FCPA Compliance and Ethics Blog

July 19, 2012

Halliburton Shareholder Derivative Action Settlement: Lessons for Enhancements to Your Compliance Program

In a story first reported in the Wall Street Journal (WSJ), entitled “Halliburton Says Court Approved Corruption Lawsuit Settlement”, Sam Rubenfeld reported that Halliburton has settled a shareholder derivative action which had been filed in state district court in Houston, Texas. The lawsuit, the consolidation of actions brought by two institutional shareholders and one individual shareholder against the company and its Board of Directors individually, had alleged that “the board’s failure to stop the activity caused the company to have to pay hundreds of millions of dollars in settlements and fines, and it damaged Halliburton’s reputation.”

The settlement is interesting for several reasons. Initially, it should be noted that Halliburton will not pay any damages. More than that, Rubenfeld reported that “the plaintiffs said in the settlement they faced ‘very steep hurdles’ in establishing that the directors named in the suit were liable for the illegal activity, and that it was unlikely they would win damages ‘even closely approaching’ what they sought in litigation”. In the settlement, Halliburton agreed to make changes to its corporate governance structure “including a clawback of compensation for board members who were involved in or approved the activity, beefing up its compliance program and strengthening the roles of its board members.” In other compliance areas, the company agreed to publish “newsletters and internal bulletins to include at least six articles per year addressing ethics and compliance issues.” Finally, Halliburton agreed that its “code of conduct has to be revised so as a layperson can understand it, and it has to be changed to specifically prohibit the use of bribes and kickbacks.”

I. Clawback Provisions

There were several specific provisions relating to clawbacks which may well now become standard provisions for officers and directors of companies going forward. They related to both monetary compensation and non-monetary compensation, such as stock. All the provisions turn on the following:

  1. If an officer or director is named for “substantially participating in a significant violation of the law”;
  2. And either a company investigation determines the officer’s or director’s conduct was “not indemnifiable”; OR
  3. The officer or director “does not prevail at trial, enters into a plea arrangement…or otherwise admits to the violation in a legal proceeding.”
  4. Then the clawback is triggered.

II. Greater Oversight of Compliance

The settlement specifies several steps the Audit Committee of the Board should take to enhance its role in the compliance function including holding more regular meetings and reporting to the full Board on issues relevant to compliance and risk management in general. The settlement also specified that a Management Compliance Committee shall be created and detailed investigation and reporting protocols for any “Significant Violation of any federal or state law”.

III. Compliance Program Enhancements

Here the settlement specified that employees working in high risk countries “who have job descriptions associated with business development and procurement activities” [emphasis mine] should have annual compliance training. The settlement also required Halliburton to rewrite its Code of Business Conduct in plain English “so that it is written in a manner as is commonly understood by a layperson.” The rewritten Code of Business Conduct is to be expanded to make clear that foreign bribery and kickbacks are prohibited and that the company will not use agents recommended by foreign governmental officials, unless such agents are screened through appropriate due diligence. As noted in Rubenfeld’s article, Halliburton agreed to publish newsletters and provide email updates and intranet postings, which will address compliance at least six times per year. The company agreed to strive to maintain a ratio of one “Audit Service position for every 5,000 employees” and to certain restrictions in hiring a Chief Financial Officer (CFO).

In a section headed “To assure that its compliance program be deemed ‘effective’ under the revised Federal Sentencing Guidelines”, the company agreed to have a compliance program which would be designed to detect an offense “before discovery outside of the organization or before discovery was reasonably likely”. If there is a determination that such conduct occurs, the company will take steps to prevent it from recurring. Halliburton agreed to take “reasonable steps to remedy the harm from criminal conduct”. Lastly, the Chief Compliance Officer (CCO) was given direct reporting authority to the Board and directed to report “no less than annually on the implementation and effectiveness of Halliburton’s compliance program.”

This settlement is a welcome addition for the compliance practitioner. First and foremost, the absence of any damages payment is a welcome change from such claims. Moreover, the enhancements agreed to by Halliburton give both compliance practitioners and companies specific guidance on good corporate governance practices in the compliance arena and specific ways to tie a compliance program to the US Federal Sentencing Guidelines.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

April 12, 2012

How the DOJ Looks at Compliance Programs in an Enforcement Action – Part II

Today’s post is Part II in our two-part series on how the Department of Justice (DOJ) looks at compliance programs during the pendency of an enforcement action. Today we will review how a prosecutor may review the existence and effectiveness of a Foreign Corrupt Practices Act (FCPA) compliance program based upon the Principles of Federal Prosecution of Business Organizations (“the Principles”) and an analysis of what is an effective compliance program under the US Sentencing Guidelines (“the Guidelines”). Both yesterday’s and today’s posts are based upon the tract “Complying with the Foreign Corrupt Practices Act: A Practical Primer” (herein “the Primer”), published by the ABA Criminal Justice Section, Global Anti-Corruption Task Force.

