FCPA Compliance and Ethics Blog

June 19, 2014

What a Long Strange Trip It’s Been – The First 1000 Blog Posts

Yes, indeed the Grateful Dead can and does inform your compliance regime as today is my 1000th blog posting on the FCPA Compliance and Ethics Blog. To say that I ever thought I would see this day or this many blog posts, would portend a level of clairvoyance that even Carnac the Great could not conceive of pontificating upon. I had struggled with a theme for this momentous accomplishment but my sublimely-grounded English wife brought me down from the ethereal clouds with the following suggestion, “Even an old dog can learn new tricks.” Nothing like being married to a younger woman.

So today, I want to write about some of the things I have learned on this 4+ year journey, which began in late 2009/early 2010 after a serious automobile/bicycle event (Box Score: Hummer-1 Tom-0) where about the only thing I had on my hands was time while I was at home convalescing. I started to explore the world of social media, engaging on Twitter, webinaring from my home office and blogging. I was so un-savvy in this arena that about the only positive thing my teenaged daughter could say about me was “Dad, you are so unhip, you are retro. But that is cool too.” The first thing I learned was that even a complete computer misfit and social media idiot could set up a blog on WordPress. It is not only easy but free. I cannot say with any pride that some of my early blogs were very good but I can say that for a lawyer, whose only skill was to be able to perform word processing in Microsoft Word, I could type and then upload a blog post into WordPress. At that point in my blogging career, that was a major accomplishment.

Although it did take some time, I learned how to stop writing like a lawyer, with full citations in each blog, coupled with as much lawyerese as I could manage, by finally adjusting to a blogging format. I also relearned an old lesson, which says that if you really want to learn about a subject, write on it. I remember one of the first things I learned when researching the Travel Act was that this Kennedy era law, passed largely through the efforts of Bobby Kennedy, was designed to help in the fight against organized crime. So who would say a 60-year-old law cannot be used for a 21st century purpose? Or maybe even a Watergate-era law like the Foreign Corrupt Practices Act (FCPA) could not have an expansive use, beyond that for which it was passed in 1977? I also learned that if you put out solid content people will read and listen to what you have to say.

I learned there are some great people out there blogging in the ethics and compliance space. I have met some fabulous colleagues through my blogging who have not only been incredibly supportive but whom I now cherish as good friends. Some of them include Mike Koehler, the FCPA Professor, for his scholarly rigor and continued intellectual challenges. Dick Cassin, the Dean of FCPA bloggers, for his unflinching support to myself and so many others. Mike Volkov, former prosecutor and DC-insider, who is always around to bounce a tough question off. Howard Sklar, who was my This Week in FCPA podcast partner, until we lost him to the corporate world. Francine McKenna, a great and generous mentor for myself and many others and the go-to person on all issues in and around the accounting world. Jim McGrath, the internal investigations guy, who brings a former state prosecutor’s perspective to how investigations should be handled and critiqued. Matt Ellis, whose focus on and insights into South America (as in – it’s not a country) continue to shine a light on anti-corruption issues south of the border. Matt Kelly, Editor of Compliance Week, who saves some great witticisms for his weekly blog posts. These are but a very few of the folks I am now privileged to call friends because of my blogging.

I learned that there is way too much white noise in the FCPA space. The FCPA Professor calls them FCPA Inc. and Mike Volkov derides them as the FCPA paparazzi. Whatever you might call them, they put out reams and reams of information, sometimes useful but many times not. What I have tried to do is synthesize some of the most useful for the Chief Compliance Officer (CCO), compliance practitioner or anyone else who does the day-to-day work of anti-bribery/anti-corruption compliance. There are many, many things you can know but a far smaller subset of what you need to know. I try to bring to the compliance practitioner what they need to know. That is why the subtitle of my blog is ‘The Nuts and Bolts of FCPA Compliance’. I have tried to write about things which the compliance professional can use in the everyday practice of compliance.

I have learned that blog posts, which I thought were the most important, may turn out to be the least viewed blogs. Conversely, posts I did not think would be of great interest turned out to have the largest number of one-day hits. For instance, the largest single number of one-day hits I had was an article from two years ago about the SNC-Lavalin corruption investigation in Canada. [For a blog about FCPA compliance-go figure.] The second largest number was a recent blog post using the GM internal investigation as an exploration in the differences between a corporate legal function and its compliance function.

I have learned that by committing to something, you become much better at it. My first year of blogging, I tried to put out 2-3 blogs per week but beginning in 2011, I committed to a daily blog post. Once I made that commitment, blogging became a part of my workday. Once it became a part of my workday, it was like any other project or assignment. I had to set aside the time to work on it. It has made me a much more efficient and better writer to know that I need to write something, during my workday. Yes, there have been times I was up at 5 AM to write a post or stayed up way past my school-night bedtime trying to crank something out but those situations have become few and far between as I became more disciplined about my blogging.

But most of all I have learned that blogging is fun. It is fun because it is a challenge to write about something in an informative and engaging manner. It is fun to tie a Shakespeare play to a compliance and ethics theme. It is fun to read a week’s worth of Sherlock Holmes’ stories and tie a compliance topic to a story each day for one week. It is fun to find out what happened this day in history and use it as a hook to grab your readers’ attention. It is fun to engage in a debate with the FCPA Professor on a topic of mutual interest, where we look at the same thing, yet see it from different perspectives. And it is fun when you meet someone for the first time and after you introduce yourself, they say to you “When is a rose, not a rose? When it’s a FCPA violation”.

Where will the next 1000 blog posts take me? I have no clue but if they are as much fun as the first 1000 posts have been I hope that you will continue to join me on This Long Strange Trip.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

December 4, 2013

The Weatherford FCPA Settlement, Part III

Yesterday, I reviewed the conduct which Weatherford International Limited (Weatherford) engaged in over a period from 2002-2011 in connection with its Foreign Corrupt Practices Act (FCPA) investigation, noted the deficiencies in its compliance program and its internal controls and even how the company intentionally impeded the investigations of both the Department of Justice (DOJ) and Securities and Exchange Commission (SEC). Today, I want to look at how the company changed course in mid-stream during the investigation, brought in a top-notch and well respected lawyer as its Chief Compliance Officer (CCO), created a best-in-class compliance program; all of which saved the company millions of dollars in potential fines and penalties.

