FCPA Compliance and Ethics Blog

May 1, 2015

King Arthur Week – The Quest for the Holy Grail and Compliance Defense – Part V

Holy GrailWe conclude our Arthurian themed week with the Holy Grail, which has fired the imagination of artists for millennia. What was the Holy Grail? According to Professor Dorsey Armstrong in her Teaching Company lecture series, entitled “King Arthur: History and Legend”, the Holy Grail has taken various forms over the years. For Chrétien de Troyes, it was a fancy serving dish; for Wolfram von Eschenbach, it is a magical stone; for Robert de Boron, it is the cup that Christ drank from at the Last Supper; for the comedy troupe Monty Python, it is a cartoon sketch that no one ever finds; and for the modern day author Dan Brown, it is both a person, who is a descendant of Mary Magdalene, and a bloodline which leads to the Merovingian kings of France. In other words, it means many things to many people.

One of the articulated reasons for the creation of King Arthur’s Round Table was tied to the Holy Grail, since it was allegedly used at the Last Supper, it seems only natural that Arthur would seek it from his table as well. Indeed in Robert de Boron’s account of Arthur, the wizard Merlin tells Arthur the Round Table was established to identify the one Knight, who was pure of heart, who could find the Holy Grail. Only after the great quest for and locating of the Holy Grail was achieved could Arthur’s other ambitions come to pass.

Another interesting twist on the Grail legend is that it was in Britain. Curiously it was first ‘discovered’ by some enterprising Monks in Glastonbury, England in the late 12th century. They just happened to come across a well that ‘bled’ water around the time of an annual pilgrimage. Going viral in the Middle Ages was tough but the Monks built upon their initial find by claiming that both King Arthur and his Queen Guinevere were also buried at their abbey. Do you believe any of the above? Are you on your own Grail Quest, however dreamy that quest might be?

I thought about the quest for the Holy Grail in the context of the renewed call for a compliance defense addition to the Foreign Corrupt Practices Act (FCPA), which would give companies a pass if they had sustained a FCPA violation. In a recent blog post, entitled “Wal-Mart’s Recent Disclosures, the FCPA Professor renewed his clarion call for a compliance defense for FCPA violators, using Wal-Mart’s last three-year spend on compliance resources as a starting point. He wrote, “Wal-Mart disclosed spending approximately $220 million over the past three years in global compliance program and organizational enhancements.” He went on to note, “The key policy issue is this. Wal-Mart has engaged in FCPA compliance enhancements in reaction to its high-profile FCPA scrutiny. Perhaps if there was a compliance defense more companies would be incentivized to engage in compliance enhancements pro-actively. A compliance defense is thus not a “race to the bottom” it is a “race to the top” (see here for the prior post) and it is surprising how compliance defense detractors are unable or incapable of grasping this point.”

Leaving aside the issue of whether I am “unable or incapable” to grasp these issues I raised, I see this quest for (or ‘race’ as the FCPA Professor calls it) for a compliance defense for companies that violate the FCPA to be as quixotic as the quest for the Holy Grail. As there were two requirements for the Knight who was destined to find the Grail, we will begin pureness of heart. Recognizing that it might be difficult to find a corporation that is ‘pure of heart’, the appropriate analogy might be more than simply spending what may appear to be a large dollar amount on a compliance program. This is because it is not the amount of money you spend that informs the effectiveness of your compliance program. In three years Wal-Mart has reported it spent $220MM. The FCPA was enacted into existence in 1977. What do you get if you divide $220MM total spend into 38 years? My (recovering) trial lawyer math shows that to be approximately $5.78MM per year. How many billions of dollars per year was the annual revenue of Wal-Mart during that time? (Hint – a lot)

Moving our quest time frame to the modern era of FCPA enforcement, to say 2005. That would give an annual compliance spend of $20MM per year. If one looks at the company’s revenue from the middle of the last 10 years, for the fiscal year ending January 31, 2011, Wal-Mart reported net income of $15.4 billion on $422 billion in gross sales. Now what do you think about Wal-Mart’s quest for an effective compliance program based upon three year’s spending of $220 being significant? Indeed what is the percent of its revenues over the past three years that Wal-Mart spent creating its compliance program? Alas my trial lawyer math skills do not allow me to calculate a number so small.

How about the second part of the Grail quest that requires a ‘chaste’ Knight? Once again it is somewhat difficult to understand how a corporation could be chaste but I think the appropriate analogy is the doing of compliance. Put another way, it is not having a compliance program in place but having an effective compliance program. So not only does the amount of money a company spends become immaterial to our quest but also the same can be said to the claim that having a written program should entitle you some type of defense to any FCPA violations. Just as questing for the Holy Grail is seeking something that does not exist, affording companies a defense from their own FCPA violations by having a written program in place is not a temporal reality.

Under the FCPA Ten Hallmarks of an Effective Compliance Program, that it is an interplay of the right compliance message, tools in place to communicate and enforce the compliance message and then oversight to ensure compliance with the entire compliance regime. Such things as monitoring are recognized as a key element so your company should establish a regular monitoring system to spot issues and address them. Effective monitoring means applying a consistent set of protocols, checks and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. To address this, your compliance team should be checking in routinely with the finance departments in your foreign offices to ask if they have noticed recent accounting irregularities. Regional directors should be required to keep tabs on potential improper activity in the countries they manage. Additionally, the global compliance committee should meet or communicate as often as every month to discuss issues as they arise. These ongoing efforts demonstrate your company is serious about compliance.

In addition to monitoring, structural controls are recognized as an important element. It has been said that large companies “must use structural means to maintain control.” One of the best explanations of the use of internal controls as a structural component of any best practices compliance program comes from Aaron Murphy, a partner at Foley and Lardner in San Francisco, in his book entitled “Foreign Corrupt Practices Act”, where he said, “Internal controls are policies, procedures, monitoring and training that are designed to ensure that company assets are used properly, with proper approval and that transactions are properly recorded in the books and records. While it is theoretically possible to have good controls but bad books and records (and vice versa), the two generally go hand in hand – where there are record-keeping violations, an internal controls failure is almost presumed because the records would have been accurate had the controls been adequate.” These two parts are but a sampling but it is in the doing of compliance that any anti-corruption compliance program becomes effective; it is not simply having one in place.

Finally, as with all quests, what will it bring you if you actually achieve it? As with the Holy Grail, it is a good story but that is about it. I find this view best articulated by Matthew Stephenson, in a blog post entitled “The Irrelevance of an FCPA Compliance Defense”, where he gave three reasons why a compliance defense is not warranted. First (and perhaps almost too obvious to state) is that if your company is invoking a compliance defense, there has been a FCPA violation. The second is “The U.S. Department of Justice (DOJ) already takes into account a corporation’s good-faith efforts to implement a meaningful compliance program when the DOJ decides whether to pursue an FCPA action against the corporation, and what penalties or other remedies to impose. Indeed, the adequacy of the corporation’s compliance program is a standard subject of negotiation between the DOJ and corporate defendants.” Third is that “An FCPA compliance defense would only alter the DOJ’s bargaining position if a corporation unhappy with the DOJ’s position could either (1) convince the DOJ lawyers that the DOJ’s position is unreasonable in light of the corporation’s compliance program, or (2) credibly threaten to go to court and defeat the DOJ’s enforcement action altogether by successfully invoking the compliance defense before a federal judge.” Stephenson discounts subpart 1 because DOJ lawyers already take a company’s compliance program into account. But his second subpart is even more important because no company will go to trial against the government using a compliance defense to a demonstrable FCPA violation. Leaving aside the Arthur Anderson effect, no company is going to risk losing at trial when they can control their own fate through settlement. The modern day Knights seeking the Holy Grail of a compliance defense will never find it because of this last fact. Moreover, just as there were no real Knights who could meet the requirements to actually find the Holy Grail after their quest, there are no companies which can meet the same criteria; that being that a compliance defense could or even should trump a FCPA violation.

