FCPA Compliance and Ethics Blog

July 22, 2014

Code of Conduct, Compliance Policies and Procedures-Part I

For the remainder of this week, I will have a four-part episode on your Code of Conduct and anti-corruption compliance policies and procedures. In today’s post I will review the underlying legal and statutory basis for the documents as a foundation of your overall anti-corruption regime. In subsequent posts, I will review how to go about drafting your Code of Conduct and anti-corruption compliance policies and procedures and how to assess, review and revise them on a timely basis.

The cornerstone of a US Foreign Corrupt Practices Act (FCPA) compliance program is its written protocols. This includes a Code of Conduct, policies and procedures. These requirements have long been memorialized in the US Federal Sentencing Guidelines (FSG), which contain seven basic compliance elements that can be tailored to fit the needs and financial realities of any given organization. From these seven compliance elements the Department of Justice (DOJ) has crafted its minimum best practices compliance program, which is now attached to every Deferred Prosecution Agreement (DPA) and Non-Prosecution Agreement (NPA). These requirements were incorporated into the 2012 FCPA Guidance. The FSG assumes that every effective compliance and ethics program begins with a written standard of conduct; i.e. a Code of Conduct. What should be in this “written standard of conduct”? The starting point, as per the FSG, reads as follows:

Element 1

Standards of Conduct, Policies and Procedures (a Code of Conduct)

An organization should have an established set of compliance standards and procedures. These standards should not be a “paper only” document, but a living document that promotes organizational culture that encourages “ethical conduct” and a commitment to compliance with applicable regulations and laws.

In the FCPA Guidance, the DOJ and Securities and Exchange Commission (SEC) state, “A company’s code of conduct is often the foundation upon which an effective compliance program is built. As DOJ has repeatedly noted in its charging documents, the most effective codes are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf. Indeed, it would be difficult to effectively implement a compliance program if it was not available in the local language so that employees in foreign subsidiaries can access and understand it. When assessing a compliance program, DOJ and SEC will review whether the company has taken steps to make certain that the code of conduct remains current and effective and whether a company has periodically reviewed and updated its code.”

In each DPA and NPA over the past 36 months the DOJ has said the following as item No. 1 for a minimum best practices compliance program.

  1. Code of Conduct. A Company should develop and promulgate a clearly articulated and visible corporate policy against violations of the FCPA, including its anti-bribery, books and records, and internal controls provisions, and other applicable foreign law counterparts (collectively, the “anti-corruption laws”), which policy shall be memorialized in a written compliance code. 

Stephen Martin and Paul McNulty, partners in the law firm of Baker and McKenzie, developed one of the best formulations that I have seen of these requirements in their Five Elements of an Effective Compliance Program. In this formulation, they posit that your Code of Conduct, policies and procedures should be grouped under the general classification of ‘Standards and Procedure’. They articulate that every company has three levels of standards and controls. First, every company should have a Code of Conduct, which should, most generally, express its ethical principles. But simply having a Code of Conduct is not enough. So a second step mandates that every company should have standards and policies in place that build upon the foundation of the Code of Conduct and articulate Code-based policies, which should cover such issues as bribery, corruption and accounting practices. From the base of a Code of Conduct and standards and policies, every company should then ensure that enabling procedures are implemented to confirm those policies are implemented, followed and enforced.

FCPA compliance best practices now require companies to have additional standards and controls, including, for example, detailed due diligence protocols for screening third-party business partners for criminal backgrounds, financial stability and improper associations with government agencies. Ultimately, the purpose of establishing effective standards and controls is to demonstrate that your compliance program is more than just words on a piece of paper.

In an article in the Society for Corporate Compliance and Ethics (SCCE) Complete Compliance and Ethics Manual, 2nd Ed., entitled “Essential Elements of an Effective Ethics and Compliance Program”, authors Debbie Troklus, Greg Warner and Emma Wollschlager Schwartz, state that your company’s Code of Conduct “should demonstrate a complete ethical attitude and your organization’s “system-wide” emphasis on compliance and ethics with all applicable laws and regulations.” Your Code of Conduct must be aimed at all employees and all representatives of the organization, not just those most actively involved in known compliance and ethics issues. From the board of directors to volunteers, the authors believe that “everyone must receive, read, understand, and agree to abide by the standards of the Code of Conduct.” This would also include all “management, vendors, suppliers, and independent contractors, which are frequently overlooked groups.”

There are several purposes identified by the authors which should be communicated in your Code of Conduct. Of course the overriding goal is for all employees to follow what is required of them under the Code of Conduct. You can do this by communicating what is required of them, to provide a process for proper decision-making and then to require that all persons subject to the Code of Conduct put these standards into everyday business practice. Such actions are some of your best evidence that your company “upholds and supports proper compliance conduct.”

The substance of your Code of Conduct should be tailored to the company’s culture, and to its industry and corporate identity. It should provide a mechanism by which employees who are trying to do the right thing in the compliance and business ethics arena can do so. The Code of Conduct can be used as a basis for employee review and evaluation. It should certainly be invoked if there is a violation. To that end, I suggest that your company’s disciplinary procedures be stated in the Code of Conduct. These would include all forms of discipline, up to and including dismissal, for serious violations of the Code of Conduct. Further, your company’s Code of Conduct should emphasize it will comply with all applicable laws and regulations, wherever it does business. The Code needs to be written in plain English and translated into other languages as necessary so that all applicable persons can understand it.

As I often say, the three most important things about your FCPA compliance program are ‘Document, Document and Document’. The same is true of communicating your company’s Code of Conduct. You need to do more than simply put it on your website and tell folks it is there, available and that they should read it. You need to document that all employees, or anyone else that your Code of Conduct is applicable to, has received, read, and understands the Code. For employees, it is important that a representative of the Compliance Department, or other qualified trainer, explains the standards set forth in your Code of Conduct and answers any questions that an employee may have. Your company’s employees need to attest in writing that they have received, read, and understood the Code of Conduct and this attestation must be retained and updated as appropriate.

The DOJ expects each company to begin its compliance program with a very public and very robust Code of Conduct. If your company does not have one, you need to implement one forthwith. If your company has not reviewed or assessed your Code of Conduct for five years, I would suggest that you do so in short order, as much has changed in the compliance world.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

June 9, 2014

Why the Compliance Function is Different Than the Legal Function

I have long been proud of my profession. I would often tell students that they were about to join a profession which extended as far back as Demosthenes, who practiced his closing orations against crashing sea waves so that the full Greek demos might hear him when he closed a trial. Further, while thoughts of Atticus Finch are never far from a Southern lawyer’s mind, if not aspirations to emulate him, today we celebrate a real life lawyer who did the profession proud. It was on this day, 60 years ago in 1954, that Joseph Welch, then Special Counsel to the US Army, unmasked Senator Joseph McCarthy for what he and his hearings into communism were. In response to McCarthy’s charge that Frederick G. Fisher, a young associate in Welch’s law firm, had been a long-time member of an organization that was a “legal arm of the Communist Party,” Welch responded, “Until this moment, Senator, I think I never really gauged your cruelty or your recklessness.” Welch then uttered these immortal lines, “Have you no sense of decency, sir, at long last?” The audience applauded Welch’s stinging comeback. The hearings closed one week later. The US Senate officially condemned McCarthy for contempt against his colleagues later that year.

