WHO Should Handle Serious Internal Investigations?

In the most recent issue of the SCCE, Compliance and Ethics Professional Magazine, Issue 08/2011, is an article entitled “Foxes and henhouses: The importance of independent counsel”, in which author Dan Dunne discussed what he termed a “critical element” in any whistleblower response, which is a “fair and objective evaluation.” Dunne wrote that a key component of this fair and objective evaluation is the WHO question; that is, who should supervise the investigation and who should handle the investigation? Dunne’s clear conclusion is that independent counsel should handle any serious investigation.

Dunne list three factors which he believes should cause a company to retain independent counsel for internal investigations of serious whistleblower complaints. First, for any corporate ethics policy to be effective, it must be perceived to be fair. André Agassi was right, perception is reality. If your employees do not believe that the investigation is fair and impartial, then it is not fair and impartial. Further, those involved must have confidence that any internal investigation is treated seriously and objectively.

Secondly, if regular outside counsel investigates their own prior legal work or legal advice, Dunne believes that “a plethora of loyalty and privilege issues” can come up in the internal investigation. It is a rare legal investigation, where the lawyer or law firm which provided the legal advice and then investigates anything having to do with said legal advice, finds anything wrong with its legal advice. Dunne also notes that if the law firm which performs the internal investigation has to waive attorney client privilege, it may also have to do the same for all its legal work for the company.

The third point Dunne raises is the relationship of the regular outside counsel or law firm with regulatory authorities. If a company’s regular outside counsel performs the internal investigation and the results turn out favorably for the company, the regulators may ask if the investigation was a “whitewash”. If a regulatory authority, such as the Securities and Exchange Commission (SEC) or Department of Justice (DOJ) cannot rely on a company’s own internal investigation, it may perform the investigation all over again with its own personnel. Further, these regulators may believe that the company, and its law firm, has engaged in a cover-up. This is certainly not the way to buy credibility.

Jim McGrath, writing in his Internal Investigations Blog, noted that despite the fact that using specialized investigation counsel is a best practice that is worth the money, one of the more difficult things is convincing decision-makers of the this advantage. This is particularly so when speaking with mid- or small-sized companies that are part of larger supply chains. While general counsels and compliance officers may be up to speed on outsourcing critical inquiries, managers in business segments often are not and frequently reply that they’ve “got someone” in the company who “takes care of that stuff.” However, it is clear that such an approach will be more costly to a company in the long run. McGrath emphasizes the need for independent counsel for serious corporate investigations.

I would add a couple more reasons to those listed by Dunne and McGrath. If there are serious allegations made concerning your company’s employees engaging in criminal conduct, a serious response is required. Your company needs to hire some seriously good lawyers to handle any internal investigation. These lawyers need to have independence from the company so do not call your regular corporate counsel. Hire some seriously good investigative lawyers.

I believe that there is another reason to hire outside counsel. It is also important because, no matter what the outcome of your investigation, you will most probably have to deal with the government. If the investigation does reveal actionable conduct, your company will need legal counsel who is most probably an ex-DOJ prosecutor or ex-AUSA to get your company through that process. Even if there is a finding of no criminal activity, you will need very competent and very credible counsel to explain the investigation protocol and its results to the government.

One need only look at L’Affair Renault to see the hazards of not following the WHO approach of Dunne, McGrath or myself.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.
© Thomas R. Fox, 2011

A Modern Fairy Tale: The Company Which Cried Wolf or Lessons Learned from L’Affaire Renault

Once upon a time there was a boy who went to the town square and cried “The Wolf is coming to steal our secrets!” The townspeople all gathered ‘round and asked him how he knew this. “A person named NoMan told me,” he declared. But there was more, as the boy told the now rapt townsfolk “And he said if you give me some money to help pay his ‘expenses’, I can find out when and how the Wolf  will steal our secrets.” As this town was in France, they immediately gave the boy €450,000 (or €700,000 depending on the version of the fairy tale) and he and the money were never seen again.

