FCPA Compliance and Ethics Blog

December 20, 2011

The Saga of MF Global – Don’t Shoot the Messenger, Fire the Chief Compliance Officer

In a post last week on his site, Corruption, Crime and Compliance, Mike Volkov named the Chief Compliance Officer (CCO) his “Person of the Year”. He did so because “There is no other position in a company which has taken on more significance.” This significance was foretold, in part, by the Department of Justice’s (DOJ) minimum best practices compliance program, where they have listed in each Deferred Prosecution Agreement (DPA) and Non-Prosecution Agreement (NPA) released beginning in 2010 and continuing into 2011, the following:

“Senior Management Oversight and Reporting. A Company should assign responsibility to one or more senior corporate executives of the Company for the implementation and oversight of the Company’s anti-corruption policies, standards, and procedures. Such corporate official(s) shall have direct reporting obligations to the Company’s Legal Counsel or Legal Director as well as the Company’s independent monitoring bodies, including internal audit, the Board of Directors, or any appropriate committee of the Board of Directors, and shall have an adequate level of autonomy from management as well as sufficient resources and authority to maintain such autonomy.”

In November 2010, the US Sentencing Guidelines were also amended to make the role of the CCO more robust and allow direct reporting to a Board of Directors or subcommittee of the Board. The amendment read “the individual…with operational responsibility for the compliance and ethics program…have direct reporting obligations to the governing authority or any appropriate subgroup… (e.g. an audit committee or the board of directors)”. If a company has the CCO reporting to the General Counsel (GC), who then reports to the Board, such a structure may not qualify as an effective compliance and ethics program under the amended Sentencing Guidelines.

These two bits of guidance came to mind when reading about MF Global over the past few weeks, regarding its Chief Risk Officer, the financial services equivalent of a CCO. As reported on December 15, in a New York Times (NYT) article entitled “MF Global’s Risk Officer Said to Lack Authority” Ben Protess and Azam Ahmed reported that the company replaced its Chief Risk Officer, Michael Roseman, earlier in 2011, after he “repeatedly clashed with Mr. Corzine [the CEO] over the firm’s purchase of European sovereign debt.” He was given a large severance package and left the company. When he left, there was no public reason given. His replacement was brought into the position with reduced authority.

Writing in the December 16 edition of the NYT’s DealB%K, in an article entitled “Another View: MF Global’s Corporate Governance Lesson”, Michael Peregrine stated that “compliance officer is the equivalent of a “protected class” for governance purposes, and the sooner leadership gets that, the better.” Particularly in the post Sarbanes-Oxley world, a company’s CCO is a “linchpin in organizational efforts to comply with applicable law.” When a company fires its CCO (or asks him to resign), it is a significant decision for all involved in corporate governance and should not be made at the discretion of the Chief Executive Officer (CEO) alone.

Both the DOJ minimum best practices and the amendment to the US Sentencing Guidelines, giving the CCO direct access to a company’s Board of Directors, would seem to provide the profile that would mandate that a Board wants to know the reason why a CCO (or Chief Risk Officer) would suddenly resign, particularly after he “repeatedly clashed” with a CEO over compliance issues. The universal corporate blanket “resigned to pursue other opportunities” is a white-wash that a Board should look beyond, if indeed that reason was given to the MF Board. The bottom line is that when a CCO leaves, particularly if it was due to a clash with the CEO, the Board had better take a close look into the reasons as it may be that the CEO wants to take risks which could put the company at grave risk.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

September 26, 2011

How Cole Porter Informs the Debate: Ethical Compliance v. Legal Compliance

In an article in the October 2011 issue of the ACC Docket, entitled “Who Needs Business Ethics When You’ve Got the Law on our Side?”, author James Nortz explores the question, “What good is this business ethics crap when there’s a law for everything?” While perhaps phrased in a different manner, most lawyers were certainly trained in law school to focus on the question of whether something was ‘legal’ in performing an analysis of whether a client could engage in some action. Lawyers were generally not trained on whether a client should engage in some action. Nortz looks at some of the differences.

Nortz frames the question more along the lines of “let the law be your guide” and recognizes this approach has “a certain simple, minimalistic, free-market appeal, avoiding messy questions regarding whose sense of right and wrong will prevail.” Within the Foreign Corrupt Practices Act (FCPA) compliance world this approach can be shown by contrasting the examples of the requirements of the US Sentencing Guidelines and the Department of Justice’s best practices compliance program as set out in various Deferred Prosecution Agreements (DPAs) over the past 14 months.

USSG’s 7 Elements of an Effective Compliance Program:

  1. Standards and procedures to prevent and detect criminal conduct.
  2. Leaders understand/oversee the compliance program to verify effectiveness and adequacy of support, specific individuals vested with implementation.
  3. Deny leadership positions to people who have engaged in misconduct.
  4. Communicate standards and procedures of the compliance program and conduct effective training.
  5. Monitor and audit, maintain reporting mechanism.
  6. Provide incentives; discipline misconduct.
  7. Respond quickly to allegations and modify program as required.

Panalpina DPA Best Practices Compliance Program:

  1. Clearly articulated and visible compliance program.
  2. Sr. management’s strong and explicit visible support.
  3. Develop and promulgate compliance standards and procedures governing gifts, hospitality, travel, etc.
  4. Risk assessment as basis for standards and procedures.
  5. Annual review of program.
  6. Assign responsibility to one or more senior corp. execs for implementation and oversight; directly reporting to the BOD; adequate level of autonomy and sufficient resources.
  7. System of financial and accounting procedures.
  8. Effective communication and periodic training and certifications.
  9. System for guidance, confidential reporting and response.
  10. Disciplinary procedures.
  11. Agent and business partner due diligence.
  12. Agent and business partner agreements.
  13. Periodic review and testing of standards and procedures.

