FCPA Compliance and Ethics Blog

June 11, 2013

FCPA Enforcement as a Security Issue and Implications for the Compliance Practitioner

One of the things that has long puzzled me is what led to the significant rise in the enforcement of the Foreign Corrupt Practices Act (FCPA) beginning in the 2003-2004 time frame. One of the more consistent theories that I have heard proffered, by Dan Chapman, Dick Cassin, Alexandra Wrage and others, is that after 9/11, the Bush administration viewed corruption as a security issue. I admit that I was not totally sold on this theory until last week, when the FCPA Blog, in an article entitled “NSA spying also linked to FCPA enforcement”, reported that the National Security Agency (NSA) has engaged in economic espionage for the benefit of the United States and perhaps others. The FCPA Blog quoted a story from the American Spectator, entitled “Rise of the Surveillance State”, by James Bovard. One of the items which Bovard discussed is the program monikered ‘Echelon’, which he described as “a spy satellite system run by the National Security Agency along with the United Kingdom, Australia, New Zealand, and Canada. Echelon reportedly scans millions of phone calls, e-mail messages, and faxes each hour, searching for key words.”

Apparently this program is also used for FCPA enforcement. Bovard wrote that “A February report by the European Union alleged that Echelon has been used for economic espionage. Former CIA Director James Woolsey told a German newspaper in early March that Echelon collects “economic intelligence.” One example Woolsey gave was espionage aimed at discovering when foreign companies are paying bribes to obtain contracts that might otherwise go to American companies. Woolsey elaborated on his views in a condescending March 17 Wall Street Journal oped, justifying Echelon spying on foreign companies because some foreigners do not obey the U.S. Foreign Corrupt Practices Act. To add insult to injury, Woolsey noted there’s no reason for U.S. companies to steal backward Europe’s secrets.” Isn’t that a comforting thought when the US claims the Chinese are stealing secrets through computer hacking?

But what are the implications for the compliance professional? For a more Orwellian prediction, John Batchelor, in an article entitled “NSA Scandals: FCPA Compliance Game Changer?”, has this chilling prediction, “Currently it takes months or years to develop a solid FCPA case and most of those end up with fines and some type of penalty. Could that change to a new way of enforcement where the government targets a company, identifies corruption, gathers evidence, and instead of going through the motions, simply calls them to schedule a meeting, slapping a fine and a series of actionable tasks for the company in question? It’s not happening now, but that is a question.” It would seem to do away completely with the concept of due process, so I would discount this scenario as unlikely.

However, Batchelor does point out that such government oversight might well occur in countries which are known or perceived to be high risk for corruption. He says, “Under the FCPA we focus on anti-bribery, however, with our current emphasis on national security, I think there is a serious question to ask for any company that operates in high CPI areas where terrorist cells or money laundering outfits to terrorist cells operate.” From this premise, Batchelor poses several topical inquiries which you should consider now. They include: “How well do you know your agents? How well do you know their relationships? How well do you know the companies they are affiliated with? Are there red-flags that low-level DPL type screenings might not uncover?”

I believe that the revelations which came out last week will make the compliance professional’s job more difficult, but that difficulty may well be due to the backlash against not only the massive collections of data that the US government is obtaining through its surveillance programs but also the arrogance shown in statements like that of former CIA Director Woolsey quoted in the American Spectator article. I believe that there are three general areas which will negatively affect US compliance professionals.

The first is in the area of data access. Edward Luce, in a Financial Times (FT) article entitled “Obama has hurt himself and business over privacy”, said that the “US is losing credibility in its goal of trying to stop the internet from balkanizing into separate national frameworks.” While Luce discussed this in terms of the US criticism of “the great firewall of China”, a US investor might think about the Securities and Exchange Commission’s (SEC’s) struggle to get China to agree to allow auditors to provide data to the US consistent with US securities laws, or laws which the SEC enforces, such as the books and records component of the FCPA.