I. The Tale

Most people in the compliance world have by now heard about L’Affaire Renault. As reported  extensively in the Wall Street Journal (WSJ), the affair became public in January of this year, when Renault fired three top officials for allegedly selling secret information regarding the company’s electric car program. These allegations were based upon information which came from an unknown informant who claimed that the three terminated officials had large Swiss bank accounts funded by monies which came from the sale of this information. This unknown informant was paid for his information, by two Renault security department employees, and then allegedly onto another party, who eventually passed along some or all of the Renault payment to the informant.

If all of this sounds confusing, well it is. The inquiry began last August with an anonymous letter to company officials stating that one of the now terminated employees was overheard “negotiating a bribe”. By December, the company’s security department had “assembled elements pointing to the existence of bank accounts in Switzerland and Liechtenstein.” The accused employees were terminated in January, 2011. On March 14, the WSJ reported that “state prosecutor Jean-Claude Marin on Monday said his investigation showed that the three didn’t have bank accounts in those countries.” On March 15, the WSJ reported that the Chief Executive Officer (CEO) of the French car maker Renault apologized on national television for the wrongful termination of three company officials for improper allegations of industrial espionage. In addition to this apology, he offered to meet the men and propose that they rejoin the company. They also would be offered compensation, “taking into account the serious hurt that they and their families have suffered…” This case (and the introductory fairy tale) presents several very large ‘Lessons Learned’ for any company which engages in an anti-corruption, anti-bribery or fraud investigation and then disciplines or terminates employees based upon the investigation.

II. The Moral

Look Before You Leap

Our colleague, Lindsey Khan wrote about Fraud Investigation Preparation in a two part series posted on her blog isight.com. Over this two part series, she reviewed author Stephen Pednealut’s book, “Anatomy of a Fraud Investigation”, in which he outlined the steps a company should take when preparing for a fraud investigation. Imagine where Renault might be if they had read Lindsey’s blog. I digress to say you should bookmark and read Lindsey’s blog as she regularly writes on investigations and even provides an investigation template on a complimentary basis.

The first thing to emphasize is that a company cannot over-prepare for such an investigation. With this in mind, here are seven steps he suggested a company should take before they begin a fraud investigation:

1. Timing. If the target(s) know you are on to them, they will have absconded so make this initial determination.

2. Strategize. Figure out who needs to be involved in the investigation and meet as soon as possible to explore options and discuss how they will move forward with the investigation, as each one differs based on the goals, circumstances and people involved.

3. Review laws, policies and other documents. Obtain everything of significance before you start the investigation and then secure it.

4. Available information. If your company uses outside investigators, make certain that they understand company structure, infrastructure and relationships.

5. Whistleblower protection and confidentiality. Although this information or source may need protection, the identity must be known and verified.

6. Lock down evidence. Physical and electronic evidence need to be gathered and secured as soon as possible.

7. Resource allocation. Make sure your company has the tools you need to gather evidence and label it properly for storage.

You Leapt, Now What?

Your actions after you have followed Pedneault’s seven preparation steps will be equally, if not more important. First and foremost your investigation must be thorough. In other words, if the key part of the allegation is that bribes were being funneled into a Swiss bank account, your company had better make certain this information is correct before you go and make that public pronouncement. You should endeavor to make certain that your company CEO does not, as reported in the WSJ, proclaim the statement made by the CEO of Renault when he said publicly “that the company had evidence against them” regarding the existence of foreign bank accounts. Over two months after this public statement, neither Renault nor the French Prosecutor’s Office had discovered such evidence to back up this allegation.

Keep A Sense of Balance

Attorney Stephen Pearlman, quoted in the WSJ, noted that a company must approach any such allegations “with a real sense of balance” and not “over-react.” Mr. Pearlman said he recently had a client who received an anonymous tip on some alleged wrongdoing and wanted to act before the investigation was done. “I told them, ‘You’ve got to take a deep breath, don’t overreact” he recalled.