A review of the above shows additional detail in the Panalpina DPA best practices compliance program. Simply following the law in the FCPA context will not provide a company with the detail which a compliance program should sustain to adequately protect a company. Nortz also notes that an approach of “let the law be your guide” will fail because “it implies, in the absence of a definitive rule that anything goes” (and here he is NOT referring to the Cole Porter revival).

Nortz concludes by noting that a more rounded ethical approach will not only prevent more absurd results but provide for greater employee productivity and more loyalty from third parties, whether those third parties are customers, agents or vendors. While noting what may seem like the obvious, that business professionals must take ethical obligations into account, lawyers must remember that simply achieving legal compliance is not always sufficient.


July 27, 2011

Will No One Rid Me of this Meddlesome Priest?

Tone at the Top has become a phrase inculcated in the compliance world. The reason it is so important to any compliance program is because it does actually matter. Any compliance program starts at the top and flows down throughout the company. The concept of appropriate tone at the top is in the US Sentencing Guidelines for organizations accused of violating the Foreign Corrupt Practices Act (FCPA); the Department of Justice’s (DOJ) best practices for effective compliance programs which have been released with each Deferred Prosecution Agreement (DPA) over the past year; the UK Bribery Act’s Six Principles of Adequate Procedures; and the OECD Good Practices. The reason all of these guidelines incorporate it into their respective practices is that all employees look to the top of the company to see what is important. Or to quote my colleague Mike Volkov, who quoted Bob Dylan, in opining “You don’t need to be a weatherman to know which way the wind blows”.

The US Sentencing Guidelines read:

High-level personnel and substantial authority personnel of the organization shall be knowledgeable about the content and operation of the compliance and ethics program … and shall promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.

The OECD Good Practices read:

  1. strong, explicit and visible support and commitment from senior management to the company’s internal controls, ethics and compliance programs or measures for preventing and detecting foreign bribery;

The UK Bribery Act Guidance for the Six Principles of Adequate Procedures reads:

The top-level management of a commercial organisation (be it a board of directors, the owners or any other equivalent body or person) are committed to preventing bribery by persons associated with it. They foster a culture within the organisation in which bribery is never acceptable.

Attachment C, to each DPA released in the past year, has the following:

2. [The Company] will ensure that its senior management provides strong, explicit, and visible support and commitment to its corporate policy against violations of the anti-corruption laws and its compliance code.

The Foreign Corrupt Practices Act (FCPA) world is riddled with cases where the abject failure of any ethical “Tone at the Top” led to enforcement actions and large monetary settlements. In the two largest monetary settlements of enforcement actions to date, Siemens and Halliburton, for the actions of its former subsidiary KBR, the government specifically noted the companies’ pervasive tolerance for bribery. In the Siemens case, for example, the Securities and Exchange Commission (SEC) noted that the company’s culture “had long been at odds with the FCPA” and was one in which bribery “was tolerated and even rewarded at the highest levels”. Likewise, in the KBR case, the government noted that “tolerance of the offense by substantial authority personnel was pervasive” throughout the organization.

In addition to the two cases set out above, in a 2003 report, the Commission on Public Trust and Private Enterprise cited a KPMG survey covering selected US industries, which found that 37 percent of employees had, in the previous year, observed misconduct that they believed could result in a significant loss of public trust if it were to become known. This same KPMG survey found that employees reported a variety of types of misconduct and that the employees believed this misconduct is caused most often by factors such as indifference and cynicism; pressure to meet schedules; pressure to hit unrealistic earnings goals; a desire to succeed or advance careers; and a lack of knowledge of standards.

So how can a company overcome these employee attitudes and replace the types of corporate cultures which apparently pervaded at News Corp and re-set its “Tone at the Top”? In a 2008 speech to the State Bar of Texas Annual Meeting, reprinted in Ethisphere, Larry Thompson, PepsiCo Senior Vice President of Governmental Affairs, General Counsel and Secretary, discussed the work of Professor Lynn Sharp at Harvard. From Professor Sharp’s writings, Mr. Thompson cited five factors which are critical in establishing an effective integrity program and to set the right “Tone at the Top”.

  1. The guiding values of a company must make sense and be clearly communicated.
  2. The company’s leader must be personally committed and willing to take action on the values.
  3. A company’s systems and structures must support its guiding principles.
  4. A company’s values must be integrated into normal channels of management decision making and reflected in the company’s critical decisions.
  5. Managers must be empowered to make ethically sound decisions on a day-to-day basis.

So whether with malicious intent or simply said out of frustration, when Henry II uttered the words which are the title of today’s posting, it set the tone for the four knights who overheard him. They set off and murdered Thomas Becket. Perhaps less starkly in today’s world, if the tone from the top is that you must meet your quarterly numbers or the company will find someone else to do the job, that is the message that will come across to company employees. But whether you are the King of England, the CEO of a Fortune 500 company or simply in a leadership position in your company, the tone does matter.


February 8, 2011

Disclosure and Negotiating with the Government – A FCPA Conundrum?-Part II

In yesterday’s blog we explored the question of whether a company should self-report a potential FCPA violation to the pertinent US governmental authorities. Today, we conclude our two-part series by exploring three issues: (1) What should you disclose; (2) How/When should you disclose; and (3) Negotiating the Final Settlement with the Government.

What should you disclose?

Once a company makes a decision to self-report, the next question is what to disclose. The clear weight of advice on this point is that a company should disclose all information about the problem because credibility of your company is on the line. If you underplay the facts it may do more damage in the long run. A company needs to be prepared to explain why the problem arose, what systems worked well or failed and what corrective actions were taken. In other words, what did your company do to prevent the violative conduct, and if such conduct occurred, how was it detected and what did your company do to deter a similar occurrence in the future?

