best practices | FCPA Compliance and Ethics Blog

August 21, 2015

Archie Bunker, Batgirl and the International Fight Against Corruption

Filed under: Compliance,Compliance and Ethics,Corruption in Brazil,Corruption in China,FCPABlog,New York Times,Petrobras — tfoxlaw @ 12:01 am
Tags: best practices, Bribery Act, compliance, compliance programs, FCPA, FCPA Blog, NYT

This week saw the death of two notables from the television industry, Bud Yorkin and Yvonne Craig. According to his Obituary in the New York Times (NYT), Yorkin rose up the television industry ranks to eventually team with Norman Lear to produce one of the true “pioneering, provocative and singularly successful satirical series” in the history of television, All In The Family, introducing one of the most recognizable characters in all of TV – Archie Bunker. When I say he began at the bottom end of the business: it literally was that, as he began repairing TVs in New York City bars. All In The Family not only broke ground by discussing taboo subjects it also became “the first TV series to top the Nielsen ratings for five consecutive years.”

Yvonne Craig was known, according to her Obituary in the NYT, as the girl “who kept Gotham safe as Batgirl” whom she played in the 1960s TV series Batman. Craig was a classically trained ballerina who brought athleticism and “a scrappy girl-power element” to the series in its third and final season. However, I remember Craig as the green skinned slave girl in the “Whom The Gods Destroy” episode from the original Star Trek series. Her Obituary noted, “She performed a seductive, loose-limbed dance that seemed to nearly overwhelm William Shatner’s red-blooded Captain Kirk, while Leonard Nimoy’s Mr. Spock pronounced it “mildly interesting.””

Interestingly both of these televisions stars inform today’s compliance issue. Yorkin for the way he and his partner Lear held up a mirror, through All In The Family, to address such issues as “racism, sexism, abortion, gay rights and the war in Vietnam, among other television taboos” and Craig, “who kept Gotham safe as Batgirl.” Of course I am referring to the devastating disaster that occurred last week in the Chinese city of Tianjin. A NYT article, entitled “Report Details Role of Political Connections in Tianjin Disaster”, reported that the death toll now stands at 114, with 674 injured and more than 17,000 homes damaged. An unknown number of persons are still missing.

Is anyone really surprised corruption was involved in the tragedy? Enforcement of anti-corruption laws, such as the Foreign Corrupt Practices Act (FCPA), the UK Bribery Act or even Chinese domestic anti-bribery laws, is not a game for corruption can kill. While most corruption leads to economic damage, there have been clear instances where corruption led to the loss of life. The 2013 massacre at the Narobi Westgate shopping mall was clearly a result of corruption in Kenya that allowed guns used in the attack to be illegally smuggled into the country through bribery.

Now it has been reported that corruption led to the disaster in Tianjin. The FCPA Blog, in a post entitled “Report: Tianjin warehouse owners used guanxi to land phony safety licenses”, wrote that “The owners of the warehouse in the port of Tianjin that exploded last week and killed more than 100 people obtained fraudulent safety licenses through their connections with fire and safety officials, China state media said.” The warehouse where the fire started and spread from was illegally holding certain lethal chemicals. The post also noted, “Ruihai International Logistics owned the warehouse. The main shareholders of the company are ex-Sinochem executive Yu Xuewei and Dong Shexuan, the son of a late police chief, VAO News reported.” The FCPA Blog went on to quote the VOA report for the following, “In an interview with the official Xinhua news agency, Dong and Yu admitted to using their connections, or guanxi, with local officials to obtain various fire safety, land, environmental and safety certifications.”

In addition to the illegally stored chemicals, it turns out there should not even have been a warehouse in that location in the first place. In another NYT article, entitled “Report Details Role of Political Connections in Tianjin Disaster”, Dan Levin reported the warehouse itself was not far enough back from the prescribed distance for residential housing. It seemed clear from the confession of the Mayor of Tianjin that he had been involved in the corruption when he stated, “I bear the unshirkable responsibility for this accident as head of the city.”

Another indicia of Chinese corruption had come into play as well. The executives of the company, which owned the warehouse and illegally stored chemicals, Ruihai, hid their ownership interest. The article reported they “had other people list their shares to avoid the appearance of a conflict of interest.”

In yet another NYT article, entitled “Fear of Toxic Air and Distrust of Government Follow Explosions in China” also by Dan Levin, it was noted “Later on Tuesday, China’s anticorruption agency announced on its website that Yang Dongliang, a former deputy mayor of Tianjin who became the head of the State Administration of Work Safety, was under investigation for “suspected violations of party discipline and the law,” a common euphemism for corruption. The Beijing Youth Daily reported, however, that Mr. Yang has been under investigation for a half-year, raising questions about why the case was announced now. Two other officials accused of taking bribes are also under investigation.”

The fallout from this tragedy continues. However, with such widespread corruption many Chinese feel they are not being told the truth and that their government is protecting corrupt officials. Levin said, “Public reflection on man-made tragedies is politically risky for the ruling Communist Party, according to David Bandurski, an editor of the China Media Project at the University of Hong Kong. “The party leadership is very aware that questions of responsibility in a disaster like this can very quickly move to fundamental issues of power and legitimacy,” he said, explaining that in an authoritarian system, “the buck stops with you.” Mr. Bandurski noted that censors had struggled to control the Tianjin narrative because some Chinese journalists had pushed ahead with their own reporting. “This is a very messy story, and for Chinese media, messy means opportunity,” he said.”

The Petrobras scandal in Brazil is bringing into question the government of President Dilma, it could forebode the same in China. Corruption in all its forms is no laughing matter and enforcing anti-corruption laws is no game. While prosecuting companies engaging in bribery and corruption through the hiring of sons and daughters of government officials to retain or garner new business may seem quite a long way from the Westgate Mall massacre or the massive loss of life in Tianjin; they are clearly on a unidimensional continuum.

Just as Archie Bunker put a light up to many of the social ills of his time, the more light you can shine on corruption, the more you can root it out of the shadows. But do not forget to send in Batgirl and those fighting for justice against corruption as well.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

Comments (1)

August 20, 2015

BNY Mellon and Lessons Learned In Hiring Family Members – Part II

Filed under: Best Practices,BNY Mellon,Bribery and Corruption,Compliance,Compliance and Ethics,compliance programs,Doing Compliance,FCPA,SEC — tfoxlaw @ 4:37 am
Tags: best practices, compliance, compliance programs, FCPA, Foreign Corrupt Practices Act, SEC

In yesterday’s post I reviewed the Securities and Exchange Commission (SEC) Foreign Corrupt Practices Act (FCPA) enforcement action involving the Bank of New York Mellon Corporation (BNY Mellon) around its hiring of sons and nephews of foreign governmental officials to obtain or retain business from certain foreign Sovereign Wealth Funds. I discussed the underlying facts and penalties assessed against BNY Mellon as laid out in the SEC Cease and Desist Order (the “Order”). Today I want to provide some guidance on what this enforcement action may mean for companies going forward when hiring the sons and daughters or close family relatives of foreign government officials.

The first thing to remember is there is nothing in the FCPA which prohibits the hiring of a son, daughter or close family member of a foreign government official. What the FCPA does make illegal is an action where a company “or any officer, director, employee, or agent acting on behalf of such issuer, in order to obtain or retain business, from corruptly giving or authorizing the giving of, anything of value to any foreign official for the purposes of influencing the official or inducing the official to act in violation of his or her lawful duties, or to secure any improper advantage, or to induce a foreign official to use his influence with a foreign governmental instrumentality to influence any act or decision of such government or instrumentality.” [citation omitted]

The actions of BNY Mellon were clearly designed to not simply curry favor with the foreign governmental officials involved but also to either grow the business or help to retain what the company already had in place with the un-named foreign Sovereign Wealth Fund. At this point most companies have a written FCPA compliance program in place; consisting of policies and procedures. Note, this does not mean that the compliance program is effective because for a compliance program to be effective, a company must actually be doing compliance. Many FCPA enforcement actions occur because an exception was granted to a policy or procedure and either the reason for granting the exception was inappropriate or there was no documentation as to why the exception was granted. In the case of BNY Mellon, it was the latter.

BNY Mellon offered high value, high prestige summer internship programs for “undergraduates as well as a separate summer program for postgraduates actively pursuing a Master of Business Administration (MBA) or similar degree. Admission to the BNY Mellon postgraduate internship program was highly competitive and characterized by stringent hiring standards.” The main purpose of these internships was to give BNY Mellon an opportunity to evaluate the interns as potential permanent hires to the company. There was a designated track for nomination to the internship program and internal company evaluation prior to offering candidates an intern position. In other words, there were policies and procedures around the process but BNY Mellon did not follow them.

