FCPA Compliance and Ethics Blog

August 14, 2012

Pfizer DPA Part III – What Does It All Mean?

Last week I began an exploration of the Pfizer Deferred Prosecution Agreement (DPA) which was announced last week by the Department of Justice (DOJ) in connection with its settlement of Foreign Corrupt Practices Act (FCPA) violations. In Part I, I reviewed the Corporate Compliance Obligations, Attachment C.1. In Part II, I reviewed the Enhanced Compliance Obligations, Attachment C.2 and Corporate Reporting Obligation, Attachment C.3, which Pfizer agreed to implement and operate under. In Part III, I will discuss some of the implications raised by the Pfizer DPA for the compliance practitioner.

Below is a comparison chart of the minimum best practices compliance program as set out in the Panalpina DPA and all DPAs coming forward with the minimum best practices compliance program as set out in the Pfizer DPA. While the number of compliance obligations is somewhat different, when read in conjunction with the Enhanced Compliance Obligations of Attachment C.2, there is no significant difference. Therefore, and initially, the compliance practitioner must read both the Corporate Compliance Obligations and Enhanced Compliance Obligations in conjunction with each other.

CORPORATE COMPLIANCE COMPARISON CHART

| Panalpina Minimum Best Practices | Pfizer 9 Point Corporate Compliance Program |
| --- | --- |
| 1. Code of Conduct. To ensure against FCPA violations. | 1. Clearly articulated corporate policy against FCPA violations. |
| 2. Tone at the Top. A company will ensure that its senior management provides visible support and commitment to its corporate anti-corruption policy. | 2. Promulgation of compliance standards and procedures designed to reduce the prospect of violations of the anti-corruption laws and Pfizer’s compliance code. |
| 3. Written policies and procedures. Should be created in the following areas (a) gifts; (b) hospitality, entertainment, and expenses; (c) customer travel; (d) political contributions; (e) charitable donations and sponsorships; (f) facilitation payments; and (g) solicitation and extortion. | 3. Assignment of one or more senior corporate execs for implementation and oversight of compliance program. They shall report to the Board. |
| 4. Risk Assessment. Perform risk assessment and use it to inform your compliance program. 9(b)-internal and confidential reporting system. | 4. Effective communication of the compliance policies including training and certification of training. |
| 5. Annual Reviews. No less than annually, a company should review and update as appropriate to ensure continued compliance program effectiveness. | 5. An effective system for reporting illegal conduct or violations of the company anti-corruption program. |
| 6. Senior Management Oversight and Reporting. Assignment of one or more senior corporate executives for implementation & oversight of compliance program and they shall report to Board of Directors. | 6. Appropriate disciplinary procedures. |
| 7. Internal controls. These should include financial and accounting procedures which should ensure that the company has accurate and fair books and records, which cannot be used for or conceal bribery. | 7. Appropriate due diligence for retention and oversight of agents and business partners. |
| 8. Training. A company shall effectively communicate compliance program through training and annual certifications. | 8. Standard compliance terms and conditions in contracts including (1) reps and undertakings re: anti-corruption compliance; (2) right to audit; and (3) right to terminate for breach thereof. |
| 9. Advice and Guidance. The Company should establish or maintain an effective system for: (a) Providing guidance; (b) Internal and confidential reporting; and (c) Responding to such requests and undertaking appropriate action in response to such reports. | 9. Periodic testing of Pfizer compliance code and anti-corruption procedures. |
| 10. Discipline. A company shall institute appropriate disciplinary procedures to address violations of compliance policy or anti-corruption laws. | |
| 11. Third Party Reps. (a) Properly documented risk-based due diligence and regular oversight of agents and business partners; (b) Informing agents and business partners of the compliance standards; and (c) Seeking a reciprocal commitment from agents and business partners. | |
| 12. Compliance terms and conditions. Should be included in every agent agreement. | |
| 13. Ongoing Assessment. Periodic review and testing of compliance program to evaluate it and improve the program’s effectiveness. | |

In addition to a Chief Compliance Officer (CCO) and Risk Officer (RO) who will report directly to the Chief Executive Officer (CEO), there were further specified requirements for compliance leads to be appointed with responsibility for each of its business units who would in turn report to the CCO and RO or General Counsel (GC). Finally, similar to the situation we observed in the Halliburton settlement of its shareholder derivative action, Pfizer will have an Executive Compliance Committee, which will sit below the Board of Directors to oversee Pfizer’s compliance program.

The Enhanced Compliance Obligations require that Pfizer maintain policies and procedures regarding gifts, hospitality, and travel in each jurisdiction that are appropriately designed to prevent violations of the anti-corruption laws and regulations, presumably tailored to each jurisdiction. This statement would seem to focus on reasonableness not only in terms of monetary value but also in factoring in the jurisdiction where the gift or hospitality is to be provided. Finally, and as always, travel and training must have a business purpose.

There was a very detailed plan laid out for a risk-based program of annual proactive anti-corruption reviews of high-risk markets. It consists of five markets which are at high risk for corruption because of the business and location. The specifics for each visit will be a useful guide for the compliance practitioner to compare with similar work done by his compliance group. It includes (a) On-site visits by an FCPA review team comprised of qualified personnel from the Compliance, Audit and Legal functions who have received FCPA and anti-corruption training; (b) Review of a representative sample, appropriately adjusted for the risks of the market, of contracts with, and payments to, individual foreign government officials or health care providers, as well as other high-risk transactions in the market; (c) Creation of action plans resulting from issues identified during the proactive reviews; these action plans will be shared with appropriate senior management and should contain mandatory remedial steps designed to enhance anti-corruption compliance, repair process weaknesses, and deter violations; and (d) a review of the books and records of a sample of distributors which, in the view of the FCPA proactive review team, may present corruption risk.

Interestingly, the DPA specifies that Pfizer will maintain “significant” resources for the compliance function. These significant resources will be dedicated to several different types of compliance tools, including (a) an international investigations group charged with responding to and investigating anti-corruption compliance issues and ensuring that appropriate remedial measures are undertaken after the completion of an investigation; (b) an anti-corruption program office providing centralized assistance and guidance regarding the implementation, updating and revising of the FCPA Procedure, the establishment of systems to enhance compliance with the FCPA Procedure, and the administration of corporate-level training and annual anti-corruption certifications; and (c) a mergers and acquisitions (M&A) compliance team designed to support early identification of compliance risks associated with complex business transactions and to ensure the integration of Pfizer’s compliance procedures into newly acquired entities. There was a slightly different time schedule listed for Pfizer to complete post-acquisition auditing, training and implementation of the Pfizer compliance program into the acquired company. I have added to my recent FCPA M&A Box Score Summary.

| Time Frames | Halliburton 08-02 | J&J | DS&S | Pfizer |
| --- | --- | --- | --- | --- |
| FCPA Audit | 1. High Risk Agents – 90 days; 2. Medium Risk Agents – 120 days; 3. Low Risk Agents – 180 days | 18 months to conduct full FCPA audit | As soon “as practicable” | One year |
| Implement FCPA Compliance Program | Immediately upon closing | 12 months | As soon “as practicable” | One year |
| Training on FCPA Compliance Program | 60 days to complete training for high risk employees, 90 days for all others | 12 months to complete training | As soon “as practicable” | One year |

While there was no new language regarding risk evaluation, due diligence on, or other management of third party business parties, the DPA did specify that when it is appropriate on the basis of a FCPA risk assessment, the company will provide FCPA and anti-corruption training to relevant agents and business partners, at least once every three years.

The company is also to use annual certifications from senior managers in each of Pfizer’s Business Units, Divisions, and operational functions confirming that their standard operating procedures adequately implement Pfizer’s anti-corruption policies, procedures and controls, including training requirements; that they have reviewed and followed up on any issues identified in FCPA trend analyses; and that they are not aware of any FCPA or other corruption issues that have not already been reported to the Compliance Division or the Legal Division.