So we leave our King Arthur themed week with our quest intact, bringing message I hope that you have ascertained in these five posts about some of the things you need to do around the ‘nuts and bolts’ of anti-corruption compliance. I also hope that you might be able to look at the tales surrounding the King Arthur myth for your own inspiration.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

April 28, 2015

King Arthur Week – the Pentecostal Oath and Code of Conduct – Part II

Mort D'ArthurOne thing for which King Arthur is remembered are his chivalric knights. He helped create this legend, in large part, by establishing a Code of Conduct for the Knights of the Round Table. The King required each one of them to swear an oath, called the Pentecostal Oath, which was Arthur’s ideal for a chivalric knight. The Oath stated, “The king established all his knights, and gave them that were of lands not rich, he gave them lands, and charged them never to do outrageousity nor murder, and always to flee treason; also, by no mean to be cruel, but to give mercy unto him that asketh mercy, upon pain of forfeiture of their worship and lordship of King Arthur for evermore; and always to do ladies, damosels, and gentlewomen succor upon pain of death. Also, that no man take no battles in a wrongful quarrel for no law, ne for no world’s goods. Unto this were all the knights sworn of the Table Round, both old and young. And every year were they sworn at the high feast of Pentecost.” (Le Morte d’Arthur, pp 115-116)

Interestingly, the Oath first appeared in Sir Thomas Malory’s Le Morte d’Arthur and in none of the prior incarnations of the legend. In Malory’s telling, after the Knights swore the Oath, they were provided titles and lands by the King. The Oath specifies both positive and negative conduct; that is, what a Knight might do but also what conduct he should not engage in. The Pentecostal Oath formed the basis for the Knight’s conduct at Camelot and beyond. It was clearly a forerunner of today’s corporate Code of Conduct.

The foundational document of any Foreign Corrupt Practices Act (FCPA) compliance program is its Code of Conduct. This requirement has long been memorialized in the US Sentencing Guidelines, which contain seven basic compliance elements that can be tailored to fit the needs and financial realities of any given organization. From these seven compliance elements the Department of Justice (DOJ) has crafted its minimum best practices compliance program, which is now attached to every Deferred Prosecution Agreement (DPA) and Non-Prosecution Agreement (NPA). These requirements were incorporated into the 2012 FCPA Guidance. The US Sentencing Guidelines assume that every effective compliance and ethics program begins with a written standard of conduct; i.e. a Code of Conduct. What should be in this “written standard of conduct”.

Element 1

Standards of Conduct, Policies and Procedures (a Code of Conduct)

An organization should have an established set of compliance standards and procedures. These standards should not be a “paper only” document, but a living document that promotes organizational culture that encourages “ethical conduct” and a commitment to compliance with applicable regulations and laws.

In the FCPA Guidance, the DOJ and Securities and Exchange Commission (SEC) state, “A company’s code of conduct is often the foundation upon which an effective compliance program is built. As DOJ has repeatedly noted in its charging documents, the most effective codes are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf.” Indeed, it would be difficult to effectively implement a compliance program if it was not available in the local language so that employees in foreign subsidiaries can access and understand it. When assessing a compliance program the DOJ and SEC will review whether the company chapter has taken steps to make certain that the code of conduct remains current and effective and whether a company has periodically reviewed and updated its code.

In each DPA and NPA over the past 36 months the DOJ has stated the following as item No. 1 for a minimum best practices compliance program.

  1. Code of Conduct. A Company should develop and promulgate a clearly articulated and visible corporate policy against violations of the FCPA, including its anti-bribery, books and records, and internal controls provisions, and other applicable foreign law counterparts (collectively, the “anti-corruption laws”), which policy shall be memorialized in a written compliance code.

In an article in the Society for Corporate Compliance and Ethics (SCCE) Complete Compliance and Ethics Manual, 2nd Ed., entitled “Essential Elements of an Effective Ethics and Compliance Program”, authors Debbie Troklus, Greg Warner and Emma Wollschlager Schwartz, state that your company’s Code of Conduct “should demonstrate a complete ethical attitude and your organization’s “system-wide” emphasis on compliance and ethics with all applicable laws and regulations.” Your Code of Conduct must be aimed at all employees and all representatives of the organization, not just those most actively involved in known compliance and ethics issues. From the board of directors to volunteers, the authors believe that “everyone must receive, read, understand, and agree to abide by the standards of the Code of Conduct.” This would also include all “management, vendors, suppliers, and independent contractors, which are frequently overlooked groups.”

There are several purposes identified by the authors that should be communicated in your Code of Conduct. Of course the overriding goal is for all employees to follow what is required of them under the Code of Conduct. You can do this by communicating what is required of them, to provide a process for proper decision-making and then to require that all persons subject to the Code of Conduct put these standards into everyday business practice. Such actions are some of your best evidence that your company “upholds and supports proper compliance conduct.”

The substance of your Code of Conduct should be tailored to the company’s culture, and to its industry and corporate identity. It should provide a mechanism by which employees who are trying to do the right thing in the compliance and business ethics arena can do so. The Code of Conduct can be used as a basis for employee review and evaluation. It should certainly be invoked if there is a violation. To that end, I suggest that your company’s disciplinary procedures be stated in the Code of Conduct. These would include all forms of disciplines, up to and including dismissal, for serious violations of the Code of Conduct. Further, your company’s Code of Conduct should emphasize it will comply with all applicable laws and regulations, wherever it does business. The Code needs to be written in plain English and translated into other languages as necessary so that all applicable persons can understand it.

As I often say, the three most important things about your FCPA compliance program are ‘Document, Document and Document’. The same is true of communicating your company’s Code of Conduct. You need to do more than simply put it on your website and tell folks it is there, available and that they should read it. You need to document that all employees, or anyone else that your Code of Conduct is applicable to, has received, read, and understands the Code. For employees, it is important that a representative of the Compliance Department, or other qualified trainer, explains the standards set forth in your Code of Conduct and answers any questions that an employee may have. Your company’s employees need to attest in writing that they have received, read, and understood the Code of Conduct and this attestation must be retained and updated as appropriate.

The DOJ expects each company to begin its compliance program with a very public and very robust Code of Conduct. If your company does not have one, you need to implement one forthwith. If your company has not reviewed or assessed their Code of Conduct for five years, I would suggest that you do in short order as much has changed in the compliance world.

What is the value of having a Code of Conduct? I have heard many business folks ask that question over the years. In its early days, a Code of Conduct tended to be lawyer-written and lawyer-driven to “wave in a defense situation” by claiming that “see we have one”. But is such a legalistic code effective? Is a Code of Conduct more than simply, your company’s law? What is it that makes a Code of Conduct effective? What should be the goal in the creation of your company’s Code of Conduct?

Just as the Pentecostal Oath was required to be sworn out each year, you should have your employees recertify their adherence to your Code of Conduct. Moreover, just as King Arthur set his expectations for behavior your company should do so as well.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

April 13, 2015

Brazilian Corruption Scandal Expands Past Petrobras – Is a FCPA Country Sweep Next?

BroomThe Brazilian corruption scandal took a new turn last week, when the Brazilian government announced that it was investigating the country’s health ministry and the state-owned bank Caixa Econômica Federal (Caixa). As reported by Rogerio Jelmayer and Luciana Magalhaes in the Wall Street Journal (WSJ), in an article entitled “Corruption Scandal in Brazil Gets Bigger”, the schemes were similar to those used in the Petrobras scandal, where inflated contracts were awarded to contractors who kick backed the overcharges to those in position to award the business.

