FCPA Risk Assessments: New Input into Current Best Practices

We believe that Risk Assessment is a tool and is one with which a company should begin to craft its Foreign Corrupt Practices (FCPA) or UK Bribery Act compliance program. The simple reason is straightforward; one cannot define, plan for, or design an effective compliance program to prevent bribery and corruption unless you can measure the risks you face. Both the both the Principles of Federal Prosecution of Business Organization (US Sentencing Guidelines) and its section on corporate compliance programs and the UK Bribery Act’s Consultative Guidance list Risk Assessment as the initial step in creating an effective anti-corruption and anti-bribery program. So far, in 2011 the US Department of Justice (DOJ) has concluded three FCPA enforcement actions which specify some factors which a company should review when making a Risk Assessment.

The three enforcement actions, involving the companies Alcatel-Lucent, Maxwell Technologies and Tyson Foods all had common areas that the DOJ indicated were FCPA compliance risk areas which should be evaluated for a minimum best practices FCPA compliance program. In both Alcatel-Lucent and Maxwell Technologies, the Deferred Prosecution Agreements (DPAs) listed the seven following areas of risk to be assessed.

1.         Geography-where does your Company do business.

2.         Interaction with types and levels of Governments.

3.         Industrial Sector of Operations.

4.         Involvement with Joint Ventures.

5.         Licenses and Permits in Operations.

6.         Degree of Government Oversight.

7.         Volume and Importance of Goods and Personnel Going Through Customs and Immigration.

In the Tyson Foods DPA, this list was reduced to the following (1) Geography, (2) Interaction with Governments, and (3) Industrial Sector of Operations. It would seem that the DOJ did not believe that Tyson Foods had the same compliance risks as Alcatel-Lucent and Maxwell Technologies because (a) there limited internal sales market and (b) the fact it only has 6 food processing plants outside the United States.

These factors provide guidance into some of the key areas that the DOJ apparently believes can put a company at higher FCPA risk. These factors supplement those listed in the UK Bribery, Consultative Guidance which states, “Risk Assessment – The commercial organization regularly and comprehensively assesses the nature and extent of the risks relating to bribery to which it is exposed.” The Guidance points towards several key risks which should be evaluated in this process. These risk areas include:

1.         Internal Risk – this could include deficiencies in

•           employee knowledge of a company’s business profile and understanding of associated bribery and corruption risks;

•           employee training or skills sets; and

•           the company’s compensation structure or lack of clarity in the policy on gifts, entertaining and travel expenses.

2.         Country risk – this type of risk could include:

(a) perceived high levels of corruption as highlighted by corruption league tables published by reputable Non-Governmental Organizations such as Transparency International;

(b) factors such as absence of anti-bribery legislation and implementation and a perceived lack of capacity of the government, media, local business community and civil society to effectively promote transparent procurement and investment policies; and

(c) a culture which does not punish those who seeks bribes or make other extortion attempts.

3.         Transaction Risk – this could entail items such as transactions involving charitable or political contributions, the obtaining of licenses and permits, public procurement, high value or projects with many contractors or involvement of intermediaries or agents.

4.         Partnership risks – this risk could include those involving foreign business partners located in higher-risk jurisdictions, associations with prominent public office holders, insufficient knowledge or transparency of third party processes and controls.

Risk Assessment as ‘Best Practices’

Both the Consultative Guidance and the recent DPAs provide guidance to the FCPA compliance practitioner and include ongoing Risk Assessment as a key component of any best practices program. A well-managed organization makes an assessment of the risks it faces now and in the future and then designs appropriate risk management and control mechanisms to control such risks. However, the key point is that a Risk Assessment is absolutely mandatory and must be used as a basis for the design of an effective compliance policy, whether under the FCPA or the UK Bribery Act. If a Risk Assessment is not used, it might be well nigh impossible to argue that your compliance program meets even the basic standards of either law.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

Alcatel-Lucent-Did the Baby Get Thrown Out With the Bathwater?

Ed. Note-today we host a Guest Blog from our Colleague Mary Shaddock Jones, Assistant General Counsel and Director Of Compliance at Global Industries, Ltd.

The recent Alcatel-Lucent FCPA settlement in the amount of $137 Million has rightfully made headlines. Clearly no one other than the parties intimately involved know all of the facts and circumstances of the investigation. However, there are certainly lessons that can be learned from reading the eighty-three page deferred prosecution agreement (“DPA”). Two of the items which merit highlighting from page 3 of the DPA entitled “Relevant Considerations” are the following:

I. “(d) after limited and inadequate cooperation for a substantial period of time, Alcatel-Lucent substantially improved its cooperation with the Department’s investigation of this matter, as well as the SEC’s investigation”.

Contrast this language with that of the government its publicly filed sentencing memorandum for Siemens in 2008 wherein, the government noted Siemens’ “extraordinary cooperation” and “uncommonly sweeping remedial action.”

