FCPA Compliance and Ethics Blog

May 19, 2013

The Drugstore Cowboy and Compliance

One does not have to look very far in the business world to come across the phrase “Know Your Customer.” A company certainly needs to know if an entity that it may sell products or provide services to will pay for those items. Running a Dun & Bradstreet credit check is routinely performed to ascertain if a counter-party is a good credit risk. But how much more should a company do in regards to its customers? Clearly banks, other financial institutions and even casinos need to assess a customer from the perspective of anti-money laundering (AML). Is there a reason grounded in the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act that would suggest that customers should go through background scrutiny from the anti-bribery/anti-corruption compliance perspective?

I thought about internal controls regarding due diligence requirements on customers, effective compliance programs and third party validation of credentials when reading an article in the June issue of Wired Magazine, entitled “Drugstore Cowboy”, by Jake Pearson. I found this article to be a very cautionary tale for those companies which need to consider just whom they are doing business with or for. The story involved an undercover sting operation by the US government against Google. The operation involved a convicted felon, one David Whitaker, who convinced law enforcement authorities that Google had assisted him, in violation of its own internal protocols and US laws, to sell illegal “black market steroids and human growth hormones” online. Whitaker told federal officials that “Google employees had actively helped him advertise his business, even though he made no attempt to hide its illegal nature.” Based upon his experience, Whitaker believed that Google must be “helping other rogue Internet pharmacies too.”

On paper, it appeared from the article that Google had a system designed to ferret out sites which used words or had other indicia that they were selling illegal drugs. There was an initial screening by a Google sales representative. There was an automated program which searched for key words that might indicate illegal drugs were being sold. There was a review of the website itself to see if other factors were present which might show that illegal products were being sold. Finally, Google used a third party verification service to attest that any site selling pharmaceutical products was properly licensed.

Based upon his experiences, the government set Whitaker up with an alias, fake company, bank account and phone lines and then monitored and watched him to see if his claims were true. He was told to see if Google would actively assist him to sell advertising for a non-existent company called “SportsDrugs.net, a website that sold HGH and steroids from Mexico, with no doctor’s prescription.” The plan that Whitaker used was straightforward.

  1. Establish a fake identity. Whitaker made cold calls to representatives of Google to get set up as an account in the company’s system.
  2. Submit the site. The feds designed the sting operation so that it would be obvious the false company was selling illegal drugs. So it offered HGH and steroids, had pictures of the drugs and even had a ‘Buy Now’ button to make clear that no doctor’s prescription was required. The Google sales representative passed the fake sales site along for “policy review, an automated process that Google uses to vet all advertisers.”
  3. Scrub the site. After the fake sales company was initially rejected by the policy review process, a Google representative agreed to help “tweak it” so that it would pass through the Google approval process. The Google sales representative advised Whitaker to rename the site, remove the pictures of the illegal drugs and delete the ‘Buy Now’ button from the site.
  4. Rework the site. After the suggested changes were made by Whitaker, his fake site was approved by Google. Thereafter the items which had been removed from the website, including both the photos of illegal drugs and the ‘Buy Now’ button, were added back into the site, all with the assistance of the Google sales representative.
  5. Raise the stakes. In this phase, the undercover sting operation widened. After their initial success with SportsDrugs.net, the feds created other fake websites for Whitaker, all of which purported to sell illegal drugs. The other sites included one selling “RU-486, better known as the abortion pill, which is normally taken under close supervision of a doctor.” Another site sold the psychotropic drugs Xanax and Valium, both without any need of a doctor’s prescription. In a final example the feds created a ‘Trojan Horse’ site, in which a pharmacy site that held a valid license also had sales for “three clearly disreputable online pharmacies.”

The chilling thing I found in this article was it reported that in each one of the false scenarios, Whitaker was reported to have explained to the Google representative the true nature and purpose of the site. All of the information that Whitaker conveyed made clear that these sites were designed to sell drugs which are illegal in the US, without a doctor’s prescription. In just over the span of three months, the undercover operation spent over $200,000 with Google.

Google ended up settling with the US government for a fine of $500 million. Although Pearson did not quote Peter Neronha, the US Assistant District Attorney who headed the investigation and enforcement action, Neronha was quoted as telling the Wall Street Journal (WSJ) that the “culpability went far higher than the sales reps that Whitaker worked with. Indeed, he said, some of the company’s most powerful executives were aware that illegal pharmacies were advertising on the site.” Google itself would not comment for the Pearson article.

