FCPA Compliance and Ethics Blog

March 6, 2013

Marine Transportation and Anti-Money Laundering

My recent article on the marine transportation industry and the Foreign Corrupt Practices Act (FCPA) generated some discussion ranging wider than simply the port agent issue regarding interaction with foreign government officials. One of the discussion points was how and where a company should pay the crew. One of the sacrosanct rules that I learned while working at Halliburton was that payments to any third parties had to be made to either (1) the location where the services were delivered or (2) the location where the third party was domiciled. It was called ‘Offshore Payments’ and the legal department was charged with making sure that all contracts specified payments to be delivered into one of the aforementioned locations. The rule was designed to comply with Anti-Money Laundering (AML) rules and regulations. This concept also appears in the FCPA as a red flag if a third party desires to be paid outside either of the locations stated because a corrupt entity or person could use funds already in the banking or financial system to disguise any movement that might reveal the corrupt action, such as a bribe to a foreign governmental official.

Obviously you cannot pay a ship’s crew in the location where the services are delivered if those services are delivered at sea. So that would seem to leave the jurisdiction where a crew member is domiciled. But in addition to the home domicile there are other AML issues, such as the bank into which the payments are wired from the US. The Financial Action Task Force (FATF) Recommendations on the International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation set out several in its White Paper released last year. These included due diligence on payees to determine politically exposed persons and specially designated individuals, record keeping, controls regarding payee banks and financial institutions and reporting of suspicious transactions, among others. In other words, there are many concerns about paying third parties; even those third parties a company might not normally consider in their own compliance regime.

Based upon these conversations, I thought a deeper look into AML issues was warranted. Fortunately Carol Switzer, President of the Open Compliance and Ethics Group (OCEG), just penned another piece in her series in Compliance Week on compliance related issues. This month Switzer has taken a look at AML issues in an article entitled “The Complex Mechanics of Money Laundering”, and accompanying the article is another installment of the OCEG/Compliance Week GRC Illustrated Series, which reviews, in an illustrated manner, how to build an effective AML program.

Switzer explains that there are several laws which deal with AML compliance. They include “the Intelligence Reform & Terrorism Prevention Act of 2004, which amended the BSA; the Money Laundering and Financial Crimes Strategy Act; and the Money Laundering Suppression Act.” There are numerous regulatory and enforcement agencies with domestic AML oversight. They include “the U.S. Department of the Treasury and its Financial Crimes Enforcement Network (FinCEN), to the Securities and Exchange Commission to the Dodd-Frank Act’s Consumer Financial Protection Bureau (CFPB) to the New York Stock Exchange, IRS, FBI, and a number of federal banking regulators.”

The illustrated section following Switzer’s article sets out three basic steps: (1) Define the Risk; (2) Quantify the Risk; and (3) Manage the Risk.

I. Define the Risk

It all begins with a comprehensive organizational analysis so that you can understand how much exposure your organization has and where it originates. A company should keep track of the places it does business and how it does business, either directly or through third parties. A company should determine where threats are hiding in its operations and identify any specific AML issues posed by a particular product or service line. A company should also understand the enhanced risks posed by any specific geographic markets and then identify the risks inherent in different customer types.

II. Quantify the Risks

Under this prong, a company should determine the quantitative impact of defined risks, both from a customer and asset perspective, while understanding how operating locations may affect these identified risks. Next a business should profile and risk rate customers and assets based on risk attributes including customer geography, business structure, sources of funds, business type, products and services utilized and other factors. From these factors a company should then formulate a comprehensive business risk assessment.

III. Manage the Risk

Based on steps one and two a company should then implement an AML program consisting of people, processes, and controls proportional to the quantified risks which can ensure compliance, visibility, and protection. This Step III has four subparts.

  1. Design: A company should define its internal roles and responsibilities. There should be designated risk categories which will inform the appropriate level of due diligence. A company should build and implement both suspicious activity controls and transaction monitoring.
  2. Implement: This step involves the establishment of policies and procedures and the training of employees and relevant third parties on them. To the extent possible OCEG recommends using technology to monitor, review, escalate, and report suspicious activities using a risk-based and practical approach. Lastly, they recommend that companies should exchange knowledge with industry peers and experts.
  3. Test and Analyze: A company should regularly test its controls and monitor personnel and third parties. A company should evaluate the data that it receives. Finally, as with all compliance regimes, there should be a confidential reporting mechanism to report suspicious activities or other violations.
  4. Report: A company should report suspicious activity, and any weaknesses in the AML controls system should be scheduled for analysis. A company should also document and file any suspicious activity for both its own internal use and regulatory reporting requirements.

A company must continually capture and update its understanding of threats and system weaknesses to influence continued evolution of an effective AML program. This should be coupled with the continuous evolution of your AML program because the nature of money laundering is ever-evolving as criminals construct new and “improved” methods to hide the proceeds of crime and funds for financing criminal action, making it ever more difficult to monitor and stop.

So how about the payment issue in the marine transport industry and the ship’s crew? Most US companies no longer own and crew the ships they use to transport product or cargo and will typically use a charter party. The charterer gives orders for the employment of the vessel and payment of the crew. If your company is in such a position I would suggest that it make the following inquiries of your charter party: (1) Does the charter party have an International Organization for Standardization (ISO) program and policy in place for the hiring and paying of employees? (2) Does the charter party vet all employees to include license checks, verify bank address to employee address and obtain background checks thereon? (3) Does your charter party ensure that all banking transactions made to the employees are documented, starting with hours worked, signature from masters and payments made to the employee’s home country only?

If you are in the marine transport industry and use a third party to pay those working on your behalf you need to review the third party’s AML program. The same is true for any other business which uses a third party company to make payments to others outside the US.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

January 21, 2013

The Tube and Updating Your Compliance Policies

2013 is the 150th anniversary of the London Underground, affectionately known as “The Tube.” It truly is one of the great urban architectural marvels of all time. The oldest sections of the London Underground completed 150 years of operations on 10 January 2013. The Underground serves 270 separate stations and has 250 miles of track, 45% of which is underground. In 2011, it served over 1.2 billion riders but, like any transportation system, it has to be evaluated and upgraded. For my money, the most useful upgrade would be to air condition the cars as they can become unbearably hot in the summer but that may not be on the top of Prime Minister Cameron’s list about now.