I. DOJ Fine Calculation

To resolve the criminal aspects of this case, Weatherford agreed to pay an $87.2 million criminal penalty as part of a Deferred Prosecution Agreement (DPA) with the DOJ. There was also another $65.6 million paid to the SEC. However the figure paid to the DOJ was at the very bottom range of a potential criminal penalty. The range listed in the DPA was from $87.2 to $174.3 million. In coming up with this range under the Federal Sentencing Guidelines, it is significant for the actions that Weatherford did not receive credit for during the pendency of the investigation. The company did not receive a credit for self-reporting. The company only received a -2 for its cooperation because prior to 2008 the company engaged in activities to impede the regulators’ investigation.

So the fine range could have been more favorable to the company. But the key is that Weatherford received the low end of the range. How did they do this?

A. New Sheriff in Town

One of the key things Weatherford did was bring in Billy Jacobson as its CCO and give him a seat at the table of the company’s Executive Board. He was a Federal Prosecutor in the Fraud Section, Criminal Division, US Department of Justice. He also served as an Assistant Chief for FCPA Enforcement Department so we can assume he understood the FCPA and how prosecutors think through issues. (Jacobson also worked as a State Prosecutor in New York City, with my former This Week in FCPA co-host Howard Sklar, so shout out to Howard.) Jacobson was not hired directly from the DOJ but after he had left the DOJ and had gone into private practice. There is nothing that shows credibility like bringing in a respected subject matter expert and giving that person the tools and resources to turn things around.

But more than simply bringing in a new sheriff, Weatherford turned this talk into action by substantially increasing its cooperation with the government, thoroughly investigating all issues, turning over the results to the DOJ and SEC and providing literally millions of pages of documents to the regulators. The company also cleaned house by terminating officers and employees who were responsible for the illegal conduct.

B. Increase in Compliance Function

In addition to establishing Jacobson in the high level CCO position, the company significantly increased the size of its compliance department by hiring 38 compliance professionals and conducted 30 anti-corruption compliance reviews in the countries in which Weatherford operates. This included the hiring of outside consultants to assess and review the company’s compliance program and beefing up due diligence on all third parties, including those in the sales and supply chain, joint venture (JV) partners and merger or acquisition (M&A) candidates. The company also agreed to continue to enhance its internal controls and books and records to prevent and/or detect future suspect conduct.

If you have ever heard any of the current Weatherford compliance professionals speak at FCPA conferences, you can appreciate that they are first rate; that they know their stuff and the company supports their efforts on an ongoing basis.

C. Best in Class Compliance Program

During the pendency of the investigation, Weatherford moved to create a best practices compliance program. They appear to have done so and agreed in the DPA to continue to maintain such a compliance program. Under Schedule C to the DPA, it set out the compliance program which the company had implemented and continued to keep in place, at least during the length of the DPA. It included the following components.

  1. High level commitment from company officials and senior management to do business in compliance with the FCPA.
  2. A substantive written anti-corruption compliance code of conduct.
  3. Written policies and procedures to implement this code of conduct.
  4. A robust system of internal controls, including accounting and financial controls.
  5. Risk assessments and risk reviews of its ongoing business.
  6. No less than annual assessments of its overall compliance program.
  7. Appropriate oversight and responsibility of a Chief Compliance Officer.
  8. Effective training for all employees and relevant third parties.
  9. An effective compliance function which can provide guidance to company employees.
  10. A robust internal reporting system.
  11. Effective investigations of any reported compliance issue.
  12. Appropriate incentives for employees to do business ethically and in compliance.
  13. Enforced discipline for any employee who violates the company’s compliance program.
  14. Suitable due diligence and management of third parties and business partners.
  15. A correct level of pre-acquisition due diligence for any merger or acquisition candidate, including a risk assessment and reporting to the DOJ if the company uncovers any FCPA-violative conduct during this pre-acquisition phase.
  16. As soon as practicable, Weatherford will integrate any newly acquired entity into its compliance regime, including training of all relevant new employees, a FCPA forensic audit and reporting of any ongoing violations.
  17. Ongoing monitoring, testing and auditing of the company’s compliance function, taking into account any “relevant developments in the field and the evolving international and industry standards.”

D. Monitor

Weatherford also agreed to an external monitor. However, the term of the monitor is not the entire length of the three-year DPA; the term of the monitor is only 18 months. The monitor’s primary function is to assess the company’s compliance with the terms of the DPA and report the results to the DOJ at least twice during the terms of the monitorship. After this 18 month term the DOJ will allow the company to self-report to the regulators. It should be noted that the term of the external monitor can be extended by the DOJ.

II. Conclusion

It certainly has been a long, strange journey for Weatherford. I should note that I have not discussed at all the Oil-For-Food aspect of this settlement, which was an additional $100MM penalty to the company. However, with regard to the FCPA aspects of the matter, there are some very solid and telling lessons to be drawn from this case. First and foremost is that cooperation is always the key. But more than simply cooperating in the investigation is that a company should take a pro-active approach to putting a best-in-class compliance program in place during, rather than after the investigation concludes. Also, a company cannot simply ‘talk-the-talk’ but must come through and do the work to gain the credit. The bribery schemes that the company had engaged in and the systemic failures of its compliance program and internal controls, should serve as a good set of examples for the compliance practitioner to use in assessing a compliance program.

The settlement also sends a clear message from both the DOJ and SEC on not only what type of conduct will be rewarded under the US Sentencing Guidelines, but what they expect as a compliance program. One does not have to read tea leaves or attempt to divine what might be an appropriate commitment to compliance to see what the regulators expect these days.


© Thomas R. Fox, 2013

December 14, 2012

A Cornucopia of Great FCPA Articles for Your Friday Consideration

It has been a great couple of weeks for articles regarding the Foreign Corrupt Practices Act (FCPA). While I have resisted having a Friday Round Up of all things FCPA compliance related because both the FCPA Professor, on his site and Dawn Lomer on iSight.com have two of the best, some of the articles that I have read over the past couple of weeks are well worth a post about. So with a tip of the hat to both of these blogging colleagues, I submit for your Friday consideration the three following authors with their superior articles.