Hiring Process

The first Red Flag, which BNY Mellon seemingly ignored in this entire process, was that each of the candidates were recommended to the firm by foreign governmental officials who held control of business relations between Sovereign Wealth Funds and the bank. Their requests that their close family relations be hired by BNY Mellon was contra to the banks own process of selecting candidates for its internship program from a exclusive group of universities and colleges in the US and UK. The Order noted, “Successful applicants had to achieve a minimum grade point average, and had to advance through multiple rounds of interviews in addition to having relevant prior work experience and a demonstrated affinity for and interest in financial services work.”

None of these indicia were present in the hiring of the foreign governmental official’s relatives at issue. There was no evidence the candidates met any of BNY Mellon’s own internal criteria for consideration to the internship program. Indeed, as the Order stated, “as recent graduates not enrolled in any degree program, the Interns did not meet the basic entrance standard for a BNY Mellon postgraduate internship.” Finally, to top it off, all three were hired sight unseen and “BNY Mellon decided to hire the Interns before even meeting or interviewing them.”

The Internships

But BNY Mellon’s violative conduct did not stop by simply hiring the three close family relatives for its internship program. The three persons got benefits far more than simply a regular internship program. BNY Mellon designed special “Bespoke” internship programs for the three interns. As requested by their fathers and uncle, the three interns received “customized work experiences” which “were not regular undergraduate or graduate summer internships at all, but customized one-of-a-kind training programs. The internships were valuable work experience, and the requesting officials derived significant personal value in being able to confer this benefit on their family members.”

The internships were abnormally long, lasting six months, which was twice the normal length. Additionally they were “rotational in nature, meaning that Interns A, B and C had the opportunity to work in a number of different BNY Mellon business units, enhancing the value of the work experience beyond that normally provided to BNY Mellon interns.”

The Costs

In addition to the exceptions granted in the hiring process and the internships themselves, BNY Mellon also paid out money and non-monetary benefits in a manner different to others in the internship program. The Order stated, “BNY Mellon determined, because Interns A and B had already graduated from college, that Interns A and B should be paid above the normal salary scale for BNY Mellon undergraduate interns but below the scale for postgraduate interns. Intern C was unpaid. BNY Mellon also coordinated obtaining visas for all three of the Interns so that they could travel from the Middle East to work in the countries in which they were placed. BNY Mellon paid the legal fees and filing costs related to the visas. As the BNY Mellon Asset Management employee responsible for arranging two of the three internships wrote in a contemporaneous e-mail, the internships constituted an “expensive favor” for the requesting foreign official.” Indeed the Order cited to an email from one BNY Mellon employee who wrote, “I am working on an expensive ‘favor’ for [Official X] – an internship for his son and cousin (don’t mention to him as this is not official).” Further, BNY Mellon knew the request and accommodation was unethical, if not illegal, as the same employee wrote in another email, ““[W]e have to be careful about this. This is more of a personal request . . . [Official X] doesn’t want

[the Middle Eastern Sovereign Wealth Fund] to know about it.” The same employee later directed his administrative assistant to refrain from sending email correspondence concerning Official X’s internship request “because it was a personal favor.”

Lessons Learned Going Forward

I must emphasize once again that there is nothing illegal around the hiring of a close family member of a foreign governmental official. It does however present a higher risk for indicia of bribery and corruption and violation of the FCPA. A higher FCPA risk means you need to evaluate that risk more closely and manage that risk accordingly.

The obvious starting point for any hiring of a close family member of a foreign governmental official is whether the candidate is qualified for the position. If they are not qualified it is ‘Full Stop’ at that point. In the case of BNY Mellon there was no evidence any of the candidates had the academic background, the academic credentials, leadership traits or intangible skills to meet the bank’s normal internship hiring criteria. As with any other anomaly granted in a company’s normal process, there must be a documented reason for the exception, review by appropriate authority of the exception and documentation as to why the exception was granted. None of these steps were present in the BNY Mellon matter. Put another way, if you are hiring a family member or close relative of a foreign government official for any reason other than merit, it had better be a darn good one and well-documented as to your decision-making calculus with appropriate senior management oversight.

But your risk management does not stop simply with the hiring process. If the foreign governmental official is the person who made the request for the hiring of the family member, this is a Red Flag not to be overlooked. Your analysis needs to be on the role of that foreign governmental official in awarding new business to your company or in retaining old business. If the foreign governmental official has direct or even strong indirect control over such business relation, this may present such a direct conflict of interest, this may be a risk that you cannot manage. A good rule of thumb here is whether there is full transparency in the hiring with the foreign government involved with your company. In the case of BNY Mellon, they did not want anyone in the Sovereign Wealth Fund to know BNY Mellon had hired the son or nephew. That is a clear sign transparency is lacking and someone, somewhere is engaging in unethical conduct, if not breaking the law.

Finally, if you do decide to move forward and hire the close family member, you need to assign that new hire to work not associated with the business relationship between your company and the foreign government involved. Just as in the lifecycle of third party management, managing the relationship after a contract is inked is in many ways the most critical element; the same is true in the employment relationship involving close family members of foreign government officials.

Ultimately, you need to have internal controls to ensure effective compliance going forward. You cannot have customer relationship managers making the calls on hiring which over-ride the Human Resources (HR) procedures. There must be not only HR review but also mechanisms to flag for compliance review such hires. Lastly, there needs to be sufficient senior management oversight because this is such a high-risk proposition.

I hope you have enjoyed and found this two-part series on the BNY Mellon FCPA enforcement action and the lessons learned from it useful. The SEC Order provides a clear road map to the Chief Compliance Officer (CCO), compliance practitioner, HR professional or anyone else who reads it on the steps you should take in the hiring of a close family member of a foreign government official with which you are doing business. It may take some additional effort than simply having your business unit employees make the call on who to award prestigious internships to in order to obtain or retain business but in the long run you will have a better run company for doing so. FCPA enforcement is not a game and by doing compliance will make your company a more accurtely operated entity.

© Thomas R. Fox, 2015

Leave a Comment

August 17, 2015

OIG Compliance Guidance for Health Care Governing Boards

Filed under: Board of Directors,Compliance,Compliance and Ethics,compliance programs — tfoxlaw @ 12:01 am
Tags: best practices, Board of Directors, BOD, compliance programs

On the front page of the Saturday New York Times (NYT) was an obituary for Edward Thomas, who joined the Houston Police Department (HPD) in 1948 and finally retired in 2011 at the age of 90. As reported in the article, entitled “Edward Thomas, Policing Pioneer Who Wore a Burden Stoically, Dies at 95”, when Thomas joined the HPD, “he could not report for work through the front door. He could not drive a squad car, eat in the department cafeteria or arrest a white suspect. Walking his beat, he was once disciplined for talking to a white meter maid.” The reason was that Thomas was the first African-America to don a uniform for the HPD. Yet through stoic service and professional leadership, Thomas became the longest serving Houston police officer and had the HPD Police headquarters renamed in his honor earlier this year.

I thought about how Thomas led the HPD to the modern era in the area of race relations in the context of a report, issued in April, by the Office of Inspector General (OIG), Department of Health and Human Resources, entitled “Practical Guidance for Health Care Governing Boards on Compliance Oversight” (the OIG Guidance). Through this paper, the OIG provided compliance practitioners and health care company Board of Directors its views on the proper role of a Board in overseeing a corporate compliance function.

As an introduction, the OIG Guidance states that a Board must act in good faith around its obligations regarding compliance. This means that there must be both a corporation information and reporting system and that such reporting mechanisms provide appropriate information to a Board. It stated, “The existence of a corporate reporting system is a key compliance program element, which not only keeps the Board informed of the activities of the organization, but also enables an organization to evaluate and respond to issues of potentially illegal or otherwise inappropriate activity.” The OIG Guidance sets out four areas of Board oversight and review of a compliance function; “(1) roles of, and relationships between, the organization’s audit, compliance, and legal departments; (2) mechanism and process for issue-reporting within an organization; (3) approach to identifying regulatory risk; and (4) methods of encouraging enterprise-wide accountability for achievement of compliance goals and objectives.”