In preparing your company’s self-disclosure, there will be several detailed issues which the DOJ and/or SEC will want some answers to. These include:

  • How was the conduct discovered?
  • How long have you known?
  • Who was or is involved? Are they still employed?
  • What was the bribe amount and intended benefit?
  • When did the conduct occur?
  • How were the payments made?
  • How has the relevant evidence been secured?
  • Have you looked for all related conduct?
  • Has the Board/Audit committee been notified?
  • Was corrective action taken or is it planned?
  • Are local prosecutors involved?

The DOJ and SEC will expect not only full cooperation during the investigation phase but also full communications. This will include briefings on interviews, updates on email findings/document review and presentation of forensic accounting findings. Also during this entire investigation phase, your company should be remediating the specific issue and implementing and updating their compliance program and internal controls. A company will also have to make a decision on how (and when) to deal with the employees involved in the conduct at issue. You should place any employees involved on paid-administrative leave and at some point, you will need to make the decision on whether to terminate the employees from employment with your company. This final step needs to be considered carefully as it may end all cooperation by those employees.

How/When to Disclose?

After your company has made the decision to self-report, you will need to consider how and when to report. Initially a company should simultaneously self-disclose to both the DOJ and SEC or other applicable agency. There is no advantage to disclosing to only one as both the DOJ and SEC share such information quite quickly. Perhaps a more difficult question is how much investigation to do before disclosure. Once again, Lanny Breuer has suggested that “[a] corporation should seriously consider seeking the government’s input on the front end of its internal investigation.” This allows the DOJ to focus on issues it may see as more important than the company does. Such an example could be if the DOJ has an ongoing, unannounced investigation regarding a certain country and the self-disclosing company has agents in that country, the DOJ may want information on those agents. This could be even if the conduct at issue took place in a different part of the world.

The final, and perhaps most difficult, question would appear to be the following: if and when to disclose to a foreign government. A foreign government may react quickly by arresting company officers in its country or take other actions which may seem inconsistent with US judicial proceedings. However, the DOJ has made it clear that it is increasingly cooperating with foreign governments in the fight against corruption so the DOJ itself may put the foreign government on notice.

Negotiating the Settlement

The initial starting point when negotiating a FCPA settlement is that you should retain a former federal prosecutor to lead your negotiating team. Do not have a civil litigation attorney lead this effort. This is because prosecutorial discretion governs the entire process and to understand the ins, outs and implications, your company needs someone who has been through the process from the government’s perspective. Some of this prosecutorial discretion includes whether to prosecute, who to prosecute and what conduct to prosecute.

After these decisions have been made, an equally important set of decisions is up next for consideration. These involve the form of the Resolution: will it be a Deferred Prosecution Agreement (DPA), a Non-Prosecution Agreement (NPA), or, best yet, a declination from the DOJ? In negotiating with the SEC there will be issues around whether the company will enter into a Consent Decree or the SEC will seek and/or obtain a Permanent Injunction.

The next area for discussion will be that of penalties. The first decision will probably be whether or not individuals in the company are to receive any criminal sanctions and if this decision is in the affirmative, it will certainly have implications for the company. Next will be the penalties, both from the DOJ and SEC. These can be fines, monetary penalties and profit disgorgement, all of which can add up to hundreds of millions of dollars.

Finally will be the decisions regarding post-resolution obligations and the time line for resolution of said obligations. Will an external monitor be involved and if so what will be the terms and conditions of the monitorship? Will your company have to create, enhance or implement a best practices compliance policy or a portion thereof, to remediate the conduct at issue? Will there be an increase in your company’s compliance staff; will there be a Board mandate, with separate guaranteed funding for compliance issues and initiatives? Finally, how, and at what interval, will your company report its progress to the DOJ and SEC?

The FCPA investigation road can be a long and rocky one. Unfortunately there is no one path that a company can or should follow; each step must be considered, under the facts and circumstances of the company involved. There does appear to be one step that all agree upon and that is that your company must give the DOJ and SEC its full cooperation after an investigation commences, whether through self-disclosure, whistleblowing or other mechanisms.


November 11, 2010

Additional Proposed Amendments to the Foreign Corrupt Practices Act

Ed. Note-we are pleased to post a guest article by our colleague James McGrath.

A fortnight ago, the US Chamber Institute for Legal Reform issued a white paper entitled “Restoring Balance – Proposed Amendments to the Foreign Corrupt Practices Act”.  Written by Andrew Weissmann and Alixandra Smith, it is the Institute’s response to stepped-up FCPA enforcement activities over the past five years that have highlighted deficiencies in the statute.  These shortcomings make for onerous investigations, prosecutions, and penalties seemingly beyond its legislative intent.  This article suggests two additional amendments not in response to any textual deficiency, but rather, to evolving government enforcement philosophy.       

The FCPA is only a small part of the larger effort to get American business entities to behave ethically and police themselves, thereby ensuring good corporate citizenship. Since 1991, Chapter Eight of the United States Sentencing Guidelines has provided the framework for these efforts by mandating that companies institute and maintain vibrant compliance and ethics programs to ensure that corporations and their employees are trained in, and adhere to, morally-sound practices within their industries. When there are ethical lapses, as infamously seen with Enron, et al., the Guidelines mandate that companies respond to these breakdowns.

These responses require businesses to impartially investigate what happened and why, and then to take remedial action to ensure that such breakdowns do not recur.  Remedial action may include retraining of employees, wholesale or partial re-vamping of compliance and ethics programs, self-reporting of perceived law-breaking to enforcement authorities, or a combination of these.  When companies do self-report and are prosecuted in criminal or civil actions brought by the government, resulting prison sentences, fines, and other penalties – including the disgorgement of profits – can be reduced significantly by cooperating with a federal agency’s investigation of the same.    