The FCPA Professor

The FCPA Professor has published two excellent articles over the past two weeks on the FCPA. The first was his 80 page tome, “The Story Of The Foreign Corrupt Practices Act”. In this article, published in the Ohio State Law Journal, the Professor explored the more than two years of investigation, deliberation, and consideration, which led to the passage of the FCPA in 1977. Noting that it was “a pioneering statute and the first law in the world governing domestic business conduct with foreign government officials in foreign markets” the Professor wove together “information and events scattered in the FCPA’s voluminous legislative record to tell the FCPA’s story through original voices of actual participants who shaped the law.” In his article I learned who supported legislation aimed at stopping the bribing of foreign government officials and how the final legislation came into being after a long and arduous process.

This week, the Professor published his review of the Department of Justice FCPA Guidance, which came out last month, entitled “Grading the Foreign Corrupt Practices Act Guidance”. It was published in Bloomberg / BNA’s White Collar Crime Report. As you have come to expect from the Professor, his review is proactive. His abstract details some of the items he discusses, such as “(i) the enforcement agencies’ motivations in issuing the Guidance and the fact that it should have been issued years ago; (ii) the utility of the Guidance from an access-of-information perspective and how the Guidance can be used as a measuring stick for future enforcement agency activity; (iii) how the Guidance is an advocacy piece and not a well-balanced portrayal of the FCPA as it is replete with selective information, half-truths, and, worse information that is demonstratively false; (iv) how, despite the Guidance, much about FCPA enforcement remains opaque; and (v) how, despite the Guidance, FCPA reform remains a viable issue.”

As I once said about Dick Cassin and his FCPA Blog, “If the FCPA Blog didn’t exist, someone would have to create it and fortunately for us Dick has done so.” To this list I now must add the FCPA Professor, so to paraphrase Paul Samuelson, when asked to comment about Milton Friedman winning the Nobel Prize in Economics, “if the FCPA Professor didn’t exist, we would have to invent him.” You can agree or disagree with the Professor but he stirs debate and puts out topics for dialogue, which as the son of a Professor, is what I think that academicians should do.

Alexandra Wrage

For the longest time, my This Week In FCPA colleague Howard Sklar crowed to me about Alexandra and how he was such a big fan. Of course I knew of her and her work as President of Trace. Like many of us, I bemoaned the fact she no longer blogs on a regular basis. She does speak on a regular basis and early this year I heard her speak at the Beacon Events Corruption and Compliance South and Southeast Asia Summit. Fortunately she spoke after I did because she is a very dynamic speaker. In addition to her numerous speaking engagements, she does publish articles from time-to-time and yesterday we were treated to a most timely article on gift giving and gift receiving. It was published on the Corporate Insider blog site of Corporate Counsel and was entitled, “‘Tis the Season When Gifts Become Bribes”. In her article, Wrage explored the receipt of gifts by employees in the context of corruption. The article is certainly worth your time to read but she listed the points that any company or compliance professional needs to consider in a gift giving or gift receiving policy:

  • Gifts should be modest, tokens of esteem.
  • Ideally, they should bear the corporate logo or reflect the company’s products and they should be provided openly and transparently.
  • Delivering to an office is preferable to sending to a home address.
  • One gift-giving holiday or event should be observed. It doesn’t matter if it’s Diwali, Eid, the Lunar New Year, July 4th, or Christmas, but pick (only) one.
  • Perishable gifts of flowers or food are generally thought to be less risky, in part because they can’t be resold.
  • Give consistently and without regard to pending or recent procurement or other official decisions.
  • Follow corporate policy.
  • Document everything.
  • Give in good faith and without expectation of any quid pro quo.
  • A moderate annual affirmation of both new and longstanding relationships is not a bribe.

Good ideas to follow any time of the year.

Jim McGrath

Jim is a former prosecutor and chief legal officer of a federally funded drug task force so he comes with a different perspective than my civil law background. Jim blogs on his own site, the Internal Investigations Blog and as you may discern from the name of his blog, he tends to look at the investigative side of things. He did so again in a post entitled, “Little Things Mean A Lot: The FCPA Guide on Internal Investigations”. McGrath looked at the DOJ FCPA Guidance from his investigative perspective and came up with the following nugget: “An effective compliance program should include a mechanism for an organization’s employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation. Companies may employ, for example, anonymous hotlines or ombudsmen. Moreover, once an allegation is made, companies should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the company’s response, including any disciplinary or remediation measures taken.” From this he wrote that the “text mandates that companies not only have “in place an efficient [and] reliable . . . process for investigating [an] allegation”, but that it be “properly funded” as well.” [italics in original]

McGrath believes that this language should raise concerns for Chief Compliance Officers “across the land, since “properly funded internal investigation” has now been added to the pile of ill-defined terms such as “foreign official”, “instrumentality”, and “anything of value”.” Further he raised the following questions:

  • What happens if the unforeseeable occurs and the wheels come off in far greater severity than anticipated when the CCO stocked the internal probe war chest?
  • Will that shortcoming be considered a hallmark of a less-than-effective compliance program and militate against a non-prosecution or deferred prosecution agreement or will it factor into a higher culpability score and greater penalties?
  • And who – as if practitioners didn’t know – will decide these issues?

I recommend all of these articles and authors to you. Each brings a different perspective and each can help you build, create or enhance your compliance program to meet best standards. A good Friday to all and let us hope that the Texans can recover from their debacle in Boston.


© Thomas R. Fox, 2012

July 30, 2012

Internally Funding Your Compliance Program

Big banks are not doing too well these days in the compliance arena. From Barclays and the burgeoning LIBOR manipulation scandal; to HSBC and its money-laundering operations for drug cartels over the past several years; to the ongoing reckoning of JP Morgan and its $5 bn+ trading loss that it is still trying to extricate itself from several months after publicly announcing the loss, big banks seem to be more in the news these days for compliance failures rather than successes.

I saw an article in The Rector Factor section of the July 27 Houston Business Journal, entitled “Prepared company perspective for lenders, investors”, by columnist Bruce Rector that discussed some ideas that companies might draw upon when looking for financing. I thought it would be helpful for the compliance practitioner to use as a guide when putting together a budget, or other, request for funding a compliance initiative.