There is a wealth of information in the Pfizer DPA and other documents relating to its resolution of these FCPA issues. I would commend all the documents to you to read and see what areas your company may need to look at more closely and how these Compliance and Enhanced Compliance Obligation Attachments may provide insight into areas where you might be lacking or need to enhance your compliance program and coverage.  These enhanced obligations could well become the new minimum best practices in the FCPA compliance arena.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

June 28, 2012

2012 First Half FCPA Enforcement Round-Up: Part II

In yesterday’s post we reviewed three of the most significant enforcement actions so far for 2012. In today’s post we conclude with the final three enforcement actions that I believe provide the best or most recent insights for the compliance practitioner.

IV.       Biomet

On March 26, 2012, both the Securities and Exchange Commission (SEC) and the Department of Justice (DOJ) announced the resolution of enforcement actions against Biomet Inc., a US entity which manufactures and sells medical devices around the world. It is headquartered in Fort Wayne, Indiana. The Company admitted to a lengthy run of bribery and corruption of doctors to purchase its products and paid a criminal fine of $17.3MM to resolve charges brought by the DOJ. It also agreed with the SEC to settle civil charges by paying $5.5MM in disgorgement of profits and pre-judgment interest.

A.     Bribery and Corruption Facts

The Company engaged in an eight (8) year scheme to bribe and corrupt doctors in the countries of Argentina, Brazil and China to induce the physicians to purchase Biomet products. The SEC Complaint reported that “2000 to August 2008, Biomet Argentina employees paid bribes to doctors employed by publicly owned and operated hospitals in Argentina in exchange for sales of Biomet’s medical device products. The doctors were paid approximately 15-20 percent of each sale.” In Brazil, the SEC Complaint reported that from 2001 until 2008, Biomet’s “Brazilian Distributor, paid bribes to doctors employed by publicly owned and operated hospitals to purchase Biomet’s implants. Brazilian Distributor paid the doctors bribes in the form of “commissions” of 10-20 percent of the value of the medical devices purchased.” In China, Biomet subsidiaries and its Chinese distributor paid from 5% up to 25% commissions to doctors for the sale of its products which were used during surgeries and also paid for Chinese surgeons to travel for training “including a substantial portion of the trip being devoted to sightseeing and other entertainment at Biomet’s expense.”

B.     Internal Audit Failures

The SEC Complaint reported that the Company’s Internal Audit was not only aware of the bribery program but discussed it in Memorandum to the Company’s home office, including the head of the Company’s Internal Audit Department. For instance in Argentina, the Company’s head of Internal Audit noted, as early as 2003, they “circulated an internal audit report on Argentina to Senior Vice President and others in Biomet in Indiana in which he stated, “[R]oyalties are paid to surgeons if requested. These are disclosed in the accounting records as commissions.” The Internal Audit report described the payments to surgeons, but only in the context of confirming that the amount paid to the surgeon was the amount recorded on the books.” However, the Company’s Internal Audit Department took no steps to determine why royalties were paid to doctors or why the payments to the doctors were 15-20% of sales. Internal Audit did not obtain any evidence of services which the doctors might have performed entitling them to the payments. The SEC Complaint noted that Internal Audit “concluded that there were adequate controls in place to properly account for royalties paid to surgeons without any supporting documentation” and Internal Audit’s only recommendation was to change the journal entry from “commission expenses” to “royalties.”

The SEC Complaint also noted that “Biomet’s books and records did not reflect the true nature of those payments. The Company’s payments were improperly recorded as “commissions,” “royalties”, “consulting fees”, “other sales and marketing”, “scientific incentives”, “travel” and “entertainment.” The SEC Complaint concluded with the following: “False documents were routinely created or accepted that concealed the improper payments.”

C.     Lessons Learned for Internal Audit

The SEC Complaint had some very clear guidance for the role of Internal Audit in detecting bribery and corruption in a best practices Foreign Corrupt Practices Act (FCPA) compliance program. First, if there are any types of commission payments being made, Internal Audit needs to review the documentation supporting why such payments are being made. A review of contracts or other legal requirements which may obligate a company to make such payments should be a basic undertaking in any internal audit. After an internal auditor has determined if commission payments are legally authorized, the internal auditor should review the evidence that such commission payments have been earned. Another role delineated in the SEC Complaint for Internal Audit is to correctly classify payments so that the books and records of the company accurately reflect them as expenses. As noted, the Director of Internal Audit instructed that bribes paid during clinical trials of the Company’s products should be reclassified as ‘expenses’.

Key Takeaway: This enforcement action lists the specific role of Internal Audit in a FCPA compliance program.

V. Morgan Stanley and Garth Peterson

This is the first instance of the public release of a Declination to Prosecute a company under the FCPA, where an employee agreed to an underlying FCPA violation. Morgan Stanley Managing Director Garth Peterson conspired with others to circumvent Morgan Stanley’s internal controls in order to transfer a multi-million dollar ownership interest in a Shanghai building to himself and a Chinese public official. Peterson encouraged Morgan Stanley to sell an interest in a Chinese real-estate deal to Shanghai Yongye Enterprise (Yongye), a state-owned and state-controlled entity through which Shanghai’s Luwan District managed its own property and facilitated outside investment. However, the DOJ declined to prosecute Morgan Stanley and noted in its Press Release, “After considering all the available facts and circumstances, including that Morgan Stanley constructed and maintained a system of internal controls, which provided reasonable assurances that its employees were not bribing government officials, the Department of Justice declined to bring any enforcement action against Morgan Stanley related to Peterson’s conduct. The company voluntarily disclosed this matter and has cooperated throughout the department’s investigation.”

A.     Declination to Prosecute

Both the DOJ and SEC went out of their way to praise the Morgan Stanley compliance program. This written praise demonstrated not only that companies receive credit from the DOJ for having a compliance program in place but also gave solid information as to why the DOJ declined to prosecute Morgan Stanley. In other words, it was a very public pronouncement of a declination to prosecute.

The SEC Complaint detailed the compliance program it had in place and how it directly related to Peterson.

(1) Morgan Stanley trained Peterson on anti-corruption policies and the FCPA at least seven times between 2002 and 2008.

(2) Morgan Stanley distributed to Peterson written training materials specifically addressing the FCPA.

(3) A Morgan Stanley compliance officer specifically informed Peterson in 2004 that employees of Yongye, a Chinese state-owned entity, were government officials for purposes of the FCPA.

(4) Peterson received from Morgan Stanley at least thirty five FCPA-compliance reminders.

(5) Morgan Stanley required Peterson on multiple occasions to certify his compliance with the FCPA.

(6) Morgan Stanley required each of its employees, including Peterson, annually to certify adherence to Morgan Stanley’s Code of Conduct.

(7) Morgan Stanley required its employees, including Peterson, annually to disclose their outside business interests.

(8) Morgan Stanley had policies to conduct due diligence on its foreign business partners, conducted due diligence on the Chinese Official and Yongye before initially conducting business with them, and generally imposed an approval process for payments made in the course of its real estate investments.

B.        Compliance Program as Compliance Defense

If it was not clear that a company receives credit for having a best practices compliance program it is now. Recognizing that a compliance program is not available as a formal affirmative defense, it is clear that Morgan Stanley was able to use not only their written compliance program, but its ongoing maintenance, communication and due diligence aspects to shield the employer from liability. The bottom line is what the DOJ and SEC representatives have been saying all along and that is that companies with best practices compliance programs receive credit in negotiating with the government.

Key Takeaway: The compliance defense is alive and well.

Key Takeaway II (for the DOJ): Publicize Declinations to Prosecute. It is solid information for the compliance practitioner to use and it will help companies do business in compliance with the FCPA.

VI. DS&S

Last, but certainly not least, we end our Top 6 of 2012, to date, with the Data Systems & Solutions LLC (DS&S) case.