Second, what about data privacy? I think that the acknowledgement of the US surveillance programs will lead other countries to toughen up their data privacy requirements. This means that the compliance professional will be faced with an even more bewildering set of data privacy requirements to deal with to accurately assess a company’s compliance program. For the intelligence angle, Luce quoted Ira Hunt, the CIA’s chief technology officer, for the following, “Since you can’t connect the dots you don’t have…we fundamentally try and collect everything and hang on to it forever.” However, we now know that this surveillance also was used for other law enforcement issues such as enforcement of the FCPA. While foreign governments cannot legislate privacy as to the data collected by the US government, they certainly can do so vis-à-vis US companies doing business in their jurisdictions or home-domiciled foreign companies which are subject to the FCPA through a US subsidiary.

Indeed, this very issue is now in the forefront of EU-US trade negotiations. In another article in the FT, entitled “Data scandal clouds trade talks”, Hannes Swoboda, leader of the socialist members of the European Parliament, was quoted as saying, “With all the information that we’ve found out in the recent days about how easily the US spies on people’s private data I think it will be difficult for the Americans to oppose a strong data protection agreement.” The article notes that many of the rules proposed for EU data protection are opposed by US companies because “their business models would be damaged.”

Lastly, what about jurisdiction and the FCPA? Currently, if a banking transfer goes through the US banking system, FCPA jurisdiction attaches. While it has not yet been tested, several commentators have spoken about information which might be saved on servers based in the US. So what if information appears on Google or through a Google search or on Facebook? Now take the next step and ask: if there is data mining which strikes pay dirt, could that create or even portend jurisdiction?

As an American, I understand the need for enhancing security protocols after 9/11. It is an irritation, but only that, similar to taking off my shoes to go through security, all courtesy of Richard Reid, ‘the Shoe Bomber’. Further, these US government surveillance programs, which have been ongoing through both a GOP and a Democratic administration, were authorized by an overwhelming majority of both houses of the US Congress and have judicial oversight. But many outside the US may not see the same needs and protections that I see in place. Luce said in his article, “Washington’s reassurances are irrelevant to the 3.4bn non-Americans who are online…But foreigners might not be comforted to learn that their privacy is protected by a secret US court, which is overseen by a select group of US lawmakers who are themselves sworn to secrecy.”

I think that the job of the compliance practitioner just got a lot tougher.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

January 29, 2013

Grand Central Station, Mary Jo White and the End of No-Admission Settlements in SEC Cases?

Last week we celebrated one of the world’s great urban architectural marvels, the London Underground. This week we celebrate one a little closer to home. This week is the 100th anniversary of Grand Central Station. In an article this week in the New York Times (NYT), entitled “Looking Out on the Grand Central, and Looking Back on Saving It”, reporter Clyde Haberman interviewed Kent L. Barwick, former Executive Director of the Municipal Art Society, who was instrumental in the fight to save the Station in the 1970s. I knew about the legal fight that the City of New York had put up after its designation of the venerable landmark had been overturned by a state judge. This landmark case went all the way to the US Supreme Court and ended with a victory for the City of New York and the establishment of the right of a municipality to protect the public environment and its history by historic designation. What I did not know about this process was that one of its most active supporters was Jacqueline Kennedy Onassis, who supported the cause with time, money and effort. It was a classic effort of several processes moving forward on several fronts at once which led to this important legal decision and one of the most compelling journeys in landmark preservation.

This article came to mind when I read another article in the NYT, entitled “Make Them Pay (and Confess)” by reporter Gretchen Morgenson, about President Obama’s nomination of Mary Jo White to head the Securities and Exchange Commission (SEC). Morgenson used the nomination of White to argue that the SEC has not been aggressive enough in its prosecution of financial wrongdoing during the first four years of the Obama Administration. She believes that the no-admission settlement is merely a “slap on the wrist” for companies who are guilty of securities violations involving fraud. I believe that this would include Foreign Corrupt Practices Act (FCPA) violations.

One of the techniques that she argues should be used more often and would have greater impact is requiring companies to admit to facts in settlement agreements. As most compliance practitioners know, the SEC has, in the past, allowed companies to settle without admitting or denying the findings which are the basis for the enforcement actions. Generally the SEC has supported this position, arguing that doing so helps it “avoid costly, time-consuming litigation that would tax already-stretched resources.” In addition to time-consuming trials, there is always the possibility that the SEC could lose at trial. Further, by having quicker settlements, more victims would be getting restitution faster.