Rector wrote about the materials a company should put together and have ready when they are seeking financing from banks, investors or other financial institutions. He set out a list of information that a company should have prepared and be ready to present to such institutions because any entity or person who may provide funding is going to want to know some specific details about your company. He believes that management needs to anticipate such requirements and prepare in advance for it. He cautions not to wait until the last minute to put the information together or when you seek funding as “waiting until you need money is never the best time to go out and get it.” While you can be so mundane as to call this a “loan application” Rector believes that if you lay out the information in a coherent manner, it would allow an outsider to get some “perspective on the company”. Further, he believes that such information is actually “multipurpose and can be used to inspire and sell stakeholders – you, your bankers and investors, and your employees – on the business and its prospects” for your company. I have modified Rector’s recommendations for a ‘good application’ to steer them towards a Compliance Department.

  • Executive Summary. This should be no more than three (3) pages and it should convey excitement and impact. It must spell out your compliance mission and clearly state the opportunities that are presented for your compliance group to not only further the goals of compliance with the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act but how these opportunities will result in increased earnings and profits.
  • The Industry. Here is an opportunity for bench-marking within your industry. You should use credible research from recognized authorities or collect the information from your colleagues in other companies directly, if such information is available to you. You should focus on the size, growth and significance of compliance within your industry and the opportunities for growth within your company.
  • The Company. Here you should walk the reader through how your compliance program has grown; this could include organic growth, detailing areas that you may have engaged in as best practices have evolved, and growth of your compliance regime through acquisitions. You should also share major victories and tie all of these into your company values as set out in your published Code of Conduct.
  • Management and Ownership. Here is an opportunity for you to recognize the persons in your compliance organization. You should have an organizational chart, biographies of key personnel and anticipated hiring needs.
  • Financial Information/Projections. Here you should create a three-year forecast using best, probable and worst-case scenarios for each year on a cash basis. In this section you should include historical return on investment (ROI) figures from prior initiatives, to the extent that you have any and end with a current balance sheet that will indicate and extend top and bottom-line growth for your compliance department.
  • Purpose of the Investment. Here you need to be short, compelling and to the point. You should spell out precisely what you are asking for and reiterate what you will do with the funding.

My This Week in FCPA partner, Howard Sklar, often talks about the “internal marketing” of compliance. I believe that Rector’s suggestions in putting together information for financial investment would be a good way for a compliance practitioner to think about internally marketing compliance and internally seeking funding for compliance initiatives.


© Thomas R. Fox, 2012

May 31, 2012

Houston – The Epicenter of FCPA Conferences in June

Next month the 7th Annual Compliance Week Conference will be held in Washington DC. In my opinion, it is the very best all-around compliance conference in the country and I would urge you to attend if you can do so. However, in the month of June, the city of Houston is playing host to three of the best conferences focusing on the Foreign Corrupt Practices Act (FCPA) compliance that I have recently seen. If you are a compliance practitioner and want to hear about the most cutting edge best practices regarding FCPA compliance and meet some of the top compliance practitioners in the US, you should plan to attend one or all of these upcoming events. So for one month Houston will be the epicenter of FCPA conferences, rather than its prior moniker as the epicenter of FCPA enforcement actions.

University of Houston

The University of Houston, Law Center – Center for Consumer Law, is hosting the “First Annual Ethics and Compliance Symposium” on Thursday June 7. The event is billed as one “to provide practical advice about real-world challenges that face ethics and compliance officers. From training, to monitoring and auditing, to specific emerging risks like export controls, the Symposium is meant to be an interactive and useful event for the practicing E&C professional.”

The panelists include practitioners from the sponsoring law firm of Baker and McKenzie, notably Paul McNulty (he of the ‘McNulty’s maxims’) and White Collar specialist Ryan McConnell. There are also several Chief Compliance Officers (CCOs) from well-known local energy companies such as Doug Walter from Phillips 66, Jay Martin from Baker Hughes and Dan Chapman from Parker Drilling. Rounding out the presenters are those from forensic and consulting firms such as Michael Schwartz from KPMG, Ramsey Pace from FTI and Mike McConnell from Grant Thornton LLP.

Bottom Line: Anytime you can hear Paul McNulty talk about “What Enforcement Authorities Expect in a Company’s Compliance Program” drop what you are doing and go listen.

World Check

World Check continues its program of top FCPA speakers with an event in Houston on June 26. The panel includes two of the best compliance practitioners I know; my “This Week in FCPA” cohort Howard Sklar and Jonathan Marks, he of the Marks’ “13 Step FCPA Action Plan”. I have heard them both speak and they are good.

Howard will examine ‘Schedule C’, which is the Department of Justice’s (DOJ) minimum 13-point best practices list of elements which should be included in your compliance program. It is found in recent Deferred Prosecution Agreements (DPA) entered into by the DOJ. Howard provides a color-by-number guide to compliance in his usually cool, calm and collected manner.

Jonathan Marks, a Partner & Leader in the Fraud, Ethics & Anti-corruption Practice at Crowe Horwath LLP, will give an overview of how organizations can deter problems before they arise and how to work toward building or enhancing a culture of compliance that addresses both the FCPA and the UK Bribery Act. I have used Jonathan’s 13 Step FCPA Action Plan in my practice. It is an excellent guide by which you can evaluate or assess your current compliance program and it is flexible enough to act as a guidepost for compliance program implementation or enhancement.

Bottom Line: Are you kidding – would you miss the opportunity to see Howard Sklar rant in person? But seriously, I know both of these guys and they both know their stuff as well as anyone in the field. This is the Tuesday event that I will attend. And the price is right – as in the event is complimentary.

Hanson Wade – Oil and Gas Supply Chain Compliance

Hanson Wade has put together one of the absolute best aggregations of FCPA compliance talent that has ever come to Houston for a conference; over three days, June 26-28. I realize the first day overlaps with the World Check event but that’s the way the cookie crumbles. The first day of the conference is Workshop Day with two great workshops. One on Supplier Due Diligence presented by Paul Liebman and the second on Managing the Risk of Third Parties by Rich Battaglia.