A.     The Bribery Scheme

The bribery scheme involved payments made to officials at a state-owned nuclear power facility in Lithuania, named Ignalina Nuclear Power Plant (INPP). The payments were made to allow DS&S to obtain and retain business with INPP. The Information listed contracts awarded to DS&S in the amount of over $30MM from 1999 to 2004. Significantly, DS&S did not self-disclose this matter to the DOJ but only began an investigation after receiving a DOJ Subpoena for records.

The bribery scheme used by DS&S recycled about every known technique there is to pay bribes. The Information listed 51 instances of bribes paid or communications via email about the need to continue to pay bribes. The bribery scheme laid out in the Information reflected the following techniques used:

  • Payment of bribes by Subcontractors to Officials on behalf of DS&S;
  • Direct payment of bribes by DS&S into US bank accounts controlled by INPP Officials;
  • Creation of fictional invoices from the Subcontractors to fund the bribes;
  • Payment of above-market rates for services allegedly delivered by the Subcontractors so the excess monies could be used to fund bribes;
  • Payment of salaries to INPP Officials while they were ‘employed’ by Subcontractor B;
  • Providing travel and entertainment to Officials to Florida, where DS&S has no facilities and which travel and entertainment had no reasonable business purpose;

and last but not least…

  • Purchase of a Cartier watch as a gift.

B.     The Discounted Fine

DS&S received a discount of 30% off the low end of the penalty range as calculated under the US Sentencing Guidelines, which specified a fine between $25MM down to $12.6MM. The ultimate fine paid by DS&S was only $8.82MM, which the Deferred Prosecution Agreement (DPA) states is “an approximately thirty-percent reduction off the bottom of the fine range…” In addition to its real-time internal investigation and extraordinary cooperation, the DPA reports that DS&S took the following extensive remediation steps:

  • Termination of company officials and employees who were engaged in the bribery scheme;
  • Dissolving the joint venture and then reorganizing and integrating the dissolved entity as a subsidiary of DS&S;
  • Instituting a rigorous compliance program in this newly constituted subsidiary;
  • Enhancing the company’s due diligence protocols for third-party agents and subcontractors;
  • Chief Executive Officer (CEO) review and approval of the selection and retention of any third-party agent or subcontractor;
  • Strengthening of company ethics and compliance policies;
  • Appointment of a company Ethics Representative who reports directly to the CEO;
  • The Ethics Representative provides regular reports to the Members Committee (the equivalent of a Board of Directors in a LLC); and
  • A heightened review of most foreign transactions.

C.     Mergers & Acquisitions

Two new additions are found in items 13 & 14 on Schedule C of the DPA that dealt with mergers and acquisitions (M&A). They draw from and build upon the prior Opinion Release 08-02 regarding Halliburton’s request for guidance during an attempted acquisition and the Johnson and Johnson (J&J) Enhanced Compliance Obligations which were incorporated into its DPA. The five keys under these new items are: (1) develop policies and procedures for M&A work prior to engaging in such transactions; (2) full FCPA audit of any acquired entities “as quickly as practicable”; (3) report any corrupt payments or inadequate internal controls it discovers in this process to the DOJ; (4) apply DS&S anti-corruption policies and procedures to the newly acquired entities; and (5) train any persons who might “present a corruption risk to DS&S” on the company’s policies and procedures and the law.

Key Takeaway: Minimum best practices evolve so you should stay abreast of them. In the M&A arena, the DOJ continues to listen to comments on ‘buying a FCPA violation’ and provide guidance to manage the risk.


© Thomas R. Fox, 2012


June 11, 2012

Running the Big Con in DC: Lessons for the FCPA Compliance Practitioner

Most people have seen the movie “The Sting”, starring Robert Redford and Paul Newman, which tells the story of an older con man, Newman, who shows a younger man, Redford, how to run ‘the big con’ on a gangster played by Robert Shaw. It was fiction. However, on the front page of the Sunday Washington Post, on 10th June, was an article about Kevin Richard Halligen which showed that in the case of fraud and fraudsters, truth is often stranger than fiction.

In the article, entitled “A player, but what was his game?”, reporter Kevin Sullivan detailed the eventful life of Halligen in the fraud and swindler world, where, after leaving a trail of broken deals and broken hearts in England, he moved to Washington DC and set up shop all over again. In spite of numerous Red Flags from his prior life in the UK and his conduct in Washington, Halligen was able to persuade many people and companies to invest in his business ventures, where the contracted services to be delivered were negligible at best and outright fraud at the worst.

Halligen’s business was that of a somewhat murky ‘security consultant’ and having wormed his way into high powered Washington business circles, he proceeded to extract large sums of monies for services which were apparently never delivered and for investments where the money seems to have gone ‘poof’. During his run in Washington, he was successfully sued by several former clients and investors but this seemingly put no dent into his activities going forward. He even managed to woo and wed Maria Dybczak even though he claimed only days before the wedding that he could not sign the Marriage Certificate because “he was involved in undercover intelligence operations, he could not sign any public documents”. However, the real reason later turned out to be that he was already married at the time of his purported second marriage to Dybczak.

I thought about this cautionary tale in the context of third party due diligence under both the Foreign Corrupt Practices Act (FCPA) and the UK Bribery Act. Although the Bribery Act, Six Principles of an Adequate Procedures compliance program, specifically states that your company should only do business with other ethical companies, particularly those with similar best practices compliance programs, the FCPA does not have any such specific requirements. Nevertheless, both laws make it clear that a company should know with whom it is doing business.

The Halligen article reminded me that a company must understand that it can experience FCPA and Bribery Act risk through a wide variety of third party relationships, more than those simply in the sales end of the business. Such risks can come equally through the vendor side in the Supply Chain when a company might hire a business similar to those run by Kevin Richard Halligen.

In an article in the June issue of the Harvard Business Review, entitled “Pricing to Create Shared Value”, authors Marco Bertini and John Gourville discussed a five point analysis for the questions they raised. Admittedly their article focused on a context outside of anti-corruption but I found these points very good touchstones when thinking about some of the assumptions which should underlie your third party compliance program.

Focus on Relationships. This should be a part of your initial analysis and risk assessment. What is the relationship between the third party and your company? In other words, what are they going to do for you? If they are in the sales channel and will provide commercial services, that is generally viewed as information which would put them into a higher risk category than vendors in the Supply Chain. However, that analysis may be too facile. What if the services are in the murky areas inhabited by persons such as Halligen? Clearly he offered to provide services of some type but is it self-evident that these services would or would not involve interactions with foreign governmental officials? You may need to take a more in-depth look at the entities that you are doing business with that are not traditionally thought of as impacting the FCPA or Bribery Act.

Be Proactive. Flowing from your more robust review of the third parties you do business with, you should engage the business unit which desires to sustain or retain the relationship to lead the relationship, not the Compliance Department. I say this because it is the business unit which needs to own not only the process but the relationship. While the Compliance Department can certainly provide guidance, if the business unit is invested with ownership, they will also take the responsibility. Here the business unit can also be the leader in talking to the third party about what information the company will ask for and why such information is critical in any FCPA or Bribery Act compliance program.

Put a Premium on Flexibility. While procedures and processes are, by their definition, fixed and thereby limiting, your program should have flexibility to address differences in compliance risk as they arise. Consider the services offered by Halligen’s company Red Defence. In one instance, Halligen was going to offer general market intelligence on security issues; in another instance it was going to provide tracking and hopefully retrieval services for a child’s kidnapping. Further, Halligen even had an investment vehicle company named Oakley International. All of these services present different risks so that your program needs to be ready to respond with different qualities of due diligence in different situations. Or as my This Week in FCPA colleague, Howard Sklar, would term it, situational due diligence.

Promote Transparency. Transparency is the bane of fraudsters and corrupt entities of all types. They all seek the shelter of the shadows to ply their wares and Halligen was no different. It all starts with the initial request for information that you make via an application. If a potential third party refuses to answer any questions, you need to have a serious discussion as to the reason why. If a proposed third party refuses to provide a banking reference then that certainly needs to be explored. And for anyone out there thinking about getting married: if the bride or bridegroom tells you they cannot sign the marriage certificate, a serious reappraisal is in order.