While noting that a corporate compliance function should promote the prevention, detection and remediation of compliance violations, the OIG Guidance goes on to state that an organization’s Chief Compliance Officer (CCO) “should neither be counsel for the provider, nor be subordinate in function or position to counsel or the legal department, in any manner.” Rather the Board must ensure the CCO and compliance function have resources to fulfill their assigned role within an organization and access to the Board. The Board should “evaluate and discuss how management works together to address risk, including the role of each in:

identifying compliance risks,
investigating compliance risks and avoiding duplication of effort,
identifying and implementing appropriate corrective actions and decision-making, and
communicating between the various functions throughout the process.”

A key component of Board oversight is through the flow of information. The OIG Guidance says, “The Board should set and enforce expectations for receiving particular types of compliance-related information from various members of management. The Board should receive regular reports regarding the organization’s risk mitigation and compliance efforts—separately and independently”. These reports can come to the Board via a variety of reporting mechanisms; regular Board meetings, special Executive Sessions where the Board meets with the CCO or compliance leadership outside of the presence of senior management and ad hoc communications from the CCO. All of these help create a “continuous expectation of open dialogue” which is paramount for proper Board oversight. Of course, if a serious compliance issue arises, it needs to be communicated directly, and in a timely manner, to the Board.

But in addition to setting the expectations for the flows of information, a Board must also set expectations for holding senior management accountable for areas such as compliance. This can be through the assessment of “individual, department, or facility-level performance or consistency in executing the compliance program” and using this information to payout or withhold discretionary based bonuses “based upon compliance and quality outcomes.” The OIG Guidance also notes, “Some companies have made participation in annual incentive programs contingent on satisfactorily meeting annual compliance goals. Others have instituted employee and executive compensation claw-back/recoupment provisions if compliance metrics are not met.” However the key component is that “Through a system of defined compliance goals and objectives against which performance may be measured and incentivized, organizations can effectively communicate the message that everyone is ultimately responsible for compliance.”

A Board also needs to have regular reports on the risks that any organization may face. This means keeping abreast of “relevant and emerging regulatory risks, the role and functioning of an organization’s compliance program in the face of those risks and the flow and elevation of reporting of potential issues and problems to senior management.” The OIG Guidance speaks to technological solutions when it says, “Some Boards use tools such as dashboards—containing key financial, operational and compliance indicators to assess risk, performance against budgets, strategic plans, policies and procedures, or other goals and objectives—in order to strike a balance between too much and too little information. For instance, Board quality committees can work with management to create the content of the dashboards with a goal of identifying and responding to risks and improving quality of care.”

Moreover, a Board should also mandate that the company’s compliance function have the proper tools in place to facilitate compliance reporting internally. It states, “Boards should also consider establishing a risk-based reporting system, in which those responsible for the compliance function provide reports to the Board when certain risk-based criteria are met. The Board should be assured that there are mechanisms in place to ensure timely reporting of suspected violations and to evaluate and implement remedial measures. These tools may also be used to track and identify trends in organizational performance against corrective action plans developed in response to compliance concerns.”

Ultimately a Board should drive home of the message of compliance as “a way of life” so that it permeates into the DNA of a health care organization. For if a Board can help drive compliance into the fabric of an organization, it will have done more than simply fulfill its legal obligations starting in the Caremark decision and going forward. The Board will have helped to make the entire organization more compliance-centric and when a Board can help to facilitate such a change in attitudes, it will have moved the organization several steps down the road of doing business in compliance with relevant laws and issues.

The OIG Guidance is an excellent review for not only compliance professionals and others in the health care industry but a good primer for Boards around their own duties under a best practices compliance program. The US Federal Sentencing Guidelines, the Ten Hallmarks of an Effective Compliance Program, the “OIG voluntary compliance program guidance documents, and OIG Corporate Integrity Agreements (CIAs) can be used as baseline assessment tools for Boards and management in determining what specific functions may be necessary to meet the requirements of an effective compliance program. The Guidelines “offer incentives to organizations to reduce and ultimately eliminate criminal conduct by providing a structural foundation from which an organization may self-police its own conduct through an effective compliance and ethics program.” The compliance program guidance documents were developed by OIG to encourage the development and use of internal controls to monitor adherence to applicable statutes, regulations, and program requirements.”

It is a document well worth your consideration.

© Thomas R. Fox, 2015

Leave a Comment

August 13, 2015

Cymbeline – Doing Virtue and FCPA Compliance

Filed under: Best Practices,Compliance,Compliance and Ethics,Culture,Department of Justice,Doing Compliance,Ethics,FCPA,SEC — tfoxlaw @ 12:01 am
Tags: best practices, compliance, compliance programs, Department of Justice, DOJ, FCPA, Foreign Corrupt Practices Act, FT, SEC, Wall Street Journal, WSJ

Commentators still level the hue and cry that it is somehow the fault of the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) that companies continue to violate the Foreign Corrupt Practices Act (FCPA). Things would improve if only the DOJ and SEC would (1) prosecute companies more aggressively; (2) prosecute companies less aggressively; (3) make an example of ‘rogue’ employees who violate their corporate overseers pronouncements not to violate the law; (4) prosecute more corporate executives to ‘send a message’; (5) amend and clarify the FCPA because the concept of do not pay bribes is somehow too complicated for mere mortals to understand; (6) implement a compliance defense because apparently the DOJ does not consider that enough in any decision to prosecute; and/or (7) as The Donald desires, simply do away with the FCPA to restore the ability to pay a fair price for fair corruption.

I thought about all of these varied and contradictory reasons when considering one of Shakespeare’s most enigmatic plays, Cymbeline. In an article in the Wall Street Journal (WSJ) entitled “The Long, Painful Drama of Self-Knowledge”, Stephen Smith considered the character Posthumus who was thought of as virtuous yet, through the crush of the plot, has his virtuous image shattered. Smith poses the question of “Why is Posthumus such a poor leader of himself, and a danger to others?” He answers his own question by saying, “The play suggests that his lack of self-knowledge, along with the flattery of his culture, make him overconfident.” In other words, he was human.

I thought about this analysis in the context of the recent accounting and financial scandal that engulfed the Toshiba Corporation in Japan. For those who did not follow the news, Toshiba announced last month that it had overstated its profits from 2008-2014 by over $1 billion dollars. This was in the face of the company having been publicly recognized for its good governance standards and practices. In an article in the Financial Times (FT), entitled “Japan Inc left shaken by Toshiba scandal”, Kana Inagaki reported, “On paper, it had a structure that gave its external directors the authority to many top executives and an auditing committee to monitor the behaviour of the company’s leaders. It was lauded for its efforts. In 2013, the group was ranked ninth out of 120 publicly traded Japanese companies with good governance practices in a list compiled by the “Japan Corporate Governance Network.””

But it was all a sham as it turned out that chairman of the audit committee was in on the fraud in addition to a plethora of top executives. Kota Ezawa, an analyst at Citigroup was quoted in the piece that “Toshiba was lauded as the frontrunner in governance efforts but that was a misunderstanding. Its governance structure looked good but the execution was not.” Ezawa further stated, “We need to make sure that companies understand that having structures is not enough.” So even a company with $52bn in annual sales must have more than a paper program.

For those who want to point to some defect in the Japanese corporate character, reminding us of the Olympus scandal from 2011, where successive corporate executives covered up long running accounting fraud, Andrew Hill, also writing for the FT in an article entitled “The universal dangers shown by Toshiba’s failings”, says not to point that self-righteous finger quite so quickly. He reminds readers of WorldCom from earlier this century. Being from Houston, I would remind readers of Enron and its accounting fraud as well. Hill cites to the work of Professor Michael Jones to identify four main types of accounting fraud, (1) increasing income, (2) decreasing expenses, (3) increasing assets, and (4) decreasing liabilities. Hill further notes that one common failing in all of these examples is the failure of internal controls. A second key failing is the “Unwillingness to challenge authority, a trait attributed to employees at Toshiba and Olympus — and often given an “only in Japan” spin — is a recurring problem everywhere, from Royal Bank of Scotland under Fred Goodwin to Fifa under Sepp Blatter.”

Hill’s explanation of the how and why of these accounting scandals is as age old as the time of Cymbaline. He wrote, “The most important lesson from Toshiba is about the malign impact of top-down pressure to meet unrealistic targets. Toshiba’s ex-chief executive denies having given direct instructions to staff to inflate profits. But the investigating panel said he told executives to “use every possible measure to achieve profitability” and added that Toshiba’s corporate culture did “not allow employees to go against the will of their superiors”.”