Robert Fatovic, the chief legal officer at Ryder System Inc., also quoted in the WSJ, said “Renault is the poster child for why you want to approach these situations with a sense of balance, and not have people rush to judgment.”  Fatovic also noted that “By ending an investigation prematurely, you run the risk of a frivolous issue going public too soon.” Or having your CEO go on national television and personally apologize to those wrongfully accused.

Get Some Serious Advice

So how does a company tread through this minefield? If there are serious allegations made concerning employees engaging in criminal conduct a serious response is required. The first thing to do is hire some seriously good lawyers to handle the investigation. These lawyers need to have independence from the company so do not call your regular corporate counsel.  Do not send down Internal Audit or HR to take a look at things and report back. Attorney Jim McGrath, writing in Internal Investigations Blog, drives this point home by stating, “Despite the fact that using specialized investigation counsel is a best practice that is worth the money, one of the more difficult things is convincing decision-makers of the same… The Renault scandal reiterates the need of companies of all sizes to go outside to specialized counsel for sensitive inquiries.”

The hiring of outside counsel is also important because you will most probably have to deal with a government. If the investigation does reveal actionable conduct and you are in the US, your company will need legal counsel who is most probably an ex-Department of Justice prosecutor or ex-US Attorney to get your company through that process. Even if there is a finding of no criminal activity, you will need very competent and very credible counsel to explain the investigation protocol and its results to the government. If you are in the UK you need to hire someone with credible Serious Fraud Office- type experience or an ex-Crown Prosecutor. If you are in France, well you are in France.

There is a very good list of attorneys who specialize in the FCPA provided by my colleague Howard Sklar in his blog entitled “Getting Advice”. He knows the folks he listed personally and tells you their strengths. It is a great resource and now would be an excellent time to use it.

Don’t Pay Bounties to Unknown Persons for Unsubstantiated Rumors

A very troubling aspect of this case is the payment for the information. The payment itself has reportedly ranged from a high of €700,000 to €450,000 down to €250,000. It is not clear as to the timing of this payment but apparently the payment was handled by two security department employees, who handed it over to a third person, not the informant, who resided in Algeria. This third party in Algeria now cannot be located and the WSJ reported that initially “an employee in the security unit refused to disclose to Renault who ultimately received the money…” Reuters has reported that French criminal justice officials are now investigating the two security department employees regarding whom this anonymous source was and where the money went. The WSJ later reported that this employee, who has been in custody for a couple of weeks, has finally named this anonymous source.

Many US companies are worried about the impact of the Dodd-Frank Whistleblower provisions. However, a clear difference is that Dodd-Frank requires substantiated securities violation, as in an admission by a company, settlement agreement or judicial finding, for payment of any bounty rewards. In L’Affaire Renault, the company apparently paid a bounty to an unknown source, for unsubstantiated information, which did not result in any criminal finding or even a civil wrong. Whatever your company does DO NOT PAY BOUNTIES TO PERSONS UNKNOWN.

The moral of the fairy tale that started our piece and L’Affaire Renault is that your company needs to get it right. The costs for not doing so are simply too great.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

Disclosure and Negotiating with the Government – A FCPA Conundrum?-Part I

All compliance programs are designed to prevent, detect and deter ethical violations. In the United States, they are also designed to bring companies into compliance with the Foreign Corrupt Practices Act (FCPA). However, as important as these programs are, it is equally important for a company to deal with any alleged FCPA violations which may arise. The disclosure to and negotiating with the appropriate US governmental agencies charged with enforcement of the FCPA is as critical task which a General Counsel or Chief Compliance Officer may face. Over the next two posting, we will discuss this topic and give some guidelines which a company may consider if such an eventuality occurs. This post will discuss the issue of whether or not a company should self-report a potential or actual FCPA violation. In our next post, we will continue this discussion by focusing the process after self-disclosure.

The question which sits at the forefront is whether to self-report to the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) thereafter. Unfortunately there is no easy answer to this question and to make this decision will require a thorough and thoughtful analysis and perhaps some deep soul searching by any company which uncovers or is made aware of a potential FCPA violation. This article will explore this issue.