But Morgenson argues that a no-admission settlement does not really qualify as a punishment. In addition to having no precedential value going forward, because there are no facts admitted, she maintains that even the financial penalties are meaningless. This is because ultimately the fines and penalties are paid by the shareholders or the company’s insurance carrier. Such situations are “not much of a deterrent.”

Morgenson points out that Preet Bharara, the United States Attorney for the Southern District of New York, who was hired by Mrs. White when she ran the office, “has made it a priority to require admissions from defendants in civil fraud cases” brought by his office. Bharara has stated that “Such admissions are a way to hold defendants accountable, as well as being an important part of the public record.” By public record, Bharara means that plaintiffs can then use those admissions in shareholder derivative actions against corporations in tag-along lawsuits. Do you think that the plaintiffs’ bar will be salivating over that prospect?

Morgenson discussed several reasons for the reluctance of the SEC to require such admissions of fact. The first and foremost is that you have to be ready, willing and able to go to trial. Bharara handles this in the Southern District with the following comment, “We’re not in the business of bluffing. When people know you’re not bluffing, they come to the table.” However, the SEC itself may not have this same attitude. Morgenson notes that “It won’t be easy to change the mind-set at the S.E.C. from one that regularly allows defendants to avoid culpability.” Other federal agencies such as the Federal Trade Commission also allow corporations to settle civil enforcement actions while not admitting to any facts.

Morgenson acknowledges that it will not be easy for the SEC to change its philosophy. Further, defendants will probably fight this change tooth and nail because they know that the cost of any settlement will increase exponentially if they make such admissions. The aforementioned plaintiffs’ bar will be waiting to jump on any corporations which make such settlements. Morgenson quotes William F. Galvin, Secretary of the Commonwealth of Massachusetts and its securities regulator, who admitted that negotiating admissions of liability is challenging due to the fact that the cost of settlements will go up. His response, “Well, that’s kind of the idea – you did something wrong, you should be liable. You’re not going to change practices or behavior if there’s no penalty associated with it.”

Federal judges have also begun to question the use of SEC no-admission settlements. There is the quite well known example of Judge Rakoff and his initial rejection of the Citigroup settlement. A couple of other federal judges also initially rejected no-admission settlements but did so on the grounds that there was not enough evidence to enforce an injunction if there was a breach of the settlement by the defendant. Their concerns were addressed and they all eventually signed off on the SEC settlements. Now, however, Judge Richard Leon has rejected an SEC settlement with IBM, for FCPA books and records violations, as Judge Leon wanted IBM to report to the SEC if it sustained an FCPA violation going forward. IBM, with the SEC standing at its side on this point, said that to do so would be “too burdensome.” Judge Leon has set a hearing date of February 4, 2013 for IBM to present evidence of how it plans to collect the data to show that it is too burdensome. If IBM cannot do so, Judge Leon may well not approve the no-admission settlement.

Morgenson clearly wants Mary Jo White to engage in more and greater enforcement of financial fraud cases. She does not speak to FCPA cases specifically, so it is not clear whether her desire would also include FCPA books and records enforcement actions brought by the SEC when there is no criminal case brought by the Department of Justice (DOJ). However, if no-admission enforcement actions are no longer the norm in SEC financial fraud or other securities actions, this will probably also bleed over into FCPA actions. Judge Leon’s challenge to IBM and to the SEC may also portend an increasingly active judiciary which may delve into the substance of any FCPA settlement agreement with the SEC.

So for you New Yorkers out there, or any of you travelling through New York, I would suggest that the next time that you go through Grand Central Station, look up with some wonder and awe at one of the true architectural marvels of the city. You may not do so as I did the first time I went through it, but still take a few minutes to think that it was headed for the wrecking ball back in the 1970s, scheduled to be replaced by a skyscraper. Morgenson argues that the SEC should become more aggressive in its prosecution of financial fraud and, with Mary Jo White’s prosecutorial background, the agency may well be headed that way.