Manage the Requisite Standards. The UK Ministry of Justice (MOJ) has provided written guidance as to what may constitute sufficient due diligence in its Six Principles of an Adequate Procedures compliance program. The US Department of Justice (DOJ) has also promised written guidance, but I do not think that companies need to wait for governmental guidance. You can take the steps outlined in this article and use them as a basis to begin your third party relationship process. The key is to put a process in place and then follow it. And of course, document, document and document.

While the movie The Sting remains great entertainment, the tale of Kevin Richard Halligen is certainly one which should give you pause to think about your company’s own compliance program. Not all fraud begins or ends with the extravagant lifestyle of Kevin Richard Halligen as reported by Sullivan in the Post. However, his story does point up the need for a robust compliance program, the process of which should be specified in your procedures. Certainly, if the people who lost money to Kevin Richard Halligen had done their risk assessments they might not be mentioned on the front page of the Sunday Washington Post right about now.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

May 2, 2012

Morgan Stanley Goes One for One with a Best Practices Compliance Program

On Monday night, Houston Astros manager Brad Mills went to the mound five times to change pitchers against five straight New York Mets batters. This set the Astros Twitter community literally ‘a-twitter’ as it was noted that, according to the Elias Sports Bureau, the “Astros became the 1st team in MLB history to use 5 different pitchers against 5 consecutive hitters.” Why did he do so? Mills has not made public his reasons, yet it seemed to work out, as only one of the five hitters was able to get a hit against the normally abysmal Astro relief corps. And the Astros actually won the game, which is an increasingly rare occurrence this season since having a winning record of 2-1 after three games.

I thought about the Mills treks to the mound last night when reading the recent Foreign Corrupt Practices Act (FCPA) enforcement action against former Morgan Stanley Managing Director Garth Peterson. According to the US Department of Justice (DOJ) Press Release, Peterson pled guilty to one count of criminal information charging him with “conspiring to evade internal accounting controls that Morgan Stanley was required to maintain under the FCPA.” Assistant Attorney General Lanny Breuer was quoted as saying, “Mr. Peterson admitted today that he actively sought to evade Morgan Stanley’s internal controls in an effort to enrich himself and a Chinese government official. As a Managing Director for Morgan Stanley, he had an obligation to adhere to the company’s internal controls; instead, he lied and cheated his way to personal profit.  Because of his corrupt conduct, he now faces the prospect of prison time.” Peterson will be sentenced in June.

The Allegations

According to the DOJ Press Release, Peterson conspired with others to circumvent Morgan Stanley’s internal controls in order to transfer a multi-million dollar ownership interest in a Shanghai building to himself and a Chinese public official with whom he had a personal friendship. Peterson encouraged Morgan Stanley to sell an interest in a Chinese real-estate deal to Shanghai Yongye Enterprise (Yongye), a state-owned and state-controlled entity through which Shanghai’s Luwan District managed its own property and facilitated outside investment. Peterson falsely represented to others within Morgan Stanley that Yongye was purchasing the real-estate interest, when in fact Peterson knew the interest would be conveyed to a shell company controlled by him, a Chinese public official associated with Yongye and an un-named Canadian attorney. After Peterson and his co-conspirators falsely represented to Morgan Stanley that Yongye owned the shell company, Morgan Stanley sold the real-estate interest in 2006 to the shell company at a discount to the interest’s actual 2006 market value. As a result, the conspirators realized an immediate paper profit of more than $2.5 million. Even after the sale, Peterson and his co-conspirators continued to claim falsely that Yongye owned the shell company. In the years since Peterson and his co-conspirators gained control of the real-estate interest, they have periodically accepted equity distributions and the real-estate interest has appreciated in value.

Declination to Prosecute

However, the greater import of this enforcement action for my money was what did NOT happen to Morgan Stanley. They were not indicted. In fact both the DOJ, in its Press Release, and the Securities and Exchange Commission (SEC), in its civil Complaint, went out of their way to praise the Morgan Stanley compliance program. This written praise not only demonstrated that companies receive credit from the DOJ for having a compliance program in place but also gave solid information as to why the DOJ declined to prosecute Morgan Stanley. In other words, it was a very public pronouncement of a declination to prosecute.

The SEC Complaint detailed the compliance program Morgan Stanley had in place and how it directly related to Peterson. The Complaint specified:

(1) Morgan Stanley trained Peterson on anti-corruption policies and the FCPA at least seven times between 2002 and 2008. In addition to other live and web based training, Peterson participated in a teleconference training conducted by Morgan Stanley’s Global Head of Litigation and Global Head of Morgan Stanley’s Anti-Corruption Group in June 2006.

(2) Morgan Stanley distributed to Peterson written training materials specifically addressing the FCPA, which Peterson maintained in his office.

(3) A Morgan Stanley compliance officer specifically informed Peterson in 2004 that employees of Yongye, a Chinese state-owned entity, were government officials for purposes of the FCPA.

(4) Peterson received from Morgan Stanley at least thirty five FCPA-compliance reminders. These reminders included FCPA-specific distributions; circulations and reminders of Morgan Stanley’s Code of Conduct, which included policies that directly addressed the FCPA; various reminders concerning Morgan Stanley’s policies on gift-giving and entertainment; the circulation of Morgan Stanley’s Global Anti-Bribery Policy; guidance on the engagement of consultants; and policies addressing specific high-risk events, including the Beijing Olympics.

(5) Morgan Stanley required Peterson on multiple occasions to certify his compliance with the FCPA. These written certifications were maintained in Peterson’s permanent employment record.

(6) Morgan Stanley required each of its employees, including Peterson, annually to certify adherence to Morgan Stanley’s Code of Conduct, which included a portion specifically addressing corruption risks and activities that would violate the FCPA.

(7) Morgan Stanley required its employees, including Peterson, annually to disclose their outside business interests.

(8) Morgan Stanley had policies to conduct due diligence on its foreign business partners, conducted due diligence on the Chinese Official and Yongye before initially conducting business with them, and generally imposed an approval process for payments made in the course of its real estate investments. Both were meant to ensure, among other things, that transactions were conducted in accordance with management’s authorization and to prevent improper payments, including the transfer of things of value to officials of foreign governments.

Based on the foregoing, the DOJ declined to prosecute Morgan Stanley and noted in its Press Release, “After considering all the available facts and circumstances, including that Morgan Stanley constructed and maintained a system of internal controls, which provided reasonable assurances that its employees were not bribing government officials, the Department of Justice declined to bring any enforcement action against Morgan Stanley related to Peterson’s conduct.  The company voluntarily disclosed this matter and has cooperated throughout the department’s investigation.”

Compliance Program as Compliance Defense

The second point of note in this enforcement action is that if it was not clear that a company receives credit for having a best practices compliance program it is now. Recognizing that a compliance program is not available as a formal affirmative defense, it is clear that Morgan Stanley was able to use not only their written compliance program, but its ongoing maintenance, communication and due diligence aspects to shield the employer from liability. Remember that Peterson was a Managing Director for Morgan Stanley. This is not a low level functionary but a person far up the food chain. Neither the DOJ nor the SEC invoked the doctrine of Respondeat Superior in any enforcement action against Morgan Stanley. The bottom line is what the DOJ and SEC representatives have been saying all along and that is that companies with best practices compliance programs receive credit in negotiating with the government. Here the DOJ spelled it out in their Press Release so kudos to the DOJ and SEC for doing so in such a public manner.

What Can You Do?

So what can you as a compliance officer do with the lessons learned from this enforcement action? Borrowing from my This Week in FCPA Colleague Howard Sklar’s recent blog post, entitled “The Most Marketable Compliance Officer In The World” I suggest the following:

(1) Regularly update your policies and procedures. The DOJ has said over and over, and has included in Schedule C – its description of an effective anti-corruption compliance program – that companies must update programs, and have several areas of compliance mentioned. Morgan Stanley took that lesson and did exactly what the DOJ expected.