The problem with the current state of the FCPA is its imprecision. An anti-bribery statute, it prohibits U.S. companies from giving, promising, or authorizing the giving of anything of value to a foreign official in order to secure a business advantage in a foreign country. See 15 U.S.C. §78dd-1 through 15 U.S.C. §78dd-3. However, the statute specifies no culpable mental state such as “intentionally” or “knowingly”, provides little guidance as to what constitutes “anything of value”, and is vague in its definition of a “foreign official”. Further, it contains no provisions defining a company’s liability for the prior acts of a company that it has later acquired or for that of a subsidiary acting without the parent’s knowledge.

Compounding this muddy state of affairs is the DOJ’s very aggressive stance on FCPA enforcement. In recent years, it has essentially taken the positions that: (1) the FCPA is a strict liability offense, (2) the value threshold can be very low, even de minimis, (3) a foreign official can be almost any foreign national, and (4) successor and subsidiary liability is unlimited. This makes tough sledding for companies doing business overseas, and DOJ Criminal Division Assistant Attorney General Lanny Breuer’s promise at Compliance Week 2010 of even more heightened FCPA enforcement surely influenced the US Chamber Institute’s formulation of its proposed amendments to that statute.

The Institute white paper suggests five changes to the law: (1) addition of an affirmative “compliance defense”, (2) limiting corporate liability for prior acts of a company it has later acquired, (3) positing “willfulness” as the culpable mental state under the statute, (4) limiting a company’s liability for the acts of its subsidiaries, and (5) more clearly defining a “foreign official”. 

All of these are excellent proposals, and amending the FCPA by their incorporation would clarify the statute and go a long way toward leveling the enforcement playing field.  However, given statements made in the aforementioned May 27, 2010 address, two more amendments should be considered.  

As noted earlier, an effective compliance and ethics program requires companies to conduct internal investigations into possible FCPA violations.  In his presentation, Mr. Breuer advised that when a possible violation has been discovered, the corporation should (1) seek the government’s input on the front end of its internal investigation, (2) describe its work plan for conducting the inquiry, and (3) be responsive to DOJ questions, suggestions, and requests to expand the scope of the investigation.

From an internal investigations perspective, this “call first” demand constitutes a seismic shift in the government’s perception of its role in the process and should present tremendous business and legal concerns for a company in its crosshairs.  What the DOJ is asking for is access to the inner workings of private-sector companies and how they conduct themselves in a way that has heretofore not been seen.  

At present, when an FCPA violation occurs, there is generally the following investigatory timeline: (1) occurrence of the perceived corporate wrong, (2) performance of the company’s internal investigation, and (3) determination by the company of whether to self-report and cooperate with the government’s parallel investigation and potential litigation. 

In this sequence, the company conducts its own inquiry before making the critical decision to implicate itself or not.  Because these internal investigations are usually conducted by outside counsel, if no wrong is found by that independent investigation, its results are protected from disclosure to third parties by operation of the attorney-client privilege.  See: Upjohn Co. v. United States, 449 U.S. 383 (1981).  This safeguard to the company is vital.  In an era of global markets and instant information, the protection of an exonerated company’s reputation may very well save it from complete ruin, as the mere specter of dirty laundry can be damning on Wall Street.  

Alternatively, if a company contacts and co-ordinates its internal investigation from the outset with the DOJ, its ability to protect the direction, yield, and publicity of any such inquiry will be nil. Dirty or not, it will have waived attorney-client privilege and laid open its entire operation to government investigators. That should be unnerving to even the most ethical company.

A line of cases beginning with Coolidge v. New Hampshire, 403 U.S. 443 (1971) stands for the proposition that government agents need not ignore evidence of other illegal activities they happen upon when they are lawfully present, even on an unrelated matter. This “plain view” exception to the probable cause and warrant requirement is never lost on law enforcement. It is therefore not difficult to imagine aggressive government investigators with access to a company’s every last document and memorandum hunting until they find wrongdoing to prosecute, be it the FCPA violation that they were invited in on, or something else. That is a daunting prospect to consider.

This is not to advocate that companies should be able to hide their illegalities and avoid prosecution. Quite the contrary. The USSG laudably balances the sometimes-competing and sometimes-cooperating interests of ensuring self-policing, respecting corporate privacy, and doing justice by prosecuting wrongdoers. To establish a precedent where the government is called into, and becomes a partner in, every FCPA internal investigation flies in the face of Chapter Eight of the USSG by eradicating the self-policing that is its purpose.

To be clear, adhering to Mr. Breuer’s suggestion of early government involvement in a company’s internal investigation is not always going to be unacceptable or ill-advised.  Whether to do so or not is a business and legal decision that is best made by corporate leadership.  However, allowing his present request to ripen into a future demand, and then into a policy that over the course of time and through stare decisis becomes the law of the FCPA land, usurps the authority of Congress and is wrong. 

As a result, any prospective legislation amending the FCPA should protect the balance of interests in corporate criminal and civil prosecutions already struck by the USSG.   Involving the DOJ at the outset of the internal investigation process as mandatory for receiving cooperation credit under the Guidelines should be expressly prohibited.  And for those companies that do invite the government in as investigatory partners from the beginning, there should be some transactional or use immunity – or at least some limitation on penalties and sanctions – for other wrongs uncovered during the course of the FCPA investigation in recognition of their good-faith efforts to cooperate with the government.  