I thought about this auspicious anniversary and maintenance of the London Underground when I read a recent article in the Compliance Week magazine by Michael Rasmussen, entitled “Improving Policies Through Metrics”. Rasmussen believes that effective policy management requires that a company periodically review its policies to ensure that they are relevant and aligned with both current laws and corporate objectives. This is because today’s business environment is dynamic and involves both internal and external factors, so, as a company evolves and changes, its policies need to be updated to reflect these changes.

One of the key components of any best practices compliance regime under any anti-bribery and anti-corruption program is policies. Policies tie together a company, its business environment, the risks it faces and the compliance requirements. Policies are a specific requirement for any anti-corruption/anti-bribery compliance regime. In the recently released Department of Justice (DOJ) Guidance on the Foreign Corrupt Practices Act (FCPA), it stated, “Whether a company has policies and procedures that outline responsibilities for compliance within the company, detail proper internal controls, auditing practices, and documentation policies, and set forth disciplinary procedures will also be considered by DOJ and SEC.” Under the UK Bribery Act, policies are discussed in the Six Principles of an Adequate Procedures compliance program under Principle V – Communication, where it states “The business seeks to ensure that its bribery prevention policies and procedures are embedded and understood throughout the company through internal and external communication, including training, that is proportionate to the risks it faces.”

While I think that most compliance practitioners understand this need for policies, one of the things that is not usually emphasized at a company is effective policy management. One technique which can be used is to elevate the policy function to the senior management level. One of my former employers, Halliburton, did this when it created a Vice President for Policies back in 2006. So kudos to Halliburton for leading the industry by creating the position of Vice President for Policies.

Rasmussen believes that at a minimum, policies must be reviewed annually. He recommends that each policy should go through a yearly review process to determine if it is still appropriate. There should be a “system of accountability and workflow that facilitates” any policy review process. The end product should be a decision to “retire the process, keep the policy as it is, or revise the policy.” Rasmussen lists five items that a policy owner should evaluate as a part of the policy review process.

  • Violations. Here Rasmussen believes that information from reporting systems such as hotlines or other anonymous lines as well as internal or external investigations must be reviewed. Not only would such information indicate if a company policy was violated but the follow-up investigation would help to determine how the policy might have failed, whether it was through “lack of awareness, unauthorized exceptions [or] outright violations.”
  • Understanding. Here Rasmussen writes that there should be an analysis of “training and awareness programs, policy attestations” and attendant metrics to determine an appropriate level of policy understanding. He believes that questions to a helpdesk or compliance department could help to discover any ambiguities in a policy that might need to be corrected.
  • Exceptions. If you have a policy it should be followed. If an exception to a policy was granted the reason for the exception should have been documented. If there are too many exceptions granted for a policy, it might indicate that “the policy is inappropriate and unenforceable” and therefore should be revised.
  • Compliance. A policy should govern and authorize internal controls. These internal controls should be reviewed in conjunction with the policy review to determine overall policy effectiveness. This is because “At the end of the day the policy needs to be complied with.”
  • Environment. All the factors around a policy are in flux. This includes a company’s risk profile, its business strategy, laws and regulations. Since a business’ climate is dynamic, a policy should be reviewed in the context of a company’s overall situation and revised accordingly.

If there is a change in a policy, it is important not only that the correct change be made but that any change is documented. An audit trail is a key component for a company to internally understand when a change is made and the reason for that change but also to demonstrate to a regulator effective policy management and to present “a defensible history of policy interactions on communications, training, acknowledgements, assessments and related details needed to show the [policy] was enforced and operational.” This audit trail should include “key data points such as the owner, who read it, who was trained, acceptance acknowledgements and dates for specific policy versions”. In addition to an audit trail, policy revisions should be archived for referral back at a later time. So, once again, the key message is document, document and document.

Just as best practices in the FCPA compliance arena evolve, so do business practices, markets and risks. If you throw in the complexities from an inter-connected global business milieu, the task becomes even tougher. Business policies are one of the keystones of a company’s communications to its employees on what it expects and what is required of its employees. To keep policies up-to-date and properly take advantage of this valuable tool, policies need to be evaluated and updated as appropriate. If your company fails to do so, this takes away from the value of having policies in the first place. I hope that you will use the techniques which Rasmussen has described to help you effectively manage your policies going forward.

© Thomas R. Fox, 2013

December 7, 2012

How the Noir Novel Informs Your Compliance Program

In the Work Matters column in the December 3 issue of the Texas Lawyer, in an article entitled “Ten Phrases Lawyers Hear That Portend Disaster”, author Michael Maslanka explored his love of noir fiction, which I share, by listing 10 phrases that show the “it” so famous in noir novels is coming. The ten warning signs that he listed are as follows:

1. “Isn’t it obvious?” I hear this from managers when a company refuses to hire a disabled applicant, as in, “Isn’t it obvious that a man with one arm can’t do this job?” The manager unwisely forecloses the inquiry required by the Americans With Disabilities Act: An employer must determine if the employee can perform the essential functions of the job, with or without a reasonable accommodation.

Another example is when a supervisor says, “Isn’t it obvious that we don’t want to hire a convicted felon for this job?” That person unwisely ignores the EEOC’s new emphasis that automatic exclusion of an applicant with a criminal record may be a proxy for race discrimination.

2. “This is a no-lose case with a guaranteed two-comma verdict.” Listen to this quotation from Proverbs 28:20: “[H]e that maketh haste to be rich shall not be innocent.” Isn’t that the truth?

From the fictional Gordon Gekko to the all-too-real Bernie Madoff, those who greedily grasp after riches may be slow to reveal their lack of integrity. They show their true character only under careful attention and scrutiny. The best antidote: Be a person of character. As W.C. Fields wisely remarked, “You can’t cheat an honest man.”

3. “We must decide today!” Here is the greatest enemy of an integrity-based decision: time pressure. “Fire the employee now!” “We have to get this order of widgets out by 5 p.m. — no ifs, ands or buts.”