The lessons that Hill finds in the Toshiba accounting scandal are equally applicable to FCPA compliance and enforcement. It is not the DOJ or SEC’s “fault” when companies do not comply with the FCPA. It is up to the companies to which the law applies to comply with it. Make no mistake; it is quite simple not to pay bribes. One only has to wake up and say “I am not paying a bribe today, no matter what the economic benefit is to me”. Yet for a company, it is not easy because you have to not only put the appropriate controls in place, but you have to do compliance by ensuring these controls are executed upon. That was the failing of Toshiba, it had the controls in place but it did not execute on them.

I think this speaks directly as to why FCPA violations continue to occur and be prosecuted. Hill ended his piece by noting, “When aggressive targets, irresistible management pressure and weak controls coincide, misconduct can spread quickly. Rival companies see the inflated numbers and strain to match them. To suggest such weaknesses are confined to one corporate or national culture is a first step into dangerous complacency.” As long as humans are involved with corporations and there are incentives in place for more and greater sales, you will always have the motivation to cut corners and pay bribes. That impulse can be brought on by a bump in salary, a nice bonus, a promotion or sometimes simply keeping your job. That is why a compliance program must be put in place and those controls must be effective.

In Cymbeline the protagonist Posthumus learns that one key component of virtue is prudence. Near the end of his article on Shakespeare’s play Smith writes, “In his story, we glimpse one goal of Shakespearean drama: to help forge just such a character – an integrated human person capable of leading himself and others to peace, with the help of virtue.” For FCPA compliance, as long as there are incentives in place to make money, there will be people who cut corners by paying bribes. Yet companies can temper this by putting an effective compliance program in place and actually doing compliance. Much like Posthumus learns in Cymbeline it is one’s actions which lead to being virtuous; for a company, it is doing compliance that leads to it being called ethical.

© Thomas R. Fox, 2015

Leave a Comment

August 11, 2015

What Goes Downhill May Go Uphill in FCPA Compliance

Filed under: Best Practices,Brazil,Corruption in Brazil,Department of Justice,FCPA,Petrobras — tfoxlaw @ 12:01 am
Tags: best practices, Bribery Act, compliance, compliance programs, Department of Justice, DOJ, FCPA, FT, NYT

Usually the question I am posed is how far down the chain must you go in your due diligence to ensure that your suppliers are in compliance with the Foreign Corrupt Practices Act (FCPA). I would pose that now, after the Petrobras scandal, a company may need to examine the flow in the other direction. I thought about this directional shift when I read an exhaustive report in the Sunday New York Times (NYT) on the Petrobras scandal, entitled “Brazil’s Great Oil Swindle”, by David Segal. The article reviews the genesis of and details the ongoing nature of the Petrobras scandal.

While I have previously written about the other Brazilian companies that have been caught up in the scandal, such as Oderbrecht, Camargo Corrêa and UTC Engenharia, Segal’s article detailed a level of immersion in corruption that should concern every US Company subject to the FCPA and catch the eye of Department of Justice (DOJ) prosecutors handling FCPA cases. It appears that the companies that had direct contracts with Petrobras also colluded in the old-fashioned anti-trust sense, so that not only did they control all the subcontract work done on any Petrobras project but they would also demand bribes from the subcontractors which they then passed up the chain to Petrobras executives and eventually Brazilian politicians. If this scheme turns out to be true, it literally could explode potential FCPA exposure for any US Company doing business on any subcontract where Petrobras was the eventual beneficiary.

Segal reported, “according to prosecutors, these companies stopped competing and started to collaborate. They formed a cartel and decided, in advance, which of them would win a particular deal. A charade competition was orchestrated, and the anointed winner could charge vastly more than it would in a free market.” Further, “A document obtained by prosecutors laid out what it called the “rules of the game.” The trumped-up bidding process was labeled a “sports tournament”, with an assortment of rounds and a “trophy.” There was a no-sore-loser codicil, too: “The teams that participate in a round should honor the rules that have been agreed on, even when they are not the winner.”

But the corruption did not stop simply at these non-Petrobras entities. These companies would demand bribes from their subcontractors that they passed up the line to Petrobras. Segal wrote, “From 1 to 5 percent of the value of a given contract was diverted to those on the receiving end of the scheme, a group that included 50 politicians from six parties, according to prosecutors. Money from cartel members took a circuitous route to politicians’ pockets, passing through ghost corporations whose owners made bribes look like consulting fees.”

Think about all of this for a minute. What happens when everyone and every company associated with a National Oil Company (NOC) is in on the corruption? I thought about this question when I read an article in the Financial Times (FT) by Andres Schipani, entitled “We were terrorized by the drop in oil prices”, where he discussed how the drop in world oil prices has negatively affected Venezuela more than any other top oil producing company. Part of the country’s trouble is the rampant corruption around its NOC PDVSA. Schipani quoted a former minster for the following, “The design of the political economy here only benefits the corrupt.” Moreover, the country is near the bottom of the Transparency International Corruption Perceptions Index (TI-CPI) coming in at 161^st out of 175 countries listed.

Most Chief Compliance Officers (CCOs) and compliance practitioners had focused their third party risk management program around third parties, first on the sales side and then in the Supply Chain (SC). However now companies may well have to look at other relationships, particularly those where the company is a subcontractor involved in a country prone to corruption with a NOC or other key state owned enterprise. Last year the Wall Street Journal (WSJ) in an article entitled “Venezuelan Firm Is Probed In U.S.”, by José De Córdoba and Christopher M. Matthews, reported that a US company ProEnergy Services LLC (ProEnergy), a Missouri based engineering, procurement and construction company, sold turbines to Venezuelan company Derwick Associates de Venezuela SA (Derwick), who provided them to the Venezuelan national power company. The article reported that the DOJ’s “criminal fraud section are reviewing actions of Derwick and ProEnergy for possible violations of the Foreign Corrupt Practices Act”. Derwick was reported to have been “awarded hundreds of millions of dollars in contracts in little more than a year to build power plants in Venezuela, shortly before the country’s power grid began to sputter in 2009”. All of this with a commission rate paid by ProEnergy to Derwick of a reported 5%.

The Brazilian investigation poses far more dire consequences for any US Company that did business with the cartel of Brazilian companies that had locked up the Petrobras work. It means that you need to go back immediately and not only review the underlying due diligence which you did (probably none); then review the contracts with those entities; and, finally, cross-reference to see if there were any contract over-charges which were rebated back to the cartel members. If so, you may well have a serious problem on your hands as any unwarranted rebates, refunds, customer credits or anything else that could have been readily converted into cash to be used to fund a bribe.

This second part is one thing that challenges many compliance officers. The compliance function does not always have visibility into the transactions assigned to specific contracts or projects like your company might be engaged in for Petrobras in Brazil. However it also speaks to the need for transaction monitoring as not simply a cutting edge technique or even best practice but a required financial controls tool that is also applicable to compliance internal controls as well.

As Brazilian prosecutors expand ever outward from Petrobras, US companies subject to the FCPA and UK companies and others subject to the UK Bribery Act would do well to review everything around their Brazilian operations, contracts and dealings. The Petrobras scandal has shown two clear trends to-date. First is that we are far from the end of this scandal. Second, the prosecutors have been fearless so far in following the corruption trail wherever it may go. If they follow it to US companies, they could prosecute them on their own in Brazil for violation of domestic anti-bribery and anti-corruption laws or turn the evidence over to the DOJ. The thing to do now is to get out ahead of this all too certain waterfall.

© Thomas R. Fox, 2015

Comments (1)

July 17, 2015

Great Structures Week V – The Tacoma Narrow Bridge Failure and Preventing Failure in Your Compliance Program

Filed under: Best Practices,Compliance,Compliance and Ethics,compliance programs,FCPA,Third parties — tfoxlaw @ 12:01 am
Tags: best practices, compliance programs, Department of Justice, FCPA, Foreign Corrupt Practices Act

I conclude my Great Structures Week with a focus on structural engineering failures: suspension bridges and the challenges of wind in their construction and maintenance. I am drawing these posts from The Great Courses offering, entitled “Understanding the World’s Greatest Structures: Science and Innovation from Antiquity to Modernity”, taught by Professor Stephen Ressler. In his chapter on suspension bridges he notes that the “Tacoma Narrows Bridge was the third longest span in the world when it opened to the world, this month of July in 1940.” Yet it collapsed only four months later, in one of the most famous visual images of a bridge’s collapsing. This is due to the “inherent flexibility of cable as a structural form”. A bridge can move in longitudinal vibration, that is up and down and in torsion, where it twists from side-to-side.

