The Texans Are 2-7: What is Missing from Your Compliance Program?

I usually do not write about the Houston Texans because (1) unlike the sad sack Astros, they are not often relevant enough to care about and (2) they usually are relatively well-run. They continue to be not relevant this year, coming into this week’s game with a sterling 2-7 record. However, they showed themselves not be too well run this week when they summarily dismissed from the team  safety Ed Reed, after he publicly said that the Texans were “out-coached and out-played” last week following the team’s seventh straight loss. As my friend and colleague Richard Lummis is fond of saying “No sh– Sherlock.”

For those of you who do not know Ed Reed, he is in his 12^th season of playing in the National Football League. He is a two-time Super Bowl Champion, a nine-time Pro Bowler, a former NFL Defensive Player of the Year and a sure-fired first ballot Hall of Famer. In other words, he not only knows pro football but he is winner. Reed played his first 11 seasons with the Baltimore Ravens and was signed as a Free Agent by the Texans to bring some professionalism and winning attitude to the club. He had surgery in the offseason which slowed him down to the point he longer started but he still has the attitude and credentials of a winner. So what does it say about the Texans when a player of Reed’s stature speaks the truth and is summarily cut the next day. How many top notch free agents or top talent would want to play with an organization that punishes people who publicly complain about losing?

I thought about Reed and the Texans when I read a post from the noted site JDSupra entitled, “What’s the One Thing Missing From Your Corporate Compliance Program?” They put that question to various compliance attorneys writing on JD Supra, asking each to commit to just one essential element that, in their experience, they regularly see missing from corporate programs; IE., programs that are required to address myriad regulatory issues to do with privacy and data security, insider trading, bribery and corruption, and other such matters across numerous jurisdictions. I found the replies quite interesting and perhaps some insights which the Texans can use.

From Jeremy B. Zucker, Co-chair, International Trade and Government Regulation practice at Dechert LLP: “For a compliance program to be truly effective, personnel must take ownership of their behavior and take pride in being part of the team. To achieve this, a truly effective compliance program must demonstrate that a values-based approach is relevant to the daily conduct of business…”

From Charles F. Connolly, partner in Akin Gump’s white collar practice in Washington, D.C.: “…the key question enforcement authorities ask when evaluating a company’s compliance program is ‘does it work?’  The only way to answer that question proactively is to review – and test – the program on a regular basis.”

From Joe Bermudez, partner at Wilson Elser: “Crisis management policies, protocols and procedures are a necessary element for any company’s compliance program. Often overlooked because companies refuse or fail to consider the contingencies involved with catastrophic or tragic events, an effective crisis management plan may be the difference between a company surviving a crisis event and not…The issue is not when a crisis will strike, the issue is whether the company is prepared to survive the event.”

From Peter Menard, senior partner in the Corporate Practice Group at Sheppard Mullin: “Forms of policies, procedures and contract provisions are widely available on the Internet to ensure compliance with such diverse regulations as FCPA and other anti-bribery rules, prohibitions on insider trading, protection of confidential personal financial and health records, and import/export controls…Lawyers can draft the most comprehensive policy, but only management can take the policy out of the file cabinet and make it an integral part of the corporate culture…”

From Chester Hosch, partner in the Corporate and Tax Group at Burr Forman: “The one thing lacking in most corporate compliance programs is a culture of unshakable commitment to integrity and ethics. The commitment has to be embraced and encouraged notoriously, unambiguously and completely by senior management. The commitment will manifest itself in adequate funding, effective training and consistent monitoring. In the end, the compliance officer will have absolute confidence top management will remain true to the commitment, no matter the consequences.”

From Bettina Eckerle at Eckerle Law: “In my experience, often companies do not treat their compliance program as living breathing organism that need to be tested, reviewed, changed, brought up-to-date as market conditions, business practices and the regulatory environment evolve.  One should never think one is ‘done’ with what is in place but rather incorporate compliance in the day-to-day ebb and flow of the business.”

From yours truly: Document Document Document

These observations bring to bear a different set of focuses which you should consider in the context of your compliance program. Take each point raised and ask yourself, do we have this concept or protocol in place? If you do, then ask yourself my mantra: Did you Document Document Document it so that if a regulator, from the US to China comes knocking you will be able to demonstrate that you did have such protocol or concept in place.

As to the Texans, I think the thing that they are missing is reality. They should ask themselves about now if they are dedicated to winning or something else. After losing seven straight games it is even obvious to my English wife that they are being out-coached and out-played. Fortunately she cannot be fired from her job for saying so.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

The Drugstore Cowboy and Compliance

One does not have to look very far in the business world to come across the phrase “Know Your Customer.” A company certainly needs to know if an entity that it may sell products or provide services to will pay for those items. Running a Dun & Bradstreet credit check is routinely performed to ascertain if a counter-party is a good credit risk. But how much more should a company do in regards to its customers? Clearly banks, other financial institutions and even casinos need to assess a customer from the perspective of anti-money laundering (AML). Is there a reason grounded in the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act that would suggest that customers should go through background scrutiny from the anti-bribery/anti-corruption compliance perspective?