To paraphrase H.L. Mencken, decisions made under unnecessary time pressures usually are “swift, sure, and wrong.” When under pressure to do something “now,” the wise attorney should ask the client, “If we had 10 times as much time to make this decision, would it be the same decision?”

4. “That’s the other side’s problem.” I hear this from time to time, and I bet many lawyers do. These two statements always are cause to take a timeout:

• “That’s not our problem; it’s the other side’s problem”

• “Let them worry about that.”

When people start saying things like that, ask whether they’re doing so because the statements are true or because the underlying issue involves unpleasant facts that it’s easier not to acknowledge. Recall Ben Franklin’s wise advice: “Half a truth is often a great lie.”

Litigators and deal makers hear phrases like these. Events are percolating along, and someone on the team asks, “Should we be doing this?” or “Does the other party know about this issue?” When the question answers itself, it’s time for the lawyer to ask whether truth or convenience is driving the client’s position. Convenience never trumps ethics.

5. “Everybody else is doing it.” Here is just some of what I have heard in 31 years of practicing law:

• “Companies in my industry don’t pay overtime, so why should I?”

• “The guy with the company down the road fired the union organizer among the employees, and nothing happened to him.”

• “Don’t tell me what I can’t do; I’m paying you for telling me what I can do.”

Those who win the race to the bottom still lose. Stephen Cope, in his book “The Great Work of Your Life: A Guide for the Journey to Your True Calling” explains that “The Bhagavad Gita” teaches that it is better to follow one’s true dharma and fail than to follow others’ false dharma and succeed monetarily. And, let’s face it: The truth comes out in the end.

6. “We can’t change course now. We have too much invested.” This is false-dichotomy territory. How can a lawyer break through this either/or mindset? Mary C. Gentile offers advice in her book, “Giving Voice to Values: How to Speak Your Mind When You Know What’s Right.” She suggests changing the frame. Reject “We did not get what we wanted.” Embrace “What did we learn from this experience?”

Failing to do so conjures up, for me, lines from W. H. Auden’s “The Age of Anxiety”: “We would rather be ruined than changed/We would rather die in our dread/than climb the cross of the moment/and let our illusions die.” Change course. It’s the smart play.

7. “Another pair of eyes on the project? You’re joking, right? What a waste.” True, projects are overlawyered and overanalyzed. But active resistance to advice is a telling sign that something may be seriously amiss. Take it as a warning to press all the more for that other set of eyes.

An ostrich-like attitude of self-delusion can lead to disaster. Listen to Proverbs 1:30-31: “They would none of my counsel: they despised all my reproof. Therefore shall they eat the fruit of their own way, and be filled with their own devices.”

8. “We’ve always thought about it this way, and we always will.” I can do no better than Justice Felix Frankfurter, who decided a legal issue one way in 1943 and then completely reversed course in 1949. He gave this explanation in his opinion in Henslee v. Union Planters Bank: “Wisdom too often never comes, and so one ought not to reject it merely because it comes late.” Genius.

9. “It is what it is.” Huh? This phrase now is used principally by those who want to sound insightful and wise but who are just dazed and confused. Only Buddhist monks are allowed to talk like Buddhist monks.

10. “You are the most wonderful person I have ever met. We were meant to start this business/do this deal/win this suit.” Beware flattery without facts, especially when it comes too fast, too soon. It is a sign of a sociopath. They target their victims (people they can use), compromise their targets’ integrity, exploit them and toss them aside when finished. The whole cycle starts with false flattery.

These also have application for the compliance practitioner. If you hear a third party mention any of these, either in the due diligence process or in your relationship going forward, you need to drop what you are doing and begin an investigation. If you hear anyone in your company utter these, move post-haste as well. But most of all, these phrases should remind you just how great this classic American fiction is and how you can use it to inform your compliance program.

===========================================================================================

For those of you unaware, the Houston Texans will play the New England Patriots in Foxboro this weekend. I have friendly wagers with two of my favorite Patriot fans, Matt Kelly, Editor of Compliance Week and Jay Rosen, Vice President, Language Solutions Merrill Brink International. For the Compliance angle, see the piece by Matt entitled, “Sportsmanlike Conduct”. Go Texans!

===========================================================================================

© Thomas R. Fox, 2012

October 4, 2012

What is Your Magic Number? Creation, Implementation and Administration of a Hotline

For the Astros, it is not this season’s ignominious record of 107 losses, which they achieved yesterday with a season ending loss to the Chicago Cubs, but the magic number of 186; which is the number of days until the Astros open the 2013 season and the next time they will be tied for first place in the American League (AL) West Division.

For the compliance practitioner, the same might be asked of your company’s hotline. However apocryphal the story might be, it is too good to pass up so here we go: In final negotiations with a company to resolve a Foreign Corrupt Practices Act (FCPA) violation, the Department of Justice (DOJ) attorney asked for the phone number of the company’s hotline. Counsel representing the company dutifully provided the number and the DOJ attorney called the hotline only to find it was “not a working number.” Oops.

I thought about the above story in the context of the maxim that not all hotlines are created, or more importantly, administered equally. In an article entitled “Hotline Report Reveals Compliance Concerns” author Karen Kroll looked at the “2012 Corporate Governance and Compliance Hotline Benchmarking Report” and found what she termed “troubling findings”, which are that not only are instances of fraud increasing but that retaliation against whistleblowers is increasing as well. Kroll noted that “despite greater protection for whistleblowers in the Dodd-Frank Act, calls concerning potential retaliation against an employee who has made an inquiry through a hotline increased to 2.9 percent of overall incidents, up from just 2.1 percent in 2010.” But as bad as these figures are, they seem to only presage Kroll’s penultimate conclusion, which is that internal reporting will slowly wither away with the protections offered to whistleblowers under the Dodd-Frank Act and the attendant bounties that can be paid to a whistleblower in the event a violation is uncovered and an enforcement action results in a fine or penalty paid to the US government.

I recently saw a White Paper by Business Controls, Inc., released through Compliance Week, where an un-named author posited that there are seven essential features to create an effective hotline. I found this article to be useful in that it provided information by which a compliance practitioner could quickly review how his or her company might set up a hotline. The seven criteria are as follows.