While neither of the foregoing proposals can or will remedy the adverse publicity aspect of early DOJ involvement where elected, the former does safeguard corporate privacy and attorney-client privilege interests, while the latter fairly and justly limits the impact of a “corporate plain view” violation.  These are advisable as counterweights to continued and vigorous government FCPA enforcement activity and will maintain a level playing field between companies seeking to ethically do business abroad and the DOJ.

James J. McGrath is a former prosecutor and the managing partner of McGrath & Grace, Ltd., a law firm that specializes in conducting independent corporate internal investigations. He can be reached at james.mcgrath@mcgrath.grace.com.

November 2, 2010

Proposed Reforms to the FCPA: the Compliance Defense and Respondeat Superior

In a Whitepaper entitled “Restoring Balance-Proposed Amendments to the Foreign Corrupt Practices Act”, authors Andrew Weissmann and Alixandra Smith, writing on behalf of the US Chamber Institute for Legal Reform, recently proposed amending the Foreign Corrupt Practices Act (FCPA). They argue that the time is ripe to amend the FCPA to make the statute more equitable and its requirements clearer. They propose five (5) amendments to the FCPA which they argue would serve to improve the Act. This post will discuss, in greater specificity, their first proposal: to create a compliance defense available to a company if it has an adequate compliance program, similar to the “adequate procedures” defense available under the UK Bribery Act.

Under this suggestion the authors believe that companies will increase their compliance with the FCPA because they will now have a greater incentive to do so. They envision a defense similar to the “adequate procedures” defense available under the UK Bribery Act, under which companies will be protected if a rogue employee engages in corruption and bribery despite a company’s diligence in pursuing a FCPA compliance program. Lastly, they argue, “it will give corporations some measure of protection from aggressive or misinformed prosecutors, who can exploit the power imbalance inherent in the current FCPA statute—which permits indictment of a corporation even for the acts of a single, low-level rogue employee—to force corporations into deferred prosecution agreements.”

The authors set out the recently released UK Bribery Act Consultative Guidance as one basis of this proposed compliance defense. This Guidance listed 6 Principles of an effective anti-bribery and anti-corruption program which are: 

1.         Risk Assessment – knowing and keeping up to date with the bribery risks you face in your sector and market.

2.         Top Level Commitment – this concerns establishing a culture across the organization in which bribery is unacceptable.

3.         Due Diligence – knowing who you do business with; knowing why, when and to whom you are releasing funds; seeking reciprocal anti-bribery agreements; and being in a position to feel confident that business relationships are transparent and ethical.

4.         Clear, Practical and Accessible Policies and Procedures – this concerns applying them to everyone you employ and business partners under your effective control.

5.         Effective Implementation – going beyond ‘paper compliance’ to embedding anti-bribery in your organization’s internal controls, recruitment and remuneration policies, operations, communications and training on practical business issues.

6.         Monitoring and Review – auditing and financial controls that are sensitive to bribery and are transparent, considering how regularly you need to review your policies and procedures, and whether external verification would help. 

The authors also discuss the Italian Anti-Bribery Bill, which was enacted in 2001. The statute provides a defense under which a business may avoid liability if it can demonstrate that, before employees of the company engaged in bribery or corruption, the company had (1) adopted and implemented a model of organization, management and control designed to prevent that crime, (2) engaged an autonomous body to supervise and approve the model, and (3) the autonomous body adequately exercised its duties. Further, to determine whether the compliance program was effectively designed, the Italian law required consideration of the following factors:

1.         Management of Resources – whether financial resources were managed in a way that discouraged the prohibited conduct.

2.         Provision of Information to Management – whether the compliance program required officers and employees to supply the persons responsible for monitoring the compliance program with the necessary information to ensure their compliance with it.

3.         Disciplinary Measures – whether there were measures in the compliance program which punished those employees who violated the program.

The authors note that while concepts from both of the above laws are embedded within the US Sentencing Guidelines, they are considered at a very different phase of the criminal process in the US. Under both the UK and Italian laws, these factors are considered during the liability phase of an anti-bribery or anti-corruption proceeding. In the US, the factors of the adequacy of a compliance program are considered by the Department of Justice (DOJ) in deciding if a corporation “should have a slight reduction in its culpability score when sentencing it for FCPA or other violations.” The authors believe that the adoption of such a compliance defense will not only increase compliance with the FCPA by providing businesses with an incentive to deter, identify and self-report potential and existing violations, but will also protect corporations from employees who commit crimes despite a corporation’s diligence.

The authors go on to state that the institution of a compliance defense will bring enforcement of the FCPA in line with US Supreme Court precedent, which has recognized that it is appropriate and fair to limit the legal doctrine of respondeat superior liability where a company can demonstrate that it took specific steps to prevent the offending employee’s actions. In the employment context involving punitive damages, the authors cite to the case of Kolstad v. American Dental Ass’n, 527 U.S. 526 (1999) for the proposition that, “an employer may not be vicariously liable for the discriminatory employment decisions of managerial agents where these decisions are contrary to the employer’s ‘good-faith efforts to comply with Title VII.’” The authors believe that this holding was motivated by a concern that the existing standard was “dissuading employers from implementing programs or policies to” comply with Title VII for fear that such programs would bring to light violations for which a company would ultimately be liable, no matter what steps it had undertaken to prevent such violations. From this Title VII case involving punitive damages, the authors extrapolate that businesses may similarly be dissuaded from instituting a rigorous FCPA compliance program for fear that the return on such an investment will be only to expose the company to increased liability and will do little to actually protect the company. A FCPA compliance defense will help blunt this. 

Other commentators have noted that the doctrine of respondeat superior puts a company at a great disadvantage in any FCPA enforcement proceeding. In a blog post entitled, “Quiz Time Answer”, the FCPA Professor explained:

“Individual FCPA defendants tend to work for companies. Under respondeat superior theories of liability, the company is going to have a very difficult time “distancing” itself from its employees conduct.”