I thought about internal controls regarding due diligence requirements on customers, effective compliance programs and third party validation of credentials when reading an article in June issue of Wired Magazine, entitled “Drugstore Cowboy”, by Jake Pearson. I found this article to be a very cautionary tale for those companies which need to consider just whom they are doing business with or for. The story involved an undercover sting operation by the US government against Google. The operation involved a convicted felon, one David Whitaker, who convinced law enforcement authorities that Google had assisted him, in violation of its own internal protocols and US laws, to sell illegal “black market steroids and human growth hormones” online. Whitaker told federal officials that “Google employees had actively helped him advertise his business, even though he made no attempt to hide its illegal nature.” Based upon his experience, Whitaker believed that Google must be “helping other rogue Internet pharmacies too.”

On paper, it appeared from the article that Google has a systems designed to ferret out sites which used words or had other indicia that they were selling illegal drugs. There was an initial screening by a Google sales representative. There was an automated program which searched for key words that might indicate illegal drugs were being sold. There was a review of the website itself to see of other factors were present which might show that illegal products were being sold. Finally, Google used a third party verification service, to attest that any site selling pharmaceutical products was properly licensed.

Based upon his experiences, the government set Whitaker up with an alias, fake company, bank account and phone lines and then monitored and watched him to see if his claims were true. He was told to see if Google would actively assist him to sell advertising for a non-existent company called “SportsDrugs.net, a website that sold HGH and steroids from Mexico, with no doctor’s prescription.” The plan that Whitaker used was straightforward.

1. Establish a fake identity. Whitaker made cold calls to representatives of Google to get set up as an account in the company’s system.
2. Submit the site. The feds designed the sting operation so that it would be obvious the false company was selling illegal drugs. So it offered HGH and steroids, had pictures of the drugs and even had a ‘Buy Now’ button to make clear that no doctor’s prescription was required. The Google sales representative passed the fake sales site along for “policy review, an automated process that Google uses to vet all advertisers.”
3. Scrub the site. After the fake sales company was initially rejected by the policy review process, a Google representative agreed to help “tweak it” so that it would pass through the Google approval process. The Google sales representative advised Whitaker to rename the site, remove the pictures of the illegal drugs and delete the ‘Buy Now’ button from the site.
4. Rework the site. After the suggested changes were made by Whitaker, his fake site was approved by Google. Thereafter the items which had been removed from the website, including both the photos of illegal drugs and ‘Buy Now’ button were added back into the site, all with the assistance of the Google sale representative.
5. Raise the stakes. In this phase, the undercover sting operation widened. After their initial success with SportsDrugs.net; the feds created other fake websites for Whitaker, all of which purported to sell illegal drugs. The other sites included one selling “RU-486, better known as the abortion pill, which is normally taken under close supervision of a doctor.”  Another site sold the psychotropic drugs Xanax and Valium, both without any need of a doctor’s prescription. In a final example the feds created a ‘Trojan Horse’ site; in which a pharmacy site that held a valid license also had sales for “three clearly disreputable online pharmacies.”

The chilling thing I found in this article was it reported that in each one of the false scenarios, Whitaker was reported to have explained to the Google representative the true nature and purpose of the site. All of the information that Whitaker conveyed made clear that these sites were designed to sell drugs which are illegal in the US, without a doctor’s prescription. In just over the span of three months, the undercover operation spent over $200,000 with Google.

Google ended up settling with the US government for a fine of $500 million. Although Pearson did not quote the US Assistant District Attorney, who headed the investigation and enforcement action, Peter Neronha, was quoted as telling the Wall Street Journal (WSJ) the “culpability went far higher than the sales reps that Whitaker worked with. Indeed, he said, some of the company’s most powerful executives were aware that illegal pharmacies were advertising on the site.” Google itself would not comment for the Pearson article.

From the account in the Pearson piece it would appear that Google had a system in place to check and make sure that it was not advertising sites which sold illegal drugs but that system, both human and automated, was worked around. For the anti-corruption compliance practitioner, I think that there are several key lessons which can be learned from this tale.

Train, Train, Train. If you sell services, which can be used to facilitate illegal conduct, you need to train your sales force to watch out for signs of that illegal activity. The initial Google sales representative who was contacted by Whitaker should have been the first line of prevention to stop the issue before it came up for the company.

Monitor, Monitor, Monitor. There should be several types of monitoring. If a business name comes through your system and it is rejected, there should be a monitoring mechanism in place to note if it reappears later or is approved through some other means, as was done in this situation. Similarly, if the name of a business owner comes up in connection with another company, there needs to a mechanism in place to perform a cross check. The sales representatives should also be monitored to determine if they are manipulating the system.

Incentives, Incentives, Incentives. While not discussed in the Pearson article, what do you want to bet that the Google sales representatives were compensated, at least in part, with a commission based upon the number of GoogleAds that they sold? If your compensation structure or other incentive structure rewards people who use shortcuts, then there will always be employees who take them.

Audit, Audit, Audit. Remember the part of the story about how the Google sales representative would advise Whitaker how to scrub his website of key words, search terms and other information which would indicate that it was selling illegal pharmaceuticals only to reinsert those on the site after the scrubbed site had been approved? You need to audit to determine if any illegal conduct has begun after the contract is signed. And if you do not have audit rights, you have a very slim chance of actually performing an audit.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013