(2) Increase the frequency of your training. Peterson was trained on the FCPA seven times and over a 7-year period Morgan Stanley trained its Asia-based employees 54 times on anti-corruption. This clearly shows that training is important and the documentation of training is critical. How else was Morgan Stanley able to demonstrate to the DOJ just how many training sessions Peterson had sat through?

(3) Send out compliance reminders. Peterson received reminders about FCPA compliance 35 times. This is an easy and quick action that you can take often. You can send them out by email, use your internal messaging system or a myriad of other media. Better yet, you could write an email for your company President pointing out that Morgan Stanley was NOT indicted because it had such a robust compliance program.

(4) Engage in ongoing Due Diligence, including transaction monitoring. As Howard noted, “Morgan Stanley had a robust due diligence program. The program included transaction monitoring – a sure sign that a company really cares about diligence is the extent it realizes diligence is ongoing – and included random audits of people and partners.” Ongoing due diligence and monitoring is becoming the new normal so I suggest that you get ahead of the curve, as in now.

I believe that the Peterson enforcement action is one of the most significant in 2012 to date. It provides solid guidance to the compliance practitioner on what the DOJ and SEC think is important and gives you actions that you can engage in now to increase the visibility of your compliance program within your company. Kudos to Morgan Stanley for their compliance victory. You do not have to parade in five pitchers to pitch to five different batters as Brad Mills did, but I think the import should be to take action now.


April 24, 2012

Henry IV and Adequate Procedures

As a father, I have come to appreciate Shakespeare’s Henry IV more and more; particularly more than I did when I was only a son. Part of the play deals with how Henry IV got his crown, by deposing Richard II and the battles he had to fight to keep it. But a large part of the play deals with his riotous son, Hal, drinking and philandering with Falstaff before he grew into the great monarch Henry V. With that in mind, we continue our exploration of the Six Principles of an Adequate Procedures compliance defense with a look at Principle IV – Due Diligence.

I. Commentary

Principle IV of the Six Principles of an Adequate Procedures compliance program states, “The commercial organisation applies due diligence procedures, taking a proportionate and risk based approach, in respect of persons who perform or will perform services for or on behalf of the organisation, in order to mitigate identified bribery risks.” The purpose of Principle IV is to encourage businesses to put in place due diligence procedures that adequately inform the application of proportionate measures designed to prevent persons associated with a company, whether on the sales and distribution side or in the supply chain, from bribing on their behalf. The Guidance recognizes that Due Diligence procedures act both as a procedure for anti-bribery risk assessment and as a risk mitigation technique. The Guidance believes that Due Diligence is so important that “the role of due diligence in bribery risk mitigation justifies its inclusion here as a Principle in its own right.”

II. Who is an Associated Person?

Who is an Associated Person? The Guidance intones that a company is liable if a person ‘associated’ with it bribes another person intending to obtain, retain or gain an advantage for the business. The definition is quite broad and is applicable to basically anyone who ‘performs services’ for or on behalf of the business. This can be an individual, an incorporated entity or unincorporated body. The capacity in which the services are provided is not dispositive, so employees, agents and subsidiaries are included. This also means that where a supplier can properly be said to be performing services for a company rather than simply acting as the seller of goods, it may also be an ‘associated’ person. Taken further, if a supply chain involves several entities, or a project is to be performed by a prime contractor with a series of sub-contractors, a business is likely to only exercise control over its relationship with its contractual counterpart and this means a company could have responsibility for those acting on its behalf in a wide range of arenas, with a wide range of titles. This could include all of the following: agent, sales agent, reseller, distributor, partner, joint ventures, consortium partner, contractor, subcontractor, vendor, supplier, affiliate, subsidiary or any other similar moniker.

III. Joint Ventures

As for joint ventures (JV), these come in many different forms, sometimes operating through a separate legal entity, but at other times through contractual arrangements. In the case of a JV operating through a separate legal entity, a bribe paid by the JV may lead to liability for a member of the JV if the JV is performing services for the member and the bribe is paid with the intention of benefiting that member. However, the existence of a JV entity will not of itself mean that it is ‘associated’ with any of its members. A bribe paid on behalf of the JV entity by one of its employees or agents will therefore not trigger liability for members of the JV simply by virtue of them benefiting indirectly from the bribe through their investment in or ownership of the JV.

The situation will be different where the JV is conducted through a contractual arrangement. The degree of control that a participant has over that arrangement is likely to be one of the ‘relevant circumstances’ that would be taken into account in deciding whether a person who paid a bribe in the conduct of the JV business was ‘performing services for or on behalf of’ a participant in that arrangement. It may be, for example, that an employee of such a participant who has paid a bribe in order to benefit his employer is not to be regarded as a person ‘associated’ with all the other participants in the JV. Ordinarily, the employee of a participant will be presumed to be a person performing services for and on behalf of his employer. Likewise, an agent engaged by a participant in a contractual JV is likely to be regarded as a person associated with that participant in the absence of evidence that the agent is acting on behalf of the contractual JV as a whole.

IV. Procedures

Maintaining a consistent theme throughout this Guidance on the Six Principles of an Adequate Procedures anti-bribery program, a company’s Due Diligence procedures should be proportionate to the identified risk. Due diligence should be conducted using a risk-based approach. For example, in lower risk situations, companies may decide that there is no need to conduct much in the way of due diligence. In higher risk situations, due diligence may include conducting direct interrogative enquiries, indirect investigations, or general research on proposed associated persons.

However, the appropriate level of Due Diligence to prevent bribery will vary enormously depending on the risks arising from the particular relationship. So, for example, the appropriate level of due diligence required by a company when contracting for the performance of Information Technology (IT) services may be low, to reflect low risks of bribery on its behalf. Conversely, a business entering into the international energy market and selecting an intermediary to assist in establishing a business in such markets will typically require a much higher level of due diligence to mitigate the risks of bribery on its behalf.

One company I know, The Risk Advisory Group, has put together a handy chart of its Level One, Two and Three approaches to integrity and due diligence. I have found it useful in explaining the different scopes and focuses of the various levels of due diligence.

Level One

Issues Addressed:
  • That the company exists
  • Identities of directors and shareholders
  • Whether such persons are on regulators’ watch lists
  • Signs that such persons are government officials
  • Obvious signs of financial difficulty
  • Signs of involvement in litigation
  • Media reports linking the company to corruption

Scope of Investigation:
  • Company Registration and Status
  • Registration Address
  • Regulators’ watch lists
  • Credit Checks
  • Bankruptcy/liquidation proceedings
  • Review Accounts and Auditors comments
  • Litigation Search
  • Negative Media Search

Level Two

Issues Addressed (as above with the following additions):
  • Public Profile integrity checks
  • Signs of official investigations and/or sanctions from regulatory authorities
  • Other anti-corruption Red Flags

Scope of Investigation (as above with the following additions):
  • Review and summary of all media and internet references
  • Review and summary of relevant corporate records and litigation filings, including local archives
  • Analysis and cross-referencing of all findings

Level Three

Issues Addressed (as above with the following additions):
  • But seeking fuller answers to any questions raised by drawing on a wider range of intelligence sources and/or addressing specific issues of potential concern already identified

Scope of Investigation (as above with the following additions):
  • Enquiries via local sources
  • Enquiries via industry experts
  • Enquiries via western agencies such as embassies or trade promotion bodies
  • Enquiries via sources close to local regulatory agencies

The Guidance suggests that more information is likely to be required from companies than from individuals because on a basic level more individuals are likely to be involved in the performance of services by a company and the exact nature of the roles of such individuals or other connected bodies may not be immediately obvious. Therefore a business seeking to retain another company as a business partner should engage in greater Due Diligence such as through direct requests for details on the background, expertise and business experience, of relevant individuals. Continued monitoring is also suggested, rather than simply annually or bi-annually.