I have previously written about Dan Chapman and his interview presaging the event. In addition to Dan and several other top CCOs from the Houston area, the conference will be the only Texas appearance of the FCPA Professor, Mike Koehler, who will moderate a panel on “Does the Current FCPA Enforcement Environment Adequately Recognize Good Faith Compliance?” In addition to Dan Chapman, the FCPA Professor and other CCOs who will speak, there are some of the very top compliance practitioners, from both in-house and private practice, who will speak about doing the business of compliance on a day-to-day basis. It all starts with Jeff Spalding, Assistant General Counsel of Halliburton who is the event’s Chairman. Also included are such compliance industry leaders as Julia Symon from KBR; Julian Ranzato from DHL; Sam Tate from BP; Steven Gyeszly from Weatherford; Arvind Sharma from Flowserve and Ronald Sponberg from Baker Hughes.

The topics will be among the most relevant and most informative that you could ever ask for. They include FCPA prosecutions and enforcement actions, risk assessments and risk intelligence, dealing with facilitation payments, FCPA compliance training, and FCPA risk assessment in merger and acquisition work and in dealing with joint ventures, auditing and compliance convergence. Simply put, the scope of the Hanson Wade event is as broad and far-ranging as you might ask for; nevertheless, the focus is on the compliance practitioner and the business of doing compliance inside a corporation.

Bottom Line: This is one of the very best FCPA conferences that has ever been staged in Houston. It will offer some of the most cutting edge best practices on a wide variety of issues that bedevil compliance practitioners on a day-to-day basis. This list of speakers is the most ‘A-List’ that has ever been seen at such an event in Houston. You owe it to yourself to attend.

For information on the Hanson Wade Conference, click here. For readers of this blog, a discount is offered by Hanson Wade. You can receive the discount by entering the online discount code: FOXLAW. You can also use this discount code if you register directly with Hanson Wade.

For information on the World Check event, click here. The event is free so no discount is needed.

For information on the University of Houston event, click here. Sorry but I haven’t been authorized to offer any discounts.


May 2, 2012

Morgan Stanley Goes One for One with a Best Practices Compliance Program

On Monday night, Houston Astros manager Brad Mills went to the mound five times to change pitchers against five straight New York Mets batters. This set the Astros twitter community literally ‘a-twitter’ as it was noted that, according to the Elias Sports Bureau, the “Astros became the 1st team in MLB history to use 5 different pitchers against 5 consecutive hitters.” Why did he do so? Mills has not made public his reasons, yet it seemed to work out, as only one of the five hitters was able to get a hit against the normally abysmal Astro relief corps. And the Astros actually won the game, which is an increasingly rare occurrence this season since having a winning record of 2-1 after three games.

I thought about the Mills treks to the mound last night when reading the recent Foreign Corrupt Practices Act (FCPA) enforcement action against former Morgan Stanley Managing Director Garth Peterson. According to the US Department of Justice (DOJ) Press Release, Peterson pled guilty to one count of criminal information charging him with “conspiring to evade internal accounting controls that Morgan Stanley was required to maintain under the FCPA.” Assistant Attorney General Lanny Breuer was quoted as saying, “Mr. Peterson admitted today that he actively sought to evade Morgan Stanley’s internal controls in an effort to enrich himself and a Chinese government official. As a Managing Director for Morgan Stanley, he had an obligation to adhere to the company’s internal controls; instead, he lied and cheated his way to personal profit.  Because of his corrupt conduct, he now faces the prospect of prison time.” Peterson will be sentenced in June.

The Allegations

According to the DOJ Press Release, Peterson conspired with others to circumvent Morgan Stanley’s internal controls in order to transfer a multi-million dollar ownership interest in a Shanghai building to himself and a Chinese public official with whom he had a personal friendship. Peterson encouraged Morgan Stanley to sell an interest in a Chinese real-estate deal to Shanghai Yongye Enterprise (Yongye) a state-owned and state-controlled entity through which Shanghai’s Luwan District managed its own property and facilitated outside investment.  Peterson falsely represented to others within Morgan Stanley that Yongye was purchasing the real-estate interest, when in fact Peterson knew the interest would be conveyed to a shell company controlled by him, a Chinese public official associated with Yongye and an un-named Canadian attorney. After Peterson and his co-conspirators falsely represented to Morgan Stanley that Yongye owned the shell company, Morgan Stanley sold the real-estate interest in 2006 to the shell company at a discount to the interest’s actual 2006 market value. As a result, the conspirators realized an immediate paper profit of more than $2.5 million. Even after the sale, Peterson and his co-conspirators continued to claim falsely that Yongye owned the shell company. In the years since Peterson and his co-conspirators gained control of the real-estate interest, they have periodically accepted equity distributions and the real-estate interest has appreciated in value.

Declination to Prosecute

However, the greater import of this enforcement action for my money was what did NOT happen to Morgan Stanley. They were not indicted. In fact both the DOJ, in its Press Release, and Securities and Exchange Commission (SEC), in its civil Complaint, went out of their way to praise the Morgan Stanley compliance program. This written praise not only demonstrated that companies receive credit from the DOJ for having a compliance program in place but also gave solid information as to why the DOJ declined to prosecute Morgan Stanley. In other words, it was a very public pronouncement of a declination to prosecute.

The SEC Complaint detailed the compliance program Morgan Stanley had in place and how it directly related to Peterson. The Complaint specified:

(1) Morgan Stanley trained Peterson on anti-corruption policies and the FCPA at least seven times between 2002 and 2008. In addition to other live and web based training, Peterson participated in a teleconference training conducted by Morgan Stanley’s Global Head of Litigation and Global Head of Morgan Stanley’s Anti-Corruption Group in June 2006.

(2) Morgan Stanley distributed to Peterson written training materials specifically addressing the FCPA, which Peterson maintained in his office.

(3) A Morgan Stanley compliance officer specifically informed Peterson in 2004 that employees of Yongye, a Chinese state-owned entity, were government officials for purposes of the FCPA.

(4) Peterson received from Morgan Stanley at least thirty five FCPA-compliance reminders. These reminders included FCPA-specific distributions; circulations and reminders of Morgan Stanley’s Code of Conduct, which included policies that directly addressed the FCPA; various reminders concerning Morgan Stanley’s policies on gift-giving and entertainment; the circulation of Morgan Stanley’s Global Anti-Bribery Policy; guidance on the engagement of consultants; and policies addressing specific high-risk events, including the Beijing Olympics.

(5) Morgan Stanley required Peterson on multiple occasions to certify his compliance with the FCPA. These written certifications were maintained in Peterson’s permanent employment record.