From the account in the Pearson piece it would appear that Google had a system in place to check and make sure that it was not advertising sites which sold illegal drugs but that system, both human and automated, was worked around. For the anti-corruption compliance practitioner, I think that there are several key lessons which can be learned from this tale.

Train, Train, Train. If you sell services, which can be used to facilitate illegal conduct, you need to train your sales force to watch out for signs of that illegal activity. The initial Google sales representative who was contacted by Whitaker should have been the first line of prevention to stop the issue before it came up for the company.

Monitor, Monitor, Monitor. There should be several types of monitoring. If a business name comes through your system and it is rejected, there should be a monitoring mechanism in place to note if it reappears later or is approved through some other means, as was done in this situation. Similarly, if the name of a business owner comes up in connection with another company, there needs to be a mechanism in place to perform a cross check. The sales representatives should also be monitored to determine if they are manipulating the system.

Incentives, Incentives, Incentives. While not discussed in the Pearson article, what do you want to bet that the Google sales representatives were compensated, at least in part, with a commission based upon the number of GoogleAds that they sold? If your compensation structure or other incentive structure rewards people who use shortcuts, then there will always be employees who take them.

Audit, Audit, Audit. Remember the part of the story about how the Google sales representative would advise Whitaker how to scrub his website of key words, search terms and other information which would indicate that it was selling illegal pharmaceuticals only to reinsert those on the site after the scrubbed site had been approved? You need to audit to determine if any illegal conduct has begun after the contract is signed. And if you do not have audit rights, you have a very slim chance of actually performing an audit.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

May 16, 2013

Four Keys to Compliance Leadership

One of the most divisive moments in American history occurred on this date in 1868. On this day the US Senate voted against impeaching President Andrew Johnson thereby acquitting him of having committed “high crimes and misdemeanors” as required under the US Constitution. After all the arguments had been presented for and against him, Johnson waited for his fate, which hung on one swing vote, as there is a Constitutional requirement that requires a vote of 2/3rds of the Senate for impeachment. The vote was one short, at 35-19. Johnson was acquitted and finished out his term. If Johnson had been impeached, it surely would have led to a very different political development in the US, where not liking the sitting President could have become a constitutional basis for impeachment.

The Radical Republicans who ran the Congress immediately after the conclusion of the Civil War certainly did not think much of President Johnson’s leadership style. So what about you as a compliance officer? Certainly part of your leadership is implementing and enhancing policies and procedures? In many ways it is the human element, which President Johnson sorely lacked, that you may well need to devote most of your time focusing on. I recently read an excellent article in the Corner Office section of the New York Times (NYT), entitled “We’re Family Yes, but We’re Still Accountable”, in which Adam Bryant reported on his interview with Brooke Denihan Barrett, the co-Chief Executive Officer (co-CEO) of the Denihan Hospitality Group (Denihan), a 50-year old family business which focuses on the hospitality business.

Training

One of the things that Barrett has learned is how to train people. She explained that “I thought the way you got things done was by telling people what to do. That’s where I learned what not to do. I spent a good portion of my time telling people what they did wrong instead of really encouraging them about what they did right.” She came to realize that was perhaps not the best way to manage people and “learned to cut people some slack.” She said that she found “that you get a lot more with the carrot routine than the stick routine. I also realized that you really needed to explain the “why” of things. You need to give people a little bit of space to come around, and say, “Yeah, that makes sense,” before you really engage them in what needed to be done.”

I found that her final point may be critical for compliance training. By explaining the why of compliance, employees can better understand what the company is trying to accomplish. So if your goal is to do business in an ethical manner, then explain this and how the company’s compliance program will help to accomplish this goal through its policies and procedures.

Accountability

One of the things that Barrett emphasized was the erroneous perception that because her company was a family business there was no accountability. She made clear that “You have to set certain standards that you want people to live up to. And if people need help, then we want to help them along the way.” However, accountability is a two-way street. Just as the employee must be held accountable, so must the company in terms of providing support to allow employees who want to do the right thing and to do their job well. Barrett said, “Sometimes organizations can fall down if they don’t also ask: How do you give people the tools they need to be successful? How do you get that person to understand what change needs to happen, and how do you help them along the way? Because people can’t always figure it out on their own, and nor should you expect them to.”

Listening

Many of the CEOs that Bryant interviews for his Corner Office section speak about the need for listening skills. Barrett was no exception. But as CEO she found that employees were sometimes reluctant to speak openly and candidly with her. So she began to meet with employees in small groups of 10 to 12 people. At Denihan they call them ‘Roundtables’. Barrett said that she will say to them, “‘Tell me something I don’t know.’ And I’ll get comments like: ‘Oh, but you know everything. You’re the C.E.O.’ It’s just a reminder of the perceptions that people have of the head of the company. But every time I ask that question, I learn something new.” Imagine as a compliance officer if you were to ask that question in a roundtable, what do you think you might hear back from your company’s employees?