So what’s the message from Henry IV? It is to soldier on, keep the faith that your son will eventually grow up and keep your head about you. Principle IV of Adequate Procedures would seem to call for the same patient work. You should identify those parties that you need to investigate from an anti-bribery perspective, risk rank them and then perform the appropriate level of due diligence. If you need help determining what the appropriate level of due diligence is, you can always give the folks at The Risk Advisory Group a call.

———————————————————————————————————————————————————————

Ed. Note: an earlier version of this post incorrectly identified its source of the chart as The Control Risk Group. The chart was provided to the author by The Risk Advisory, who consented to its inclusion in this blog post.

——————————————————————————————————————————————————————–


April 5, 2012

OCEG on Third Party Anti-Corruption Due Diligence

My grandfather was a comic book collector. He collected all kinds and types of comics, from super-heroes to the Archie series. One of the series that he collected that I still think about from time-to-time was Classics Illustrated. Classics Illustrated was a comic book series featuring adaptations of literary classics which began publication in 1941 and finished its first run in 1971, producing 169 issues. I won’t divulge how many classic novels that I read in such fashion as a youngster but I will say that that group is the only set of magazines and comics that I collected in the 60s of which I still have a complete set.

There is another illustrated series which may be of more use to the modern day compliance practitioner which can be found in Compliance Week Magazine. In the February 2012 edition OCEG President Carole Switzer continues her series on an illustrated six-part anti-corruption program. In this issue she focuses on third party due diligence. She begins by noting that one of the surest ways to develop and strengthen your anti-corruption compliance program, whether based upon the US Foreign Corrupt Practices Act (FCPA) or the UK Bribery Act is to discover “what you do not understand about the third-parties who help you to do business abroad.” She explains that if your company does not “expand its knowledge of activities of your business partners,” the Department of Justice (DOJ) or UK Serious Fraud Office (SFO) may well do so for you in an enforcement action. Switzer provides a six-step process with a nifty diagram attached to the article.

1. Define

To begin you should define your objectives and then design your process. This should include all forms that you will use including questionnaires, background checks, references and certifications. You should also delineate your process to review and clear any Red Flags which may arise in the process.

2. Collect Initial Data

This step should begin with a country review to make an initial determination of risk of corruption. You can use the Transparency International (TI) Corruption Perceptions Index (CPI) or similar resource. Determine how you can make real-time checks, whether through a third-party software provider such as World Compliance or other mechanism for initial due diligence. You will also need to collect data directly from the proposed third party business partner in the form of a questionnaire or other document. There should also be an initial discussion of the “nature, scope and intended relationship” with the third party.

3. Assess

Under this step, Switzer believes that you should initially set up categories for your third parties of high, moderate and low. Based upon which risk category the third party falls into, you can design specific due diligence. She defined low risk screening as “trusted data source search and risk screening such as the aforementioned World Compliance”; moderate risk screening as “enhanced evaluation to include in-country public records…and research into corporate relationships”; high risk screening is basically a “deep dive assessment” where there is an audit/review of third party controls and financial records, in-country interviews and investigations “leveraging local data sources.”

4. Approve/Deny/Approve with Condition

Under this step you should establish business rules and process triggers to “facilitate control and monitoring throughout the life of each contract.” As the risk level increases you should apply more stringent controls on the third party. This would also include more intense monitoring of the relationship on an ongoing basis.

5. Train/Control

Your company should establish anti-corruption training for each risk level of third party with which you do business. You should administer the training, whether live, computer based or webinar, for different third party audiences “taking cultural issues into consideration and addressing role-specific needs.” You should assess and certify the results of your training or certify third party awareness through its own training program. Lastly the “control” portion of this step relates to compliance terms and conditions, which should be included in any written agreement with your third party.

6. Monitor/Review

Switzer ends her six-point program by noting that you should “establish monitoring and re-approval requirements for each risk level.” There should be continued contact and monitoring by a combination of business unit sponsor and trusted outside professionals. There should be mandatory re-approval at fixed points as well as an action plan to address any red flags which might arise during the relationship.

I find the OCEG Anti-Corruption Illustrated series to be a very useful tool to help visualize the compliance process. While not in the same league as Classics Illustrated they certainly are a useful tool for the compliance practitioner. I would urge you to visit the OCEG website for their series and many other useful tools.


March 7, 2012

How FATF Recommendations on Anti-Money Laundering Inform Your Compliance Program

The Financial Action Task Force (FATF) is an inter-governmental body established in 1989 by the Ministers of its Member jurisdictions. Its mandate is to set standards and to promote effective implementation of legal, regulatory and operational measures for combating money laundering, terrorist financing and the financing of proliferation, and other related threats to the integrity of the international financial system. In collaboration with other international stakeholders, it also works to identify national-level vulnerabilities with the aim of protecting the international financial system from misuse. FATF recently released a new document, entitled “International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation”.

While most of the recommendations in the document were directed at financial institutions, I found several of them to converge over and into the area of anti-corruption. Further, several of the recommendations will be of high value to companies in evaluating or enhancing their own compliance programs. They include some of the following recommendations which I have adapted for anti-corruption and anti-bribery compliance programs.

Risk Assessments

Companies should identify, assess, and understand the money laundering and terrorist financing risks for the country in which they seek to do business, and should take action, including designating an authority or mechanism to coordinate actions to assess risks, and apply resources, aimed at ensuring the risks are mitigated effectively. Based on that assessment, companies should apply a risk-based approach to ensure that measures to prevent or mitigate compliance risks are commensurate with the risks identified. This approach should be an essential foundation to efficient allocation of resources across the anti-money laundering and countering the financing of terrorism (AML/CFT) regime and the implementation of risk-based measures throughout the FATF recommendations. Where companies identify higher risks, they should ensure that their AML/CFT regime adequately addresses such risks, and where lower risks are identified, they may decide to allow simplified measures for some of the FATF recommendations under certain conditions.

Customer Due Diligence

Companies should be prohibited from keeping anonymous accounts or accounts in obviously fictitious names. Companies should be required to undertake customer due diligence measures when:

(i) establishing business relations;

(ii) carrying out occasional transactions, above the applicable designated threshold (USD/EUR 15,000);

(iii) there is a suspicion of money laundering or terrorist financing; or

(iv) the company has doubts about the veracity or adequacy of previously obtained customer identification data.

FATF recommends that companies perform the following due diligence:

(a) Identifying the customer and verifying that customer’s identity using reliable, independent source documents, data or information.

(b) Identifying the beneficial owner, and taking reasonable measures to verify the identity of the beneficial owner, such that the financial institution is satisfied that it knows who the beneficial owner is. For legal persons and arrangements this should include an understanding of the ownership and control structure of the customer.

(c) Understanding and, as appropriate, obtaining information on the purpose and intended nature of the business relationship.

(d) Conducting ongoing due diligence on the business relationship and scrutiny of transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with the institution’s knowledge of the customer, their business and risk profile, including, where necessary, the source of funds.

For politically exposed persons (PEPs), including family members and close associates, whether as customer or beneficial owner, FATF recommends the following due diligence in addition to normal customer due diligence measures:

(a) have appropriate risk-management systems to determine whether the customer or the beneficial owner is a politically exposed person;

(b) obtain senior management approval for establishing, or continuing for existing customers, such business relationships;

(c) take reasonable measures to establish the source of wealth and source of funds; and

(d) conduct enhanced ongoing monitoring of the business relationship.

Record Keeping

Companies should be required to maintain, for at least five years, all necessary records on transactions, both domestic and international, to enable them to comply swiftly with information requests from the applicable authorities. Such records must be sufficient to permit reconstruction of individual transactions (including the amounts and types of currency involved, if any) so as to provide, if necessary, evidence for prosecution of criminal activity.