Unfortunately the legal profession took one in the eye last week when General Motors (GM) released its internal investigation into the company’s failure to recall millions of defective small cars, and found no evidence of a cover-up. As reported by Bill Vlasic in a New York Times (NYT) article, entitled “G.M. Lawyers Hid Fatal Flaw, From Critics and One Another”, the GM law department did not come out of this matter looking too well. Vlasic said that “interviews with victims, their lawyers and current and former G.M. employees, as well as evidence in the report itself, paint a more complete picture: The automaker’s legal department took actions that obscured the deadly flaw, both inside and outside the company.”

While GM’s General Counsel (GC), Michael Millikin, survived dismissal in the aftermath of the internal investigation, he certainly did not come out as a GC who was particularly engaged with what was going on in his own department. Vlasic reported, “At least three senior lawyers are among the employees who lost their jobs as a result of the investigation conducted by the former United States attorney Anton R. Valukas… One of the lawyers dismissed this week was William Kemp, who had been orchestrating G.M.’s legal strategy and in-house investigations of the defective ignition switch for more than two years before the recall. Yet it was not until early February, days after a high-level committee finally ordered the switch recall, that Mr. Kemp informed Mr. Millikin of the deadly consequences of the flawed part. G.M. has linked 13 deaths and 54 crashes to the defect.” Two other lawyers reported to have been dismissed, as a result of the internal investigation, were Lawrence Buonomo, head of product litigation, and Jennifer Sevigny.

Equally damning was the internal investigation’s report on safety meetings relating to the ignition switch failure. “Mr. Valukas said employees he interviewed told him they had refrained from taking notes in safety meetings “because they believed G.M. lawyers did not want notes taken.”” Beyond this ban on note taking, Vlasic said “The secrecy factor extended to how some employees kept or discarded old emails. According to two former G.M. officials, company lawyers conducted annual audits of some employees’ emails that could be used as evidence in lawsuits against the company.” While GM euphemistically called this email deleting program “information life-cycle management,” when the purpose is to remove evidence that could be used against the company in lawsuits, it once again shines a very bad light on my legal profession brethren.

This sordid tale of the complicity of the GM legal department is all part of what GM Chief Executive Officer (CEO) Mary Barra “denounced as a “pattern of incompetence and neglect” at the company that allowed a defective part to exist in its vehicles for more than 10 years.” But more than simply causing the corpse of Atticus Finch to spin over in his fictional grave, the GM legal department’s role in the company’s debacle points to something that Donna Boehme and Mike Volkov have been articulating and writing about for some time. It is not simply that the Chief Compliance Officer (CCO) needs to be out from under the roof of the GC’s office; it is that the compliance function is different than the legal function.

When I initially went in-house, it was made clear to me that the role of the in-house department in the company I worked for was to protect the company. When I became a GC, I took that role to heart and felt like I was the company’s lawyer (even if the CEO felt like I was his lawyer). But as Boehme points out in her article in the June 2014 issue of the SCCE Magazine, entitled “Toldya. (Reason #119 why Compliance is not a subset of Legal),” there are distinct differences in approaches to doing compliance from practicing law. She said, “one thing is clear – the two functions have very different mindsets, mandates and priorities.” She notes that the legal department mandate is to “advise and protect the company.” However, Boehme believes that the compliance mandate is much broader. She writes, “Compliance, on the other hand, is tasked with detecting and preventing misconduct.” The compliance mandate includes constant vigilance on the integrity of the compliance program, protecting internal whistleblowers (in part to demonstrate to others that it is safe to come forward), and supporting a culture of accountability, especially at levels of management.

I might say that a corporate legal department’s role has traditionally been seen to protect the company from problems, while the role of the compliance function is to remedy problems. Here you can think of McNulty’s Maxim No. 3 – What did you do to fix it when you found out about it? But Boehme takes it a step further by noting, “A well-run compliance program requires hundreds of judgments, big and small, to be made on a weekly basis. The company with the political will to elevate their chief compliance officer to a “separate but equal” status in the C-suite will benefit from those judgments being made with an independent compliance mindset, and not “Always Legal but Occasionally Compliance” prism.”

I often repeat the legal truism that bad facts make bad law. Make no mistake about it; the GM ignition switch imbroglio is very bad. But the GM legal department’s role in the company’s ongoing scandal clearly points out the difference between the roles of legal and compliance. I am sure that the GM lawyers involved, and those who were terminated, thought their job was to defend the company at all costs. But I have never met a CCO who felt that way. They believe that their job is to prevent, detect and remedy any compliance issues that arise. You cannot do that if you are instructing others not to take notes in relevant meetings, deleting potentially incriminating emails and hiding from your boss that there is a real problem out there that must be dealt with.

For the rest of you out there who are lawyers and reading this, remember Joseph Welch today as a far better example of our historical brethren.


February 26, 2014

The Alchemist of Comedy and Utility Industry Compliance

Harold Ramis died on Monday. For a generation of comedians and fans of comedy he was one of the driving lights of that genre. He was one of the screenwriters of Animal House and wrote the screenplays for both of the Ghostbusters movies, in addition to starring in them. His New York Times (NYT) obituary called him the “Alchemist of Comedy” and quoted from Paul Weingarten, who wrote, in The Chicago Tribune Magazine in 1983, “More than anyone else, Harold Ramis has shaped this generation’s ideas of what is funny.” So thanks Harold Ramis for Bluto, Otter, Flounder, D-Day, Dr. Spengler and all the rest.

I am currently attending the Society of Corporate Compliance & Ethics (SCCE), 2014 Utilities & Energy Conference. As usual, it is an excellent event for the compliance practitioner. One of the things that I find not only intriguing but also extremely useful about this conference is the pairing of compliance practitioners from the fields of energy and utility. I did not attend the utility focused sessions for the first couple of years but now prefer those sessions because they focus so much on the process of compliance. While the actual compliance issues are not anti-bribery or anti-corruption, the process-oriented approach utilized in the utility industry can be a great set of lessons for the energy industry compliance practitioner to consider when looking at an energy company compliance regime.

On Monday there was a presentation by David Douglass, Federal Energy Regulatory Commission (FERC) Compliance at Kansas City Power & Light Company. Initially, Douglass presented several different compliance models, which the anti-corruption compliance practitioner can use to benchmark or evaluate your company’s compliance program. The first one Douglass termed the Compliance Maturity Model – Compliance at Every Level. It included:

  • Step 1 – Reacting only and engaging in panic. The elements of this level of maturity include the admonition to “Get it done”. Typically under this step compliance is operating in isolation and can only marshal resources as necessary and wherever they might be found.
  • Step 2 – Anticipating and acceptance of compliance. This increased maturity can help to bring about some efficiency, usually through the accepted use of automation. This allows a compliance practitioner to see connections between multiple programs and take steps to plan future approaches to ongoing and ad hoc compliance challenges as they might arise.
  • Step 3 – Collaborating. Under this step, compliance moves to being seen as a collaborative partner with the business units. This allows the identification of risks, the assessment of the company’s exposure to those risks and the prioritizing of actions to meet those assessed risks. Finally, the collaboration step can allow for the re-use of technological components for multiple purposes, thus reinforcing great cost savings and value.
  • Step 4 – Orchestrating through and with the rest of the company. Under this ultimate step in the model, compliance works to help set enterprise-wide objectives to help coordinate enterprise-wide risk analysis and response. This gives corporate-wide visibility into risk analysis, management and remediation, as well as compliance performance.