The Issue

The initial question of whether or not to self-report came up in 2010 in two of the major FCPA investigations. The first was Avon, which self-reported some three months after initial notification via an internal company whistleblower, the second, in contrast, was HP, where both the DOJ and SEC announced investigations after a story appeared in the Wall Street Journal detailing the allegations and reported on an investigation by German authorities.

Moreover, many companies wonder if, at the end of the day, they will be better off in terms of potential fines and penalties by self- reporting. Lanny Breuer, Assistant Attorney General for the Criminal Division of the US Department of Justice, has made clear, in several speeches over then the past year, that the DOJ prefers a ‘call first’ approach and that such an approach will be taken into account under the US Sentencing Guidelines.

Conversely, then law student (and now graduate), Bruce Hinchey discussed this issue in an upcoming publication “Punishing the Penitent: Disproportionate Fines in Recent FCPA Enforcements and Suggested Improvements”, which analyzes differences between bribes paid and penalties levied against companies that do and do not self-disclose under the FCPA. Using a regression analysis, Hinchey concluded that those companies which did voluntarily self-disclose paid higher fines than companies which did not self-disclosure their FCPA violations to the DOJ. He concluded by noting that this evidence was contrary to the conventional wisdom that a company receives a benefit from self-disclosure and such evidence would ”raise questions about whether current FCPA enforcement is fundamentally fair”.

To Disclose or Not to Disclose

While initially noting that there is no legal requirement or obligation to self-report, a company has to answer several questions in making this initial decision. Lanny Breuer has articulated the DOJ’s ‘call first’ policy. The DOJ (and SEC) consistently tout the benefits to self-disclosure, even if Mr. Hinchey’s research does not bear this out. Further there may be tangible benefits such as credit available under the US Sentencing Guidelines. Other factors for consideration may be a company’s reporting obligations as a public company or obligations to other third parties such as disclosure during M&A due diligence, and lastly, and one which may become increasing problematic, is the risk of disclosure by a third party. Leaving the Wikileaks phenomena aside, the Dodd-Frank Act provides a financial incentive for persons who report securities violations to the SEC. Violations under the FCPA would fall within this provision so there may be a real risk that a company could be ‘outted’ by someone inside or outside the company.

As a part of a company’s decision making calculus on disclosure, there may be quite good reasons for not disclosing a potential FCPA violation to the DOJ or SEC. The initial threshold is that it may be unclear if the conduct violates the FCPA. Further, based upon the Hinchey article, or simply anecdotal information, some may feel that a company may be in the same position whether or not it discloses. Here they may cite to the Siemens example, where the company did not self-disclose but fully cooperated with the Government after its corruption and bribery issue became known. This also may be the situation with HP as noted above. Additional concerns include the possibility that self-disclosure may lengthen the investigation process; make it very costly and that the company may well lose control of the process.

From a legal perspective is the potential waiver of the attorney client privilege. Jim McGrath has written that if a company self-discloses and involves the government in the investigation process from the outset, its hand is tipped and there can be no assertion of attorney-client privilege and the work-product doctrine protection in subsequent reviews or in litigation. In addition, and once DOJ is involved, its knowledge of Company X’s alleged problem becomes part of the public domain and subject to disclosure to the investing public on a schedule of the government’s own making. This could also increase the possibility of civil litigation as was demonstrated in the SciClone matter from the summer of 2010. Along these same lines, some believe that even if the DOJ or SEC provides more lenient treatment, other investigating agencies, whether federal or state, may not.

Lastly and perhaps most sadly, is what I will call the Bunker mentality. It is more than just putting your head in the sand and engaging in conscious avoidance by hoping that the conduct at issue is never discovered. It is making a business decision that the cost of an investigation is so high and the risk of doing nothing is so much less costly, that some company’s believe they should ‘Bunker Down’ until they are caught to sort it all out then.

More tomorrow…

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011