  1. The hotline is developed and maintained externally. The author believes that employees tend to trust hotlines maintained by third parties more than they do internally maintained systems. By submitting reports through an external hotline there is a perceived extra layer of anonymity and impartiality compared to a system developed in-house. A third party provider is also more likely to bring specialist expertise that’s difficult to match within the organization.
  2. The hotline supports the collection of detailed information. If information can be gathered and recorded at every point during the complaint life cycle, then compliance officers should have greater insight into the situation and a company can protect itself more effectively from accusations of negligence or wrongdoing. A hotline reporting system should provide consolidated, real-time access to data across all departments and locations, plus analytic capabilities that allow you to uncover trends and hot spots. All report materials should be consolidated in one comprehensive, chronologically organized file, so that you can monitor ongoing progress and make better, more informed decisions.
  3. The hotline meets your company’s data retention policies. Retaining data in a manner consistent with your internal data retention policies is important. Make sure your hotline offers a secure, accessible report retention database, or you may be faced with making your own complicated and costly arrangements for transmitting and storing older reports to a permanent storage location.
  4. The hotline is designed to inspire employee confidence. Kroll’s article discussed above cites the fear of retaliation as strong but also increasing among potential whistleblowers. This can destroy the effectiveness of the internal reporting process and poison the corporate culture. The hotline must be seen to offer the highest levels of protection and anonymity. To encourage employee participation, the hotline should allow them to bring their concerns directly to someone outside their immediate chain of command or workplace environment – especially when the complaint concerns an immediate superior. The hotline should also enable employees to submit a report from the privacy of an off-site computer or telephone. It may seem like a small convenience, but giving employees the freedom to enter a complaint from a location that “feels safe” can make a huge difference to participation rates.
  5. The hotline offers on-demand support from subject matter experts. Opening lines of communication can bring new issues to your compliance group. It is therefore important that once those reports are entered into the system, a person or function has the responsibility to follow up in a timely manner.
  6. The hotline provides inbuilt litigation support and avoidance tools. Ascertain that your hotline is preconfigured to meet the legal requirements for document retention, attorney work product protection procedures, and attorney privilege. Developing these tools in-house can add significantly to your costs, and maintaining a hotline without one exposes your organization to unacceptable risk.
  7. The hotline supports direct communication. A hotline should open the lines of communication and give you a direct sight-line into the heart of your company. Look for a system that enables you to connect directly, privately, and anonymously with the person filing a complaint. Direct communication also signals to employees that their complaints are being heard at the highest levels.

Like other risk management issues, hotlines must also be managed effectively after implementation and roll-out. Here are some practical tips which will help you make your hotline an effective and useful tool.

Get the word out. If employees don’t know about the hotline, they won’t use it. Allocate a portion of your time and budget to promoting the corporate hotline through multiple channels. Put up posters and distribute cards that employees can keep in their wallets or desk drawers. Deliver in-person presentations where possible. And don’t think of the promotional initiative as a one-time effort. It’s important to remind employees regularly, through in-person communications, via e-mail, or through intranets, newsletters, and so on, that this resource is available to them. Some hotlines offer promotional materials to help make the job easier; make sure you ask what type of promotional support may be available.

Train all your employees. Getting employees to use the system is one half of the challenge; ensuring they use it properly is the other half. This is where training becomes essential. Make sure people understand what types of activities or observations are appropriate for reporting and which are not. HR and compliance staff will need training too, to help them understand how the hotline impacts their day-to-day activities. Company leaders also need to understand the role the hotline plays in the organizational culture, and the importance of their visible support for this compliance initiative.

Take a look at the data. Use the data derived from or through the hotline to identify unexpected trends or issues. Examples might be what percentage of employees use the hotline and what issues they are submitting. A healthy hotline reporting system will yield reports from .5 to 2 percent of your employee base. If your reporting patterns are higher or lower, it may indicate mistrust of the hotline, misuse, or a widespread compliance issue. Isolate the data by location and department to identify micro-trends that could indicate problems within a subset of your corporate culture. Analyzing the data can help you stay a step ahead of emerging issues.

Response is critical to fairness in the system. Seeing a hotline system in action in this way can go a long way toward dispelling employee fears of being ostracized or experiencing retaliation because, if employees see that their concerns are heard clearly and addressed fairly, they will learn to view the hotline as a valuable conduit. If your compliance group responds promptly and appropriately to hotline complaints, you can ensure robust participation and ongoing success. Even when a complaint proves to be unfounded, it can still provide an opportunity to open a dialogue with employees and clear up any misunderstandings. Responding to reported issues also gives compliance officers a chance to prove that issues can be resolved or addressed while protecting the privacy and anonymity of the whistleblower.

As with the management of third party representatives, your real work begins after the contract is signed. You simply cannot set up a hotline without managing it. A fairly administered hotline and investigation protocol is a key component of fair process in your compliance regime. So take a look at your hotline based upon the above concepts. It may be that your magic number needs to change.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

August 21, 2012

What Are Some of the Benefits of a Compliance Hotline?

Is your hotline working for you? The Securities and Exchange Commission (SEC) Whistleblower line certainly appears to be working according to an article in the August issue of Compliance Week Magazine, entitled “Promoting Effective Use of the Compliance Hotline” by Columnist José Tabuena. In the article, Tabuena quotes SEC Deputy Director of Enforcement George Canellos, who related at a recent conference that “What’s really clear is quality of those tips has greatly improved and that market manipulation, dishonest accounting and potential violations of the Foreign Corrupt Practices Act (FCPA) are the most popular topics of whistleblower reports.”

In his article Tabuena gave an excellent example of the power of a hotline. He wrote about the case study of a company which had not integrated its IT function into its regular compliance and ethics training programs. As such there were zero calls into the hotline by employees from the IT department. This dynamic was changed and IT was integrated into the company’s regular compliance and ethics training. Thereafter, the hotline received several calls from IT department employees where there were two major areas of complaints. The first general area was that there were conflicts of interests between IT department managers, family members who were hired and perceptions of favoritism. The second generally revolved around allegations that certain company managers were manipulating data to maximize their bonuses.