In addition to the above Compliance Maturity Model, Douglass discussed two programs set out by federal utility regulators. The first was the FERC’s Effective Compliance Program, which has the following seven standards:

  1. Internal standards and procedures to prevent and detect violations;
  2. High-level management knowledge and oversight of internal compliance programs;
  3. Reasonable (due diligence) efforts to screen out “poor performers”;
  4. Reasonable internal communications and training efforts;
  5. Reasonable steps to evaluate program effectiveness, including confidential reporting options for employees;
  6. Creating and enforcing compliance incentives and noncompliance sanctions;
  7. After detection of a violation, companies shall take reasonable, responsive steps.

He then cited to the North American Electric Reliability Corporation’s (NERC’s) four hallmarks of effective compliance programs, which included the following:

1.    Senior management / leadership

  • Compliance Program is established in the company.
  • Compliance Program is formally documented and widely disseminated throughout the organization.
  • The Compliance Program is supervised by a high ranking company representative.
  • The head of the compliance function has access to President / CEO and Board.
  • The Compliance Program is designed and managed with independence.
  • There are sufficient resources dedicated to implement Compliance Program.
  • The Compliance Program has the full support of all company leadership

2.    Preventive measures are in place

  • A sufficient frequency of review of compliance program occurs.
  • There is sufficient frequency of training of employees on compliance program.
  • There is sufficiency of subject matter training of employees on compliance program.

3.    Prompt detection, cessation, and self-reporting

  • There is a sustainable process to internally assess compliance with regulations.
  • There is a sufficient response to identification of wrong-doing or misconduct.

4.    Effective remediation

  • There are effective internal controls and procedures present to prevent recurrence of misconduct.

Douglass also discussed the “3-lines of defense” concept for a best practices compliance program. Under this concept a properly constructed compliance program has three lines of defense to prevent a compliance incident. These three lines of defense are identified as (1) the Risk Content Owners line of defense; (2) the Risk Process Owners line of defense; and (3) the Risk Content and Content Monitoring Owners line of defense.

I. Risk Content Owners

This first line of defense is the business owner(s) who are on the front lines for any company. Their roles include management of day-to-day business risks and to recommend actions to manage and treat that risk. This group also is tasked with complying with the company’s risk management process. Where appropriate, this group will implement risk management processes where applicable and this group will execute risk assessments and identify emerging risk.

II. Risk Process Owners

This second line of defense is typically the company legal and compliance departments. Not only are these the standard setters in an organization but they may also be charged with certain monitoring tasks. This group should establish policy and process for risk management. This group is the strategic link for a company in terms of risk. It should provide guidance and coordination among constituencies. It should identify enterprise trends, synergies, and opportunities for change. This group should also initiate change, integration and operationalization of new compliance best practices. Typically this group is the liaison between the third and first lines of defense. Lastly, this group will oversee certain risk areas and in terms of certain enterprise objectives such as compliance with regulations such as Foreign Corrupt Practices Act (FCPA), Export Control, etc.

III. Risk Content and Monitoring Owners

This third, and final, line of defense is generally thought of as the Assurance Providers and consists of senior management, Internal Audit and up to the Board of Directors. Its roles include either working with or through senior management and/or the Board of Directors. This line of defense is tasked to rationalize and systematize risk assessment and governance reporting so that it is not only transparent but useful and stored in a manner that can be retrieved if a regulator comes calling. It will provide oversight on risk management content/processes, followed by the second line of defense. Finally, it will provide assurance that risk management processes are adequate and appropriate.

This tripartite model is an excellent way for a company to not only think through how to design an overall structure but as an outline to assess how well it may be doing in any one specific compliance area such as anti-corruption compliance under the FCPA. The first line of defense should be driven down to the Business Unit level. This will allow, indeed require, the Business Unit to buy into the overall compliance program. The legal and compliance departments are the key bridge that writes and leads implementation of the overall compliance program through training but also assesses whether the compliance program is effective and remains robust. The role of senior management is to provide overall leadership and deployment of resources throughout this entire process.

I have found that the anti-corruption compliance, or indeed the anti-money laundering (AML) or export-control practitioner can learn quite a bit from their peers in the utility industry. While they may not rise to the level of “Alchemist of Comedy”, as did Harold Ramis, you might want to listen to what they have to say.


February 24, 2014

Commitment to Compliance: the Compliance Committee

Sunday was the 69th anniversary of the most iconic photo of World War II, at least from the American perspective. Of course it was the raising of the American flag at Mt. Suribachi on Iwo Jima. To say that one photo cannot change the lives of those pictured is belied by this image. The photographer, Joe Rosenthal, won a Pulitzer Prize for the photograph. While three of the six flag-raisers died fighting on Iwo Jima, one survivor, Rene Gagnon, appeared during half time at the 1969 Orange Bowl; Ira Hayes was immortalized in songs by both Johnny Cash and Bob Dylan; and the last remaining flag-raiser, John Bradley, died in 1994.

I once tried a lawsuit in Harlingen County, Texas, where the name of one of the flag-raisers, Harlon Block, is inscribed in the Memorial to the county’s deceased war veterans on the courthouse square. The Judge of the trial used it as an example of civic duty and, years later, when I read James Bradley’s book, “Flags of Our Fathers”, about his father John Bradley and the men who raised this flag, I learned that the Judge in my trial was one of 16 high school seniors from Harlingen High School who all volunteered for enlistment on the same day. Harlon Block was one of the Judge’s classmates and they volunteered together. I am still moved when I think of that story.

One of the commitments I believe can enhance a compliance program is the creation of a compliance committee. As far back as in the 2005 Monsanto Corporation Deferred Prosecution Agreement (DPA) the compliance committee concept appears to have found favor with the Department of Justice (DOJ). In Appendix B to the DPA, Monsanto agreed to, among other things, “the establishment and maintenance of a committee to supervise the review of (I) the retention of any agent, consultant, or other representative for purposes of business development or lobbying in a foreign jurisdiction”, or a Compliance Committee. Later, this concept was used in the settlement of Halliburton’s shareholder action around its Foreign Corrupt Practices Act (FCPA) enforcement action.

The Monsanto DPA provides guidance on this point by stating “The majority of the committee shall be comprised of persons who are not subordinate to the most senior officer of the department or unit responsible for the relevant transaction;” this would indicate that senior management should be involved in the Compliance Committee. It would also indicate that more than one department should be represented on the Compliance Committee. This would include senior representatives from the Accounting (or Finance) Department, Compliance & Legal Departments and Business Unit Operations.