(6) Morgan Stanley required each of its employees, including Peterson, annually to certify adherence to Morgan Stanley’s Code of Conduct, which included a portion specifically addressing corruption risks and activities that would violate the FCPA.

(7) Morgan Stanley required its employees, including Peterson, annually to disclose their outside business interests.

(8) Morgan Stanley had policies to conduct due diligence on its foreign business partners, conducted due diligence on the Chinese Official and Yongye before initially conducting business with them, and generally imposed an approval process for payments made in the course of its real estate investments. Both were meant to ensure, among other things, that transactions were conducted in accordance with management’s authorization and to prevent improper payments, including the transfer of things of value to officials of foreign governments.

Based on the foregoing, the DOJ declined to prosecute Morgan Stanley and noted in its Press Release, “After considering all the available facts and circumstances, including that Morgan Stanley constructed and maintained a system of internal controls, which provided reasonable assurances that its employees were not bribing government officials, the Department of Justice declined to bring any enforcement action against Morgan Stanley related to Peterson’s conduct.  The company voluntarily disclosed this matter and has cooperated throughout the department’s investigation.”

Compliance Program as Compliance Defense

The second point of note in this enforcement action is that if it was not clear that a company receives credit for having a best practices compliance program it is now. Recognizing that a compliance program is not available as a formal affirmative defense, it is clear that Morgan Stanley was able to use not only their written compliance program, but its ongoing maintenance, communication and due diligence aspects to shield the employer from liability. Remember that Peterson was a Managing Director for Morgan Stanley. This is not a low level functionary but a person far up the food chain. Neither the DOJ nor the SEC invoked the doctrine of Respondeat Superior in any enforcement action against Morgan Stanley. The bottom line is what the DOJ and SEC representatives have been saying all along and that is that companies with best practices compliance programs receive credit in negotiating with the government. Here the DOJ spelled it out in their Press Release so kudos to the DOJ and SEC for doing so in such a public manner.

What Can You Do?

So what can you as a compliance officer do with the lessons learned from this enforcement action? Borrowing from my This Week in FCPA Colleague Howard Sklar’s recent blog post, entitled “The Most Marketable Compliance Officer In The World” I suggest the following:

(1) Regularly update your policies and procedures. The DOJ has said over and over, and has included in Schedule C – its description of an effective anti-corruption compliance program – that companies must update programs, and have several areas of compliance mentioned. Morgan Stanley took that lesson and did exactly what the DOJ expected.

(2) Increase the frequency of your training. Peterson was trained on the FCPA seven times and over a 7-year period Morgan Stanley trained its Asia-based employees 54 times on anti-corruption. This clearly shows that training is important and the documentation of training is critical. How else was Morgan Stanley able to demonstrate to the DOJ just how many training sessions Peterson had sat through?

(3) Send out compliance reminders. Peterson received reminders about FCPA compliance 35 times. This is an easy and quick action that you can take often. You can send them out by email, use your internal messaging system or a myriad of other media. Better yet, you could write an email for your company President pointing out that Morgan Stanley was NOT indicted because it had such a robust compliance program.

(4) Engage in ongoing Due Diligence, including transaction monitoring. As Howard noted, “Morgan Stanley had a robust due diligence program. The program included transaction monitoring – a sure sign that a company really cares about diligence is the extent it realizes diligence is ongoing – and included random audits of people and partners.” Ongoing due diligence and monitoring is becoming the new normal so I suggest that you get ahead of the curve, as in now.

I believe that the Peterson enforcement action is one of the most significant in 2012 to date. It provides solid guidance to the compliance practitioner on what the DOJ and SEC think is important and gives you actions that you can engage in now to increase the visibility of your compliance program within your company. Kudos to Morgan Stanley for their compliance victory. You do not have to parade in five pitchers to pitch to five different batters as Brad Mills did, but I think the import should be to take action now.


May 1, 2012

Welcome to Howard’s Nightmare and How to Deal with It-(spoiler alert-Internal Controls)

Ed. Note-as most of you will recognize, Henry Mixon is a frequent guest commentator, focusing on internal controls as a part of a best practices compliance program. He recently called me and said that he thought he could provide some information which might help my This Week in FCPA co-host Howard Sklar get some sleep by suggesting a way to deal with his “Nightmare Scenario”. I asked Henry to write up a blog post and this is what he delivered.

In his Nightmare Scenario posted on his OpenAir Blog, Howard Sklar wrote about a very bad dream in which a $5 payment to a customs official in a foreign country by a business development employee might result in the employer filing an 8-K to report a violation of the FCPA.  The employee who paid the USD 5 to the customs agent included the payment in his expense report as “tips.”

Howard references the examples in SEC Staff Accounting Bulletin 99 in which a transaction can become material for SEC reporting purposes, even though it falls well below the typically-used percentage thresholds used by auditors and preparers of financial statements. Two of the considerations from the Staff Accounting Bulletin which can transform a small misstatement into a material one are:

  • whether the misstatement affects the registrant’s compliance with regulatory requirements, and
  • whether the misstatement involves concealment of an unlawful transaction.

I agree with Howard’s concerns about the potential impact of transactions typically considered immaterial. The risk of the 8-K being required may not result from a single USD 5 payment, but can certainly result from a pattern of individually immaterial illegal payments made over time.

When processing reimbursement for transactions occurring outside the US, I believe a different mindset for internal controls is needed.  First, the amount of a transaction is not as important as the nature and whether the transaction has proper business purpose. Many approvers in US companies do not focus on that important difference.

Second, internal controls in many US companies do not focus on the prevention of illegal payments, but instead focus on detection.

Expense report reviewers should be trained to look for Red Flags and to question suspicious items, or items for which proper business purpose is not clearly documented, regardless of perceived materiality.  For example, standard procedure for expense reports is to describe who, what, where, when, and why.  Failure to provide such transparent description should be a Red Flag, whether the requested reimbursement is for meals, hotel, taxi, car rental or any other “common” expense report items.

I would certainly never advise a client to develop internal controls specifically designed to deal with very small dollar items.  However, in the FCPA world, controls should be designed on the basis of the risk profile of the transaction, not the dollar amount. Expense reports of employees traveling to high corruption risk locations outside the US should be high on any risk profile.