This expansion of Brazilian government investigation is also the first reported instance of companies outside the energy sector or those doing business with the Brazilian state-owed enterprise Petrobras being investigated by the Brazilian government. Over the years there have been several Foreign Corrupt Practices Act (FCPA) enforcement actions regarding US companies doing business in Brazil. With this expansion of the Petrobras corruption scandal to other government departments and state-owned entities, a new chapter may be opening. This new chapter may bring not only Brazilian domestic bribery and corruption scrutiny but also draw the attention of US or UK regulators, such as the Department of Justice (DOJ), Securities and Exchange Commission (SEC) or the UK Serious Fraud Office (SFO).

In the health ministry the area of contracts under investigation were those for advertising. The WSJ article said, “the cost of advertising contracts was inflated by as much as 10%, prosecutors said, with the surplus also passed along to politicians. The health ministry said all its advertising contracts meet the legal requirements, and it will investigate the allegations and cooperate with police and prosecutors.” It certainly is comforting when the government says it will cooperate with investigators.

But perhaps more interesting was the timing of the allegations against the country’s third largest state-owned bank Caixa. While the allegations around the scope and extent of the bribery were similar to those made against the Brazilian health ministry, the declarations of these new investigations coincided with the announcement last week by the government Finance Minister Joaquim Levy and Caixa Chief Executive Officer (CEO) Miriam Belchior for “an initial public offering [IPO] in the insurance joint venture it has with French insurer CNP Assurances.”

What do you think the comfort level will be for institutional investors about now in this IPO? I wonder if under IPO rules and regulations in Brazil, whether the CEO must certify either the financial statement as accurate or that there is no evidence of corruption in the organization? Even those in Brazil recognize the gravity of these allegations against Caixa. Luis Santacreu, a banking analyst at the Brazilian rating agency Austin Ratings, said that he thought this announcement would make the IPO more difficult and “the allegations against Caixa show it needs to improve its governance.”

These two developments demonstrate the difficulties that international companies may have in doing business in Brazil going forward. It is not difficult to believe that a country sweep on those doing business in Brazil, with the Brazilian government or with Brazilian state-owned enterprises, may well be coming. Given the recent 2014 World Cup and the upcoming 2016 Olympics, it would not seem too great a stretch for the DOJ or SEC to begin to look at US companies with significant amounts of commerce with and in Brazil.

While we have not seen evidence of country sweeps to-date, there has been evidence of industry sweeps in FCPA enforcement. The FCPA Professor, in a blog post entitled “Industry Sweeps”, posted an article from FCPA Dean Homer Moyer, entitled “The Big Broom of FCPA Industry Sweeps”. In his article, Moyer said that an industry sweep is the situation where the DOJ and/or SEC will focus “on particular industries – pharmaceuticals and medical devices come to mind — industry sweeps are investigations that grow out of perceived FCPA violations by one company that enforcement agencies believe may reflect an industry-wide pattern of wrongdoing.” Moyer further wrote, “Industry sweeps are often led by the Securities and Exchange Commission (“SEC”), which has broad subpoena power as a regulatory agency, arguably broader oversight authority than prosecutors. They are different from internal investigations or traditional government investigations, and present different challenges to companies. Because the catalyst may be wrongdoing in a single company, agencies may have no evidence or suspicion of specific violations in the companies subject to an industry sweep. A sweep may thus begin with possible cause, not probable cause. In sweeps, agencies broadly solicit information from companies about their past FCPA issues or present practices. And they may explicitly encourage companies to volunteer incriminating information about competitors.”

As a compliance professional, one of the key takeaways from the Brazilian corruption scandal is that you should take a very hard and detailed look at your company. With the spread of Brazilian investigations around corruption, we can see that these scandals are not be limited to only the energy or energy-related service industry. One of the first things you can begin to do is to review the list of third parties who might work with the Brazilian government or with Brazilian state-owned enterprises. You should begin by asking such questions as:

  • What is the ownership of the third party? Is there a business justification for the relationship?
  • Is there anyone in the company who is responsible for maintaining the relationship? Is there ongoing accountability?
  • How is the relationship being managed?
  • Are you engaging in any transaction monitoring?
  • Are you engaging in any relationship monitoring?
  • What is the estimated or budgeted size of the spend with the third party?

While the GlaxoSmithKline PLC (GSK) investigation has reverberated throughout the China, I think that the Brazilian corruption scandals will be with us for some time. As bad as it seems about now, and it certainly appears bad, there are many lessons that the compliance practitioner can not only draw from but use for teaching moments within your company. For if you are doing business with the Brazilian government or with Brazilian state-owned enterprises it may not be “if you are subject to a FCPA sweep” but only “when”.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

March 30, 2015

Compensation Incentives in a Best Practices Compliance Program

Compensation IncentivesOne of the areas that many companies have not paid as much attention to in their Foreign Corrupt Practices Act (FCPA) anti-corruption compliance programs is compensation. However the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have long made clear that they view incentives, rewarding those employees who do business in compliance with their employer’s compliance program, as one of the ways to reinforce the compliance program and the message of compliance. As far back as 2004, the then SEC Director of Enforcement, Stephen M. Cutler, said “[M]ake integrity, ethics and compliance part of the promotion, compensation and evaluation processes as well. For at the end of the day, the most effective way to communicate that “doing the right thing” is a priority, is to reward it.” The FCPA Guidance states the “DOJ and SEC recognize that positive incentives can also drive compliant behavior. These incentives can take many forms such as personnel evaluations and promotions, rewards for improving and developing a company’s compliance pro­gram, and rewards for ethics and compliance leadership.”

In a Harvard Business Review (HBR) article, entitled “The Right Way to Use Compensation, Mark Roberge, Chief Revenue Officer of HubSpot, wrote about his company’s design and redesign of its employee’s compensation system to help drive certain behaviors. The piece’s subtitle indicated how the company fared in this technique as it read, “To shift strategy, change how you pay your team.” Several interesting ideas were presented, which I thought could be applicable for the Chief Compliance Officer (CCO) or compliance practitioner when thinking about compensation as a mechanism in a best practices compliance program.

Obviously Roberge and HubSpot were focused on creating and retaining a customer base for a start-up company. However because the company was a start-up, I found many of their lessons to be applicable for the compliance practitioner. As your compliance program matures and your strategy shifts, “it’s critical that the employees who bring in the revenue-the sales force-understand and behave in ways that support the new strategy. The sales compensation system can help ventures achieve that compliance.” The prescription for you as the compliance practitioner is to revise the incentive system to focus your employees on the goals of your compliance program. This may mean that you need to change the incentives as the compliance programs matures; from installing the building blocks of compliance to burning anti-corruption compliance into the DNA of your company.

Roberge wrote that there were three key questions you should ask yourself in modifying your compensation incentive structure. First, is the change simple? Second, is the changed aligned with your company values? Third, is the effective on behavior immediate due to the change?

Simplicity

Your employees should not need “a spreadsheet to calculate their earnings.” This is because if “too many variables are included, they may become confused about which behaviors” you are rewarding. Keep the plan simple and even employee KISS, Keep it simple sir, when designing your program. If you do not do so, your employees might fall back on old behaviors that worked in the past. Roberge notes, “It should be extraordinarily clear which outcomes you are rewarding.”

The simplest way to incentive employees is to create metrics that they readily understand and are achievable in the context of the compliance program that you are trying to implement or enhance. This can start with attending Code of Conduct and compliance program training. Next might be a test to determine how much of that training was retained. It could be follow up, online training. It could mean instances of being a compliance champion in certain areas, whether with your employee base or third party sales force.