The Society for Corporate Compliance and Ethics (SCCE) Complete Compliance and Ethics Manual suggests the following language in its proposed form of Compliance Committee Charter:

The compliance officer shall have ultimate responsibility for operating the compliance program, with the support and assistance of the compliance committee. The committee shall consist of ### members, representative of each major department or area. The committee may appoint ad hoc members, each to serve at the pleasure of the committee, to assist and advise the committee in carrying out this charter. While the ad hoc members of the committee are not entitled to vote on matters formally considered by the committee, the ad hoc members shall be entitled to call a meeting of the committee and, further, to have any matter included on the agenda of any meeting of the committee. The committee shall designate the proper manner for calling meetings and the setting of agendas thereto.

 The compliance officer and committee shall retain a direct line of communication with and a direct reporting responsibility to the board of directors, executive committee, and CEO.

In the November/December issue of the SCCE Compliance & Ethics Professional magazine, Donna Boehme wrote an article entitled “Building a horse and not a camel: The compliance committee”, where she cautioned that “More often than not, a [compliance] committee that is conceived with all best intentions evolves into something less than ideal: (a) a team of micromanagers that routinely substitutes its judgment for that of the CCO; (b) a source of unnecessary red-tape and ‘make-work’ for the compliance function, (c) a filter between the CCO and the governing body.”

To remedy these potential pitfalls, Boehme recommends three rules for building an effective compliance committee.

  1. The compliance committee should have a clear, written charter that sets out the functionality, goals, and parameters of the group, along the lines discussed above.
  2. The CCO should chair a committee of her peers: senior-level officers in a position to make decisions and marshal resources.
  3. The compliance committee should be periodically reviewed for effectiveness and adjusted as necessary to meet the stated goals of the charter.

One of the things Boehme makes clear is that “every compliance structure should be fit-for-purpose.” In other words, if your company’s highest compliance risk is third party relationships, I think you should focus your compliance committee resources on that issue. The scope of this was not fleshed out in the Monsanto DPA. However, it suggested that a company should incorporate both a pre-execution function and a post-execution management function in overseeing the full relationship with any third party. While this would most necessarily focus on FCPA compliance, there should also be a commercial component to this function.

To this end, a compliance committee should review all documents relating to the full panoply of a third party’s relationship with a US company. This would begin with a review of any initial requests to engage a new third party. The information presented to the compliance committee would include a Business Unit’s request to engage the third party, the costs and benefits. The next step would be to review the due diligence and all background investigative materials on the prospective third party.

The compliance committee should receive copies of, and approve, all due diligence and background investigative materials before a contract is executed with a third party. Particular attention should be paid to the form of the contract. If there are deviations from the company’s standard form of agreement, with regard to the FCPA compliance issues, there should be a full explanation by the third party or Business Unit. The compliance committee should determine if the company is taking on any unwarranted FCPA compliance risk if non-standard FCPA compliance terms and conditions are used.

After the commercial relationship has begun, the compliance committee should monitor this relationship on no less than an annual basis. This annual audit should include a review of remedial due diligence investigations on the third party with at least a minimum of a Level One Due Diligence and higher levels of Due Diligence based upon an appropriate risk rating. There should be an evaluation of any new or supplemental risk associated with any negative information discovered from a review of financial audit reports on the third parties. All FCPA compliance training should be reviewed and certifications confirmed. The compliance committee should review any reports of any material breach of contract including any breach of the requirements of the Company Code of Ethics and Compliance. As with all things FCPA the three most important words here are Document, Document and Document. If you cannot produce documentary evidence to the DOJ of your annual review and its findings, it is of no use to your company.

In addition to the above remedial review, the compliance committee should review all payments requested by the third party to assure such payments are within the company guidelines and are warranted by the contractual relationship with the third party. Lastly, the compliance committee should review any request to provide the third party with any type of non-monetary compensation and, as appropriate, approve such requests.

The compliance of a third party is one of the key tools that a company can use to prevent and detect any violation of its own Code of Ethics and Compliance and the FCPA. The proper structure of the compliance committee and its full engagement with all aspects of a company’s relationship with a third party is one of the areas that the DOJ will look for in a successful FCPA compliance program.

A compliance committee is a key tool, which can be utilized by a company to manage its relationships with its third parties. Its use has been commented upon favorably by the DOJ through its citation in the Monsanto DPA. A Compliance Committee does not replace any of the other key components of an effective FCPA compliance program but it does provide an additional level of protection, back-up and transparency for all deals with a third party. It should be employed by US companies as an additional protection against any type of FCPA compliance and ethics violation “slipping through the cracks” to become a much larger problem down the road.

But take Boehme’s cautionary words to heart, that the guiding principles of a compliance committee should be that it helps and does not hurt your overall compliance efforts going forward. And then use the raising of the flag on Iwo Jima to think about commitment.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

October 24, 2013

How Do You Develop a Compliance Practitioner?

The Morrill Act was a seminal moment in American education. This law, passed in 1862, provided that land-grant institutions of higher learning should be created “without excluding other scientific and classical studies and including military tactic, to teach such branches of learning as are related to agriculture and the mechanic arts, in such manner as the legislatures of the States may respectively prescribe, in order to promote the liberal and practical education of the industrial classes in the several pursuits and professions in life.”

Under the Act, each eligible state received a total of 30,000 acres of federal land, either within or contiguous to its boundaries, for each member of congress the state had as of the census of 1860. This land, or the proceeds from its sale, was to be used toward establishing and funding the educational institutions described above. The law had been introduced in the 1850s but the Southern land aristocracy, who most assuredly did not want universal education for the masses, prevented it from being enacted into law. With the South in rebellion, the measure passed in the first Congress elected after the Civil War had begun.

I was at Michigan State University (MSU) this past weekend and one of the school’s biggest points of pride is that it was an original land-grant college, originally named Michigan Agricultural College. I met with the Director of my old graduate program, which is now Human Resources-Labor Relations (HR-LR), Bill Cooke. One of the things that the school does is to train HR professionals. I talked with Director Cooke about my beliefs on how HR ties into a company’s compliance program. That led to a discussion about the training HR professionals receive on anti-corruption compliance programs such as those designed to comply with the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act.

My visit to MSU, and the discussions about training in graduate programs, got me to thinking about the training of a compliance professional. How do you do it? What should go into it? Most compliance practitioners’ experience is somewhat similar to mine; I am a lawyer and worked in a corporate legal department. I was thrown into a compliance role with not little training, but no training. It was simply go to a seminar and learn about FCPA compliance. And, of course, good luck. I had the same happy experience when I was appointed as world-wide export control director. At least I could spell FCPA when I started that role.

What is available out there if you want to learn how to become a compliance practitioner? If you are a law student and attending Southern Illinois University (SIU) School of Law, you could take the FCPA Professor’s upper-level elective course entitled “Current Developments in American Law: Foreign Corrupt Practices Act”. The Professor was interviewed about his class in the Chicago Daily Law Bulletin, in an article entitled “Students take bribe(ry class).” The article noted that through this study of the FCPA itself, its history, judicial decisions involving it, enforcement of it and resolved FCPA enforcement actions, the FCPA Professor believes that “Understanding how the law is enforced and critically analyzing it and developing FCPA compliance skills is really a skill set for any future lawyer to have.” The FCPA Professor also uses this course to expose his students to other areas, “including corporate criminal liability, U.S. Department of Justice and SEC enforcement policies and “a working knowledge of resolution vehicles that are used to resolve FCPA enforcement actions.””