Most people recognize unstiffened suspension bridges as old as man and engineering itself. It was not until the 1820s that serious study was brought to bear on the issue of wind-related collapse of suspension bridges. The initial solution was to simply use more weight to reinforce the span. However, while that solution did bring some stability, it reinforced damage as the structure became a textbook example of Newton’s Second Law of Motion, which states that the acceleration of an object is dependent upon two variables – the net force acting upon the object and the mass of the object; meaning that once a heavy weight is in motion, it is more resistant to deceleration.

Yet it was scientific methodology that led to the disaster with the Tacoma Narrows Bridge. An engineer named Leon Moisseiff had developed a theory that long spanned suspension bridges were heavy enough that they did not require stiffening trusses because “their mass stabilized them against wind-induced vibrations.” However this theory failed to take into account how air flows around a bridge and the “dynamic response of the structural system.” Ressler concludes this section by stating, “this case has become a classic symbol of the dangers of arrogance born of overconfidence in science-based design methods, and belt-and-suspenders engineering has made a bit of a comeback.”

I thought about the catastrophic failure of the Tacoma Narrows Bridge in the context of one of the greatest risks in Foreign Corrupt Practices Act (FCPA) compliance; that being third parties. Many non-compliance corporate employees assume that if a third party passes due diligence muster; they are in the clear. After all, you cannot stop a third party from making a bribe or other corrupt payment. Fortunately the Department of Justice (DOJ) does not take such a myopic view as many business types. Under the FCPA, a company is responsible for the actions of its third party representatives.

The real work around your third party compliance program begins after the contract is signed and it is in the management of the third party relationship. While the FCPA Guidance itself only provides that “companies should undertake some form of ongoing monitoring of third-party relationships”. Diana Lutz, writing in the White Paper by The Steele Foundation entitled “Global anti-corruption and anti-bribery program best practices”, said, “As an additional means of prevention and detection of wrongdoing, an experienced compliance and audit team must be actively engaged in home office and field activities to ensure that financial controls and policy provisions are routinely complied with and that remedial measures for violations or gaps are tracked, implemented and rechecked.”

Carol Switzer, writing in the Compliance Week magazine, set out a five-step process for managing corruption risks, which I have adapted for third parties.

Screen – Monitor third party records against trusted data sources for red flags.
Identify – Establish helplines and other open channels for reporting of issues and asking compliance related questions by third parties.
Investigate – Use appropriately qualified investigative teams to obtain and assess information about suspected violations.
Analyze – Evaluate data to determine “concerns and potential problems” by using data analytics, tools and reporting.
Audit – Finally, your company should have regular internal audit reviews and inspections of the third party’s anti-corruption program; including testing and assessment of internal controls to determine if enhancement or modification is necessary.

Additionally there several different functions in a company that play a role in the ongoing monitoring of the third party. While there is overlap, I believe that each role fulfills a critical function in any best practices compliance program.

Relationship Manager

There should be a Relationship Manager for every third party which your company does business. The Relationship Manager should be a business unit employee who is responsible for monitoring, maintaining and continuously evaluating the relationship between your company and the third party.

Compliance Professional

Just as a company needs a subject matter expert (SME) in anti-bribery compliance to be able to work with the business folks and answer the usual questions that come up in the day-to-day routine of doing business internationally, third parties also need such access. A third party may not be large enough to have its own compliance staff so I advocate a company providing such a dedicated resource to third parties. This role can also include anti-corruption training for the third party, either through onsite or remote mechanisms. The compliance practitioner should work closely with the relationship manager to provide advice, training and communications to the third party.

Oversight Committee

A company can have an Oversight Committee review documents relating to the full panoply of a third party’s relationship with the company. It can be a formal structure or some other type of group but the key is to have the senior management put a ‘second set of eyes’ on any third parties who might represent a company in the sales side. In addition to the basic concept of process validation of your management of third parties, as third parties are recognized as the highest risk in FCPA or Bribery Act compliance, this is a manner to deliver additional management of that risk.

After the commercial relationship has begun the Oversight Committee should monitor the third party relationship on no less than an annual basis. This annual audit should include a review of remedial due diligence investigations and evaluation of any new or supplement risk associated with any negative information discovered from a review of financial audit reports on the third party. The Oversight Committee should review any reports of any material breach of contract including any breach of the requirements of the Company Code of Ethics and Compliance. In addition to the above remedial review, the Oversight Committee should review all payments requested by the third party to assure such payment is within the company guidelines and is warranted by the contractual relationship with the third party. Lastly, the Oversight Committee should review any request to provide the third party any type of non-monetary compensation and, as appropriate, approve such requests.

Audit

A key tool in managing the relationship with a third party post-contract is auditing the relationship. I hope that you will have secured audit rights, as that is an important clause in any compliance terms and conditions. Your audit should be a systematic, independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which your compliance terms and conditions are followed.

Perhaps now you will understand why I say that managing the relationship of your third party’s is where the real work of your FCPA compliance program comes to the fore. It also demonstrates a key difference in having a paper compliance program and doing compliance. Having a paper compliance program is simple but doing compliance is not always easy; you have to work at it to maintain an effective program.

I hope that you have enjoyed this week’s offering based around some of the world’s greatest structures, their engineering concepts and innovations and how they all related to a best practices compliance program. I am a huge fan of The Great Courses offerings and if you are interested in learning in a great many areas it is one of the best resources available to you. For a more detailed discussion of how you can develop and implement a best practices anti-corruption compliance program, I hope you will check my book Doing Compliance: Design, Create, and Implement an Effective Anti-Corruption Compliance Program, which is available through Compliance Week. You can review the book and obtain a copy by clicking here.

For a dramatic video of the collapse of the Tacoma Narrows Bridge on YouTube, click here.

© Thomas R. Fox, 2015

Leave a Comment

July 16, 2015

Great Structures Week IV – The Gothic Cathedral and Compliance Incentives

Filed under: Best Practices,Compliance,Compliance and Ethics,compliance programs,FCPA — tfoxlaw @ 12:01 am
Tags: best practices, compliance, compliance programs, Department of Justice, FCPA, Foreign Corrupt Practices Act

I continue my Great Structures Week with focus on great structural engineering and its innovations in the medieval world – that being the Gothic Cathedral. I am drawing these posts from The Great Courses offering, entitled “Understanding the World’s Greatest Structures: Science and Innovation from Antiquity to Modernity”, taught by Professor Stephen Ressler. When it comes to Gothic Cathedrals, Ressler notes that they are a rich case study in the development of “architecture and the limits of empirical design, literally written into the walls of the buildings.”

The innovation of the Gothic Cathedral was to use elements of the Roman basilica but to add “height and light, featuring ever taller naves, pierced by ever-larger clerestory windows, and delineated by ever-more-slender engaged columns”. The first innovation came with the pointed arch followed by ribbing on the columns to help stiffen and strength them more effectively. However the truly dynamic innovation was the creation of flying buttresses, which were huge additional columns outside the structure yet were designed to become load-bearing members so the highest point inside the cathedrals could be filled by light through ornately stained glass windows. Two of the finest examples of these Gothic Cathedrals are both found in France. They are the Cathedral of Our Lady at Chartres and Cathedral of St. Stephens at Bourges.

Just as the medieval world built up the structural engineering techniques from their forebears, as your compliance regime matures you can implement more sophisticated strategies to make your Foreign Corrupt Practices Acct (FCPA) compliance program a part of the way your company does business. Using an article in the Spring 2014 issue of the MIT Sloan Management Review, entitled “Combining Purpose with Profits”, as a basis, I have developed six core principles for incentives, for the compliance function in a best practices compliance program.