Alignment

As the CCO or compliance practitioner, you need to posit the most important compliance goal your entity needs to achieve. From there you should determine how your compensation program can be aligned with that goal. Roberge cautions what the DOJ and SEC both seem to understand, that you should not “underestimate the power of your compensation plan.” You can tweak your compliance communication, be it training, compliance videos, compliance reminders or other forms of compliance messaging but it is incumbent to remember that “if the majority of your company’s revenue is generated by salespeople, properly aligning their compensation plan will have greater impact than anything else.”

The beauty of this alignment prong is that it works with your sales force throughout the entire sales channel. So if your sales channel is employee based then their direct compensation can be used for alignment. However such alignment also works with a third party sales force such as agents, representatives, channel ops partners and even distributors. Here Roberge had another suggestion regarding compensation that I thought had interesting concepts for third parties, the holdback or even clawback. This would come into place at some point in the future for these third parties who might meet certain compliance metrics that you design into your third party management program.

Immediacy

Finally, under immediacy, it is important that such structures be put in place “immediately” but in a way that incentives employees. Roberge believes that “any delay in the good (or bad) behavior and the related financial outcome will decrease the impact of the plan.” As a part of immediacy, I would add there must be sufficient communication with your employee or other third party sales base. Roberge suggested a town hall meeting or other similar event where you can communicate to a large number of people.

Even in the world of employee compensation incentives, there should be transparency. He cautioned that transparency does not mean the design of the incentive system is a “democratic process. It was critical that the salespeople did not confuse transparency and involvement with an invitation to selfishly design the plan around their own needs.” However, he did believe that the employee base “appreciated the openness, even when the changes were not favorable to their individual situations.” Finally, he concluded, “Because of this involvement, when a new plan was rolled out, the sales team would understand why the final structure was chosen.”

So just as Roberge, working with HubSpot as a start-up, learned through this experience “the power of a compensation plan to motivate salespeople not only to sell more but to act in ways that support a start-up’s evolving business model and overall strategy”; you can also use your compensation program as such an incentive. For the compliance practitioner one of the biggest reasons is to first change a company’s culture to make compliance more important but to then burn it into the fabric of your organization. But you must be able to evolve in your thinking and professionalism as a compliance practitioner to recognize the opportunities to change and then adapt your incentive program to make the doing of compliance part of your company’s everyday business process.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

March 18, 2015

The Blue Geranium – SEC Enforcement of the FCPA – Part III

Blue GeraniumIn Christie’s The Blue Geranium a difficult and cantankerous semi-invalid wife is looked after by a succession of nurses. They changed regularly, unable to cope with their patient, with one exception Nurse Copling who somehow managed the tantrums and complaints better than others of her calling. The wife had a predilection for fortunetellers and one announced that the wallpaper in the wife’s room was evil; pronouncing she should “Beware of the Full Moon. The Blue Primrose means warning; the Blue Hollyhock means danger; the Blue Geranium means death.” Four days later, one of the primroses in the pattern of the wallpaper in the wife’s room changed color to blue in the middle of the night, when there had been a full moon.

On the morning after the next full moon, the wife was found dead in her bed with only her smelling salts beside her. Once again Miss Marple has the solution remembering that potassium cyanide resembled smelling salts in odor. The wife took what she thought were smelling salts but was in reality potassium cyanide. The flowers on the wallpaper had been treated with litmus paper which the turned the geranium in question blue, which unmasked the killer.

I found this story to be an interesting way to introduce the topic of the Securities and Exchange Commission’s (SEC’s) damage remedies. While some are obvious, such as the fines and penalties which are listed in the text of the Foreign Corrupt Practices Act (FCPA), another one, that being profit disgorgement must be seen through the lens of multiple legislations.

Monetary Fines

The damages that are available to the SEC differ in some significant aspects from those available to the Department of Justice (DOJ) in its enforcement of the criminal side of the FCPA. According to the FCPA Guidance, “For violations of the anti-bribery provisions, cor­porations and other business entities are subject to a civil penalty of up to $16,000 per violation. Individuals, including officers, directors, stockholders, and agents of companies, are similarly subject to a civil penalty of up to $16,000 per violation, which may not be paid by their employer or principal. For violations of the accounting provisions, SEC may obtain a civil penalty not to exceed the greater of (a) the gross amount of the pecuniary gain to the defendant as a result of the violations or (b) a specified dollar limitation. The specified dollar limitations are based on the egregious­ness of the violation, ranging from $7,500 to $150,000 for an individual and $75,000 to $725,000 for a company.”

As straightforward as these monetary amounts may seem, the totals can become very large very quickly. As noted by Russ Ryan in a guest post on the FCPA Professor’s blog, entitled “Former SEC Enforcement Official Throws The Red Challenge Flag, the SEC significantly multiplied those amounts in a default judgment context against former Siemens executives by claiming that “four alleged bribes should be triple-counted as three separate securities law violations – once as a bribe, again as a books-and-records violation, and yet again as an internal-controls violation – thus artificially multiplying four violations to create twelve.” Further, under the specific books-and-records and internal-controls allegations “the SEC was super aggressive, taking the position that these classically non-fraud violations involved “reckless disregard” of a regulatory requirement, thus allowing the SEC to demand the maximum $60,000 per violation in “second-tier” penalties rather than the $6,000 per violation in the “first-tier” penalties ordinarily associated with non-fraud violations.”

Profit Disgorgement

In addition to the above statutory fines and penalties, “SEC can obtain the equitable relief of disgorgement of ill-gotten gains and pre-judgment interest and can also obtain civil money penalties pursuant to Sections 21(d)(3) and 32(c) of the Exchange Act. SEC may also seek ancillary relief (such as an accounting from a defendant). Pursuant to Section 21(d)(5), SEC also may seek, and any federal court may grant, any other equitable relief that may be appropriate or necessary for the benefit of investors, such as enhanced remedial measures or the retention of an independent compliance consultant or monitor.” These remedies can be sought in a federal district court of through the SEC administrative process.

As explained by Marc Alain Bohn, in a blog post on the FCPA Blog entitled “What Exactly is Disgorgement?” profit “Disgorgement is an equitable remedy authorized by the Securities Exchange Act of 1934 that is used to deprive wrong-doers of their ill-gotten gains and deter violations of federal securities law. The Act gives the SEC the authority to enter an order “requiring accounting and disgorgement,” including reasonable interest, as part of administrative or cease and desist proceedings”. In another article Bohn co-authored with Sasha Kalb, entitled “Disgorgement – the Devil You Don’t Know” published in Corporate Compliance Insights (CCI), they set out how such damages are calculated. They said, “In calculating disgorgement, the SEC is required to distinguish between legally and illegally obtained profits. The first step in such calculations is to identify the causal link between the unlawful activity and the profit to be disgorged. Once this causal link is established, the SEC may assert its right to disgorge illicit profits that stem from this wrong-doing. Because calculations like these often prove difficult, courts tend to give the SEC considerable discretion in determining what constitutes an ill-gotten gain by requiring only a reasonable approximation of the profits which are causally connected to the violation.”

However if you read the FCPA quite closely you will not find any language regarding profit disgorgement as a remedy. Nevertheless a simple reading of the statute does not limit our inquiry as to this remedy. In a Note, published in the University of Michigan Journal of International Law, entitled “The Foreign Corrupt Practices Act, SEC Disgorgement of Profits and the Evolving International Bribery Regime: Weighing Proportionality, Retribution and Deterrence”, author David C. Weiss explained the development of the remedy of profit disgorgement. As noted by Bohn, profit disgorgement was always available to the SEC from the very beginning of its existence, through the enabling legislation of 1934. But as explained by Weiss, in the completely unrelated legislation entitled The Penny Stock Reform Act of 1990, profit disgorgement was “authorized by statute [as a remedy to the SEC] without a limitation to the FCPA.”