But this is a law school class for (most probably) prospective lawyers. There are many compliance practitioners out there who are not lawyers. In my discussions with Director Cooke there are so many areas where a HR professional can help inculcate compliance into a company’s DNA. Think about some or all of the following areas that are in the core function of HR.

Training – A key role for HR in any company is training. This has traditionally been in areas such as discrimination, harassment and safety, to name just a few. Based on this traditional role of HR in training, it is a natural extension of HR’s function to expand to the area of FCPA compliance and ethics.

Employee Evaluation and Succession Planning – One of the very important functions of HR is assisting management in setting the criteria for employee bonuses and in the evaluation of employees for those bonuses. This is an equally important role in conveying the company message of adherence to a FCPA compliance and ethics policy. In addition to employee evaluation, HR can play a key role in assisting a company to identify early on in an employee’s career the propensity for compliance and ethics by focusing on leadership behaviors in addition to simply business excellence.

Hotlines and Investigations – One of the traditional roles of HR in the US is to maintain a hotline for reporting of harassment claims, whether based on EEOC violations or other types of harassment. It is a natural extension of HR’s traditional function to handle this role.

I believe that the compliance practitioner needs a multi-disciplinary training. The legal training is a good basis but if you went to a law school like mine, real world discussions were considered what ‘other’ law schools did. Further, there are non-legal areas such as review of financial data and financial controls which are a part of any compliance practitioner’s remit which also need to be considered. Most of these areas are a part of separate disciplines which need to be tied together for the compliance practitioner.

One resource for such training is the SCCE, which provides a compliance certification through its Compliance Certification Board (CCB) which has developed criteria to determine competence in the practice of compliance and ethics across various industries and specialty areas, and recognizes individuals meeting these criteria through its compliance certification programs. But even these programs only provide a starting point as best practices in a compliance regime continue to evolve, particularly through the use of advanced analytics.

Just as the Morrill Act provided an initial basis for professional studies in agricultural and mechanical disciplines, land-grant colleges continue to evolve. MSU, for instance, wants to be a university to the world. The same evolution is true for compliance practitioners. As our field matures, the need for the development of compliance practitioners will increase. Courses like the FCPA Professor leads for lawyers and the SCCE puts on for compliance practitioners will help drive the next generation of compliance professionals.


© Thomas R. Fox, 2013

October 9, 2013

Be Relevant: How a Compliance Professional Can Influence Corporate Decision Making

So how do you influence decision making as a compliance professional? That topic was explored in a session at the Society of Corporate and Compliance (SCCE), 2013 national Compliance and Ethics Institute by presenters Jennifer O’Brien, Chief Medicare Compliance Officer, UnitedHealthcare Medicare & Retirement, and Shawn DeGroot, Associate Director, Navigant. They, together with a very participative audience, had some insightful thoughts for the compliance practitioner on “how to get to effective”.

The single best piece of advice O’Brien said that she had ever received came from the recently retired Chief Compliance Officer (CCO) of Microsoft, Odell Guyton. It was to “Be Relevant”. Although Guyton used that term in the context of senior management meetings, O’Brien thought it so profound that she applied it to all of her work as a compliance professional. In meetings, you have to know when to both speak up at the relevant times and then when to keep quiet.

Both O’Brien and DeGroot felt the single most important trait that a compliance professional could engage is to build relationships with others in your organization. This means that you have to get out of your office and meet people. It can certainly be corporate executives in the C-Suite but you need to get out into the field and be seen. Training was mentioned as one of the opportunities for you to get out of the office and into the field. By doing such training you do more than simply put a name on a face of the company’s compliance officer as the key is to build trust. You need to have employees trust that they can bring issues to you to report. They are much more likely to bring an issue to you if they have met you and have that personal connection.

O’Brien had some other thoughts about building relationships which I found interesting. Although she is an attorney by professional training and spent a good part of her early in-house career in a corporate legal setting, she emphasized that corporate compliance is very different than corporate legal. You have to answer the phone and be responsive to inquiries. I once worked in a corporate legal department where the standing joke was, call us and we might answer the phone. That type of attitude cannot work in a compliance department.

She also suggested that it is helpful for a compliance practitioner to explain the “why” of a decision and not simply tell employees what they can or cannot do. She said this helps alleviate the perception that compliance is simply the “Land of No” that many folks in operations or business development feel is the sole raison d’etre for the existence of a compliance department. Contrasting this attitude, once again, with some legal departments, which feel that they are the last bastions against the business folks in the company who are seemingly giving it away in contract negotiations, compliance should be properly seen as a unified partner or system in business development (BD) or operations.

O’Brien has some good ideas to get in front of senior management. She said that she targets one person a month to try and meet or reconnect with in some fashion. But before you get in front of a senior executive, you should develop a strategic compliance work plan and use that information as an entrée into that executive. You can seek the executive’s buy-in to the issue or issues that you raise in the meeting. She cautioned that if it is the first time you are meeting with such a senior executive, you should do your homework and learn as much about them as you can. If you can talk about their family or their interests, it will be a good way to make that initial connection.

DeGroot had an interesting phrase which she added to the mix. It was “let the other person have my way”. By this she intended for other corporate stakeholders to move the compliance regime forward. She said to do so it was important to understand who were both your advocates and your opposition in the C-Suite. While sometimes it is more difficult, you should listen more closely to those who are in opposition to your ideas and plans because it may be that those persons have a more insightful critique which you will need to overcome. Also if you can convince those in opposition to you initially to support you, she believes that you can develop quite the powerful ally. She suggested that you try to determine the outcome desired by both your advocates and your opposition as she believes that often, in the corporate setting, the same outcome is desired, the difference is how to arrive there.

O’Brien concluded her portion of the session with some of her thoughts about the skill set she now looks for when she is hiring a compliance professional for her team. I found her list quite interesting and constructive. Several of these traits will follow the discussion above but she added some additional key elements. She enumerated what she looks for during the interview process.

  • Visibility – A compliance professional needs to be comfortable getting out of the office and meeting others in the company, from the Board Room to the Shop Floor.
  • Rapport – You have to develop a rapport with those who value and support you and those who might oppose you.
  • Transparency – You cannot not answer the phone or hide or not ever answer questions. You must be responsive.
  • Impose rigor – Sometimes you have to put your foot down and say no but more often it is requiring company personnel to follow company process and procedures.
  • Be patient – You do not have to speak at every turn, sometimes the thing unsaid is more important.
  • Be a role model – Compliance personnel must be seen to be doing things better and doing things right. You have to model your ethics to have credibility.
  • Don’t overstep your role – Compliance does not have to answer every question. If others will not and it is their area do not get drawn in.
  • Be an active listener – You have to work to be a good listener.
  • Have a poker face – Even if you hear the worst story you have to maintain a calm demeanor and work through the process.

Both O’Brien and DeGroot ended their joint presentation by agreeing that the most powerful influence that a compliance officer can have is example. Lead by example and that will make management and the rest of the company sit up and take notice.


© Thomas R. Fox, 2013

October 1, 2013

What is the Fabric of Compliance?