The Favoritism Problem

The Human Resources (HR) department led an investigation that included questioning all IT managers about their direct reports and employees of their unit. The company determined that there was only one instance of a manager hiring a family member (a brother-in-law), but that person did not report to the manager and was in a different section of the IT organization. This finding made clear that there were misperceptions in the IT department, which affected the department morale. To remedy this, all IT managers received training on appropriate employment practices, and communications were delivered to all IT employees explaining policies and practices regarding the hiring of family members. Most satisfyingly, Tabuena noted that during follow-up with callers to the helpline, the callers stated that the work environment in the IT department had noticeably improved. They also expressed gratitude that their questions were answered and that their issues were addressed. The callers felt their concerns were taken seriously when they saw the communications on hiring practices and upon having discussions with managers during staff meetings. Staff retention started improving in the department.

Manipulation of Data for Bonuses

The company used the hotline to obtain more information from the callers on “isolating the metrics and the managers in question.” It was determined that the bonuses of a select few IT managers were indeed influenced by a questionable data source, which was controlled by a non-manager with minimal oversight and controls. Following interviews with the key individual and review of the data file (including forensic analysis), it was determined that one IT manager had misrepresented information provided to the staff person maintaining the data. Notably, this staff person also reported to this manager. As a result, the IT manager’s bonus compensation was inflated. He was subsequently terminated.

Basic Tenets of an Effective Hotline

Tabuena provided three lessons which he felt were demonstrated in his article.

  • First, a helpline is of no value if the workforce is not aware of it. Although a helpline was in place, it became apparent that a segment of the company had not been informed. It was hotline data that revealed this gap. By reviewing data segmented by region, department, incident classification, and other criteria, it became obvious in comparison to the rest of the organization that the IT department had not used the helpline.
  • Second, the ethics and compliance office obtained support from the Chief Information Officer (CIO) for making IT part of the helpline community and for designating a liaison within the IT function. The support of department leadership likely influenced the success of the training and communications delivered by the ethics and compliance staff.
  • Third, the awareness of the helpline is not sufficient to ensure success. The company made sure that issues and allegations were addressed and investigated, as needed. Employees who choose not to report wrongdoing indicate a belief that nothing will be done anyway, so why take the risk? Employees also cite fear of retaliation as a reason for not reporting.

Tabuena’s article showed the power of a hotline. The company’s Compliance Department “established the credibility of the helpline as a resource to raise issues and report misconduct. The concerns regarding nepotism and conflicts of interest were taken seriously, and although the violations were not as widespread as the calls indicated, the review went a long way to clear the air.” Equally important, the helpline proved to be a successful management tool as well. The company was able to manage potential compliance issues and improve employee morale.



© Thomas R. Fox, 2012

June 13, 2012

Factors for a NPA for an Individual in a SEC Enforcement Action

I have previously written about what conduct can help your company if it is under an investigation by the Department of Justice (DOJ) for Foreign Corrupt Practices Act (FCPA) violations. The key seems to be “extra-ordinary cooperation.” Today we will take a look at a recent Securities and Exchange Commission (SEC) matter where an individual received a Non-Prosecution Agreement (NPA). In an article in the June issue of the Compliance Week Magazine, entitled “How Individuals Win Non-Prosecution Agreements”, author Jaclyn Jaeger wrote about the recent NPA reached with an individual, as opposed to a corporate defendant. Jaeger called this a “first-of-a-kind case” due to the fact that it is the first time an individual has been given a NPA by the SEC. The case referenced by Jaeger involved an “un-named former senior executive of the institutional money management firm AXA Rosenberg.” Although the matter did not involve any alleged violations of the FCPA, the NPA is certainly instructive for considering how to resolve a SEC action under the FCPA if you are caught up in an individual enforcement action.

In January 2010, the SEC released its Enforcement Cooperation Initiative. Under this Initiative, the SEC established a series of incentives for individuals and companies to assist the SEC in ongoing investigations and during the pendency of enforcement actions. As a part of this Initiative, the SEC released a Cooperation Policy Statement which described four factors that the SEC would consider to “determine whether, how much, and in what manner to credit cooperation.” The four factors were: (1) how much assistance the individual provides; (2) the importance of the underlying matter; (3) the SEC’s interest in holding the individual accountable; and (4) the prior background of the cooperating individual. The SEC provided the following commentary on each of the four factors.

Assistance provided. Under this factor, Jaeger noted that the individual in question had offered his voluntary cooperation to the SEC at the outset of the investigation. She noted that his “intimate knowledge” of certain quantitative measures the firm used was important to the SEC’s investigation. This voluntary cooperation was provided by the individual to the SEC “without conditions” which the SEC believed enhanced his credibility.

Importance of the underlying matter. The SEC viewed the investigation and enforcement matter as significant because “it was the first ever arising from errors in a computer-based, quantitative investment model”. His cooperation led to the recovery of “big dollars for victims” due to two separate enforcement actions the SEC brought.

Interest in holding the individual accountable. The SEC believed that the individual played a limited role in the events surrounding the violation but also noted that while still an employee, he had advocated that the error which led to the enforcement action be disclosed to the company President. The SEC noted that the individual’s cooperation “maximized the SEC’s law enforcement interests by facilitating the quick and successful resolution of its enforcement action”.

The Executive’s profile. The individual was not “an associated person of a regulated entity, a fiduciary for other individuals or entities regarding financial matters, or an officer or director of any company.” Further, he did not have any black marks in the way of prior disciplinary actions on his record. Lastly, after the investigation was concluded, he resigned from AXA Rosenberg.

In her article, Jaeger spoke to some industry experts regarding the effect of this NPA. All people interviewed emphasized the fact-specific nature of the resolution. Two key factors may differentiate this resolution from others. The first is the role this person had in the violation. Jaeger quoted Tom Gorman who said that “Whether you get no prosecution or just diminished sanctions will really be a function of the individual’s role in the underlying conduct”. The second factor, I believe, is that the individual in question is no longer working in the industry and therefore he is no longer in a position to commit future violations of federal securities laws.