Barrett also spoke about how to have a ‘difficult conversation’. She said that if there is a mistake made she views it as an opportunity for learning and professional growth. At Denihan, they call them ‘lessons learned conversations’ and they may occur with a group where a problem has arisen. Barrett related, “we might bring people together in a room who were involved in a project and ask: What were the things that worked? What were the things that didn’t? What could we have done differently? And we’ve had some very spirited and cathartic conversations. You have to be able to let people put something on the table without actually pointing the finger. It allows things to come out in more of a non-accusatory manner.”

Hiring and Promotion

These are two key areas in compliance that are finally beginning to receive the attention that they deserve. Barrett’s thoughts on how she views these in the context of her interviewing are instructive. She acknowledged that by the “time somebody meets me, you can assume that the skills are there. So what I interview for is fit. And I’m always very curious to know, what is it about our company that appeals to that person?” She asks specifically about culture, requesting that the candidate define it and explain how that culture is special. She also asks candidates to talk about a failure, what lessons they learned from the experience and how they dealt with it. I would suggest that both of those lines of inquiry should be used when evaluating a candidate for hire or promotion.

Barrett’s interview provided some interesting insights on leadership. Moreover, her experience in professional growth has shown there are different styles and techniques that you can successfully use in your company’s compliance program. Train people on the reasons why your company is doing compliance so that they will understand how to do it. Make them accountable but also provide them with the compliance tools and support to do business the right way. If there is a problem or issue, use it as a lesson learned so that employees can profit from the experience. Lastly, make a discussion of culture a cornerstone in your hiring interview or promotion interview process.

© Thomas R. Fox, 2013

January 18, 2013

How to Reach Your Audience in Compliance Training – The Use of Charisma

One often hears or reads about complaints that compliance training is dull, nay even boring. I mean, how many times can you expect someone to be lectured to on the riveting subject of the Foreign Corrupt Practices Act (FCPA) or even the UK Bribery Act? Coupled with the legally spellbinding subject, the sessions are often led by lawyers who are training non-lawyers. What can I say; the audience does not always have the appreciation of the subject that I do. I thought about this ongoing conundrum when I came across a recent article in the Financial Times (FT), entitled “The subtle secrets of charisma”, by author Alicia Clegg. The focus of her article was that senior managers, by learning techniques of rhetoric, vocal cadence and gesture, can become more like leaders. However, I thought that her tips could also help the compliance practitioner in the more mundane area of compliance training.

In her article, Clegg cited to the example of an Infosys executive who was introducing a “controversial HR policy to his company.” During the talk, he felt that his audience was quite restless and “sensed that he was failing to take his listeners with him.” The Infosys executive was quoted as saying “After the talk, people asked me, privately ‘Do you really think this is the right thing to do?’” “I thought: ‘Well, yes, actually, I do. Isn’t that what I said?’” He had failed to convince. Today, however, the executive would deliver a far different talk. Clegg said that “he would acknowledge his colleagues’ concerns, share his own feelings and perhaps tell a personal story. He might modulate his voice; organise his key points into pithy three-part lists; use metaphors; smile or frown occasionally, while gradually building to a statement of personal conviction or a vision of a better future.” In other words, he would work these concepts of ‘charisma’ into his chat.

Clegg discussed the work of John Antonakis, a professor of organizational behavior at Lausanne University. In a June Harvard Business Review article he published, along with colleagues Marika Fenley and Sue Liechti, entitled “Learning Charisma”, Antonakis argues that having charismatic qualities can turn a competent manager into someone that others notice and want to follow. Antonakis and his team claim to have identified twelve communication habits, rooted in the principles of “classic rhetoric, that make a speaker appear more authoritative, trustworthy and persuasive – in short, more like a leader. Nine of the techniques are verbal: using metaphors and easy-to-remember three-part lists; telling stories; drawing vivid contrasts; asking rhetorical questions; expressing moral conviction; reflecting an audience’s sentiments; and setting high but achievable goals. The rest are non-verbal: raising and lowering your voice, letting your feelings show in face and hand gestures to reinforce what you say.” Their case for their charisma training runs counter to a recent theme in management ideas that plays down corporate stars in favor of teams.