The goal of any company regarding its compliance regime should be to make compliance a part of the fabric of your company and the face that you present to the world. That was the message from the interview conducted by Adam Turteltaub of Loretta Lynch, US Attorney for the Eastern District of New York, in June. The interview was the basis of an article in the Sept/Oct issue of the SCCE’s Compliance and Ethics Professional Magazine, entitled “In the Spotlight: Loretta Lynch”. The article was as close a ‘must read’ of any Department of Justice (DOJ) representative on the subject of what the DOJ is looking for in a Foreign Corrupt Practices Act (FCPA) compliance program as I have recently come across. I hope that you are a SCCE member and can read the full article as it is worth its weight in gold.

There were three separate enforcement actions that Turteltaub discussed with Lynch which I would like to highlight for this article as lessons learned for the compliance practitioner. The first two were FCPA matters and the third was an anti-money laundering (AML) matter. They were the Morgan Stanley Declination to Prosecute, the Ralph Lauren Non-Prosecution Agreement (NPA), and the final case was the HSBC Deferred Prosecution Agreement (DPA).

Morgan Stanley

This case involved Morgan Stanley and its Managing Director Garth Peterson. Peterson tried to convince Morgan Stanley to sell its interest in a building in Shanghai to the Shanghai government. However, the group purchasing the interest was actually made up of Peterson and a local government official “who had provided assistance to Peterson in securing business for Morgan Stanley in China.” Morgan Stanley discovered the subterfuge, thoroughly investigated the matter and self-disclosed to the DOJ. Morgan Stanley received the first publicly announced Declination from the DOJ.

While the numerous factors that the DOJ cited in its Press Release announcing the Declination are well known, the part I found interesting was the following quote in the SCCE article, “What set Morgan Stanley apart was that, after considering the facts and circumstances, the government concluded that Morgan Stanley was a company that had done all it could.” This matter presented “a fundamentally different situation from companies that say they don’t tolerate wrongdoing, yet push employees to meet goals and quotas overseas with little to no guidance on risks and consequences.” Further, this fundamental difference contrasted with companies who tell employees “to “go along” to avoid being disadvantaged in overseas markets.” A final fundamental difference is that the Morgan Stanley matter was different from “companies that say “That’s not who we are,” yet have nothing on the record that informs me otherwise.” [Emphasis mine – that is TRF speak for Document, Document and Document].

Ralph Lauren

In the article, we found out greater specifics on the bribery scheme used. The investigation “revealed that, over the course of five years, the manager of Ralph Lauren’s subsidiary in Argentina had made roughly $580,000 in corrupt payments to customs officials for unwarranted benefits, like obtaining entry for its products into the country without the necessary paperwork or without any inspection at all. The bribes were funneled through a customs broker who, at the manager’s direction, created fictitious invoices that were paid by Ralph Lauren in order to cover up the scheme.”

Interestingly the company did not have an anti-corruption program or provide any training during the five years of the conspiracy. Nevertheless, both the DOJ and Securities and Exchange Commission (SEC) “were impressed with their [Ralph Lauren’s] resulting commitment to compliance in this area globally, as well as their self-disclosure and full cooperation.” Lynch explained that these steps included a “host of remedial measures” that the company instituted; improvements in internal controls and their overall compliance regime; and termination of the employees engaged in the illegal conduct. Finally, the DOJ took into account “that they swiftly and voluntarily disclosed the conduct” in agreeing to the NPA only.

HSBC

Coming in at an eye-popping fine of $1.9 billion the HSBC AML enforcement action was the largest forfeiture matter in history. While the size of this fine caught a lot of attention, Lynch emphasized that it could have been much higher and that the Bank acquitted itself well enough to reduce the size of its overall penalty. First she pointed to the admission of criminal conduct by the Bank. She also said that the Bank “gave the government every remedy we could have gained, and arguably even more, had we indicted the bank and taken it to trial to prove guilt.”

I have previously detailed the remedial steps that HSBC engaged in during the pendency of the enforcement action so I will not go into them again. But there are two items which seemed to stand out in the mind of Lynch, the first of which was unprecedented. It was that HSBC agreed to “subscribe to a single global standard for compliance. This means that HSBC will apply the highest or most effective compliance requirements for operations worldwide, regardless of the laws and regulations that apply where a particular office or affiliate is located. In other words, if the U.K. has the toughest anti-corruption laws in the world, HSBC will apply them worldwide. If the AML requirements of in the United States are the most stringent, they will apply.” This last step told the DOJ that HSBC really did desire to create a gold standard best practices compliance program across all disciplines and the company.

The second notable action taken by HSBC was to split the role of the Chief Compliance Officer (CCO) out of the General Counsel’s (GC’s) office. Lynch believed that this showed “a deliberate, carefully crafted effort to give Compliance more prominence, more autonomy and more authority within the bank.” However, and most interestingly, she later averred that the splitting of these functions does not make sense in every organization, saying that a variety of factors, such as “organizational size, industry, regulatory, environment, staffing constraints and individual capabilities” can be taken into account by a company, and presumably the DOJ, when looking at an organization.

At the end of the day, what the regulators want to see is that a company “gets it” regarding compliance. While this is far from an ‘it’ factor, Lynch seems to indicate that it is a relatively simple task to see when companies make compliance a top priority. As both DOJ and SEC representatives continue to speak through informal channels such as magazine article interviews, at conferences, in formal mechanisms such as enforcement action resolutions and Opinion Releases, companies need to use this information to drive home the message of compliance into the very fabric of their business.


© Thomas R. Fox, 2013

August 8, 2013

Pope Francis and the Chief Compliance Officer Position

Leadership can take as many forms and can be as varied as the number of leaders. But whatever form it takes leadership in a company’s compliance function does matter. A recent On Management article in the Financial Times (FT) by Phillip Delves Broughton, entitled “Leadership lessons from the pontiff”, looked at what is being termed by Catholics as ““the Francis effect”, the way the new pope is paring down the inherited pomp of his office to become more accessible.” Broughton noted that not only has the Pope made himself more accessible but that he seems to be intent on opening up the Church more to the needs of its flock, rather than simply as an existence unto itself. Broughton wrote that not only does the Pope’s more modest style reflect “a new set of priorities for the Vatican” but the Pontiff has also “set up a commission to reform the Vatican’s administration, notably its bank”. Getting out of the Ivory Tower (or Vatican) is always a good sign for a leader and it is no different for a Chief Compliance Officer (CCO). While I am not sure what criteria the newly invested Pope was judged on during the recent papal election, I thought about the criteria that could guide the selection of a CCO for a corporation.

In an article in the SCCE Complete Compliance and Ethics Manual, 2nd Ed., entitled “Essential Elements of an Effective Ethics and Compliance Program”, author Donna Boehme laid out what she believes to be the five elements that should be “carefully considered by boards and senior management who are serious about structuring (or updating)” the CCO position for success.

1.      Empowerment

Boehme believes that a CCO must have “the appropriate unambiguous mandate, delegation of authority, senior-level positioning, and empowerment to carry out his/her duties.” Such can be accomplished through a “board resolution and a compliance charter, adopted by the board.” Additionally, the CCO job description should be another manner in which to clarify the CCO “mandate, and at a minimum should encompass the single point accountability to “develop, implement and oversee an effective compliance program.”” All of the above should lead in practice to a “close working relationship with an independent board committee.”