Jaeger contrasted the AXA Rosenberg matter with another case involving John Cinderey, which showed “a good look at each end of the spectrum” of enforcement. In the Cinderey matter, he received credit for his “substantial assistance” in a SEC investigation but, at the end of the day, Cinderey was named as a defendant in the SEC’s enforcement action against United Commercial Bank. Although the SEC extracted no fine against Cinderey for his role in misleading the bank’s auditors regarding the risks the bank faced in certain outstanding loans, it was noted that he did pay a fine related to action brought by the Federal Deposit Insurance Corporation (FDIC). Cinderey did agree to a permanent injunction proffered by the SEC.

Jaeger quoted Keith Miller for the proposition that the key takeaway for companies and individuals in SEC enforcement actions should be “setting the tone with the staff at the onset of any investigation is very important, because the foundation for how the SEC is going to view and treat you later.” However, Tom Gorman emphasized that it is the individual’s involvement in the underlying wrongful conduct which will be very important. While credit and a diminished penalty are possible, he does not believe that the SEC will “give them a pass if they’re one of the major players” in the fraud or violation.


© Thomas R. Fox, 2012

January 18, 2012

10 Global Compliance Trends for 2012

Many commentators looked back at the events of 2011 in the compliance arena and have looked forward into 2012. However, most of the commentators in the United States focused on the US Foreign Corrupt Practices Act for both their retrospective and Great Carnac tea leaf readings. This lack of international focus is rectified in the January, 2012 issue of the Compliance Week Magazine, in an article entitled, “Ten Global Compliance Trends to Watch in 2012” by Neil Baker. The issues presented on the list are matters which any compliance professional from a US company which has international operations should review and be prepared to face.

  1. Britain loses its voice in Europe. The author believes that Britain’s veto of France and Germany’s plans to bring closer governance of EU members will reduce the UK influence in compliance matters. He believes that this may lead to more Euro-centric regulatory zeal against US-style capitalism.
  2. Tougher corporate governance rules. The author believes that the European Commission will adopt more detailed regulations on how companies should constitute their Boards of Directors, make decisions and manage risk generally.
  3. Big 4 challenged? Baker believes that 2012 may be the end of the Big Four accounting firms’ domination of the international audit market. He believes that some firms may be split up and all firms will no longer be able to offer audit and consulting services.
  4. Stricter data protection. Companies will face new rules on how they “capture, store and use personal information.” Levels of encryption may well need to be increased but most ominously, companies will be required to “notify regulators and member of the public if they discover a data breach.”
  5. Bribery Act gets tested. Baker quotes my This Week in FCPA colleague Howard Sklar for the following, “Compliance Officers now have to ensure that rules are adhered to” [regarding the Bribery Act]. Or as Howard might also say, “At 12 months, take the over.”
  6. Fair competition enforcement up. Baker believes that businesses’ anti-competitive behaviors became more pronounced due to the global recession. Now regulators are catching up to these behaviors and he anticipates greater enforcement.
  7. Executive pay scrutiny continues. Baker believes that the UK government will “introduce new regulations on [executive] remuneration in 2012.” This legislation could include requiring shareholder vote and approval of executive compensation.
  8. Japan gets governance. Independent Directors come to Japan Inc. Baker believes so but I have to disagree with him on this prediction. (See Olympus)
  9. IT security more complex. The increase in the use of personal computing devices and persons working from home will lead to significant data security headaches. Baker quotes Andy Fisher that “unless it is managed it will create a compliance time bomb.”
  10. Cloud computing becomes the norm. The increase in cloud computing can lead to questions regarding which country’s laws control data security: the home country of the company or the country where the data is stored.

This list that Baker has put together clearly portends greater compliance convergence. A Compliance Officer well versed in anti-corruption legislation across the world will have a myriad of laws to navigate to keep his company on the right side of anti-corruption laws. However, the Compliance Officer may well have a broader remit in 2012. Baker ends his piece with this cheery note, “There’s never a good time for a company to suffer a compliance failure, but 2012 would be a particularly bad time.”


© Thomas R. Fox, 2012

October 13, 2011

Telling the Board what it needs to know Regarding Compliance – The Pfizer Experience

In an article in the July Issue of Compliance Week Magazine, entitled “Telling Your Board What it Needs to Hear”, author Arielle Bikard discusses the views of Pfizer Inc’s Chief Compliance Officer (CCO), Douglas Lankler, on how he keeps the Pfizer Board of Directors up to date on compliance issues. There are many articles which focus on the information that a Board of Directors may want to receive and this is one of the few articles which focuses on the issues from the perspective of the CCO.

Reporting Structure

Due to a recent compliance enforcement action, Pfizer was forced to separate its compliance function from its legal function and Lankler began to report directly to the Board. This has led to a tripartite level of reporting at the Board level. There is a monthly meeting of the Audit Committee, to which he reports by telephone, and bi-monthly in-person meetings, to which Lankler also reports. There is also a special Board level committee dedicated to regulatory and compliance issues, to which Lankler began reporting in June. Lankler also submits an annual report to the full Board.

What is Measured and How is it Presented

Lankler noted that the Pfizer Board is “very concerned about how the company is measuring improvements in the compliance function.” To provide this information, Lankler measures the results of inspections during internal monitoring and auditing. He provided the example of whether a country assessed received a “generally satisfactory” rating as opposed to the lesser rating of “satisfactory”. He is also measured on “how much bad stuff I prevent from happening.” To determine this metric, Lankler brings in “external environmental considerations” which look at what is happening in the industry and what his and Pfizer’s peers may be facing from the compliance perspective.

Lankler believes that the key to reporting is to provide sufficient information presented in a manner which puts the emphasis on what is important. To achieve the latter, he prepares a tracking chart and uses a red, yellow and green dot next to each line of information. He believes that this allows the conversation with the Board to be directed “in a way that makes sense.” If he adds to or subtracts from the tracking chart, “the change and its cause are highlighted in a memo to the Board.”