Relatively small amounts paid frequently can result in violations of meaningful proportions, especially if all adopt the belief that small illegal payments are permitted and concealment can be rationalized.

In particular, creating the wrong mindset in the business development function can lead to Nightmare Scenario II:  illegal payments made when they result directly in obtaining or retaining business, rather than a payment made to a customs official to be allowed to cross a border.

If nobody questions the concealed illegal payment to a customs official, might an employee see opportunity, and rationalize misbehavior, when a potential customer asks for a bribe in exchange for business advantage?

So, while Nightmare Scenario might not occur for one payment made to be allowed to cross a border, how many payments to government officials concealed in expense reports are required before Nightmare Scenario II becomes reality?


February 15, 2012

The Mercury 7, Chuck Duross and Continuous Improvement to Your Compliance Program

Next Monday, February 20, 2012 is the 50th anniversary of the first American manned orbital space flight. It made John Glenn a national hero and heralded America’s move into direct competition with the (then) Soviet Union for the race to put the first man on the moon. In an article in the New York Times, entitled, “At 90, John Glenn Looks Back” reporter John Noble Wilford wrote about this flight, the Mercury program and Glenn based upon two interviews with the ex-astronaut and former Senator from Ohio. This coming Saturday, Glenn will be honored at Cape Canaveral at a celebration of the remaining members of the Mercury space team.

These original seven astronauts, known as the “Mercury 7”, were true American heroes. Anyone interested in science in the slightest bit in the 60s knew who these men were. They were featured in Life Magazine with their families and each of their space flights was covered on live television by all three networks. Glenn is one of two of the original Mercury astronauts still alive, the other being Scott Carpenter, who will also be honored on Saturday. The remaining astronauts of the Mercury 7 were Deke Slayton, Gus Grissom, Alan Shepard, Gordon Cooper and Wally Schirra. They were immortalized for a later generation by Tom Wolfe, in his book, “The Right Stuff”.

So what is the compliance angle here? It is that NASA created an entire system, consisting of processes and procedures to put a man on the moon. Were there setbacks? Yes, the Apollo 1 tragedy still resonates at NASA today. However NASA moved forward and fulfilled President Kennedy’s vow to put a man on the moon by the end of the decade. NASA did this largely by continuous improvement of its system.

I thought about this article while reading the tweets coming from my “This Week in FCPA” co-host Howard Sklar last night. Howard is in Hong Kong, chairing the Anti-Corruption Asia Congress this week. Yesterday, Chuck Duross, Deputy Chief, Foreign Corrupt Practices Act (FCPA) Unit, United States Department of Justice (DOJ) spoke to the event and Howard tweeted some of the highlights of Chuck’s remarks. They included:

  • To combat corruption, there needs to be political will, as it requires prosecution of bribe takers as well as bribe payers.
  • Do not assume that your company is immune from FCPA liability just because you are not a US company. Here you should note that 9 out of the 10 FCPA settlements of all-time are with non-US based companies.
  • Charging individuals is leading to more trials. Last year the DOJ tried 3,000 cases and there were 4 FCPA trials. In Chuck’s words (as tweeted by Howard), “Let’s all take a breath”.
  • There was an FCPA trial first: a foreign official, charged with money laundering, testified against the business bribe-payer. Here it is important to note that the DOJ can and will charge foreign government officials.
  • Turning to some specifics of compliance programs, Duross remarked that companies using half-measures to prevent bribery are at risk.
  • Companies will receive a significant benefit for having robust compliance programs: lower fines, DPA/NPA, even not having a monitor. He gave some examples; Noble got an NPA, paid $2.6 MM, no monitor. Pride which sustained substantial cooperation with the DOJ, received below-the-guideline range penalty of 55%.
  • Turning to the facilitation payment exception, Duross said that it is a narrow one: it’s usually illegal locally where it is paid, discouraged in US, illegal internationally.
  • He emphasized that third party agents need to be properly vetted.
  • He noted that other violations of US law often accompany FCPA violations, such as anti-competitive behavior, trade violations, embezzlement, and money laundering.
  • He emphasized that your company should do what it can do regarding your compliance program. If necessary, at first, change the tone at the top. Make it clear that illegal acts will not be tolerated. But you must mean it. Vocal support is necessary, but management’s commitment cannot end there. Compliance is a cost center: management must back up vocal support of compliance with budget and resources.
  • Next Duross suggested that companies reevaluate internal controls. They should take the time to review and test, think critically about risk.
  • The DOJ looks at proactive compliance efforts when deciding how and whether to prosecute. He also suggested that your company might consider joining an integrity pact.
  • Howard’s tweets ended with this suggestion: that it is important to TEST your compliance program. You can run a fake invoice through your system which has information which should raise red flags. You can run information through the hotline and see what happens. That impresses the DOJ.

The last few points raised by Duross emphasized to me the process of compliance. But as important as putting the program in place is testing the program and using the lessons learned to upgrade and update your compliance program. While we celebrate John Glenn, the Mercury 7 and NASA for what they achieved, we should remember that NASA used continuous improvement in its space program. These same techniques can be brought to bear in your compliance program. Based upon the remarks of Chuck Duross, such monitoring, improvement and upgrades will be counted in a positive light by the DOJ if you are involved in a FCPA enforcement action.


February 10, 2012

Two Great Upcoming Webinars

There are two upcoming FCPA and compliance webinars that I want to tell you about. They will provide to you some excellent information on the FCPA and compliance in general.

The first will be presented by Patrick Kelkar, partner at The Mintz Group, and me. We will present a webinar, hosted by Ethics Point, on Tuesday, February 14 at 1 PM EST. We will discuss altering areas of FCPA enforcement that present higher or different risk as evidenced by recent legal actions. Patrick will use the incredibly fabulous resource of The Mintz Group’s new “Where the Bribes Are” FCPA heat map to lead a discussion of new trends in the marketplace, specifically around new areas that present greater or different FCPA risks. We will use it to explore examples of industry-specific FCPA cases in Energy/Defense/Aero and geographically specific cases, such as Brazil. Lastly we will discuss specific cases associated with new minimum best practices moving forward (specifically Johnson & Johnson and Aon). For information, click here.