Finally, and what many compliance practitioners do not focus on for SEC enforcement of the FCPA, was the enactment of Sarbanes-Oxley Act of 2002 (SOX). Weiss said, “The most recent change to the way in which the SEC enforces the FCPA—and a critical development to consider—is SOX, which affects virtually all of the SEC’s prosecutions, including those under the FCPA. When assessing penalties, the SEC draws on SOX to provide great latitude in determining the types of penalties it enforces. While SOX did not amend the FCPA itself, it did amend both civil and criminal securities laws relating to compliance, internal controls, and penalties for violations of the Exchange Act. Since the enactment of SOX, the SEC has possessed the power to designate how a particular penalty that it assesses will be classified.” [citations omitted]

There has been criticism of the SEC using profit disgorgement as a remedy. As far back as 2010, the FCPA Professor criticized this development in his article “The Façade of FCPA Enforcement” where he found fault with the remedy of profit disgorgement for books and records violations or internal controls violations only, where there is no corresponding “enforcement action charging violations of the anti-bribery provisions.” He wrote “It is difficult to see how a disgorgement remedy premised solely on an FCPA books and records and internal controls case is not punitive. It is further difficult to see how the mis-recording of a payment (a payment that the SEC does not allege violated the FCPA’s anti-bribery provisions) can properly give rise to a disgorgement remedy.”

Bohn and Kalb said, “Over the last six years, disgorgement has served to significantly increase the financial loss that companies are exposed to in FCPA enforcement matters. In addition to the considerable civil penalties often imposed by the SEC as part of FCPA settlements, the SEC has made clear that it will not hesitate to seek recovery of large sums through disgorgement provided they are reasonably related to the alleged misconduct. Yet the methodology used by the SEC to support the amounts it seeks to disgorge has not been much discussed.  In the absence of adequate guidance as to how these sums are calculated, disgorgement poses an even greater risk in the current aggressive FCPA enforcement climate.” I would only add to their conclusion that profit disgorgement is here to stay.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

March 12, 2015

Protections for CCOs from Wrongful Termination

Wrongful TerminationThis week the Houston Texans unceremoniously cut the franchise’s greatest player in its short history, receiver Andre Johnson. This was after his being hauled into the office of the head coach and being told that he would only need to work half as hard next year. As reported by Jerome Solomon in the Houston Chronicle article entitled “Move inevitable, but team bungles its handling”, Head Coach Bill O’Brien told Johnson that his catch total would drop from the 84 he has averaged in his 12 year career with the Texans down to “around 40 passes next season.” But O’Brien went on to add the team’s certain Hall of Fame receiver “wasn’t likely to be a starter next season, definitely not for all of the games.” So much for playing your best player at his position on a full-time basis, but hey, at least the information was made public.

Now imagine you are a Chief Compliance Officer (CCO) and have been one of your company’s senior management for the better part of the past 12 years. While you may not have been the most important member of the management team you certainly have helped navigate the company through rough compliance waters. Now imagine the company Chief Executive Officer (CEO) who tells you that although he has no one in mind to replace you (other than a less experienced and a smaller-salaried compliance specialist) your services will only be needed half the time in the coming year. What if this is in response to advice the head of the company did not like? What should the response be?

You can consider the departure from MF Global of its Chief Risk Officer, the financial services equivalent of a CCO. As reported in a New York Times (NYT) article entitled “MF Global’s Risk Officer Said to Lack Authority” Ben Protess and Azam Ahmed reported that the company replaced its Chief Risk Officer, Michael Roseman, after he “repeatedly clashed with Mr. Corzine [the CEO] over the firm’s purchase of European sovereign debt.” He was given a large severance package and left the company. When he left, there was no public reason given. His replacement was brought into the position with reduced authority.

If you are a public company, you may well need to heed the advice of fraud and compliance expert Jonathan Marks, a partner at Crowe Horwath LLP, who advocates that any time a CCO, a key executive, is dismissed it should be an 8K reporting event because the departure may be a signal of a change in the company’s attitude towards compliance or an alleged ethical breach had taken place. A similar view was expressed by Michael W. Peregrine in a NYT article entitled “Another View: MF Global’s Corporate Governance Lesson”, where he wrote that a “compliance officer is the equivalent of a “protected class” for governance purposes, and the sooner leadership gets that, the better.” Particularly in the post Sarbanes-Oxley world, a company’s CCO is a “linchpin in organizational efforts to comply with applicable law.” When a company fires (or asks him/her to resign), it is a significance decision for all involved in corporate governance and should not be solely done at the discretion of the CEO alone.

In its Code of Ethics for Compliance and Ethics Professionals, the Society for Corporate Compliance and Ethics (SCCE) has postulated Rule 1.4, which reads, “If, in the course of their work, CEPs become aware of any decision by their employing organization which, if implemented, would constitute misconduct, the professional shall: (a) refuse to consent to the decision; (b) escalate the matter, including to the highest governing body, as appropriate; (c) if serious issues remain unresolved after exercising “a” and “b”, consider resignation; and (d) report the decision to public officials when required by law.” As commentary to this rule, the SCCE said, “The duty of a compliance and ethics professional goes beyond a duty to the employing organization, inasmuch as his/her duty to the public and to the profession includes prevention of organizational misconduct. The CEP should exhaust all internal means available to deter his/her employing organization, its employees and agents from engaging in misconduct. The CEP should escalate matters to the highest governing body as appropriate, including whenever: a) directed to do so by that body, e.g., by a board resolution; b) escalation to management has proved ineffective; or c) the CEP believes escalation to management would be futile. CEPs should consider resignation only as a last resort, since CEPs may be the only remaining barrier to misconduct. A letter of resignation should set forth to senior management and the highest governing body of the employing organization in full detail and with complete candor all of the conditions that necessitate his/her action. In complex organizations, the highest governing body may be the highest governing body of a parent corporation.”

What about compensation? The Department of Justice (DOJ) has made clear that it expects a CCO to resign if the company refuses advice and violates the Foreign Corrupt Practices Act (FCPA). The former head of the DOJ-FCPA unit Chuck Duross went so far as to compare CCOs and compliance practitioners to the Texans at the Alamo. To be fair to Duross, I think he was focusing more on the line in the sand part of the story, while I took that to mean they were all slaughtered for what they believed in. But whichever interpretation you may choose to put on it, the DOJ clearly expects a CCO to stand up and if a CEO does not like what they say, he or she must resign. This puts CCOs and compliance practitioners in a very difficult position, particularly if there is no exit compensation for doing the right thing by standing up.

I think the next step should be for the DOJ and Securities and Exchange Commission (SEC) to begin to discuss the need for contractual protection of CCOs and other compliance practitioners against retaliation for standing up against corruption and bribery. The standard could simply be one that protects a CCO and other compliance practitioners against termination without cause. Just as the SEC is investigating whether companies are trying to muzzle whistleblowers through post-employment Confidentiality Agreements, I think they should consider whether CCOs and other compliance practitioners need more employment protection. I think the SEC should also consider the proposals of Marks regarding the required 8K or other public reporting of the dismissal or resignation of any CCO. Finally, I would expand on Peregrine’s suggestion and require that a company Board of Directors approve any dismissal of a CCO. With these protections in place, a CCO or compliance practitioner would have the ability to confront management who might take business decisions that violate the FCPA.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

 

 

March 10, 2015

Taking the Rolls Out for a Spin? Maybe You Should Avoid Brazil

Rolls RoyceJust as the GlaxoSmithKline PLC (GSK) case in China heralded a new day in international anti-corruption enforcement, the Petrobras case may be equally important going forward. The scope and breadth of the investigation is truly becoming worldwide. Last fall, one of the first questions raised was why was the US Securities and Exchange Commission (SEC) was investigating the company as it is headquartered in Brazil. While there is subsidiary Petrobras USA, which is a publicly listed company, it was not immediately apparent what role the US entity might have had in the bribery scandal, which was apparently centered in Brazil. However some recent revelations from across the pond may shed some light on the topic.