April 12, 2012

How the DOJ Looks at Compliance Programs in an Enforcement Action – Part II

Today’s post is Part II in our two-part series of how the Department of Justice (DOJ) looks at compliance programs during the pendency of an enforcement action. Today we will review how a prosecutor may review the existence and effectiveness of a Foreign Corrupt Practices Act (FCPA) compliance program based upon the Principles of Federal Prosecution of Business Organizations (“the Principles”) and an analysis of what is an effective compliance program under the US Sentencing Guidelines (“the Guidelines”). Both yesterday’s and today’s posts are based upon the tract “Complying with the Foreign Corrupt Practices Act: A Practical Primer” (herein “the Primer”), published by the ABA Criminal Justice Section, Global Anti-Corruption Task Force.

Independent Evaluation of Compliance Programs

The Primer reports that under this analysis, prosecutors look into three broad categories to make a determination if a compliance program was in existence and effective “at the time of the FCPA violation.” These categories and their specific inquiries are as follows:

1. The Existence and Design of the Compliance Program

(a) Whether a compliance program is adequately designed for maximum effectiveness in preventing and detecting wrongdoing by employees;

(b) Whether the compliance program is designed to detect the particular types of misconduct most likely to occur in a particular corporation’s line of business;

(c) The comprehensiveness of a compliance program; and

(d) Whether the compliance program has established corporate governance mechanisms that can effectively detect and prevent misconduct.

2. The Administration of the Program

(a) Whether the company’s management is enforcing the program or is tacitly encouraging or pressuring employees to engage in misconduct to achieve business objectives;

(b) Whether a compliance program is being applied earnestly and in good faith;

(c) Whether a compliance program ‘works’;

(d) Whether a compliance program is merely a ‘paper program’ or whether it was designed, implemented, reviewed and revised, as appropriate, in an effective manner;

(e) Whether the company has provided for a staff sufficient to audit, document, analyze, and utilize the results of the company’s compliance efforts; and

(f) Whether the company’s employees are adequately informed about the compliance program and are convinced of the corporation’s commitment to it.

3. The Misconduct in Question

(a) The extent and pervasiveness of the misconduct in question;

(b) The nature and level of the corporate employees involved in the misconduct;

(c) The seriousness, duration and frequency of the misconduct;

(d) Whether a corporation has taken remedial actions including discipline against past violators and revisions to the company’s compliance program in light of lessons learned; and

(e) The promptness of any disclosure of wrongdoing to the government.

As the Primer points out, these factors are “not exhaustive and are often overlapping but they do provide insight into how DOJ prosecutors conduct investigations and determine whether to bring charges under the FCPA.”

I find this final section on how the DOJ analyzes compliance programs the most helpful for the compliance practitioner, particularly when they must explain to management what is required and why the resources need to be expended. Remember, this analysis is performed based upon your company’s compliance program at the time the FCPA violation arose, not after program remediation. So just think about some of the questions posed above:

  • Have we trained the appropriate employees?
  • If so, how do we prove it?
  • Has anyone ever been disciplined for a Code of Conduct violation or more appropriately a compliance program violation?
  • If so, is it documented?
  • Prior to our FCPA violation, had the company ever audited or even reviewed the state of its compliance policy?
  • If so, were any changes made to the compliance program? What changes were made and why?
  • Our Chief Executive Officer (CEO) signed a cover letter, written by the Legal/Compliance Department, which introduced our compliance program when we rolled it out (fill in the blank) years ago. What evidence is there of the CEO’s continued commitment to the company’s compliance program since roll-out that can be documented?
  • Have we opened any new business lines or gone into any new geographic areas since the compliance program roll-out? Did we assess these new business initiatives?
  • When was the last time we did a comprehensive compliance risk assessment?
  • Do we have effective internal controls?
  • If we believe so, how do we know?
  • When was the last time a compliance audit was conducted?
  • What were the results or lessons learned?
  • Did the company incorporate any of these lessons learned into an enhanced or modified compliance program?
  • On what criteria is the sales team evaluated?
  • Is there a compliance component to their annual review/evaluation?
  • What is the budget for the Compliance Department?
  • Is a senior person assigned to lead the company’s compliance efforts or is it everyone’s responsibility? (i.e., if everyone is in charge then no one is in charge.)