Clegg writes about old ways of making new points. She says that the modern-day science of persuasion is rooted in three “rhetorical appeals” described long ago by Aristotle. The three are: ethos, logos and pathos.

  • Ethos – establishing your credentials and building rapport. Here, “useful ethos techniques include speaking your audience’s language and reflecting their concerns in what you say.” You should recognize that staff are likely to be more interested in what’s changing for them – how will their job be different?
  • Logos – persuading through logic. Here, “useful logos techniques include contrasts and rhetorical questions, which can clarify choices by juxtaposing good and bad outcomes and combine reason with emotion; three-point lists are easy to recall and suggest completeness.” As a lawyer, I found comfort that, as stated in the article, using trios of points can add a purposeful edge to your presenting technique.
  • Pathos – persuasion with emotion. Under this technique, “useful pathos techniques include stories, metaphors, lowering or raising your voice; while gestures and facial expressions can heighten emotional force.” But here one must be careful to respect cultural differences, as “What Asians consider over-the-top, southern Europeans may consider emotionally repressed.”

Clegg cites to other examples of effective rhetoric. She quotes Sam Leith, author of “You Talkin’ to Me?” who says “Effective rhetoric need not be fancy rhetoric.” Rather than cultivating a high-flown style, he advises novices to tune into how their audience thinks, and to listen to how they speak. He identifies General George Patton as a master of the art of persuasive plain-speaking. In the final weeks of World War II, the general exhorted his troops to redouble their efforts with the words “The quicker they are whipped, the quicker we can go home”. This got the audience of his troops on his side because getting home was what mattered to them the most.

Clegg also discussed the well-known technique of repetition. She included Martin Luther King’s ‘I Have a Dream’ speech where King used the device of repeated phrases at the start of successive clauses so that there develops “an appreciation of what is easy on the ear is important.” Clegg also discussed the technique of chiasmus, “in which the second half of a statement reverses the order of words in the first − as in ‘ask not what your country can do for you – ask what you can do for your country’. The words were simple and direct – and their impact all the greater.”

Antonakis argues that these techniques can be taught and, more importantly, learned and that “everyone can improve with practice.” But Clegg cautioned that there is more than simply having commanding rhetoric. A good leader must be a good listener as well. She cites to the work of Harvard academician Rosabeth Moss Kanter who argues in her blog that “it is how well you listen, rather than how well you talk, that persuades people to do things.”

Clegg appropriately ends by noting that no matter how good your rhetorical techniques are, “It is not just what you say, or how you say it, that convinces people you are not phony. You can dress things up with all the anaphora and epistrophe in the world, but if you don’t have a deep sense that something is important you’re not going to persuade anyone.”

So for the compliance practitioner who puts on training there is plenty of good advice on rhetorical techniques that you can use. But, most importantly, don’t be phony.

© Thomas R. Fox, 2013

October 3, 2012

NFL Replacement Referees-the Lessons of Training Temporary Employees

The short autumn of our discontent is over as the United States has ended one of its greatest national convulsions of recent memory. Am I speaking of the attack on the US Consulate in Libya, the current stalemate of US politics and the Presidential race, or the upcoming financial cliff over which the US may dive on December 31?

No, I am talking about the debacle of replacement referees by the National Football League (NFL). After an eight week lockout by management, including three regular season games, the results were so catastrophic for America that the NFL finally came to its senses and settled the labor dispute.

How bad was the fallout? So bad that the controversy not only made the front page of the Financial Times (FT) last week but it also made the FT’s Op-Ed page on September 29, in a piece written by FT Senior Editor Christopher Caldwell, in an article entitled “NFL falls foul of the ‘drunken Santa’ problem”. Caldwell used the (unfortunately) well known fact of US department stores hiring alcoholics to pose as Santa Claus during the Christmas holidays as the lead in for a discussion of “O-Ring Theory of Economic Development” as articulated by Michael Kremer. Kremer’s thesis is that in “high-value added fields, where one malfunction in a complex chain can destroy all value, special rules apply.” This leads to the concept, found in the employment relations context, where there is a “positive correlation between the wages of workers in different occupations within enterprises.”

I would add one additional corollary to the above. That is training. The replacement referees obviously did not know the rules and when they did know the rules, they had great trouble applying them in game situations. In other words, they had not been properly trained.

