigation which finds a violation. However if your company has never terminated or even disciplined any employees as a result of a compliance assessment, this may bode poorly for you in the eyes of a prosecutor. Has your company ever looked at its top sales persons or agents outside the US in a detailed, systematic way to determine if they are within your compliance guidelines? If so what was the methodology, what was the result and how is all of this documented?
• Who among the governing authority of your company received the final report or was briefed on the outcome? While this is related to the 2nd question above, it goes further. If the very highest level was not so engaged, it speaks poorly on your company’s commitment to compliance. The Board needs to demonstrate commitment to full engagement in both the successes and the non-successes and be involved in using lessons learned to resolve any problems which may have arisen.
• How was the risk assessment outcome used? While it certainly is a positive step to follow the sentencing guidelines and perform a risk assessment, such assessment should be utilized. The UK Ministry of Justice says that your risk assessment should “inform” your compliance program. A prosecutor might conclude that your program lacks strength and vitality if your company does not use what it may have learned in a risk assessment to make any necessary or even changes suggested by a risk assessment.

This list is not exhaustive and there will be many, many more queries, both large and small from any prosecutor. However, this sample makes clear that your ability to respond, and respond with documentation, will be critical in establishing your company’s credibility in the compliance area.

—————————————————————————————————————————————————————–

Stephen and I will be continuing our FCPA presentations, hosted by World Check this spring. All of the events are free and CLE is provided. Our upcoming schedule is as follows and if you are in one of these areas I hope you can join us.

Tuesday, April 5-Portland. For details, click here.

Wednesday, April 6, Seattle. For details, click here.

Thursday, April 7, Denver. For details, click here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011