Second, my “This Week in FCPA” colleague Howard Sklar squares off in a battle royal with the FCPA Professor, Mike Koehler, in a discussion/debate on the merits of a compliance defense under the FCPA. The event is hosted by Bruce Carton at Securities Docket and is scheduled for Tuesday, February 21 at 12 noon, EST.

Drawing upon his just-released paper on the topic (“Revisiting a Foreign Corrupt Practices Act Compliance Defense”), Professor Koehler will argue in favor of Congress creating an FCPA compliance defense. He will explain why the unique aspects and challenges of complying with the FCPA in the global marketplace warrant a specific FCPA compliance defense and how the DOJ already recognizes a de facto FCPA compliance defense, albeit in opaque, inconsistent and unpredictable ways. Howard Sklar contends that there are two overriding reasons why Congress should not include a compliance defense to violations of the FCPA. Sklar contends that corporations will not see any incremental benefit from making effective compliance a defense, and, moreover, that taking discretion out of the hands of the prosecutors will create unintended and adverse consequences that will more than offset any slight benefit corporations may obtain. For information, click here.

I hope that you can attend both of these great events.

February 1, 2012

Third Party Checkup

In a January 29, 2012 editorial in the New York Times (NYT), entitled “Made in the World”, columnist Thomas Friedman wrote about the end of ‘outsourcing’; his thesis being the “world is now so integrated that there is no “out” and no “in” anymore. In their businesses, every product and many services now are imagined, designed, marketed and built through global supply chains that seek to access the best quality talent at the lowest cost, wherever it exists.” However, the ‘cheapest’ does not necessarily mean the best for your company.

What are your company’s risks for not knowing such information? Clearly anti-corruption legislation has remedies for civil and criminal liability. However, equally great may be reputational damage, “even from public investigations into a third party.” Put another way, how do you think the folks at Apple felt when they woke up on the morning of January 25, 2012 to find the following headline on the front page of the NYT “In China, Human Costs are Built into an iPad”?

In a recent White Paper, entitled “Third Party Essentials: A Reputation/Liability Checkup When Using Third Parties Globally”, authors Marjorie Doyle and Diana Lutz posit that in most foreign business partner relationships, your company will be held responsible for the actions of third parties which work for and with your company. The new global expectation is that “you know who they are, you have vetted them and you are in control of the activities for which you hired them.” They further believe that such is even more important when anti-corruption and anti-bribery laws, such as the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other OECD based legislation, are applicable. They note, “Gone are the days when organizations could wash their hands of liability or damage to reputation from outsourced work due to ethics and compliance failure.”

To help companies navigate through the issues, the authors have prepared a checklist to test an “organizations health status concerning your relationship to your third parties.” It is as follows:

  1. Do you have a list or database of all your third parties and their information? Does your company have a full list of all third parties including such basic information as name, location, type of services provided, contract files and dates, principals of the third party and primary contact, due diligence files and any other information you might need to manage the third party relationship going forward?
  2. Have you done a risk assessment of your third parties and prioritized them by level of risk? You need to know which third party services present the greatest risk to your company by asking some of the following questions: (a) Is the third party’s service critical to your business?; (b) Is the third party’s service performed with little company supervision or oversight?; (c) Does the third party have access to any company funds, resources or assets?; (d) Can the third party fund the company contractually?; and (e) Does the third party obtain any foreign governmental licenses, certifications or other approvals for your company?
  3. Do you have a due diligence process for the selection of third parties, based on the risk assessment? You should use the information determined through the risk assessment to “tailor the level of diligence to the level of risk.” Assign a risk profile to categories, such as high, medium and low. The higher the risk, the more due diligence will be required to vet the third party.
  4. Once the risk categories have been determined, create a written due diligence process. Here you need to have a written policy and defined procedures to implement that policy. The policy should include the following: (a) who is responsible for implementation; (b) list of red flags and how such red flags are to be dealt with and cleared; (c) a procedure to pay for any due diligence performed; (d) reference checks on third parties; (e) procedures for in-person interviews for third parties in a high risk category; (f) conflicts of interest checks, and (g) process for documentation and storage of all of the above information.
  5. Once the third party has been selected based on the due diligence process, do you have a contract with the third party stating all the expectations? In addition to your standard commercial terms, your third party contract should also include compliance terms and conditions, which should include the following: (a) anti-corruption and anti-bribery certification; (b) requirement that the third party maintain accurate books and records and that your company has audit rights; (c) indemnity rights; (d) anti-corruption and anti-bribery training for the third party’s employees; (e) an anonymous reporting mechanism for ethics complaints; (f) require the third party to obtain pre-approval to subcontract out any of its work for your company; (g) require the third party to report any ownership change back to your company, and lastly (h) clear termination rights.
  6. Is there someone in your organization who is responsible for the management of each of your third parties? Just as your company would never have an employee who is not supervised, your company should not have a third party which does not have company oversight. You should designate a manager to maintain the third party relationship with your company. Such relationship manager should maintain and update documentation on the third party, work with Internal Audit to schedule and perform audits, meet regularly with the third party and oversee adherence to the third party’s contract with your company.
  7. What are “red flags” regarding a third party? Red flags are generally recognized as signs or situations which should give rise to further investigation by your company. While there are innumerable questions which can be asked and answered, I believe that red flags are generally organized into one or more of the following categories: (a) something seems out of the ordinary; (b) reluctance of party to supply information/difficulty of verifying information; (c) the company/services/principals are not verifiable by data, only anecdotally; and (d) mismatch in business experience with the product or services offered. Whatever red flags you list, if they are undiscovered or left unresolved, it could certainly cost a reputational loss or worse for your company.

Many companies understand the maxim “Know Your Customer (KYC)”; nevertheless, in today’s global economy this maxim may well need to be expanded to “Know Your Third Party”. The authors conclude by agreeing with Thomas Friedman’s observation in his Op-Ed piece “that there is no “out” and no “in” anymore” and that “the rule is: Source everywhere, manufacture everywhere, sell everywhere.” However, this opportunity brings potential costs. Your company should “apply the same rigor in selecting, training and managing third parties” as it does for its own employees. A good place to start is with a third party checkup.

============================================================================================
Episode 29 of This Week in FCPA is up. Howard Sklar and I visit with the winning defense lawyers in the O’Shea case.

============================================================================================

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012