As with any corruption scandal there are both bribe payors and bribe receivers. The Petrobras corruption scandal initially focused on the bribe receivers in Petrobras. But last month one of the key bribe receivers, who is now cooperating with the Brazilian authorities, Pedro Barusco has identified the UK Company Rolls-Royce Group PLC as a bribe payor. As reported in the Financial Times (FT) by Samantha Pearson and Joe Leahy, in an article entitled “Rolls-Royce accused in Petrobras scandal”, Barusco has “told police he personally received at least $200,000 from Rolls-Royce — only part of the bribes he alleged were paid to a ring of politicians and other executives at the oil company.”

However the allegations moved far beyond simply Rolls-Royce. The article also reported, “Brazil’s authorities are already investigating allegations that Petrobras officials accepted bribes from SBM Offshore, a Netherlands-based supplier of offshore oil vessels. SBM has said it is co-operating with the investigation. Units of two Singaporean companies, Keppel Corporation and Sembcorp Marine, along with three Brazilian shipbuilders with large Japanese shareholders, have also been accused of participating in the bribes-for-contracts scheme.” Finally, they reported that “Mr Barusco alleged that his friend Luiz Eduardo Barbosa, a former executive of Swiss engineering group ABB, was responsible for organising bribes from Rolls-Royce, SBM and Alusa, a Brazilian construction company.”

Rolls-Royce is currently under investigation by the UK Serious Fraud Office (SFO) and Department of Justice (DOJ) for allegations of corruption in several countries. Katherine Rushton, reporting in The Telegraph in an article entitled “Rolls-Royce investigated in US over bribery claims”, said “Rolls-Royce is being investigated by the US Department of Justice (DoJ), following allegations that its executives bribed officials in Indonesia, China and India in order to win lucrative contracts.” She cited to the company’s annual report for the following, ““The group is currently under investigation by law enforcement agencies, primarily the Serious Fraud Office in the UK and the US Department of Justice. Breaches of laws and regulations in this area can lead to fines, penalties, criminal prosecution, commercial litigation and restrictions on future business.””

But more than simply Rolls-Royce, readers will recognize several names from a rogue gallery of companies either implicated with corruption violations or under investigation. SBM Offshore was a poster child last year for the DOJ deferring to foreign authorities to prosecute claims of bribery and corruption. I wonder if SBM Offshore attested in its settlement documents with the relevant Netherlands authorities that it had not engaged in any other bribery and corruption beyond that which was the basis of its settlement? I wonder if the company made any such averments to the DOJ? I wonder if the DOJ will make any such deferments again given the SBM Offshore settlement with the Dutch authorities? What about ABB?

In addition to the above, SBM Offshore may be the most relevant example in the debate of an international double jeopardy standard. Jordan Moran, writing in the Global Anti-Corruption Blog, has consistently argued that international double jeopardy is a bad idea. Most recently, in an article entitled “Why International Double Jeopardy Is a Bad Idea”, he said, “when it comes to the global fight against transnational bribery, double jeopardy probably isn’t all it’s cracked up to be. To begin, most arguments calling for the U.S. and other OECD member countries to recognize international double jeopardy are nonstarters.”

Also interesting was the reference to ABB as the company went through its own Foreign Corrupt Practices Act (FCPA) enforcement action. As reported by Dick Cassin, in a 2010 FCPA Blog post entitled “ABB Reaches $58 Million Settlement (Updated)”, the company “reached a settlement Wednesday with the DOJ of criminal FCPA charges and will pay a fine $19 million. And in resolving civil charges with the SEC, the company will disgorge $22.8 million and pay a $16.5 million civil penalty. ABB Ltd’s U.S. subsidiary, ABB Inc., pleaded guilty to a criminal information charging it with one count of violating the anti-bribery provisions of the FCPA and one count of conspiracy to violate the FCPA. The court imposed a sentence that included a criminal fine of $17.1 million.” There was no information at that time as to whether the individual that Barusco named as the bribe payment facilitator, one Luiz Eduardo Barbosa, was involved in the prior ABB enforcement action in any way.

We have one or more companies, who are under current DOJ investigations, now being investigated in connection with the Petrobras bribery scandal. There are also companies that have gone through prior bribery and corruption enforcement actions now identified in the scandal. All of this now leads me to have some type of understanding of why the SEC might be investigating Petrobras USA. First, and most probably, it would be to see if the US entity was involved in the apparent decade long bribery scheme that the Brazilian parent now finds itself embroiled in. What if the US subsidiary was paying bribes to its parent to obtain or retain a benefit? Next would be any evidence of violations of the accounting provisions or internal controls requirements found in the FCPA. Finally, the SEC might be looking at Petrobras USA to see who its suppliers might be and if those companies merited investigation. Similar to looking that the Panalpina customer lists the SEC could review the Petrobras USA contractor list.

Just as GSK heralded the first time the Chinese government prosecuted a western company for violation of Chinese law, I believe the Petrobras bribery scandal will be a watershed. The outpouring of information and allegations at this time point to a multi-year, truly worldwide, bribery scheme. While it may in part have been Petrobras officials shaking down contractors for payments, it really does not matter under the FCPA or UK Bribery Act. If any company subject to either or both of those laws paid monies to Petrobras I expect they will be fully prosecuted. Further, given the arguments against an international double jeopardy standard made by Moran and others AND the apparent recidivism of prior bribery offenders, some companies may be in for a long and expensive ride.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

March 9, 2015

Who is Responsible for Complying with the FCPA?

7K0A0014-2The Department of Justice (DOJ) still faces criticism over its Foreign Corrupt Practices Act (FCPA) enforcement strategy. Some decry that it is too aggressive, that the DOJ has moved into waters Congress never intended the DOJ to navigate into regarding the FCPA. Others worry that the DOJ, through its use of settlement mechanisms such as Deferred Prosecution and Non-Prosecution Agreements (DPAs and NPAs), let corporations off to easily with fines and other monetary penalties being the equivalent of a slap on the wrist. Yet another school of thought says that it is up to the DOJ to tell companies how not to engage in bribery and corruption by specifying precisely what type of anti-corruption compliance program to put into effect.

One thing these commentariat all have in common is that they generally do not look to those responsible for obeying the law, i.e. companies and persons who are subject to the FCPA, for their responsibility of complying with the law. Such failure seems to me to be sadly misplaced. But it is not simply Mike Volkov’s FCPA Paparazzi who fail to assess a corporation’s role in their failure to comply with the law; unfortunately it is also company leaders themselves.

We recently were treated to another such display of ‘What Me Worry?’ mentality by HSBC Chief Executive Officer (CEO) Stuart Gulliver when he said, “Can I know what every one of 257,000 people is doing?” Leaving aside the issue of whether a corporate CEO who has signed one of the largest DPAs in the history of the world (for money-laundering, not FCPA violations); should admit he (1) he doesn’t care or (2) his company is too unwieldy for it to obey the laws that you and I follow everyday; Gulliver inadvertently hit upon one of the key concepts of a best practices compliance program. That concept is a well-rounded program that assures compliance, not some all knowing, all seeing narcissist at the top.