Companies should be required to keep all records obtained through customer due diligence (e.g. copies or records of official identification documents like passports, identity cards, driving licenses or similar documents), account files and business correspondence, including the results of any analysis undertaken (e.g. inquiries to establish the background and purpose of complex, unusual large transactions), for at least five years after the business relationship is ended, or after the date of the original transaction.

Companies should be required by law to maintain records on transactions and information obtained through the customer due diligence measures. The customer due diligence information and the transaction records should be available to applicable domestic authorities upon appropriate authority.

New Technologies

One of the areas which many companies do not consider is that of new and cutting edge technologies to combat corruption. FATF clearly makes use of new technologies as a part of its overall efforts. It states that companies should identify and assess the money laundering or terrorist financing risks that may arise in relation to (a) the development of new products and new business practices, including new delivery mechanisms, and (b) the use of new or developing technologies for both new and pre-existing products. In the case of financial institutions, such a risk assessment should take place prior to the launch of new products, business practices or the use of new or developing technologies and they should take appropriate measures to manage and mitigate those risks.

Wire Transfers

On wire transfers and related messages which a company may send out to a third party, it should include originator information and required beneficiary information, and ensure that the information remains with the wire transfer or related message throughout the payment chain. Companies should also monitor wire transfers for the purpose of detecting those which lack required originator and/or beneficiary information and take appropriate measures.

Many of the above areas are currently covered in more traditional anti-corruption/anti-bribery compliance programs, such as those covered by the US Foreign Corrupt Practices Act (FCPA) or UK Bribery Act. However, these FATF recommendations, with their focus on anti-money laundering, can be useful guidance to companies to make their compliance programs more robust. I recommend that you read the entire report and adapt some of their suggestions into your compliance regime.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

February 27, 2012

How Lin-sanity Informs Your Compliance Program: Lesson II

Lin-sanity still reigns. How can you make this determination? I will give you two signs to consider. First Spring Training is in full force and here I am not only thinking about the NBA but also writing about the NBA. Second, I ordered the NBA League Pass package so that I can watch Jeremy Lin play each night the Knicks are on television. (Sam Rubenfeld is smiling somewhere.) But Lin-sanity still continues to inform the compliance practitioner and compliance programs.

How does Lin-sanity continue to inform your compliance program? That question came to mind as I was reading the Saturday edition of the New York Times (NYT) in an article entitled “The Evolution of a Point Guard,” by reporter Howard Beck. In his article Beck destroyed the myth that Jeremy Lin emerged literally “overnight” as a star in the NBA. Beck wrote that this part of the Lin Legend is “altogether flawed, or at least woefully incomplete.” In my last piece on Lin-sanity and compliance I wrote about the analyst who saw the seeds of Lin’s play in his years at Harvard. Beck goes further to point out that the Lin who graduated from Harvard, and got cut from both the Warriors and the Rockets, is very different from the Lin who is now starting for the Knicks. How is Jeremy Lin different? Through hard work in his profession, the craft of basketball.

What work did Lin do that led to Lin-sanity? Beck went into extensive detail to report on the shooting drills he put in with an old coach to improve his jump shot; the personal fitness coach he worked out with to increase muscle size and speed; the tape of elite NBA guards he studied to learn how to set up and execute a pick and roll; the Developmental League time he put in to learn how to better read defensive double teams; and finally the lonely gym work to develop a 3-point shot. All of this hard work led to, as Beck quoted, a former coach of Lin’s saying that “He’s in a miracle moment, where everything has come together.”

Our last lesson learned from Lin-sanity was to look and think outside the box for compliance resources within your company. Lin-sanity Lesson Learned II is that the initial implementation or enhancement of a compliance program is only the beginning. It is after that time that the hard work really begins. Jeremy Lin obviously, at least to one analyst, had some amount of talent coming out of college, but Lin-sanity did not begin until he put in all the hard work that Beck detailed in his article. In the same way, you as a Chief Compliance Officer (CCO) or other person tasked within your company to implement or enhance a compliance program must work equally hard to make the program truly best practices.

What are some of the things that you should do after implementation or enhancement? You should begin by reviewing your risk assessment to determine the nature and quality of the compliance risks that were defined. Use that list as a starting point to put in the hard work of remedying or better yet managing those risks. Some of the areas that you may need to remediate, while you are going through the initial implementation or enhancement phase of the compliance program, may be one or more of the following.

Foreign Business Representatives

A common high risk is found in the use of agents, resellers, or other non-employee sales representatives in your company’s sales chain. You need to design a database where you collect information on all such foreign business representatives, such as contract term, underlying due diligence performed, commissions or other payments made to them over the past five years, nature of product sold or service provided and geographic territory. From this database you should risk rank these foreign business representatives and begin the process of remedial due diligence. If your sales model is distributors, you may need to review and assess your contractual rights and requirements for sales to certain end users for your products.

Supply Chain

There may be many persons or entities that represent your company that are located in the Supply Chain, rather than the sales chain. This could include freight forwarders, visa processors, customs clearance companies, law firms, licensing representatives or any other service provider who might interact with a foreign governmental official on behalf of your company. In addition to the information that you should collect in a database, similar to the one described for Foreign Business Representatives above, you should also go back and audit invoices from such government service providers, to determine if there are any issues existing from before the go-live date of your compliance implementation or enhancement.

Internal Controls

Your compliance program should consist of policies and procedures. However, it should also have the appropriate internal controls in place to effectively implement these policies and procedures across the organization. This means that policies from every department of the company may be impacted. Groups as disparate as Human Resources, Finance, Accounting, IT, Treasury and others will all have corporate policies that need to be reviewed and assessed through a Gap Analysis of your internal controls. Any discovered deficiencies will need to be remedied, so writing policies may well be a large part of your compliance effort going forward.

Human Resources

HR is key in any compliance program implementation, enhancement or ongoing evolution. One of the reasons that HR is so critical is that it is the group within your company which will be charged with identifying, evaluating and developing persons with strong ethical values who could become the leaders of your company tomorrow. As a compliance officer you will need to spend significant time with HR representatives to detect, train and promote such persons within your company to leadership and senior management positions in the years ahead.

There will certainly be other areas of your company which will need attention during your initial compliance program implementation or enhancement. It most certainly will seem like an overwhelming task. But here is where the Jeremy Lin example really kicks in. You do not have to create and perfect everything at once. Each step in the compliance journey builds on the prior step. The point is to keep moving. Your best practices compliance program will not emerge overnight, but as with Jeremy Lin, if you keep doing the things you need to do to make your compliance program more robust, you may well bring everything together to create a world class compliance program for your organization.


© Thomas R. Fox, 2012

April 29, 2011

The Royal Wedding and the End of the ‘Halliburton’ Opinion Release

Today is a Royal wedding in England and in honor of the happy couple and the English House of Windsor we will take a look at the Foreign Corrupt Practices Act (FCPA) in the context of a merger and acquisition (M&A) of a British company.

Until recently, many FCPA practitioners had based decisions in the M&A context on Department of Justice’s (DOJ) Opinion Release, 08-02 (08-02), which related to Halliburton’s proposed acquisition of the UK entity, Expro. However, the recently released Deferred Prosecution Agreement (DPA) of Johnson & Johnson (J&J) may have changed the perception of practitioners regarding what is required of a company in the M&A arena related to FCPA due diligence, both pre and post-acquisition. In this post we will review the genesis of 08-02, the risk based approach that it advocated and the vigorous time frames, which it set forth, to accomplish the agreed to compliance investigations and opine on how these may have changed.

08-02 began as a request from Halliburton to the DOJ from issues that arose in the pre-acquisition due diligence of the target company Expro. Halliburton had submitted the following request to the DOJ specifically posing these three questions: (1) whether the proposed acquisition transaction itself would violate the FCPA; (2) whether through the proposed acquisition of Target, Halliburton would “inherit” any FCPA liabilities of Target for pre-acquisition unlawful conduct; and (3) whether Halliburton would be held criminally liable for any post-acquisition unlawful conduct by Target prior to Halliburton’s completion of its FCPA and anti-corruption due diligence, where such conduct is identified and disclosed to the Department within 180 days of closing.