1. Compliance incentives don’t have to be elaborate or novel. The first point is that there are only a limited number of compliance incentives that a company can meaningfully target. Evidence suggests the successful companies are the ones that were able to translate pedestrian-sounding compliance incentive goals into consistent and committed action.
2. Compliance incentives need supporting systems if they are to stick. People take cues from those around them, but people are fickle and easily confused, and gain and hedonic goals can quickly drive out compliance incentives. This means that you will need to construct a compliance function that provides a support system to help them operationalize their pro-incentives at different levels, and thereby make them stick. The specific systems which support incentives can be created specifically to your company but the key point is that they are delivered consistently because it signals that management is sincere.
3. Support systems are needed to reinforce compliance incentives. One important form of a supporting system for compliance incentives “Is to incorporate tangible manifestations of the company’s pro-social goals into the day-to-day work of employees.” Make the rewards visible. As stated in the FCPA Guidance, “Beyond financial incentives, some companies have highlighted compliance within their organizations by recognizing compliance professionals and internal audit staff. Others have made working in the company’s compliance organization a way to advance an employee’s career.”
4. Compliance incentives need a “counterweight” to endure. Goal-framing theory shows how easy it is for compliance incentives to be driven out by gain or hedonic goals, so even with the types of supporting systems it is quite common to see executives bowing to short-term financial pressures. Thus, a key factor in creating enduring compliance incentives is a “counterweight”; that is, any institutional mechanism that exists to enforce a continued focus on a nonfinancial goal. This means that in any financial downturn compliance incentives are not the first thing that gets thrown out the window and if my oft-cited hypothetical foreign Regional Manager misses his number for two quarters, he does not get fired. So the key is that the counterweight has real influence; it must hold the leader to account.
5. Compliance incentive alignment works in an oblique, not linear, way. The authors state, “In most companies, there is an implicit belief that all activities should be aligned in a linear and logical way, from a clear end point back to the starting point. The language used — from cascading goals to key performance indicators — is designed to reinforce this notion of alignment. But goal-framing theory suggests that the most successful companies are balancing multiple objectives (pro-social goals, gain goals, hedonic goals) that are not entirely compatible with one another, which makes a simple linear approach very hard to sustain.” What does this mean in practical terms for your compliance program? If you want your employees to align around compliance incentives, your company will have to “eschew narrow, linear thinking, and instead provide more scope for them to choose their own oblique pathway.” This means emphasizing compliance as part of your company’s DNA on a consistent basis — “the intention being that by encouraging individuals to do “good,” their collective effort leads, seemingly as a side-effect, to better financial results. The logic of “[compliance first], profitability second” needs to find its way deeply into the collective psyche of the company.”
6. Compliance incentive initiatives can be implemented at all levels. Who at your company is responsible for pursuing compliance incentives? If you head up a division or business unit, it is clearly your job to define what your pro-social goals are and to put in place the supporting structures and systems described here. But what if you are lower in the corporate hierarchy? It is tempting to think this is “someone else’s problem,” but actually there is no reason why you cannot follow your own version of the same process.

Looking for some specific compliance obligations to measure against? You could start with the following examples of compliance obligations that are measured and evaluated.

For Senior Management

• Lead by example in your own conduct and in the decisions you take, to the resources and time you commit to compliance.
• Facilitate and proactively practice in day-to-day activities the key compliance competencies, both internally and externally.
• Support specific initiatives from the Chief Executive Officer (CEO), legal and compliance functions.

For Middle Management

• Demonstrate, facilitate and proactively practice in day-to-day activities the key compliance competencies, both internally and externally.
• Support specific initiatives from the legal and compliance functions.
• Ensure that all employees, agents and contractors directly or indirectly reporting to you fully complete all required training and communications in a timely manner.
• Provide full cooperation with investigations conducted by the compliance or legal functions of any alleged violation of compliance policies.
• Include the Chief Compliance Officer (CCO) or another legal or compliance function representative in your management meetings at least twice per year, per geography.
• Identify instances of non-compliance and support compliance monitoring and reporting systems.
• Partner with compliance in resolving compliance issues.

For Business Development or Company Sales Representatives

• Certify that all employees, agents and contractors directly or indirectly reporting to you have fully reported all sales and marketing interactions with all government officials in a timely manner.
• Certify that all employees, agents and contractors directly or indirectly reporting to you have fully, promptly and accurately reported all expenses with third party sales representatives have occurred.

The Gothic Cathedral is one of the greatest structural engineering feats mankind has ever created. It combined a dimension of height not surpassed for nearly 1000 years with an ingress of light not previous seen in structures. This use of light facilitated the development of the artistry of stained-glass windows.

For a review of what goes into the incentive structures of a best practices compliance program, I would suggest you check my book Doing Compliance: Design, Create, and Implement an Effective Anti-Corruption Compliance Program, which is available through Compliance Week. You can review the book and obtain a copy by clicking here.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.
© Thomas R. Fox, 2015

Leave a Comment

July 15, 2015

Great Structures Week III – The Roman Arch and Resourcing Your Compliance Program

Filed under: Best Practices,Chief Compliance Officer,Compliance,Compliance and Ethics,compliance programs,Department of Justice,Doing Compliance,FCPA,FCPA Guidance,Resources for your Compliance Program,Stephen Martin,Ten Hallmarks of an Effective Compliance Program — tfoxlaw @ 12:01 am
Tags: best practices, compliance programs, Department of Justice, Doing Compliance-The Book, FCPA

I continue my Great Structures Week with focus on structural engineering innovations from ancient Rome. I am drawing these posts from The Teaching Company course, entitled “Understanding the World’s Greatest Structures: Science and Innovation from Antiquity to Modernity”, taught by Professor Stephen Ressler who said “When I think of Rome, the first image that comes to mind is an arch.” It is present in aqueducts, in the triumphal arches that adorn the city of Rome, in the city gates and even in the Coliseum.

The arch was a major engineering advancement because the prior method for traversing horizontal distance was the beam, which was limited in its use. Ressler notes “because the arch carries its load entirely in compression, its span isn’t limited by the tensile strength of the material, the size of its stones, and it can span greater distances which might be conceived of with stone beams”. The arch itself has two essential characteristics. First it carries an entire load in compression, that is it counter-balances against itself, which allows for construction using the most basic building materials known in the ancient world: stone, brick and concrete. Arch of Titus

Yet the second characteristic of the arch is equally significant. An arch requires “both vertical and horizontal reactions to carry a load. The downward load of the arch is balanced by an upward reaction from the base”. Both the Arch of Titus and Pont du Gard aqueduct are still standing and can be seen today as magnificent examples of this Roman innovation.

I wanted to use the dual load system whereby an arch supports not only great weight but also esthetic engineering designs to discuss how a Chief Compliance Officer (CCO) or compliance practitioner might develop resources to implement a best practice anti-corruption compliance program under the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other anti-bribery law. Funding of a compliance program is always one of the biggest challenges. Short of being in the middle of a worldwide FCPA, UK Bribery Act or other anti-corruption investigation, you are never going to receive all the funding you want or even think that you are going to need.

However, this corporate reality is not going to save you if the government comes knocking. The FCPA Guidance provides the following, “Moreover, the amount of resources devoted to compliance will depend on the company’s size, complexity, industry, geographical reach, and risks associated with the business. In assessing whether a company has reasonable internal controls, DOJ and SEC typically consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.”

Stephen Martin often says that an inquiry a prosecutor might make is along the lines of the following. First what the company’s annual compliance budget was for the past year. If the answer started with something like, “We did all we could with what we had ($100K, $200K, name the figure), the next inquiry would be, “How much was the corporate budget for Post-It Notes last year?” The answer was always in the 7-figure range. Then the KO punch question would be, “Which is more business critical for your company; complying with the FCPA or Post-It Notes?” Unfortunately, most companies spent far more on Post-It Notes than they were willing to invest into their compliance program.

However this corporate reality will allow you to look to other areas to assist the compliance function. An obvious starting place is Human Resources (HR). There are several areas in which HR can bring expertise and, in my experience, enthusiasm to the compliance function. Some of the reasons include the fact that HR is physically located at or touches every site in the company, globally. HR is generally seen as more approachable than many other departments in a company, unfortunately including compliance. A person’s first touch point with a company is often HR in the interview process. If not in the interview process, it is certainly true after a hire is made. Use this approachability.

HR has several key areas of expertise, such as in discrimination and harassment. But beyond this expertise, HR also has direct accountability for these areas. It does not take a very long or large step to expand this expertise into assistance for compliance. HR often is on the front line for hotline intake and responses. These initial responses may include triage of the compliant and investigations. With some additional training, you can create a supplemental investigation team for the compliance department.

Clearly HR puts on training. By ‘training the trainers’ on compliance you may well create an additional training force for your compliance department. HR can also give compliance advice on the style and tone of training. This is where the things that might work and even be legally mandated in Texas may not work in other areas of the globe; advice can be of great assistance. But more than just putting on the training, HR often maintains employee records of training certifications, certifications to your company’s Code of Conduct and compliance requirements. This can be the document repository for the Document, Document, and Document portion of your compliance program.