The annual report which is submitted to the Board comes in at 30 pages or so. In it, Lankler sets out four different areas which he believes that a Board needs to review on an annual basis. They include: (1) his views on what he believes to be the most significant compliance risks to the company, (2) his opinion on whether the program has sufficient resources to achieve what is necessary in managing these risks, (3) his belief on the “health of the organization from a compliance perspective”, and, finally, (4) his perception of management’s commitment to compliance.

Lankler’s Lessons Learned

Lankler also gave some lessons learned about what he believed that the CCO should tell the Board. It is important that the CCO share information with the rest of management, in advance of the Board meeting, creating transparency. As the CCO works with the General Counsel, outside legal counsel and outside external audit quite closely throughout the year, he must work with them closely during the preparation of the annual compliance report. Lastly, and, from my experience always the one which is most important in any relationship with senior management or the Board, make sure there are NO SURPRISES.

=======================================================

I have been honored to be nominated as one of the Top 25 Business Blogs of 2011 by LexisNexis. If you would like to support my nomination, please comment on the announcement post on our Corporate & Securities Community


© Thomas R. Fox, 2011

September 16, 2011

How do You Evaluate a Risk Assessment?

What is the amount of risk that your company is willing to accept? Before you even get to this question how does your company assess risk and subsequently evaluate that risk? In the July issue of the Compliance Week magazine, these questions were explored in an article entitled “Improving Risk Assessments and Audit Operations” in which author Tammy Whitehouse discussed the audit process and how the audit results can form the basis for the evaluation of a risk assessment. In her article Whitehouse focused on the presentation of Michele Abraham, from Timken Co., and how Timken assesses and then monitors risks it determines through its annual compliance audit.

According to Abraham, once risks are identified, they are then rated according to their significance and likelihood of occurring, and then plotted on a heat map to determine their priority. The most significant risks with the greatest likelihood of occurring are deemed the priority risks, which become the focus of the audit monitoring plan, she said. A variety of solutions and tools can be used to manage these risks going forward but the key step is to evaluate and rate these risks. Abraham provided two examples of ratings guides which Whitehouse included in her article. We quote both in their entirety.

LIKELIHOOD

| Likelihood Rating | Assessment | Evaluation Criteria |
|---|---|---|
| 1 | Almost Certain | Highly likely, this event is expected to occur |
| 2 | Likely | Strong possibility that an event will occur and there is sufficient historical incidence to support it |
| 3 | Possible | Event may occur at some point, typically there is a history to support it |
| 4 | Unlikely | Not expected but there’s a slight possibility that it may occur |
| 5 | Rare | Highly unlikely, but may occur in unique circumstances |

‘Likelihood’ factors to consider: The existence of controls, written policies and procedures designed to mitigate risk; Capability of leadership to recognize and prevent a compliance breakdown; Compliance failures or near misses; Training and awareness programs.

PRIORITY

| Priority Rating | Assessment | Evaluation Criteria |
|---|---|---|
| 1-2 | Severe | Immediate action is required to address the risk, in addition to inclusion in training and education and audit and monitoring plans |
| 3-4 | High | Should be proactively monitored and mitigated through inclusion in training and education and audit and monitoring plans |
| 5-7 | Significant | |
| 8-14 | Moderate | |
| 15-19 | Low | Risks at this level should be monitored but do not necessarily pose any serious threat to the organization at the present time. |
| 20-25 | Trivial | Risks at this level should be monitored but do not necessarily pose any serious threat to the organization at the present time. |

Priority Rating: Product of ‘likelihood’ and significance ratings reflects the significance of particular risk universe. It is not a measure of compliance effectiveness or to compare efforts, controls or programs against peer groups.

At Timken, the most significant risks with the greatest likelihood of occurring are deemed to be the priority risks. These “Severe” risks become the focus of the audit monitoring plan going forward. A variety of tools can be used, such as continuous controls monitoring with tools like those provided by Visual RiskIQ, a relationship-analysis based software such as Catelas or other analytical based tools. But you should not forget the human factor. At Timken, one of the methods used by the compliance group to manage such risk is by providing employees with substantive training to guard against the most significant risks coming to pass and to keep the key messages fresh and top of mind. The company also produces a risk control summary that succinctly documents the nature of the risk and the actions taken to mitigate it.

The key to the Timken approach is the action steps prescribed by their analysis. This is another way of saying that the risk assessment informs the compliance program, not vice versa. This is the method set forth by the US Department of Justice (DOJ) in its Compliance Program best practices and in the UK Bribery Act Adequate Procedures. I believe that the DOJ wants to see a reasoned approach with regards to the actions a company takes in the compliance arena. The model set forth by Michele Abraham of Timken certainly is a reasoned approach and can provide the articulation needed to explain which steps were taken.


© Thomas R. Fox, 2011

August 23, 2011

Using HR to Change your Company’s Compliance DNA

In his Editor’s View column, in the August issue of Compliance Week, entitled, “Compliance, Collaboration and HR”, Matt Kelly wrote about the interaction of Compliance Departments and Human Resources (HR). He noted that while Compliance Departments may look to HR to support internal investigations, HR can also be used to assist in “molding company culture.” However, it is rarely used for this function. I heartily agree with Matt’s sentiments. In addition to supporting internal investigations, I believe that HR can be used in some of the following ways to assist the Compliance Department. It can be a key component in changing or maintaining your company’s compliance DNA.

Training

 A key role for HR in any company is training. This has traditionally been in areas such as discrimination, harassment and safety, to name just a few, and, based on this traditional role of HR in training, this commentator would submit that it is a natural extension for HR’s function to expand to the area of Foreign Corrupt Practices Act (FCPA) compliance and ethics training. There is a training requirement set forth in the US Sentencing Guidelines and companies are mandated to “take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to the individuals referred to in subdivision (B) by conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities.”

What type of training should HR utilize in the FCPA compliance and ethics arena? The consensus seems to be that there are three general approaches which have been used successfully. The first is the most traditional and that is in-person classroom training. This gives employees an opportunity to see, meet and interact directly with the trainer, not an insignificant dynamic in the corporate environment. It can also lead to confidential discussions after such in-person training. All FCPA compliance and ethics training should be coordinated and both the attendance and result recorded. Results can be tabulated through short questionnaires immediately following the training and bench-marked through more comprehensive interviewing of selected training participants to determine overall effectiveness.