Why is training of temporary employees important in the context of an anti-corruption/anti-bribery compliance program? I would point to the ongoing Foreign Corrupt Practices Act (FCPA) investigation into the activities of Hewlett-Packard (HP) as the Poster Child for training of temporary (or contract) employees on your company’s anti-corruption, anti-bribery program. As reported by Karin Matussek of Bloomberg News on September 13, 2012 three former HP managers were charged in Germany in a corruption investigation over improper payments made to win a €35 million ($45 million) sale of computers to Russia about nine years ago. One of the ex-managers charged is a Finnish woman; the other two are men, one American and one German. The German authorities started their probe back in 2009, after provincial tax authorities found, in a routine audit of an unrelated company, evidence of payments for which “real use could be established for some payments found in the accounts. The owner of that company was charged.” German Prosecutors also requested and received permission from the Court to make HP an associated party to the case. Prior to the Court ruling on this request, Matussek quoted Wolfgang Klein, spokesman for Saxony’s Chief Prosecutor’s Office, who told her that “If the court grants that request and the allegations are proved, Hewlett-Packard’s profits from the transaction may be seized”.

The HP story was broken in the US by the Wall Street Journal (WSJ) in April, 2010. In the article it was reported that one witness said that the transactions in question were internally approved by HP through its then-existing contract approval process. Mr. Dieter Brunner, a bookkeeper who is a witness in the probe, said in an interview that he was surprised when, as a temporary employee of HP, he first saw an invoice from an agent in 2004. “It didn’t make sense” because there was no apparent reason for HP to pay such big sums to accounts controlled by small businesses. He then proceeded to say he processed the transactions anyway because he was the most junior employee handling the file: “I assumed the deal was OK, because senior officials also signed off on the paperwork”.

Think what position HP might be in today if this temporary employee had been trained on the company’s system for internally reporting compliance issues. If Brunner had escalated his concern that the payment to the agent “didn’t make sense”, perhaps HP would not have been under investigation by governmental authorities in Germany and Russia. In the United States, both the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have announced they will also investigate the transaction, which it can only be supposed is for potential FCPA violations. While HP has not made any public announcements regarding the costs of the investigation to date, it can only be speculated that the costs are in the millions because HP is the subject of investigations in at least three separate jurisdictions, the US, Germany and Russia, regarding the transaction at issue. Further, HP is now investigating other international operations to ascertain if other commissions paid involved similar allegations of bribery and corruption as those in this German subsidiary’s transaction.

Training is recognized as one of the points in the 13 point minimum best practices compliance program as delineated by the DOJ and as one of the elements under the US Sentencing Guidelines’ Seven Elements of an Effective Compliance Program. It is also recognized in Principle 5 of the Six Principles of an Adequate Procedures compliance program as set out by the UK Ministry of Justice (MOJ). Lastly, it is recognized by the OECD in its 13 Good Practices for Internal Controls, Ethics and Compliance.

When refereeing a sporting event, one has to know the rules and how to apply them. What were the real referees doing while the NFL had locked them out? They were training. Each week, they took a written test on the rules of football. Each week they studied the games which were played for issues that arose. In other words, during the NFL lock-out of its referees, the referees were still training. This ongoing training for the real referees was nothing new or different than they have traditionally done as they did so when a contract existed and they were working NFL games.

I understand that compliance training fatigue can set in if such training is given too often. However, companies need to realize that when professionals handle job duties which are high risk within the context of a FCPA or UK Bribery Act compliance regime, there must be training on not only the specifics of a company system but also on how to escalate a concern. Think about where HP might be right now if the contract accountant had been trained on how to use the company hotline.

So the autumn of our discontent has turned into glorious fall colors with the return of the real referees. But for the compliance professional, the real lesson is training. Coupled with the ongoing HP FCPA investigation matter as a teaching moment, I would suggest that you review how many contract employees your company has in high risk compliance positions. Do not simply look at persons in the sales chain but also those in positions who may be reviewing high risk transactions. Do you have any contract accountants, such as HP had in its German subsidiary? How about contract attorneys or even outside counsel reviewing such transactions? What about contract personnel in internal audit? If so, have they been trained on your company’s compliance program and how to escalate a concern?

I hope that you will consider these questions before you end up as a national laughingstock or on the front page of the FT.

© Thomas R. Fox, 2012

January 10, 2012

Using KPIs to Measure Your FCPA Compliance Program

One of the ongoing questions faced by compliance practitioners is how to measure the effectiveness of your company’s Foreign Corrupt Practices Act (FCPA) compliance program. In an article in the December 2011 issue of the SCCE Magazine, entitled, “How does your compliance program measure up?” author Danielle Herrick explores this question. She concludes that the best manner “to measure colleague knowledge and adherence to policies and procedures is through the development of a comprehensive compliance monitoring program.” Herrick sets out a six point plan which not only contains clear metrics but can also be “used to foster continuous improvement” in your company’s compliance program.