Internal Audit is another function that you may want to look at for assistance. Obviously, Internal Audit should have access to your company’s accounting systems. This can enable them to pull data for ongoing monitoring. This may allow you to move towards continuous controls monitoring, on an internal basis. Similarly, one of the areas of core competency of Internal Audit should also be internal controls. You can have Internal Audit assist in a gap analysis to understand what internal controls your company might be missing.

Just as this corporate function’s name implies, Internal Audit routinely performs internal audits of a company. You can use this routine job duty to assist compliance. There will be an existing audit schedule and you can provide some standard compliance issues to be on each audit. Further, compliance risks can also be evaluated in this process. Similar to the audit function are investigations. With some additional training, Internal Audit should be able to assist the compliance function to carry out or participate in internal compliance investigations. Lastly, Internal Audit should be able to assist the compliance function to improve controls following investigations.

A corporate IT department has several functions that can assist compliance. First and foremost, IT controls IT equipment and access to data. This can help you to facilitate investigations by giving you (1) access to email and (2) access to databases within the company. Similar to the above functions, IT will be a policy owner as the subject matter expert (SME) so you can turn to them for any of your compliance program requirements, which may need a policy that touches on these areas. The final consideration for IT assistance is in the area of internal corporate communication. IT enables communications within a company. You can use IT to aid in your internal company intranet, online training, newsletters or the often mentioned ‘compliance reminders’ discussed in the Morgan Stanley Declination.

Finally, do not forget your business teams. You can embed a compliance champion in all divisions and functions around the company. You can take this a step further by placing a Facility Compliance Officer at every site or location where you might have a large facility or corporate presence. Such local assets can provide feedback for new policies to let you know if they do not they make sense. In some new environments, a policy may not work. If your company uses SAP and you make an acquisition of an entity which does not use this ERP system, your internal policy may need to be modified or amended. A business unit asset can also help to provide a push for training and communications to others similarly situated. One thing that local compliance champions can assist with is helping to set up and coordinate personnel for interviews of employees. This is an often over-looked function but it facilitates local coordination, which is always easier than from the corporate office.

All of these other corporate functions can greatly assist you in the actual doing of compliance. Moreover, in a resource-constrained environment, these other corporate disciplines can be used to strengthen your compliance program, in a manner similar to vertical and transverse integration of structural integrity presented in an arch. Finally, just as the arch utilized some of the most basic construction elements in existence, by using the other corporate disciplines, engaging in precisely their corporate functions, you can create a strong foundation in your compliance program going forward.

For a more detailed discussion of how you can internally resource your FCPA compliance program, I would suggest you check my book Doing Compliance: Design, Create, and Implement an Effective Anti-Corruption Compliance Program, which is available through Compliance Week. You can review the book and obtain a copy by clicking here.

Leave a Comment

July 14, 2015

Great Structures Week II – Structures from Ancient Egypt and Greece

I continue my Great Structures Week with a focus on great structures from the earliest times, ancient Egypt and Greece. I am drawing these posts from The Teaching Company course, entitled “Understanding the World’s Greatest Structures: Science and Innovation from Antiquity to Modernity”, taught by Professor Stephen Ressler. From Egypt there are of course the Pyramids, of which Ressler says, “They’re important, not just because they’re great structures, but also because they represent some of the earliest human achievements that can legitimately be called engineering. The Great Pyramid of Giza stands today as a testament to the strength and durability of Egyptian structural engineering skills.”

From Greece we derive what Vitruvius called the “Empirical Rules for Temple Design” which define a “single dimensional module equal to the radius of a column in the temple portico, then specify all other dimensions of the building in terms of that module.” These rules are best seen in Greek temples, largely consisting of columns, which are defined as “a structural element that carries load primarily in compression” and beams, which are “structural elements subject to transverse loading and carry load in bending.” My favorite example of the use of columns is seen in the Parthenon; the most famous of all Greek temples still standing.

In many ways these two very different structures stand as the basis of all structural engineering and Great Structures that come later throughout history. For any anti-corruption compliance regime based on the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other anti-bribery statutes, the same is true for a Code of Conduct and written policies and procedures. They are both the building blocks of everything that comes thereafter.

In an article in the Society for Corporate Compliance and Ethics (SCCE) Complete Compliance and Ethics Manual, 2^nd Ed., entitled “Essential Elements of an Effective Ethics and Compliance Program”, authors Debbie Troklus, Greg Warner and Emma Wollschlager Schwartz, state that your company’s Code of Conduct “should demonstrate a complete ethical attitude and your organization’s “system-wide” emphasis on compliance and ethics with all applicable laws and regulations.” Your Code of Conduct must be aimed at all employees and all representatives of the organization, not just those most actively involved in known compliance and ethics issues. From the board of directors to volunteers, the authors believe that “everyone must receive, read, understand, and agree to abide by the standards of the Code of Conduct.” This would also include all “management, vendors, suppliers, and independent contractors, which are frequently overlooked groups.” Parethnon

There are several purposes identified by the authors that should be communicated in your Code of Conduct. Of course the overriding goal is for all employees to follow what is required of them under the Code of Conduct. You can do this by communicating what is required of them, to provide a process for proper decision-making and then to require that all persons subject to the Code of Conduct put these standards into everyday business practice. Such actions are some of your best evidence that your company “upholds and supports proper compliance conduct.”

The substance of your Code of Conduct should be tailored to the company’s culture, and to its industry and corporate identity. It should provide a mechanism by which employees who are trying to do the right thing in the compliance and business ethics arena can do so. The Code of Conduct can be used as a basis for employee review and evaluation. It should certainly be invoked if there is a violation. To that end, I suggest that your company’s disciplinary procedures be stated in the Code of Conduct. These would include all forms of disciplines, up to and including dismissal, for serious violations of the Code of Conduct. Further, your company’s Code of Conduct should emphasize it will comply with all applicable laws and regulations, wherever it does business. The Code needs to be written in plain English and translated into other languages as necessary so that all applicable persons can understand it.

The written policies and procedures required for a best practices compliance program are well known and long established. As stated in the FCPA Guidance, “Among the risks that a company may need to address include the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments.” Policies help form the basis of expectation and conduct in your company and Procedures are the documents that implement these standards of conduct.

Another way to think of policies, procedures and controls was stated by Aaron Murphy, now a partner at Foley & Lardner, in his book “Foreign Corrupt Practices Act”, when he said that you should think of all three as “an interrelated set of compliance mechanisms.” Murphy went on to say that, “Internal controls are policies, procedures, monitoring and training that are designed to ensure that company assets are used properly, with proper approval and that transactions are properly recorded in the books and records. While it is theoretically possible to have good controls but bad books and records (and vice versa), the two generally go hand in hand – where there are record-keeping violations, an internal controls failure is almost presumed because the records would have been accurate had the controls been adequate.”

Borrowing from an article in the Houston Business Journal (HBJ) by John Allen, entitled “Company policies are source and structure of stability”, I found some interesting and important insights into the role of policies in any anti-corruption compliance program. Allen says that the role of policies is “to protect companies, their employees and consumers, and despite an occasional opposite outcome, that is typically what they do. A company’s policies provide a basic set of guidelines for their employees to follow. They can include general dos and don’ts or more specific safety procedures, work process flows, communication guidelines or dress codes. By establishing what is and isn’t acceptable workplace behavior, a company helps mitigate the risks posed by employees who, if left unchecked, might behave badly or make foolhardy decisions.”

Allen notes that policies “are not a surefire guarantee that things won’t go wrong, they are the first line of defense if things do.” The effective implementation and enforcement of policies demonstrate to regulators and the government that a “company is operating professionally and proactively for the benefit of its stakeholders, its employees and the community it serves.” If it is a company subject to the FCPA, by definition it is an international company so that can be quite a wide community.

Allen believes that there are five key elements to any “well-constructed policy”. They are:

identify to whom the policy applies;
establish the objective of the policy;
explain why the policy is necessary;
outline examples of acceptable and unacceptable behavior under the policy; and
warn of the consequences if an employee fails to comply with the policy.

Allen notes that for polices to be effective there must be communication. He believes that training is only one type of communication. I think that this is a key element for compliance practitioners because if you have a 30,000+ worldwide work force, the logistics alone of such training can appear daunting. Consider gathering small groups of employees, where detailed questions about policies can be raised and discussed, as a powerful teaching tool. Allen even suggests posting Frequently Asked Questions (FAQ’s) in common areas as another technique. And do not forget that one of the reasons Morgan Stanley received a declination to prosecute by the Department of Justice (DOJ) was that it sent out bi-monthly compliance reminder emails to its employee Garth Peterson for the seven years he was employed by the company.