Employee Evaluation and Succession Planning

What policy does a company take to punish those employees who may engage in unethical and non-compliant behavior in order to meet company revenue targets? Conversely what rewards are handed out to those employees who integrate such ethical and compliant behavior into their individual work practices going forward? One of the very important functions of HR is assisting management in setting the criteria for employee bonuses and in the evaluation of employees for those bonuses. This is an equally important role in conveying the company message of adherence to a FCPA compliance and ethics policy. This requirement is codified in the US Sentencing Guidelines with the following language: “The organization’s compliance and ethics program shall be promoted and enforced consistently throughout the organization through (A) appropriate incentives to perform in accordance with the compliance and ethics program; and (B) appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.”

Does a company have, as a component of its bonus compensation plan, a part dedicated to FCPA compliance and ethics? If so, how is this component measured and then administered? There is very little in the corporate world that an employee notices more than what goes into the calculation of their bonuses. HR can, and should, facilitate this process by setting expectations early in the year and then following through when bonuses are released. With the assistance of HR, such a bonus can send a powerful message to employees regarding the seriousness with which compliance is taken at the company. There is nothing like putting your money where your mouth is for people to stand up and take notice.

In addition to employee evaluation, HR can play a key role in assisting a company to identify early on in an employee’s career the propensity for compliance and ethics by focusing on leadership behaviors in addition to simply business excellence. If a company has an employee who meets, or exceeds, all his sales targets, but does so in a manner which is opposite to the company’s stated FCPA compliance and ethics values, other employees will watch and see how that employee is treated. Is that employee rewarded with a large bonus? Is that employee promoted or are the employee’s violations of the company’s compliance and ethics policies swept under the carpet? If the employee is rewarded, both monetarily and through promotions, or in any way not sanctioned for unethical or non-compliant behavior, it will be noticed and other employees will act accordingly. One of the functions of HR is to help ensure consistent application of company values throughout the organization, including those identified as ‘rising stars’. An important role of HR in any organization is to help in building trust throughout the company and recognizing the benefits which result from that trust.

Background Screening

A key role for HR in any company is the background screening of not only employees at the time of hire, but also of employees who may be promoted to senior leadership positions. HR is usually on the front lines of such activities, although it may act in conjunction with the Legal or Compliance Departments. This requirement is discussed in the US Federal Sentencing Guidelines for Organizations (FSGO) as follows: “The organization shall use reasonable efforts not to include within the substantial authority personnel of the organization any individual whom the organization knew, or should have known through the exercise of due diligence, has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program.”

What type of background checks should HR utilize in the FCPA compliance and ethics arena? The consensus seems to be that HR should perform at least routine civil, criminal and credit background checks. Care should be taken in any such request made in countries outside the United States, as such information may be protected by privacy laws or the quality of such information may be different in substance from that of the United States. For instance, in the United Kingdom, the request of a credit check can negatively impact a prospective employee’s credit score so such a background check may not provide useful information to a prospective employer.

Additionally, although it may be difficult in the United States to do so, a thorough check of references should be made. I say that it may be difficult because many companies will only confirm that the employee worked at the company and only give out the additional information of dates of employment. In this situation, it may be that a prospective employer should utilize a current employee to contact former associates at other companies to get a sense of the prospective employee’s business ethics. However, it should be noted that such contacts should only be made after a thorough briefing by HR of the current employee who might be asked to perform such duty.

A company can also use HR to perform internal background checks on employees who may be targeted for promotions. These types of internal background checks can include a detailed review of employee performance; disciplinary actions, if any; internal and external achievements, while employed by the company and confirmation of both ethics and compliance training and that the employee has completed the required annual compliance certification. A key internal function where HR can be an important lead is to emphasize that an employee, who has been investigated but cleared of any alleged ethics and compliance violations, should not be penalized.

When the Government Comes Calling

While it is true that a company’s Legal and/or Compliance Department will lead the response to a government investigation, HR can fulfill an important support role due to the fact that HR should maintain, as part of its routine function, a hard copy of many of the records which may need to be produced in such an investigation. This would include all pre-employment screening documents, including background investigations, all post-employment documents, including any additional screening documents, compliance training and testing thereon and annual compliance certifications. HR can be critical in identifying and tracking down former employees. HR will work with Legal and/or Compliance to establish protocols for the conduct of investigations and who should be involved.

Lastly, another role for HR can be in the establishment and management of (1) an Amnesty Program or (2) a Leniency Program for both current, and former, employees. Such programs were implemented by Siemens during its internal bribery and corruption investigation. The Amnesty Program allowed appropriate current or former employees, who fully cooperated and provided truthful information, to be relieved from the prospect of civil damage claims or termination. The Leniency Program allowed Siemens employees who had provided untrue information in the investigation to correct this information for certain specific discipline. Whichever of these programs, or any variations, that are implemented HR can perform a valuable support role to Legal and/or Compliance.

Doing More with Less

While many practitioners do not immediately consider HR as a key component of a FCPA compliance solution, it can be one of the linchpins in spreading a company’s commitment to compliance throughout the employee base. HR can also be used to ‘connect the dots’ in many divergent elements in a company’s FCPA compliance and ethics program. The roles listed for HR in this series are functions that HR currently performs for almost any US company with international operations. By asking HR to expand their traditional function to include the FCPA compliance and ethics function, a US company can move towards a goal of a more complete compliance program, while not significantly increasing costs. Additionally, by asking HR to include these functions, it will drive home the message of compliance to all levels within a company; from senior to middle management and to those on the shop floor. Just as safety is usually message Number 1, compliance can be message Number 1A. HR focuses on behaviors, and by asking this department to include a compliance and ethics message, such behavior will become a part of a company’s DNA.

————————————————————————————————–

I have previously written about Catelas software, see here. It does some very cool stuff. The Catelas guys are putting on a series of events to highlight their software and its uses in a FCPA compliance program. On Tuesday, August 23 and August 30, at 1 PM EDT, they are hosting a webinar entitled, “FCPA Investigations – Generate a Risk Assessment report, identify all key people & content before you fly!” Information and Registration can be found here.