2.      Independence

It is incumbent that any CCO must have “sufficient authority and independence to oversee the integrity of the compliance program.” Some indicia of independence would include a reporting line to the company’s Board of Directors and Audit/Compliance Committee but, more importantly, “unfiltered” access to the Board. There should also be protection of employment including an employment contract with a “nondiscretionary escalation clause” and a requirement for Board approval for any change in the terms and conditions of employment, including termination. There must also be sufficient resources in the form of an independent budget and adequate staff to manage the overall compliance program.

3.      Seat at the Table

Boehme believes that the CCO must “have formal and informal connections into the business and functions of the organization – a seat at the table at important meetings where all major business matters (e.g., risk, major transactions, business plans) are discussed and decided.” She argues that, at a minimum, the CCO should participate in “budget reviews, strategic planning meetings, disclosure committee meetings, operational reviews, and risk and crisis management meetings.”

4. Line of Sight

Here the author urges that the CCO should have “unfettered access to relevant information to be able to form independent opinions and manage the [compliance] program effectively.” This does not mean that the CCO should have veto power over functions such as safety or environmental, nor that such functions report to the CCO, but unless there is visibility to the CCO for these risk areas, the CCO will not be able to adequately assess and manage such risks from the compliance perspective. The correct structuring of the CCO role, to allow it visibility into these areas, will help the CCO coordinate compliance convergence training.

5. Resources

It is absolutely mandatory that the CCO be given both the physical resources in terms of personnel and monetary resources to “get the job done.” I have worked at places where the CCO had neither and the CCOs did not succeed because they never even had the chance to do so. Boehme focuses on both types of resources. Under monetary resources she points, as an indicium, to the independence of the CCO from the General Counsel (GC), “rather than a shared budget”. This can also bleed over to ‘headcount’ and shared or dotted line reporting resources. There should be independent resources reporting into the compliance function.

One thing that Boehme has consistently advocated is that the CCO should not report to the company’s GC. She believes that a CCO should have unfiltered access to a company’s Board of Directors and should report to a company’s Chief Executive Officer (CEO). She points to the “long line of companies forced to separate their” CCO positions from their corporate legal department, both under “corporate integrity agreements, and headlines such as the very public Wal-Mart scandal”. She also writes that the 2010 Amendments to the US Sentencing Guidelines give support for the independence of the CCO from the legal department.

Boehme’s article reflects the structure and support that she believes a CCO should have in a corporate function. Broughton’s article on the new Pope points out that how a leader positions himself can be critical to an organization’s overall success. Further, he writes that over-centralization can stifle growth, but if authority is decentralized, to get it closer to those doing the day-to-day work, those people will not only be more empowered but can also help transform a culture more quickly and effectively. Broughton ends his article with the following, “After years of bad news from the Vatican, the crowds welcomed a man willing to travel fast and light along a new course.” I think that is consistent with the guidance that Boehme provides for the structure and requirements of a CCO position.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

August 7, 2013

Board of Directors and Doing Business in China Under the FCPA

The case of GlaxoSmithKline PLC (GSK) is still resonating across the corporate globe. While many questions are still unanswered, one that seems to be at the forefront of the inquiry is: where was the GSK Board of Directors? The role of a Board of Directors is becoming more important and more of a critical part of any effective compliance program. Indeed, Board involvement is listed as one of the ten hallmarks of an effective compliance program, set out in last year’s FCPA Guidance. In addition to helping to set the proper tone in an organization, the Board has a specific oversight role in any Foreign Corrupt Practices Act (FCPA) or UK Bribery Act compliance program.

In addition to the pronouncements set out in the FCPA Guidance, other commentators have discussed the legal duties set out for Board members regarding compliance. Donna Boehme, writing in the SCCE Complete Compliance and Ethics Manual, 2nd Ed., in an article entitled “Board Engagement, Training and Reporting: Strategies for the Chief Ethics and Compliance Officer”, said that a Board’s responsibility for compliance and ethics can be traced back to the Caremark decision (1996), which was later augmented by Stone v. Ritter (2006). She believes that these state court decisions establish the parameters of Board duty of care for corporate compliance activities. Moreover, this case law on the duty of a Board member, read in conjunction with the US Sentencing Guidelines, sets out the elements of an effective program to be overseen by the Board. The US Sentencing Guidelines also require that a Board “be “knowledgeable” about the content and operation of the company program and exercise “reasonable oversight” over its implementation and effectiveness.”

A timely article in the July/August issue of the NACD Directorship, entitled “Corruption in China and Elsewhere Demands Board Oversight”, by Eric Zwisler and Dean Yoost notes that as “Boards are ultimately responsible for risk oversight” any Board of a company with operations in China “needs to have a clear understanding of its duties and responsibilities under the FCPA and other international laws, such as the U.K. Bribery Act”. Why should China be on the radar of Boards? The authors report that “20 percent of FCPA enforcement actions in the past five years have involved business conduct in China. The reputational and economic ramifications of misinterpreting these duties and responsibilities can have a long-lasting impact on the economic and reputation of the company.” You can certainly ask GSK that right about now.

The authors understand that corruption can be endemic in China. They write that “Local organizations in China are exceedingly adept at appearing compliant while hiding unacceptable business practices. The board should be aware that a well-crafted compliance program must be complemented with a thorough understanding of frontline business practices and constant auditing of actual practices, not just documentation.” Further, “the management cadence of monitoring and auditing should be visible to the board.” Echoing one of the Board’s roles, as articulated in the FCPA Guidance, the authors believe that a “board must ensure that the human resources committed to compliance management and reporting relationships are commensurate with the level of compliance risk.” So if that risk is perceived to be high in a country, such as China, the Board should follow the prescription in the Guidance which states “the amount of resources devoted to compliance will depend on the company’s size, complexity, industry, geographical reach, and risks associated with the business. In assessing whether a company has reasonable internal controls, DOJ and SEC typically consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.”

To help achieve these goals, the authors suggest a list of questions that they believe every director should ask about a company’s business in China.

  • How is “tone at the top” established and communicated?
  • How are business practice risks assessed?
  • Are effective standards, policies and procedures in place to address these risks?
  • What procedures are in place to identify and mitigate fraud, theft, corruption?
  • What local training is conducted on business practices and is it effective?
  • Are incentives provided to promote the correct behaviors?
  • How is the detection of improper behavior monitored and audited?
  • How is the effectiveness of the compliance program reviewed and initiated?
  • If a problem is identified, how is an independent and thorough investigation assured?

The authors correctly point out that third parties generally present the most risk under an FCPA compliance program and that “more than 90 percent of reported FCPA cases involve the use of third-party intermediaries such as agents or consultants.” However, they also point out that “all potential opportunities in China will have some level of compliance related issues.” As joint ventures (JV) and the acquisition of Chinese entities are an important component of many organizations’ strategic plans in China, it is important to have Board oversight in the mergers and acquisitions (M&A) process.