In a Financial Times (FT) article entitled “Too big to manage”, Andrew Hill blasted Gulliver’s statement as “disingenuous” but went on to state, “Knowing what every employee is doing is not the leader’s responsibility. But by using a combination of the right structure, the latest technology and, above all, by imbuing a company with the correct culture and reinforcing regular communication with visits to the shop floor, he or she should be able to limit the chance of a major scandal.” Hill quoted management thinker Henry Mintzberg for the following, ““You can’t excuse [scandals] by saying we have so many employees. You . . . have got to be on the ground to have a sense of what your organisation is all about.””

This means a CEO is not required to know everything but he does need to have an overall sense of whether his company is moving in a direction to do things such as follow the law. I would say this is even truer when you have promised (yet again) in a DPA that your company will follow the law. It also means that the leader sets the tone. If your leader takes the position that he or she cannot know what everyone is doing; that tone will be communicated down to the field troops but the message will be that said maximum leader does not care what the middle and lower levels are doing. Hence the DOJ would say that it all starts with Tone at the Top. Sadly Gulliver does not seem to acknowledge, let alone understand, that issue.

But more than simply having a leader that cares and is engaged; Gulliver’s statement belies other aspects of a best practices compliance program. Technology provides a mechanism for oversight of a compliance regime. Under the FCPA Ten Hallmarks of an Effective Compliance Program, monitor is recognized as a key element so your company should establish a regular monitoring system to spot issues and address them. Effective monitoring means applying a consistent set of protocols, checks and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. To address this, your compliance team should be checking in routinely with the finance departments in your foreign offices to ask if they’ve noticed recent accounting irregularities. Regional directors should be required to keep tabs on potential improper activity in the countries they manage. Additionally, the global compliance committee should meet or communicate as often as every month to discuss issues as they arise. These ongoing efforts demonstrate your company is serious about compliance.

In addition to monitoring, structural controls are recognized as an important element. Hill said that large companies “must use structural means to maintain control.” One of the best explanations of the use of internal controls as a structural component of any best practices compliance program comes from Aaron Murphy, a partner at Foley and Lardner in San Francisco, in his book entitled “Foreign Corrupt Practices Act”, where he said, “Internal controls are policies, procedures, monitoring and training that are designed to ensure that company assets are used properly, with proper approval and that transactions are properly recorded in the books and records. While it is theoretically possible to have good controls but bad books and records (and vice versa), the two generally go hand in hand – where there are record-keeping violations, an internal controls failure is almost presumed because the records would have been accurate had the controls been adequate.”

I would advocate that it is the interplay of the right message, tools in place to communicate and enforce the message and then oversight to ensure compliance with the message that allows a 250,000 plus employee base company to have a chance to operate in compliance with their legal obligations. Echoing this maxim, Hill quoted Rick Goings, Chairman and CEO of Tupperware Brands Corporation, for the following, “Wars are won not by generals, but by non-commissioned officers. If you have the right kind of structure…and behind that a value system, I think you can do it.”

HSBC continues to be the poster child for compliance lessons learned, whether intentional or not. Hill concluded his piece with the following, “The lesson may be that, irrespective of the size of the company, executives who lose touch with how their staff are using the culture they preach are courting embarrassment and scandal. The trend towards large companies operating through smaller units, with more autonomy and accountability for their actions, does not absolve leaders from meeting their traditional responsibilities to know what is happening on the frontline. As Prof Fischer suggests, they should manage according to the old Russian proverb that Ronald Reagan adopted when dealing with the Soviet Union in the 1980s: trust, but verify.”

There is a plethora of compliance regimes that companies can look to in order to create a best practices compliance program. Simply put, it is a relatively straightforward exercise; perhaps not easy but certainly there are well-articulated compliance programs that companies can follow. To continue to criticize the DOJ (and Securities and Exchange Commission) for failing to communicate what they wish to see in a best practices compliance program, simply fails to take into account the responsibility that corporations have in complying with US laws. The information is out there in abundance. Even a weekend article in the FT lays it out for you.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

March 4, 2015

Minnie Minoso Broke Barriers; Goodyear Pushes Compliance Forward

Minnie MinosoYesterday we celebrated the hard-nosed playing style of Anthony Mason, who recently passed away. Today we honor a true pioneer in professional baseball, Minnie Minoso, or Mr. White Sox. Minoso was the first black Cuban to play in Major League Baseball (MLB) when he debuted for the Cleveland Indians in 1949. In 1951, he was traded to the Chicago White Sox and he became a southside fixture for the rest of the decade. While his numbers were less than 2000 hits and 200 home runs, he was a fearless and speedy base runner and a nine-time All Star. Similarly to Mr. Cub, Ernie Banks, the Chicago White Sox erected a statue in tribute to Mr. White Sox outside their ballpark. Even President Obama was moved to release a statement about Minoso saying in part, “Minnie may have been passed over by the Baseball Hall of Fame during his lifetime, but for me and for generations of black and Latino young people, Minnie’s quintessentially American story embodies far more than a plaque ever could.”

The contribution of Minoso in the exorable march of MLB towards integration informed part of my reading of the recent Goodyear Tire & Rubber Company (Goodyear) Foreign Corrupt Practices Act (FCPA) enforcement strategy of the Securities and Exchange Commission (SEC). This enforcement action was a solo effort by the SEC; there was no corresponding Department of Justice (DOJ) criminal enforcement action. So following this past fall’s triumvirate of SEC enforcement actions involving Smith & Wesson, Layne Christenen and Bio-Rad, the SEC continues to bring enforcement actions based upon the books and records and internal controls civil requirements of the FCPA. Therefore the Goodyear enforcement action is one which provides many lessons to be learned by the Chief Compliance Officer (CCO) or compliance practitioner going forward and should be studied quite carefully by anyone in the compliance field.

The Bribery Schemes

As set out in the SEC Cease and Desist Order (the Order), Goodyear used several different bribery schemes in different countries, all violating the FCPA. In Kenya, Goodyear became a minority owner in a locally owned business which apparently paid bribes the old-fashioned way, in cash to the tune of over $1.5MM, yet falsely recorded the cash bribe payments as “promotional expenses.” In Angola, a wholly-owned subsidiary of the company paid approximately $1.6MM in bribes by falsely marking up invoices with “phony freight and customs clearing costs.” The subsidiary made the payments in cash and through wire transfers to various government officials. Finally, the subsidiary apparently cross-referenced the bribes it paid as follows, “As bribes were paid, the amounts were debited from the balance sheet account, and falsely recorded as payments to vendors for freight and clearing costs.” In other words a complete, total and utter failure of internal controls to forestall any of the foregoing.

Internal Controls Violations

The Order set out the section of the FCPA that the company violated. Regarding the internal controls, the Order stated, “Under Section 13(b)(2)(B) of the Exchange Act issuers are required to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that (i) transactions are executed in accordance with management’s general or specific authorization; (ii) transactions are recorded as necessary (I) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (II) to maintain accountability for assets; (iii) access to assets is permitted only in accordance with management’s general or specific authorization; and (iv) the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences.”

The Comeback

Equally important for the CCO or compliance practitioner are the specific steps that Goodyear took to remediate the situation it found itself in through these illegal payments. When the company received the initial reports about “the bribes, Goodyear promptly halted the improper payments and reported the matter to Commission staff.” Moreover, the company also cooperated extensively with the SEC. As noted in the Order, “Goodyear also provided significant cooperation with the Commission’s investigation. This included voluntarily producing documents and reports and other information from the company’s internal investigation, and promptly responding to Commission staff’s requests for information and documents. These efforts assisted the Commission in efficiently collecting evidence including information that may not have been otherwise available to the staff.”

In the area of internal remediation, regarding the entity in Kenya, where Goodyear was a minority owner in a local business, the company got rid of its from its corrupt partners by divesting its interest and ceasing all business dealings with the company. Goodyear is also divesting itself of its Angolan subsidiary. The Order also noted that Goodyear had lost its largest customer in Angola when it halted its illegal payment scheme. The company also took decisive disciplinary action against company employees “including executives of its Europe, Middle East and Africa region who had oversight responsibility, for failing to ensure adequate FCPA compliance training and controls were in place at the company’s subsidiaries in sub-Saharan Africa.”