  1. Agreed upon scope and strategy. This is more than simply buy-in from management. There are several approaches which you can take and consistency in your approach is a key to obtaining measurable results.
  2. Core program. Herrick believes that the broadest range of policies and procedures which apply to all employees across the globe should be the foundation of your company’s monitoring program. This should include your Code of Conduct and the policies and procedures of your compliance program.
  3. Standard tools and templates. These are important not only to achieve consistency but also due to the upfront cost of development. If you can develop and utilize the same measuring tools and reporting templates this will decrease costs and increase efficiencies over monitoring cycles.
  4. Reporting. Herrick states that “By assigning numeric results to key performance indicators, you can easily manage the effectiveness of your compliance program.” This will also allow you to better track progress over time.
  5. Training and communication. This allows the compliance practitioner to engage in further compliance training when performing compliance monitoring. This is a useful tool where computer based compliance training is the norm as it allows the compliance officer to have another opportunity to interact on a more direct level with company employees.
  6. Continuous improvement. Ongoing monitoring provides not only the opportunity but sets the basis for ongoing enhancement to your company’s compliance program. You can utilize the results to effect improvement on a broad based focus or at a more granular level.

Herrick’s approach is a good starting point for any compliance practitioner to design an ongoing monitoring program. As your company’s compliance program matures, further and greater refinement will be not only necessary but also more difficult. Management will expect performance measurements of a compliance program, as it would from any other program. I recommend her article as a valuable guide.


© Thomas R. Fox, 2012

October 31, 2011

The Seven Deadly Sins for a Compliance Program

In an article in the October/November issue of Society of Corporate and Compliance Ethics Magazine (SCCE), entitled “The seven biggest mistakes companies make that erode ethical culture and destroy reputation”, author Eric Feldman reviews his version of the Seven Deadly Sins for a company’s compliance and ethics program. He notes that while the “most severe consequences of corporate ethical lapses can be mitigated, even avoided, by proactive care and feeding of a corporate culture,” when a compliance crisis arises it may well be “too late to put the genie back in the bottle.” However, following his seven prescriptions may well be the difference between a “bump in the road or falling into quicksand” when the government comes knocking.

1.      Putting the Code of Conduct on your Shelf

A Code of Conduct is not solely a reference tool, like a dictionary. An effective Code of Conduct is a “manifestation of a company’s core values.” In the words of Lanny Breuer, it is a living document and should be regularly updated, not sitting on the shelf for many years, without any updates. Recommendation- Demonstrate leadership and tone at the top.

2.      Ignoring your Company’s Culture

Feldman defines compliance as adherence to “laws, rules and regulations” and ethics as a guiding set of “core principles that guide a company’s behavior.” Put another way, does your company only “talk the talk” of ethics or, more importantly, does it “walk the walk” as well? Recommendation – Corporate focus on regular assessment and improvement of ethical culture.

3.      Worshiping at the Altar of Highest Grade Point Average

Interestingly, Feldman believes that companies which proudly proclaim that they hire only the “best and the brightest” may be setting themselves up for a big compliance problem. His root cause analysis is that Gen X’ers and Gen Y’ers have more problems with “résumé credibility” than older workers. He notes that integrity needs to be a high basis in employee recruitment. Recommendation – Incorporate an ethics component into your hiring and interview process.

4.      Letting the Money Talk

There needs to be a clear compensation system based on reference to how an employee conducts business. This is true both for monetary compensation and promotion in the organization. Recommendation – System of sanctions for ethical violations and rewarding those who do business in an ethical manner.

5.      The Parent Trap – Do as I say, not as I do

This relates to Point 2. Your company needs to have in place a compensation and promotion system which rewards good ethics and compliance. I often use the example of the following: some Regional VP (outside the US – you pick the foreign region) is alleged to have said the following, “If I violate the Code of Conduct, I may or may not get caught; If I violate the Code of Conduct and get caught, I may or may not be disciplined; If I miss my numbers for two months, I will be fired.” If that is the reality, guess what, the Regional Vice President (VP) will make his or her numbers. Recommendation – Values based ethics training.

6.      Ethics in the Corner

Feldman writes that nothing speaks volumes louder than creating a company Chief Compliance Officer (CCO) and not giving that person sufficient clout within the organization to get the job done. This will certainly be true if the government comes knocking. If the CCO is not high enough up in the organization or does not have the budget to accomplish the compliance mission, employees will clearly see this and react accordingly. Recommendation – A CCO who has both the authority and the budget to get the job done.