I. 08-02 Conditions

Halliburton committed to the following conditions, if it was the successful bidder in the acquisition:

1. Within ten business days of the closing. Halliburton would present to the DOJ a comprehensive, risk-based FCPA and anti-corruption due diligence work plan which would address, among other things, the use of agents and other third parties; commercial dealings with state-owned customers; any joint venture, teaming or consortium arrangements; customs and immigration matters; tax matters; and any government licenses and permits. The Halliburton work plan committed to organizing the due diligence effort into high risk, medium risk, and lowest risk elements.

a. Within 90 days of Closing. Halliburton would report to the DOJ the results of its high risk due diligence.

b. Within 120 days of Closing. Halliburton would report to the DOJ the results to date of its medium risk due diligence.

c. Within 180 days of Closing. Halliburton would report to the DOJ the results to date of its lowest risk due diligence.

d. Within One Year of Closing. Halliburton committed to full remediation of any issues which it discovered within one year of the closing of the transaction.

Many lawyers were heard to exclaim, “What an order, we cannot go through with it.” However, we advised our clients not to be discouraged because 08-02 laid out a clear road map for dealing with some of the difficulties inherent in conducting sufficient pre-acquisition due diligence in the FCPA context. Indeed the DOJ concluded 08-02 by noting, “Assuming that Halliburton, in the judgment of the Department, satisfactorily implements the post-closing plan and remediation detailed above… the Department does not presently intend to take any enforcement action against Halliburton.”

II. Johnson & Johnson “Enhanced Compliance Obligations”

In the recently released J&J DPA, there is an Attachment D, which is entitled, “Enhanced Compliance Obligations.” This is a list of compliance obligations in which J&J agreed to undertake certain enhanced compliance obligations for at least the duration of its DPA. With regard to the acquisition context, Johnson and Johnson agreed to:

7. J&J will ensure that new business entities are only acquired after thorough FCPA and anticorruption due diligence by legal, accounting, and compliance personnel. Where such anticorruption due diligence is not practicable prior to acquisition of a new business for reasons beyond J&J’s control, or due to any applicable law, rule, or regulation, J&J will conduct FCPA and anticorruption due diligence subsequent to the acquisition and report to the Department any corrupt payments, falsified books and records, or inadequate internal controls as required by … the Deferred Prosecution Agreement.

 8. J&J will ensure that J&J’s policies and procedures regarding the anticorruption laws and regulations apply as quickly as is practicable, but in any event no less than one year post-closing, to newly-acquired businesses, and will promptly: For those operating companies that are determined not to pose corruption risk, J&J will conduct periodic FCPA Audits, or will incorporate FCPA components into financial audits.

a. Train directors, officers, employees, agents, consultants, representatives, distributors, joint venture partners, and relevant employees thereof, who present corruption risk to J&J, on the anticorruption laws and regulations and J&J’s related policies and procedures; and

b. Conduct an FCPA-specific audit of all newly-acquired businesses within 18 months of acquisition.

These enhanced obligations agreed to by J&J in the M&A context would seem to be less time sensitive than those agreed to by Halliburton in 08-02. In the J&J DPA, the company agreed to the following time frames:

a. 18 months: conduct a full FCPA audit of the acquired company.

b. 12 months: introduce full anti-corruption compliance policies and procedures into the acquired company and train those persons and business representatives which “present corruption risk to J&J.”

So there is no longer a risk based approach as set out in 08-02 and the tight time frames are also relaxed. Once again we applaud the DOJ for setting out specific information for the compliance practitioner through the release of the J&J DPA. As many have decried 08-02 as a standard too difficult to satisfy in the real world of time constraints and budget cuts, the “Acquisition” component of the J&J DPA should provide those who have made this claim with some relief.

For a copy of Opinion Release 08-02, click here.

For a copy of the Johnson & Johnson Deferred Prosecution Agreement, click here.

We would be remiss if we did not wish Prince William and his bride, Kate, best wishes in their new journey together. No one puts on pomp and circumstance like the Brits so sit back, relax and enjoy the nuptials with a nice cup of tea.


© Thomas R. Fox, 2011

March 16, 2011

The FCPA in Emerging Markets: Evaluating Risks of Bribery and Corruption

I am attending the 2011 Global Ethics Summit this week in New York City. It is presented by Ethisphere and Thomson Reuters. This post will be the first of several based upon the comments of the panelists. In today’s posting we will discuss some of the issues faced in emerging markets, regarding anti-bribery and anti-corruption.

The panelists listed several characteristics that appear across the spectrum in emerging markets. These markets usually have a large and multi-leveled bureaucracy which can make many demands for permits, licenses and other types of governmental approvals. In opening any new business in an emerging market there are usually multi-governmental touch points where bribes can be demanded. Due to these factors there is a culture of small time, almost daily corruption in many emerging markets which can often impact the attitude of employees.

Another issue touched upon was that many US companies may lack a full understanding of just whom they are doing business with when they go into an emerging market. This includes not only the catch-phrase of “Know Your Customer” but also “Know Your Agent” and “Know Your Supply-Chain Vendor”. As the FCPA applies to foreign governments and their representatives, a key issue in transactions in emerging markets is just who your customer is or who they might be. In countries such as China, the reach of the government is so great that it extends to most commercial enterprises. This means that a US company may be dealing with an agency or instrumentality of a foreign government and not appreciate that fact.

Douglas Nairne, Global Head of World Check, discussed some of the difficulties US companies face when attempting to perform due diligence on a foreign business representative or supply chain vendor in an emerging market. It is often difficult to obtain information similar to that available in the US or other western country. Many times public records are not available online so that a much more lengthy and detailed search protocol is required. This can significantly lengthen your due diligence process. The situation can also exist where certain records are simply not in the public realm. Lastly is the issue of the quality of the records. Many times, such records are not updated on any type of regular basis, such as annually. This is particularly true for corporate filings which may list officers and directors so this can also present problems.

Cheryl Hug, an Ethics and Compliance Officer for Hewlett-Packard, discussed some of the cultural sensitivities that a US company must demonstrate in emerging markets. Initially, she stated that US companies must train their US employees who will relocate to or work with the emerging markets on such cultural sensitivities. She also indicated that it was important to understand how to deal with your company’s service providers in such an environment. Lastly she spoke to a theme of “reverse colonialization”. She said that when discussing compliance and ethics with those in emerging markets, she attempts to stay away from citing to the FCPA but uses the broader terms of anti-corruption and anti-bribery. Otherwise it may sound like the rich, western nation is simply imposing its values on the former colony.

There was a lengthy discussion of when a US company should walk away from a transaction in an emerging market. Mark Mendelsohn, partner at Paul, Weiss, stated that he viewed transactional due diligence as more “art than science”. He suggested that there is no perfect answer to this question but each deal should be evaluated by a variety of factors, which if they exist should cause your business to walk away from a proposed transaction. The first factor was that the business is not sustainable absent real or perceived corruption. The second was if the cost to remediate any bribery situation is so great that it destroyed the business value of the transaction. The third factor was lack of full information which would allow a reasonable risk based analysis.

A related topic was that of joint ventures. Deirdre Stanley, General Counsel for Thomson Reuters, discussed the issue of knowing who your joint venture partners actually were. This is to ensure that you had no government officials who might be receiving anything improper under the FCPA. She also stressed that key components were transparency in joint venture governance and strong contractual anti-bribery and anti-corruption terms and conditions.

The group emphasized, however, that the problems were manageable if you have time to navigate this bureaucratic system, but if you need something done in a hurry or at the last minute you are subject to being squeezed for money. So good business planning is a definite key. Your company should go into any venture in an emerging market with its eyes open and with a robust business management plan in place.


© Thomas R. Fox, 2011