Finally, in a long paragraph, the SEC detailed some of the more specific steps Goodyear took in the area of remediation. These steps included:

  • Improvements to the company’s compliance function not only in sub-Saharan Africa but also world-wide;
  • In Africa, both online and in person training was beefed up for “subsidiary management, sales and finance personnel”;
  • Regular audits were instituted by the company’s internal audit function, which “specifically focused on corruption risks”;
  • Quarterly self-assessment questionnaires were required of each subsidiary regarding business with government-affiliated customers;
  • For each subsidiary, there were management certifications required on a quarterly basis that required, “among other things controls over financial reporting; and annual testing of internal controls”;
  • Goodyear put in a “new regional management structure, and added new compliance, accounting, and audit positions”;
  • The company made technological improvements to allow the company to “electronically link subsidiaries in sub-Saharan Africa to its global network”;

However these changes were not limited to improvement of Goodyear’s compliance function in Africa only. At the corporate headquarters, Goodyear created the new position of “Vice President of Compliance and Ethics, which further elevated the compliance function within the company”. There was expanded online and in-person training at the corporate headquarters and other company subsidiaries. Finally, the company instituted a new “Integrity Hotline Web Portal, which enhanced users’ ability to file anonymous online reports to its hotline system. With that system, Goodyear is also implementing a new case management system for legal, compliance and internal audit to document and track complaints, investigations and remediation.”

The specific listing of the compliance initiatives or enhancements that Goodyear pushed after its illegal conduct came to light is certainly a welcomed addition to SEC advice about what it might consider some of the best practices a company may engage in around its compliance function. Moreover, this specific information can provide audit and information to the compliance practitioner of strategies that he or she might use to measure a company’s compliance program going forward. The continued message of cooperation and remediation as a way to lessen your overall fine and penalty continues to resonate from the SEC. Finally, just as Minoso helped move forward the integration of baseball and civil rights in general, the Goodyear FCPA enforcement action demonstrates that the SEC will continue to prosecute cases around the failure of or lack of internal controls. The clear import is that a company must have an appropriate compliance internal control regime in place. We are moving towards a strict liability standard under the FCPA around internal controls, which I will have much more to say about later but for now – you have been warned.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

February 25, 2015

Doing Less with Less and the Unification of Germany

Sqeezed Piggy BankI am attending the SCCE Utilities and Energy Conference in Houston this week. As usual, the SCCE has put on a great event for the compliance practitioner. This year there is live blogging by Kortney Nordum so there should be much about the conference up on the SCCE blogsite, this week and into the future. Lizza Catalano has put together a first rate program for compliance practitioners of many stripes. As an added benefit, SCCE Chief Executive Officer (CEO) Roy Snell has brought some cold weather down to Houston for the event for our late February enjoyment. While it was 80 on Saturday, today is was a balmy 36 courtesy of our Minnesotan guests.

As you might guess the current economic downturn is on everyone’s mind and a subject of much conversation. Last week I wrote a post about the depression of oil and gas prices in the energy space and some of the increased Foreign Corrupt Practices Act (FCPA) or other anti-corruption risks that might well arise from this economic downturn. Over the next couple of days, I want to explore how a Chief Compliance Officer (CCO) or compliance practitioner might think through responses to this increased compliance risk. Today I will focus on doing less with less. Tomorrow I will suggest some technological solutions.

I have been around long enough to see more than one of these economic events in the energy space. While not suggesting that we Texans never learn not to repeat our mistakes, they do seem to have a pattern. Prices drop precipitously, companies who are overstocked, over-leverage or generally over-panic; over-react and cut head count and spending dramatically to some level that is not based on rational economic analysis. Then they get some handle on where the numbers might be heading and the cuts start to flatten out and some type of equilibrium is reached.

Right now, in the energy space, we are in the cutting phase. That means loss of personnel (head count) and loss of resources even if it was calculated last year based on a summer or fall 2014 economic projection in your annual budgeting process. This means one thing you will need get for a quarter or two will be financial resources to place the personnel your compliance function may have lost. This means that you will have to figure out a way to accomplish more with fewer resources. While I often advocate that the compliance function can and should draw on other disciplines such as Human Resources (HR), IT, Internal Audit and Marketing for support; those functions have most probably been ‘right-sized’ as well so they may not be able to assist the compliance function as much they could have previously.

Now would be a very good time to put into practice what Dresser-Rand CCO Jan Farley often says, “Don’t sweat the small (compliance) stuff.” Farley often speaks about the need not to waste your scarce compliance resources on areas or matters that are low compliance risks. But to do this, you need to understand what are your highest compliance risks. Since you will not have additional resources to perform such an analysis, I would suggest now would be a very good time for you to assess your compliance program and your business model to see what are your highest risks. If you believe there are several, you can fprioritize them. This exercise will give you the basis to deliver your ever-scarcer compliance resources to your highest risk areas.

While I do not believe the Department of Justice (DOJ) or Securities and Exchange Commission (SEC) will be sympathetic to some unsubstantiated claim along the lines of ‘I did my best with what I had’; they also made clear in the FCPA Guidance that “An effective compliance program promotes “an orga­nizational culture that encourages ethical conduct and a commitment to compliance with the law.” Such a program protects a company’s reputation, ensures investor value and confidence, reduces uncertainty in business transactions, and secures a company’s assets. A well-constructed, thought­fully implemented, and consistently enforced compliance and ethics program helps prevent, detect, remediate, and report misconduct, including FCPA violations.” (emphasis supplied)

So while the DOJ and SEC will not accept you bald-faced claims that our company simply did not have the money to spend on compliance, they will most-probably consider a compliance program where you have looked at your risks, in the context of this economic downturn, and delivered the compliance resources you do have to those risks. But the key is Document, Document, and Document your decision-making calculus and your implementation. (Stephen Martin would probably add here that if your annual spend on Yellow Post-It Notes is a factor of 10X your compliance spend, this approach would not be deemed credible.)

In her On work column in the Financial Times (FT), Lucy Kellaway wrote about this the concept of doing less with less for the corporate executive personally, in an article entitled, “No need to ‘lean in’ when laziness can be just as effective”. She cited to the Prussian General Helmuth von Moltke for “devising one of the world’s fist management matrices” when he assessed his officers on two scales: “clever v. dim and lazy v. energetic.” From this he came up with four permutations:

  • Dim and lazy – Good at executing orders.
  • Dim and energetic – Very dangerous, as they take the wrong decisions.
  • Clever and energetic – Excellent staff officers.
  • Clever and lazy – Top field commanders as they get results.

The point of Kellaway’s article has direct implications for the CCO or compliance practitioner currently facing an economic downturn, “It is only by being lazy that we become truly efficient, and come to see what is important and what is not.” Kellaway cautioned “the sort of laziness to encourage is not the slobbish variety that means you do bad work. That is not laziness: it is stupidity. Instead, we need the clever version that comes from knowing there is an opportunity cost to every minute we spend working, so we must use our time wisely.”

From the compliance perspective, this translates directly into using your compliance resources wisely. So whether you want to cite the Prussian general who unified Germany, columnist Kellaway, Dresser-Rand CCO Farley or this article’s theme of doing less with less, I would suggest to you there is a manner to maintain “A well-constructed, thought­fully implemented, and consistently enforced compliance and ethics program helps prevent, detect, remediate, and report misconduct, including FCPA violations” even in an economic downturn.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

 

Next Page »

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 5,204 other followers