7.      Shooting or Ignoring the Messenger

Here Feldman is referring to the employee who reports ethical misconduct and suffers retaliation. Although every company says it never retaliates, the sad truth is very different in corporate America. This leads to too many employees staying silent about “fraud and misconduct striving in their organizations.” Worse yet is when the government comes knocking and they tell the investigator that they were afraid to report the misconduct. Recommendation – An anonymous hotline that earns employee credibility.

Feldman’s seven deadly mistakes provide an excellent framework for any company to assess its overall compliance program from a high level. While perhaps not rising to the level of “sins”, the answers will allow the compliance practitioner to be ready to respond if the Department of Justice comes a calling.

=======================================================

My This Week in FCPA colleague Howard Sklar begins a 4 part webinar series on “A Brave New World FCPA and UKBA: Take Steps to protect your organization now” next week. Registration and information is available at http://ht.ly/7ewKI. 


© Thomas R. Fox, 2011

June 14, 2011

FCPA Training: Some Practical Aspects of Resisting a Bribe

Filed under: FCPA,Training — tfoxlaw @ 1:22 am

I recently was asked to prepare some Foreign Corrupt Practices Act (FCPA) training which used examples of requests for bribes to help prepare the company’s employees if they are solicited to pay a bribe. To do so I relied on the expanded edition of Resisting Extortion and Solicitation in International Transactions (RESIST). It is a practical tool to help companies train employees to respond appropriately to a variety of solicitations.

Iohann Le Frapper, who chaired the RESIST initiative, stated that “RESIST is the only anti-bribery training toolkit developed by companies for companies and sponsored by the four global anti-corruption initiatives working on the supply side of the issue of fighting corruption,” and it “helps businesses avoid solicitation from the onset”; it also provides practical advice on how best to confront demands for bribes when they do arise.

RESIST presents 22 scenarios which discuss solicitation of bribes in the context of project implementation and in day-to-day project operations. Each scenario presented is designed to respond to two basic questions with real world facts and responses:

  • Demand Prevention – How can the company prevent the demand from being made in the first place?
  • Demand Response – How should the company react if such a demand is made?

The paper also presents a general list of suggestions which companies can implement to assist in their overall FCPA compliance effort. Embedded within are specific procedures to put these general suggestions into practice. For example, the suggestions on Demand Prevention include (1) general company anti-corruption policies; (2) policies on facilitation payments; (3) policies for company representatives who may be exposed to solicitation of bribes; (4) techniques for dealing with specific risks; (5) due diligence of agents and intermediaries; (6) management of agents and intermediaries; (7) implementation of additional control procedures; (8) transparency in the procurement process; (9) initiation of collective action to improve overall business integrity; and (10) implementation of legal and financial precautions. The suggestions on Demand Response include: (1) the immediate response; (2) internal company reporting; (3) company investigation, including discussion with the relevant persons; (4) disclosure to the appropriate external source, if appropriate; and ultimately (5) withdrawal from the situation, whether it is the project or the entire country.

Using the RESIST scenarios I was able to create training which many of the participants felt gave them some hands on advice in situations they might face. It fleshed out many of what the employees felt were the more theoretical aspects of the FCPA. The RESIST tool is a useful aid and one that I recommend for the FCPA compliance specialist. It provides a list of common scenarios, which companies have faced in the past, how to handle them and proposes controls to implement to try and ameliorate the solicitation of bribes and outright extortion.

The full document may be downloaded at http://www.iccwbo.org/policy/anticorruption/index.html?id=37568.


© Thomas R. Fox, 2011

January 24, 2011

Evaluation of FCPA Compliance Training

One of the key goals of any Foreign Corrupt Practices Act (FCPA) compliance program is to train company employees in awareness and understanding of the FCPA; your specific company compliance program; and to create and foster a culture of compliance. The testing and evaluation of your FCPA compliance training program is recognized under the US Federal Sentencing Guidelines as a key component in the overall effectiveness of a FCPA compliance program. Indeed the overall effectiveness of a FCPA compliance program is one of the factors that the Department of Justice (DOJ) reviews in determining whether or not to charge a company. In their book entitled, “Foreign Corrupt Practices Act Compliance Guidebook”, authors Martin and Daniel Biegelman explore some techniques which can be used to inform a company’s FCPA compliance training.

The authors suggest an approach, which is formulized by the acronym SMART, which is defined as follows:

  • Specific: clear and concise training which can be understood by all employees;
  • Measurable: the training has defined metric requirements such as post-training testing and pass rates;
  • Achievable: reachable, sustained and reasonable results such as training attendance;
  • Relevant: a program which will inform and/or measure the desired behavior; and
  • Timed: a realistic time frame for completion.