The FCPA Blog went further, opining that the doctrine of respondeat superior “does more harm than good” and that corporations are “defenseless once employees are found to have committed [FCPA] violations” in an enforcement action because of the doctrine of respondeat superior. In a blog post entitled, “Naked Corporate Defendants”, the FCPA Blog said: 

“Sure, it produces a 100% corporate “conviction” rate in FCPA cases, which must go down well at the Justice Department. But, it probably doesn’t deter illegal behavior or encourage better compliance programs. And it puts overwhelming pressure on organizations to resolve threatened criminal cases. Because of the catastrophic effects of any potential conviction, companies have to settle with the government. So they rush into agreements that may require them to waive the attorney–client privilege, hand over employees’ private documents and data, cut off support for their legal defense, and fire those who don’t cooperate with government investigations.”

This pressure to settle and avoid the fate of Arthur Andersen is often on the minds of many corporate General Counsels and other corporate officers. The FCPA Professor, in the same blog post cited above, noted that “corporate FCPA enforcement actions tend to be resolved through a non-prosecution agreement, a deferred prosecution agreement, or a plea. Entering into one of these resolution vehicles is often easier, more cost efficient, and more certain than actually mounting a legal defense based on the FCPA’s statutory elements. Further, because these resolution vehicles are subject to little or no judicial scrutiny and are entered into the context of the DOJ possessing certain “carrots” and “sticks” they do not necessarily reflect the triumph of one party’s legal position over the other.”

Many corporations are faced with a true Hobson’s Choice during a FCPA enforcement action. Simply put, they do not believe that they can face the prospect of a guilty verdict after trial to a judge or jury. While there is the example of Aibel Group Ltd., which pled guilty to a FCPA charge during the pendency of its Deferred Prosecution Agreement and survived, the example of Arthur Andersen is the one which is foremost in the minds of all corporate officers. The provision of a compliance defense as suggested by authors Weissmann and Smith may provide companies with a mechanism to actually defend themselves from a FCPA enforcement action. However, it is not clear at all what the DOJ position will be on this issue.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2010

US Sentencing Guidelines Changes Become Effective November 1

Yesterday, on November 1, 2010, the proposed changes in the US Sentencing Guidelines became effective. This post will highlight the changes and what they may import for the FCPA compliance professional. The US Sentencing Guidelines are used in the sentencing of organizations and serve as the de facto blueprint for corporate ethics and compliance programs. The changes, which were approved at an April meeting of the US Sentencing Commission and were formally submitted to Congress by May 1, became effective yesterday. These proposed changes followed public hearings and a public comment period which ended in March. The most significant changes in the Sentencing Guidelines are as follows.

1. Direct Report. The amendment changed the reporting structure in corporations where the Chief Compliance Officer (CCO) reports to the General Counsel (GC) rather than a committee on the Board of Directors. The change reads “the individual…with operational responsibility for the compliance and ethics program…have direct reporting obligations to the governing authority or any appropriate subgroup… (e.g. an audit committee or the board of directors)”. If a company has the CCO reporting to the GC, who then reports to the Board, such structure may not qualify as an effective compliance and ethics program under the amended Sentencing Guidelines. The better practice would now appear to be that the CCO should be a direct report to the Board or appropriate subcommittee of the Board such as compliance or audit. 

2. Discovery of Problem Inside the Organization Rather Than Outside. This amendment encourages a company to have a hotline and other mechanisms to detect any compliance and ethics violations internally. While most companies have a Code of Conduct, with attendant implementation policies and procedures in place, training thereon and a hotline, many companies have yet to implement any type of self-audit program to measure Foreign Corrupt Practices Act (FCPA) compliance program performance. This encourages companies not only to monitor their internal self-reporting but also to actively test the information available to them through a system such as continuous controls monitoring.

3. Promptly Report. This amendment inserts specific language regarding the “prompt” reporting of any violation of a compliance and ethics program. While no definition of the word “prompt” is provided, the revisions to the Commentary note that an organization will be “allowed a reasonable time to conduct an internal investigation” and that no reporting is required if “… the organization reasonably concluded…that no offense has been committed”. Nevertheless, this language reiterates what many former Department of Justice (DOJ) employees tell industry representatives at conferences and events regarding the FCPA. It is always preferable to report a violation to the US government rather than the US government finding out and coming to you.

4. No Person With Operational Responsibility Condoned or Was Willfully Ignorant. This proposed amendment is aimed at those personnel within a company’s compliance and ethics organization. While operational responsibility could be defined to mean only those who might report to the Board, this commentator would suggest the better approach is to include all company personnel with direct reporting responsibility in the compliance and ethics group. The definition of “willfully ignorant” has not changed from the current version of the Sentencing Guidelines, which is provided in Application Note 3 of Commentary to §8A1.2 (Application Instructions-Organizations). The definition reads in full “An individual was “willfully ignorant of the offense” if the individual did not investigate the possible occurrence of unlawful conduct despite knowledge of circumstances that would lead a reasonable person to investigate whether unlawful conduct had occurred”. 

All companies subject to the Foreign Corrupt Practices Act should review their compliance policies and procedures to ascertain if they are in compliance with these changes. With the upcoming effective date of the UK Bribery Act on April 1, 2011, companies should have a comprehensive review of their compliance program to determine if any changes need to be made.

October 18, 2010

Risk Assessments: FCPA and UK Bribery Act Best Practices

We recently wrote about ongoing assessments as a key component of a best practices anti-corruption and anti-bribery program. One of our colleagues commented that such a tool is also one with which a company should begin to craft its compliance program. The reason is straightforward: one cannot define, plan for, or design an effective compliance program to prevent bribery and corruption unless one can measure the risks one faces. Therefore this post will discuss the tool that an entity should utilize to build its anti-corruption and anti-bribery program around, the Risk Assessment.