The FCPA Guidance ends its section on policies with the following, “Regardless of the specific policies and procedures implemented, these standards should apply to personnel at all levels of the company.” Allen puts a bit differently in that “it is important that policies are applied fairly and consistently across the organization.” He notes that the issue can be that “If policies are applied inconsistently, there is a greater chance that an employee dismissed for breaching a policy could successfully claim he or she was unfairly terminated.” This last point cannot be over-emphasized. If an employee is going to be terminated for fudging their expense accounts in Brazil, you had best make sure that same conduct lands your top producer in the US with the same quality of discipline.

For a review of what goes into the base structures of a best practices compliance program, I would suggest you check my book Doing Compliance: Design, Create, and Implement an Effective Anti-Corruption Compliance Program, which is available through Compliance Week. You can review the book and obtain a copy by clicking here.

Leave a Comment

July 13, 2015

Great Structures Week I: Vitruvius, the Brooklyn Bridge and Compliance

Filed under: Best Practices,Bribery Act,Compliance,Compliance and Ethics,compliance programs,Department of Justice,FCPA,FCPA Guidance,OECD,Ten Hallmarks of an Effective Compliance Program — tfoxlaw @ 12:01 am
Tags: best practices, Bribery Act, compliance programs, Department of Justice, DOJ, OECD, The Teaching Company, Vitruvius

I recently completed a course from The Teaching Company, entitled “Understanding the World’s Greatest Structures: Science and Innovation from Antiquity to Modernity”, taught by Professor Stephen Ressler. It was a wonderful learning experience about some of the world’s greatest structures and the development of structural engineering throughout history. As I worked my way through the course, it occurred to me that many structural engineering concepts are apt descriptors for an anti-corruption compliance program. So today, I will begin the ‘Great Structures Week’ as an entrée into an appropriate topic for your Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other anti-corruption/anti-bribery compliance program. Each day I will discuss a structural engineering concept together with one my favorite examples from Professor Ressler’s course.

To open the series I will consider what makes a structure great. Marcus Vitruvius Pollio (Vitruvius) was a Roman author, architect, and civil engineer during the 1st century BC, known for his work entitled De Architectura. Vitruvius is famous for proclaiming that a structure must exhibit the three qualities of firmitas, utilitas and venustas, meaning that it must be solid, useful and beautiful. These are sometimes termed the Vitruvian Triad and today these are loosely translated that great constructions must have form, function or structure. Form is the arrangement of space and harmony. Function is the measure of usefulness. Structure contains innovative techniques in its creation.

My favorite example of a structure that incorporates all three of these concepts is the Brooklyn Bridge. The beauty of the form follows the functions of the scientific principles that underlie the bridge’s structure. As Ressler noted “Each element of the form of the Brooklyn Bridge serves a structural purpose based on mathematical principles.” First the form itself is one of great beauty. The function remains the same, even if the modes of transport have evolved; the Bridge was designed to carry people from Brooklyn to Manhattan. Yet as Ressler notes, “beyond the aesthetic, these features are a direct reflection of the scientific principles underlying the bridge’s design. They are, in a word, structure – a system of load carrying elements that cause the bridge to stand up.” We have a graceful and elegant design, which operates to safely conduct people over the Hudson River, through an engineering design that allows the structure to act as intended.

This convergence of Vitruvius’ tripartite view of what makes a great structure is an appropriate analogy for a best practices anti-corruption compliance program to facilitate compliance with the FCPA, UK Bribery Act or similar regime. Over the years both the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have made clear that each company should have a compliance program that fits its needs. Indeed, in the FCPA Guidance, it could not have been made clearer when it stated, “Individual companies may have different compliance needs depending on their size and the particular risks associated with their businesses, among other factors. When it comes to compliance, there is no one-size-fits-all program.” The Guidance goes on to state the obvious when it notes, “companies may consider a variety of factors when making their own determination of what is appropriate for their specific business needs. Indeed, small- and medium-size enterprises likely will have different compliance programs from large multi-national corporations”.

The Guidance goes on to note, “Compliance programs that employ a “check-the-box” approach may be inefficient and, more importantly, ineffective. Because each compliance program should be tailored to an organization’s specific needs, risks, and challenges, the information provided below should not be considered a substitute for a company’s own assessment of the corporate compliance program most appropriate for that particular business organization. In the end, if designed carefully, implemented earnestly, and enforced fairly, a company’s compliance program—no matter how large or small the organization—will allow the company generally to prevent violations, detect those that do occur, and remediate them promptly and appropriately.”

Yet when viewed through Vitruvius’ prism, it is clear that an anti-corruption compliance program is much more holistic, with form, function and structure. A good compliance program is really about good financial controls. I think this is one outlook of FCPA compliance which is not discussed enough. Stanley Sporkin, in many ways the progenitor of the law, recognized that if a company was going to engage in corruption it would have to hide such activity through falsified books and records. Hence, he articulated the basis for having the accounting provisions included when Act was originally written and enacted into law. These provisions include both the books and records provision and the internal controls provision. The Guidance says, “the accounting provisions ensure that all public companies account for all of their assets and liabilities accurately and in reasonable detail”. So the form of a compliance program should be largely in financial controls that are baked into a company.

The formula of a compliance program can follow several forms. It can be based on the Ten Hallmarks of an Effective Compliance Program from the FCPA Guidance, the Six Principles of Adequate Procedures as contemplated by the UK Bribery Act; the OECD 13 Good Practices or other formulations such as the Five Elements of an Effective Compliance Program developed by Stephen Martin and Paul McNulty from the law firm of Baker & McKenzie. The form of any of these articulations meets the Vitruvius definition.

Next is the function. Here I think it is appropriate to consider what the FCPA Guidance says regarding internal controls, that being “Internal controls over financial reporting are the processes used by companies to provide reasonable assurances regarding the reliability of financial reporting and the preparation of financial statements. They include various components, such as: a control environment that covers the tone set by the organization regarding integrity and ethics; risk assessments; control activities that cover policies and procedures designed to ensure that management directives are carried out (e.g., approvals, authorizations, reconciliations, and segregation of duties); information and communication; and monitoring.” Moreover, “the design of a company’s internal controls must take into account the operational realities and risks attendant to the company’s business, such as: the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption.” This language points to function of any best practices compliance program, to make the company a better-run company.

Finally, in the area of structure it is incumbent to recall that any best practices anti-corruption compliance program continues to evolve. It evolves with technological innovations such as transaction or continuous controls monitoring. But a compliance program must evolve as your company evolves. Changing commercial realities and conditions can create new or increased FCPA compliance risks. Your compliance program needs to be able to detect, assess and manage new risk as your business creates new products; moves into new territories or develops new sales channels. The FCPA Guidance states, “They are dynamic and evolve as the business and the markets change.” To do so, “a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the standards of its industry.”

For a review of what goes into a best practices compliance program, I would suggest you check out my book, entitled “Doing Compliance: Design, Create, and Implement an Effective Anti-Corruption Compliance Program”, which is available through Compliance Week. You can review the book and obtain a copy by clicking here.

Leave a Comment

FCPA Compliance and Ethics Blog

August 21, 2015

Archie Bunker, Batgirl and the International Fight Against Corruption

August 20, 2015

BNY Mellon and Lessons Learned In Hiring Family Members – Part II

August 17, 2015

OIG Compliance Guidance for Health Care Governing Boards

August 13, 2015

Cymbeline – Doing Virtue and FCPA Compliance

August 11, 2015

What Goes Downhill May Go Uphill in FCPA Compliance

July 17, 2015

Great Structures Week V – The Tacoma Narrow Bridge Failure and Preventing Failure in Your Compliance Program

July 16, 2015

Great Structures Week IV – The Gothic Cathedral and Compliance Incentives

July 15, 2015

Great Structures Week III – The Roman Arch and Resourcing Your Compliance Program

July 14, 2015

Great Structures Week II – Structures from Ancient Egypt and Greece

July 13, 2015

Great Structures Week I: Vitruvius, the Brooklyn Bridge and Compliance

January

Blogroll

Pages

Admin

Read by Email

Recent Posts from FCPA Compliance and Ethics Report: FCPA Compliance and Ethics Report

Episode 240-Bill Coffin on Compliance Week 2016

Episode 239-Jonathan Armstong On EU Privacy Shield

Episode 238-John Allen on HR Touch Points in Compliance

Episode 237-Steve McCalmont on the Avior Risk Management Platform

Episode 236-Adam Turteltaub and SCCE CCO Survey