The authors understand that “non-compliant business practices and how to bring these into compliance is often a major and defining deal risk.” But, more importantly, a company’s “inability to understand actual business practices, the impact of those practices on the core business, and effectively dealing with a transition plan is one of the main reasons why joint ventures and acquisitions fail.” So even if the conduct of an acquisition target was legal or tolerated in its home country, once that target is acquired and subject to the FCPA or Bribery Act, such conduct must stop. However, if such conduct ends, it may so devalue the core assets of the acquired entity as to ruin the business basis for the transaction. The authors cite back to the FCPA Guidance and its prescribed due diligence in the pre-acquisition stage as a key to this dilemma. But those guidelines also make clear that post-acquisition integration is a must to avoid FCPA liability if the illegal conduct continues after the transaction is completed.

The authors conclude by articulating that many Boards are not engaged enough to understand the way that their company is conducting business, particularly in a business environment as challenging as China. They believe that a Board should have a “detailed understanding of the business if it is to be an effective safeguard against fraud or corrupt practices.” They remind us that a Board should understand not only the specific financial risks to a company if an FCPA violation is uncovered but, perhaps more importantly, the “potential impact on the corporate culture and the risk to the company’s reputation, including the reputations of individual board members.” Finally, the authors believe that “effective oversight of corruption in China will only become increasingly more important”. That may be the most important lesson for any Board collective or Board member individually to take away from the ongoing GSK corruption and bribery scandal.

© Thomas R. Fox, 2013

July 2, 2013

Gettysburg Day 2: Dan Sickles, Political Generals and the CCO Position

Day 2 at Gettysburg saw the fighting swing south of the village, along a ridge line that formed a fishhook at its end on an outcropping called the Little Round Top. This was the far south end of the Union line and its defense was made famous in the book, “The Killer Angels”, which focused on the last stand by the 20th Maine led by Joshua Chamberlain. However, for today’s post I would like to focus on one of the more fascinating characters in the Civil War; that being Union General Daniel Sickles.

Sickles was a New York politician, who became one of the most prominent political generals of the Civil War. Prior to the war, Sickles was involved in a number of public scandals, most notably the killing of his wife’s lover, Philip Barton Key II, son of Francis Scott Key. He was acquitted with the first use of temporary insanity as a legal defense in US history. His appointment as a Union General was controversial as he had no military experience. Unfortunately, this lack of military training showed on July 2, 1863, after the Army of the Potomac commander Major General George G. Meade ordered Sickles’ corps to take up defensive positions on the southern end of Cemetery Ridge, anchored in the north to the II Corps and to the south on the hill known as Little Round Top. Sickles violated these orders by marching his III Corps almost a mile in front of Cemetery Ridge. This had two effects: it greatly diluted the concentrated defensive posture of his corps by stretching it too thin, and it created a salient that could be bombarded and attacked from multiple sides. His III Corps was virtually wiped out and this insubordination effectively ended Sickles’ military career.

I. Requirements for a CCO Position Under the USSG

There has never been an adequate explanation of Sickles’ departure from his clear orders. Was it insubordination or incompetence? We will probably never know. I thought of Sickles in particular and Lincoln’s general problem of the ‘Political Generals’ in the context of a compliance program under the US Sentencing Guidelines, which under §8B2.1 specifies that under Subsection 2 of an “Effective Compliance and Ethics Program” the following is required:

(A) The organization’s governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.

(B) High-level personnel of the organization shall ensure that the organization has an effective compliance and ethics program, as described in this guideline. Specific individual(s) within high-level personnel shall be assigned overall responsibility for the compliance and ethics program.

(C) Specific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program. Individual(s) with operational responsibility shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance and ethics program. To carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.

II. Requirements for a CCO Position under the Ten Hallmarks of an Effective Compliance Program

The Department of Justice (DOJ)/Securities and Exchange Commission (SEC) FCPA Guidance specifies that when appraising a compliance program, they will consider whether a company has assigned responsibility for the oversight and implementation of a company’s compliance program to one or more specific senior executives within an organization. Those individuals must have appropriate authority within the organization, adequate autonomy from management, and sufficient resources to ensure that the company’s compliance program is implemented effectively. Adequate autonomy generally includes direct access to an organization’s governing authority, such as the Board of Directors or an appropriate Committee such as the Audit Committee.

Further, depending on the size and structure of an organization, it may be appropriate for day-to-day operational responsibility to be delegated to other specific individuals within a company. However, the reporting structure will depend on the size and complexity of an organization. Moreover, the amount of resources devoted to compliance will depend on the company’s size, complexity, industry, geographical reach, and risks associated with the business. In assessing whether a company has reasonable internal controls the DOJ and SEC will typically consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.

Debbie Troklus, Greg Warner, and Emma Wollschlager, writing in the Society of Corporate Compliance and Ethics (SCCE) “The Complete Compliance and Ethics Manual”, relate that, as both anti-corruption compliance and Compliance are still relatively new fields, many compliance officers will not have extensive previous experience in this field. Consequently, a Chief Compliance Officer (CCO) position “requires an individual who understands the nature of the business or industry, is capable of understanding and questioning financial and billing statements, is knowledgeable of applicable legal requirements and sanctions that may be imposed in the industry for wrongdoing, has strong written and verbal communication skills, and is firm yet approachable. Whatever the tenure or the educational level, the compliance officer, as “focal point” of the program, must be a figure respected and trusted throughout the organization. Strong interpersonal skills, good listening abilities, and discretion are mandatory.”

III. The SCCE Code of Ethics

They also note that CCOs are stewards of a public trust, and, therefore, the services provided must be of the highest standards of professionalism, integrity, and competence. To this end, the SCCE has developed a Code of Ethics for Compliance and Ethics Professionals that addresses three principles, which are broad standards of an aspirational nature.

Principle I: Obligations to the Public — Compliance and ethics professionals should abide by and promote compliance with the spirit and the letter of the law governing their employing organization’s conduct and exemplify the highest ethical standards in their professional conduct in order to contribute to the public good.

Principle II: Obligations to the Employing Organization — Compliance and ethics professionals should serve their employing organizations with the highest sense of integrity, exercise unprejudiced and unbiased judgment on their behalf, and promote effective compliance and ethics programs.

Principle III: Obligations to the Profession — Compliance and ethics professionals should strive, through their actions, to uphold the integrity and dignity of the profession, to advance the effectiveness of compliance and ethics programs, and to promote professionalism in compliance and ethics.

So what about General Sickles, the Political Generals and the CCO position? Did Sickles have the moral authority to command troops after the shooting of Key? After all, he was acquitted, so perhaps the answer is ‘maybe’. But as to his lack of military experience, by not obeying Meade’s explicit orders, Sickles risked both his III Corps and the army’s defensive plan on July 2, as the Confederate assault smashed the III Corps and rendered it useless for further combat. Gettysburg campaign historian Edwin B. Coddington assigns “much of the blame for the near disaster” in the center of the Union line to Sickles.

I think that the message from the DOJ/SEC in their collective FCPA Guidance is clear regarding the CCO position. They will evaluate the person, the position within an organization and the resources dedicated to the CCO, his department and his staff to determine if it is sufficient for the specific organization at issue. The US Sentencing Guidelines also make clear such an analysis will be made when making a determination of whether to sentence, or what the sentence should be, for a Foreign Corrupt Practices Act (FCPA) violation. Don’t be a Dan Sickles.

© Thomas R. Fox, 2013