These are just some of the questions that come to my mind in looking at how a prosecutor might review a compliance program. There are obviously many, many others. I highly recommend that you consider some of these questions plus any that you can develop. I would also urge you to download, read and then keep handy the Primer. It is free and one of the best FCPA compliance resources around.

US Sentencing Guidelines

The Primer notes that the Principles are not the only source of authority which a prosecutor might refer to in evaluating a company’s compliance program during an enforcement action. The US Sentencing Guidelines note that one of the two factors which can mitigate downwards in determining the amount of a fine and penalty is “the existence of an effective compliance and ethics program”. Further, under the Amended November 2010 Guidelines, the Primer says that the “government may now significantly reduce fines and other sanctions if an organization takes reasonable steps to achieve compliance with its standards, e.g., by utilizing monitoring and auditing systems reasonably designed to detect criminal conduct by its employees and other agents.”

The Guidelines provide in broad parameters how a prosecutor will evaluate compliance programs during the pendency of an FCPA enforcement action. As such, they also provide guidance to the compliance practitioner on DOJ thinking. While there is not a specific program listed, the Guidelines place “an emphasis on the results of a program—that is, whether it is reasonably designed, implemented and enforced so that [it] is generally effective in preventing and deterring criminal conduct.” The Primer goes on to note that an effective compliance program consists of documentation that an organization “exercise[s] due diligence to prevent and detect criminal conduct; and otherwise promote[s] an organizational culture that encourages ethical conduct and a commitment to compliance with the law.”

One of the key factors is that the Guidelines do rely on the existence of a written compliance program. This means that a prosecutor’s primary focus is on the effectiveness of a company’s compliance program. The Primer lists out the following parameters, which the Guidelines suggest that a compliance program should minimally include and I cite from the Primer in its entirety:

  • The organization to “establish standards and procedures to prevent and detect criminal conduct.
  • The “organization’s governing authority . . . be knowledgeable about the content and operation of the compliance and ethics program and . . . exercise reasonable oversight . . .
  • High-level personnel of the organization . . . ensure that the organization has an effective . . . program . . . .
  • Specific individual(s) within the organization . . . be delegated day-to-day operational responsibility for the . . . program . . . [and] shall report periodically . . . on the effectiveness of the . . . program.
  • To carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority.
  • The “organization . . . use reasonable efforts not to include within the substantial authority personnel of the organization any individual whom the organization knew, or should have known . . . has engaged in illegal activities or other conduct inconsistent with an effective . . . program.
  • The “organization . . . take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the . . .program . . . by conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities, to “members of the governing authority, high-level personnel, substantial authority personnel, the organization’s employees, and, as appropriate, the organization’s agents.
  • The organization . . . take reasonable steps . . . to ensure that the organization’s . . . program is followed, including monitoring and auditing to detect criminal conduct.
  • The organization . . . take reasonable steps . . . to evaluate periodically the effectiveness of the organization’s . . . program.
  • The organization shall take reasonable steps . . . to have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.
  • The organization’s . . . program . . . be promoted and enforced consistently throughout the organization through appropriate incentives to perform in accordance with the . . . program; and appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct
  • After criminal conduct has been detected, the organization . . . take reasonable steps to respond appropriately to the criminal conduct and to prevent further similar criminal conduct, including making any necessary modifications to the organization’s . . . program
  • And in doing all of the above, “the organization . . . periodically assess the risk of criminal conduct and . . . take appropriate steps to design, implement, or modify each [above] requirement . . . to reduce the risk of criminal conduct identified through this process.

I believe that the DOJ has presented significant information to the compliance practitioner, not only about its most current thinking on what may constitute a minimum best practices compliance program in recent Deferred Prosecution Agreements (DPAs) and Non Prosecution Agreements (NPAs) but also, through the Principles and the Guidelines, about how a prosecutor will look at and analyze a company’s compliance program.

© Thomas R. Fox, 2012