In addition, as previously noted in this blog, in the RAE Systems settlement agreement, despite having actual knowledge of an FCPA violation, RAE Systems did not have a criminal prosecution brought against it. It appears that this decision was at least in part based upon the cooperation RAE Systems provided to the government during the investigation. The letter to the Siemens DPA contained the following statement:

“…non-prosecution agreement based, in part, on the following factors: (a) RAE Systems’s timely, voluntary, and complete disclosure of the facts described in Appendix A; (b) RAE Systems’s thorough, real-time cooperation with the Department and the U.S. Securities and Exchange Commission (“SEC”); (c) the extensive remedial efforts already undertaken and to be undertaken by RAE Systems; and (d) RAE Systems’s commitment to submit periodic monitoring reports to the Department.”

There was no indication in terms of actual dollars in the Siemens or RAE Systems settlement agreements how much higher the fine would have been without such “extraordinary cooperation” and/or “thorough, real-time cooperation”. Nor does the Alcatel-Lucent agreement provide the reader with any indication of how much lower the $137 million fine would have been if Alcatel-Lucent would have provided “extraordinary cooperation” , “thorough, real-time cooperation and/or “uncommonly sweeping remedial action” similarly to that noted by the DOJ in the RAE Systems and Siemens settlements. The “Lesson to be Learned” from both of these settlement agreements; however, is a reiteration that the DOJ and SEC clearly consider the cooperation or lack thereof by the company during the internal investigation when calculating the ultimate fine.

II. “(f) on its own initiative and at a substantial financial cost, Alcatel-Lucent determined as a matter of company policy to no longer use third party sales and marketing agents in conducting its worldwide business”.

Does this mean that if one of the subsidiaries of Alcatel-Lucent hires a third party sales and marketing agent anywhere in the world for the term of the DPA (3 years) that the DOJ could determine that the Alcatel-Lucent breached the agreement under Paragraph 16 and continue with criminal prosecution against the company? What is the difference between “sales and marketing agents” described above and “agents and business partners” described in the Corporate Compliance Program Attachment C described below? The more concerning aspect is the DOJ’s announcement focused on Alcatel’s business model- that of pursuing business opportunities in foreign countries using third-party agents and consultant and stated that “this business model was shown to be prone to corruption”. In previous DPA agreements (such as the RAE settlement previously discussed in this blog), the focus has not been on walking away from the use of third party sales and marketing agents (or Agents and Business Partners?), but rather strengthening the due diligence and controls surrounding the use of these third parties. The Corporate Compliance Program agreed to by RAE (and interestingly enough by Alcatel-Lucent) contains the following elements:

11. Use of Agents and Other Business Partners. To the extent that the use of agents and business partners is permitted at all by RAE, it should institute appropriate due diligence and compliance requirements pertaining to the retention and oversight of all agents and business partners, including:

a. Properly documented risk-based due diligence pertaining to the hiring and appropriate and regular oversight of agents and business partners;

b. Informing agents and business partners of RAE’s commitment to abiding by laws on the prohibitions against foreign bribery, and of RAE’s ethics and compliance standards and procedures and other measures for preventing and detecting such bribery; and

c. Seeking a reciprocal commitment from agents and business partners.

12. Contractual Compliance Terms and Conditions. RAE should include standard provisions in agreements, contracts and renewals, thereof, with all agents and business partners that are reasonably calculated to prevent violations of the anticorruption laws, which may, depending upon the circumstances, include: (a) anticorruption representations and undertakings relating to compliance with the anticorruption laws; (b) rights to conduct audits of the books and records of the agent or business partner to ensure compliance with the foregoing; and (c) rights to terminate an agent or business partner as a result of any breach of anti-corruption laws, and regulations or representations and undertakings related to such matters.

At this point, it is unclear from just reading the Alcatel-Lucent DPA what facts were considered by the company in agreeing to completely walk away from the use of third party sales and marketing agents. One would hope that such a drastic step would not become a common tool in settlement agreements with the DOJ/SEC. It appears from Attachment A pages A:11-15 that the issue was not so much the use of third party sales and marketing agents as it was the decentralized business structure and approval process wherein the due diligence performed (if any) was done by local employees who, according to the statement of facts, were “more interested in obtaining business than ensuring that business was won ethically and legally”. In addition to the apparent lack of an adequate due diligence was the apparent lack of attention paid to the invoices and/ or commission rates being charged by the third party sales and marketing agents. There really is no need to “throw the baby out with the bathwater”, it is just better to have a “cleaner baby” in the bathwater!

Mary Shaddock Jones is Assistant General Counsel and Dir. Of Compliance at Global Industries, Ltd. Mary can be reached at maryj@globalind.com. The views and opinions expressed here are her own and not necessarily those of her employer.