We believe that for this reason both the Principles of Federal Prosecution of Business Organization (US Sentencing Guidelines) and its section on corporate compliance programs and the UK Bribery Act’s Consultative Guidance list Risk Assessment as the initial step in creating an effective anti-corruption and anti-bribery program. This posting will review the specifics of an effective Risk Assessment and how it will inform the development, implementation and maintenance of any best practices compliance program.

US Sentencing Guidelines

The US Sentencing Guidelines state “compliance and ethics program shall be reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct.” The Report of the Ad Hoc Advisory Group on the Organizational Sentencing Guidelines stated that “Each organization will need to scrutinize its operating circumstances, legal surroundings, and industry history to gain a practical understanding of the types of unlawful practices that may arise in future organizational activities.”

Writing in the most recent issue of the Society of Corporate Compliance and Ethics Magazine (SCCE) (Vol. 7 / No. 5)(Oct. 2010), Russ Berland suggested that a compliance risk assessment (1) catalogues the legal and compliance requirements facing the company; (2) uses information gathering tools such as interviews, surveys, benchmarking and document review to determine the company’s risks of failing to comply with legal and regulatory requirements; and (3) analyzes those risks to prioritize them according to likelihood, impact, and velocity.

Properly utilized, a Risk Assessment will identify risks/gaps and monitor/review performance against ongoing business requirements and compliance best practices. Such an assessment can also be used to guide a company on how to mitigate the most significant risks through implementation of a best practices compliance program and to make an organization’s effort less “reactive” and more “proactive”.

UK Bribery Act

Principle 1 of the UK Bribery Act’s Consultative Guidance states, “Risk Assessment-The commercial organisation regularly and comprehensively assesses the nature and extent of the risks relating to bribery to which it is exposed.” The Guidance points towards several key risks which should be evaluated in this process. These risk areas include:

1. Internal Risk – this could include deficiencies in
• employee knowledge of a company’s business profile and understanding of associated bribery and corruption risks;
• employee training or skills sets; and
• the company’s compensation structure or lack of clarity in the policy on gifts, entertaining and travel expenses.

2. Country Risk – this type of risk could include: (a) perceived high levels of corruption as highlighted by corruption league tables published by reputable Non-Governmental Organizations such as Transparency International; (b) factors such as absence of anti-bribery legislation and implementation and a perceived lack of capacity of the government, media, local business community and civil society to effectively promote transparent procurement and investment policies; and (c) a culture which does not punish those who seek bribes or make other extortion attempts.

3. Transaction Risk – this could entail items such as transactions involving charitable or political contributions, the obtaining of licenses and permits, public procurement, high-value projects or projects with many contractors, or involvement of intermediaries or agents.

4. Partnership risks – this risk could include those involving foreign business partners located in higher-risk jurisdictions, associations with prominent public office holders, insufficient knowledge or transparency of third party processes and controls.

Risk Assessment as ‘Best Practices’

Both cornerstones of guidance available to the Foreign Corrupt Practices Act (FCPA) compliance practitioner include ongoing Risk Assessment as a key component of any best practices program. The text of each document and the remarks by commentators make clear the reasons for such an ongoing assessment. Not only do best practices evolve but companies and business evolve. A well-managed organization makes an assessment of the risks it faces now and in the future and then designs appropriate risk management and control mechanisms to control such risks.

Attention should also be paid to who conducts the assessment and how it is conducted. Berland, in his article cited above, has noted that unless the Risk Assessment is protected by some form of privilege, such as the attorney-client privilege or attorney work-product privilege, the Risk Assessment “May be disclosed outside the company in the event of criminal investigation or private litigation.” However, the key point is that a Risk Assessment is absolutely mandatory and must be used as a basis for design of an effective compliance policy, whether under the FCPA or the UK Bribery Act. If a Risk Assessment is not used, it might be well nigh impossible to argue that your compliance program meets even the basic standards of either law.

October 16, 2010

Ongoing Compliance Assessments: FCPA, UK Bribery Act and OECD Best Practices

One of the requirements consistent throughout the Principles of Federal Prosecution of Business Organization (US Sentencing Guidelines) and its section on corporate compliance programs; the Organization for Economic Co-operation and Development (OECD) Good Practice Guidance on Internal Controls, Ethics, and Compliance; and the UK Bribery Act’s Consultative Guidance is the need for continued assessment of an anti-corruption and anti-bribery compliance program. This posting will review the specifics of each of these documents and will provide to the compliance and ethics practitioner some ideas on how to implement what each of these protocols stresses is a key component of any best practices compliance program.

US Sentencing Guidelines

The US Sentencing Guidelines state that there should be periodic reviews of a company’s compliance program, utilizing internal resources, such as a company’s Internal Audit function, and outside professional consultants. The OECD Good Practice states that a compliance program should be periodically re-assessed and re-evaluated to take into account any new developments. The UK Bribery Act Consultative Guidance, recently released by the UK Ministry of Justice, requires ongoing monitoring and review by noting that a compliance program and procedures should be reviewed regularly and a company should consider whether an “external verification [of the compliance program] would help.”

Speaking at the Compliance Week 2010 Annual Conference, Assistant Attorney General for the Criminal Division of the US Department of Justice, Lanny Breuer, indicated that such an external verification or assurance of the effectiveness of a compliance program is a key component to assist a company in maintaining a ‘best practices’ FCPA compliance program. He noted that it is through a mechanism such as an ongoing assessment that a company could continue to evaluate its own compliance program with reference to compliance standards which are evolving on a worldwide basis.