The authors also list several other considerations in the delivery of FCPA compliance training. What is the most effective type of training for your organization? Obviously live training is an important method of delivery. But this may not always be possible so computer based training, video training, web-based training or a combination of these different types of training can be useful to your organization. (For our prior two part series on Effective Compliance Training, see here and here.)

While most people tend to overlook the issue of attendance at training, it is an issue that should also be considered. You should determine that all senior management and company Board members have attended FCPA compliance training. You should review the documentation of attendance and confirm this attendance. Make your department, or group leaders, accountable for the attendance of their direct reports and so on down the chain. Evidence of training is important to create an audit trail for any internal or external assessment or audit of your training program.

The authors encourage post-training measurement of employees who participate in training. A general assessment of those trained on the FCPA and your company’s compliance program is a starting point. They list five possible questions as a starting point for the assessment of the effectiveness of your FCPA compliance training:

  1. What does the FCPA stand for?
  2. What is a facilitation payment and does the company allow such payments?
  3. How do you report compliance violations?
  4. What types of improper compliance conduct would require reporting?
  5. What is the name of your company’s Chief Compliance Officer?

The authors set out other metrics which can be used in the post-training evaluation phase. They point to any increase in hotline use: are there more calls into the compliance department requesting assistance or even asking questions about compliance? Is there any decrease in compliance violations or other acts of non-compliance?

In addition to the training and the evaluation you perform on your company and its employees, you should also consider the FCPA compliance training of your business partners. A company needs to consider the FCPA compliance training of its supply chain vendors, contractors, agents, resellers, distributors, joint venture partners and others with which it does business or which in some way represent it. This requirement for training of third party business relations is becoming a more critical component of a best practices FCPA compliance program.

The DOJ has made clear that it regards both assessment and evaluation of FCPA compliance training as a best practice. This overall evaluation should become a standard part of your FCPA compliance program. The authors Martin and Daniel Biegelman have provided a valuable resource to guide you in following this best practice.


© Thomas R. Fox, 2011

 

January 19, 2010

EFFECTIVE COMPLIANCE TRAINING

“Conducting effective training programs” is listed in the 2005 Federal Sentencing Guidelines as one of the factors the Department of Justice will take into account when a company, accused of an FCPA violation, is being evaluated for a sentence reduction. The Sentencing Guidelines mandate states “(4) (A) The organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to the individuals referred to in subdivision (B) by conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities.”

But what is an “effective training program”? Andrea Wrage has written in her blog Wragblog and Ethisphere Magazine that she believes there are two general approaches to ethics and compliance training. The first approach focuses on knowledge of the rules “as clear and sharp as barbed wire” so that the cowboys in the company will not run wild. This is the approach most US in-house lawyers feel is required for their company’s operations teams and is generally designed to help avoid criminal liability.

The second is to train on ethical values and is more prevalent in Europe where ethics and compliance are more designed to communicate a company’s underlying corporate values in its operations. This approach anticipates that most employees are decent and law-abiding and will not knowingly engage in bribery and corruption. Additionally, you can never create enough rules to govern every situation and train each employee on every rule so a company must hire trustworthy people and give them sufficient information to make the correct ethical and compliant decision. Ms. Wrage characterizes the two different approaches as “ethics” vs. “values”.

Both approaches have merit but both can catastrophically fail without the other components of an effective compliance program. Although it was not brought down by an FCPA violation, the Enron Code of Ethics was viewed (at least at one time) as one of the strongest in the energy industry. And not to focus on US companies only, Siemens had one of the most robust Codes of Ethics for a European company before its multi-billion dollar (or euro, take your pick) fine and profit disgorgement. So the training on both of these companies’ “Gold Standard” codes of ethics did not turn out to be too helpful.

So what should a company’s training focus on to be “effective” under the Sentencing Guidelines? It appears that effective ethics and compliance training should emphasize both approaches. Americans are long taught what the rules are in whatever life they choose. They expect to be told what the rules will be so that they know where the line is drawn that they should not step over. Probably the single comment I have heard the most when putting on ethics and compliance training in the US is “Just tell me what I can and can’t do”. However, really effective training requires that employees be able to apply the rules to the incredibly wide and ever-changing situations which confront them in the real world. This is where communicating a company’s values is important. In other words, how would your conduct look if it was plastered on YouTube the next week?

This is the first of a two-part series on ethics and compliance training.


© Thomas R. Fox, 2010