OECD

In this same speech, Breuer cited as a benchmark for a best practices compliance and ethics program the protocols set forth in the OECD Good Practice Guidance on Internal Controls, Ethics, and Compliance. In this protocol the OECD suggested “periodic reviews of the ethics and compliance programs or measures, designed to evaluate and improve their effectiveness in preventing and detecting foreign bribery, taking into account relevant developments in the field, and evolving international and industry standards.” Writing in the Society of Corporate Compliance and Ethics Magazine (SCCE) (Vol. 7 / No. 3), Russ Berland explained that this guidance meant that companies should regularly reassess their anti-bribery and anti-corruption compliance program to evaluate and improve its overall effectiveness. Although he did not give a time frame for this regular assessment, Berland noted that any such assessment “should take into account new developments in the area and evolving standards.”

UK Bribery Act

Principle Six of the UK Bribery Act’s Consultation Guidance discusses the need for ongoing monitoring and review. The Principle states “The commercial organization institutes monitoring and review mechanisms to ensure compliance with relevant policies and procedures and identifies any issues as they arise. The organization implements improvements where appropriate.” The reason for this continued monitoring was to ensure that, if external events like government changes, corruption convictions, or negative press reports occur, an appropriate compliance response is triggered. The Guidance noted that it would be prudent for companies to consult the publications of relevant trade bodies or regulators that could highlight examples of good or bad practice. Organizations should also ensure that their procedures take account of external methods of issue identification and reporting as a result of the statutory requirements applying to their supporting institutions, for example money laundering regulations reporting by accountants and solicitors.

The Consultative Guidance provided advice for companies which covered several specific suggestions. The senior management of higher risk and larger organizations may wish to consider whether to commission external verification or assurance of the effectiveness of anti-bribery and anti-corruption policies. An independent review can provide a company which is undergoing structural change or entering new markets with an insight into the strengths and weaknesses of its anti-bribery policies and procedures and help it identify areas for improvement. Such independent assessment would also enhance a company’s credibility with business partners, help to restore market confidence following the discovery of a bribery incident, and help meet the requirements of both voluntary or industry initiatives and any future pre-qualification requirements.

Ongoing Assessment as ‘Best Practices’

All three cornerstones of guidance available to the Foreign Corrupt Practices Act (FCPA) compliance practitioner include ongoing assessments as a key component of any best practices program. The text of each document and the remarks by commentators make clear the reasons for such an ongoing assessment. Not only do best practices evolve but companies and business evolve. An assessment is key to measuring where your program currently stands to allow you to know where it needs to be updated.

Attention should be paid to who conducts the assessment and how it is conducted. The entity, be it a law firm, professional consultant or other, which designed the FCPA compliance program for your company should not be the assessor. Such an assessment would obviously be a conflict of interest. Additionally, a drafter usually has blind spots when assessing his or her own work. An outside FCPA compliance professional should be engaged to assess your compliance policy, no less often than every two years, to review and make recommendations to keep your program at the best practices standard.

September 28, 2010

FCPA Investigations – Now Call First?

Ed. Note-today we are pleased to host a guest posting by our colleague James McGrath

At the Compliance Week 2010 Annual Conference one of the issues discussed by Assistant Attorney General for the Criminal Division of the US Department of Justice, Lanny Breuer, was what the Department of Justice (DOJ) might consider as an “effective compliance and ethics program” under the Foreign Corrupt Practices Act (FCPA) if an FCPA violation occurs and a company’s compliance program comes under scrutiny from the Criminal Division of the DOJ. Breuer noted that the most effective type of compliance program is one that “prevents fraud and corruption in the first place” but when such compliance program has not done so, there are defined policies in place to “quickly detect, fix and report the [FCPA] violations.”

Mr. Breuer’s call for defined compliance and ethics policies to “quickly detect, fix and report the [FCPA] violations” preceded his suggestion that “[a] corporation should seriously consider seeking the government’s input on the front end of its internal investigation.”  From an investigations perspective, this “call first” game plan presents immediate business and legal concerns. 

While the goal of both the government and corporate citizens under the USSG is self-policing, the pursuit of that objective has heretofore been initiated and controlled at the outset by companies themselves.  For example, a hotline call comes in alleging misconduct: Company X evaluates the substance of the claim, and if deemed credible, initiates an internal investigation in line with a robust compliance and ethics program.  If the assertion is serious and sensitive enough, Company X entrusts the inquiry to in-house or outside counsel.  This is specifically done to protect the existence and yield of the investigation through application of the attorney-client privilege and work-product doctrine.  

The foregoing protections are advisable and well within the long-protected rights of the corporation.  See: Upjohn Co. v. United States, 449 U.S. 383 (1981).  And they serve two vital purposes.  After all, a poker player does not show his hand to his opponents until called and a moviegoer does not yell fire in a crowded theater without seeing flames. 

The DOJ’s shift to a “call first” policy is seismic and defeats both of the foregoing tenets. If a company involves the government in the investigation process from the outset, its hand is tipped, and there can be no assertion of attorney-client privilege and work-product doctrine protection in subsequent reviews or in litigation. In addition, once DOJ is involved, its knowledge of Company X’s alleged problem becomes part of the public domain and subject to disclosure to the investing public on a schedule of the government’s own making.

As a result, while following Mr. Breuer’s suggestion may be advisable for a given company in a given situation, the pitfalls of a blanket adherence to this recommendation should be carefully considered by the business, compliance, and legal functions of every corporation.

© James McGrath 

James McGrath is the managing partner of McGrath & Grace, Ltd., a law firm that specializes in conducting independent corporate internal investigations for companies across the United States and around the world.