Independent Evaluation of Compliance Programs

The Primer reports that under this analysis, prosecutors look into three broad categories to make a determination if a compliance program was in existence and effective “at the time of the FCPA violation.” These categories and their specific inquiries are as follows:

1. The Existence and Design of the Compliance Program

(a) Whether a compliance program is adequately designed for maximum effectiveness in preventing and detecting wrongdoing by employees;

(b) Whether the compliance program is designed to detect the particular types of misconduct most likely to occur in a particular corporation’s line of business;

(c) The comprehensiveness of a compliance program; and

(d) Whether the compliance program has established corporate governance mechanisms that can effectively detect and prevent misconduct.

2. The Administration of the Program

(a) Whether the company’s management is enforcing the program or is tacitly encouraging or pressuring employees to engage in misconduct to achieve business objectives;

(b) Whether a compliance program is being applied earnestly and in good faith;

(c) Whether a compliance program ‘works’;

(d) Whether a compliance program is merely a ‘paper program’ or whether it was designed, implemented, reviewed and revised, as appropriate, in an effective manner;

(e) Whether the company has provided for a staff sufficient to audit, document, analyze, and utilize the results of the company’s compliance efforts; and

(f) Whether the company’s employees are adequately informed about the compliance program and are convinced of the corporation’s commitment to it.

3. The Misconduct in Question

(a) The extent and pervasiveness of the misconduct in question;

(b) The nature and level of the corporate employees involved in the misconduct;

(c) The seriousness, duration and frequency of the misconduct;

(d) Whether a corporation has taken remedial actions including discipline against past violators and revisions to the company’s compliance program in light of lessons learned; and

(e) The promptness of any disclosure of wrongdoing to the government.

As the Primer points out, these factors are “not exhaustive and are often overlapping but they do provide insight into how DOJ prosecutors conduct investigations and determine whether to bring charges under the FCPA.”

I find this final section on how the DOJ analyzes compliance programs the most helpful for the compliance practitioner, particularly when they must explain to management what is required and why the resources need to be expended. Remember, this analysis is performed based upon your company’s compliance program at the time the FCPA violation arose, not after program remediation. So just think about some of the questions posed above:

  • Have we trained the appropriate employees?
  • If so, how do we prove it?
  • Has anyone ever been disciplined for a Code of Conduct violation or more appropriately a compliance program violation?
  • If so, is it documented?
  • Prior to our FCPA violation, had the company ever audited or even reviewed the state of its compliance policy?
  • If so, were any changes made to the compliance program? What changes were made and why?
  • Our Chief Executive Officer (CEO) signed a cover letter, written by the Legal/Compliance Department, which introduced our compliance program when we rolled it out (fill in the blank) years ago. What evidence is there of the CEO’s continued commitment to the company’s compliance program since roll-out that can be documented?
  • Have we opened any new business lines or gone into any new geographic areas since the compliance program roll-out? Did we assess these new business initiatives?
  • When was the last time we did a comprehensive compliance risk assessment?
  • Do we have effective internal controls?
  • If we believe so, how do we know?
  • When was the last time a compliance audit was conducted?
  • What were the results or lessons learned?
  • Did the company incorporate any of these lessons learned into an enhanced or modified compliance program?
  • What criteria is the sales team evaluated upon?
  • Is there a compliance component to their annual review/evaluation?
  • What is the budget for the Compliance Department?
  • Is a senior person assigned to lead the company’s compliance efforts or is it everyone’s responsibility? (i.e., if everyone is in charge, then no one is in charge.)

These are just some of the questions that come to my mind in looking at how a prosecutor might review a compliance program. There are obviously many, many others. I highly recommend that you consider some of these questions plus any that you can develop. I would also urge you to download, read and then keep handy the Primer. It is free and one of the best FCPA compliance resources around.

US Sentencing Guidelines

The Primer notes that the Principles are not the only source of authority which a prosecutor might refer to in evaluating a company’s compliance program during an enforcement action. The US Sentencing Guidelines note that one of the two factors which can mitigate downwards in determining the amount of a fine and penalty is “the existence of an effective compliance and ethics program”. Further, under the Amended November 2010 Guidelines, the Primer says that the “government may now significantly reduce fines and other sanctions if an organization takes reasonable steps to achieve compliance with its standards, e.g., by utilizing monitoring and auditing systems reasonably designed to detect criminal conduct by its employees and other agents.”

The Guidelines provide in broad parameters how a prosecutor will evaluate compliance programs during the pendency of a FCPA enforcement action. As such they also provide guidance to the compliance practitioner on DOJ thinking. While there is not a specific program listed, the Guidelines place “an emphasis on the results of a program—that is, whether it is reasonably designed, implemented and enforced so that [it] is generally effective in preventing and deterring criminal conduct.” The Primer goes on to note that an effective compliance program consists of documentation that an organization “exercise[s] due diligence to prevent and detect criminal conduct; and otherwise promote[s] an organizational culture that encourages ethical conduct and a commitment to compliance with the law.”

One of the key factors is that the Guidelines do rely on the existence of a written compliance program. This means that a prosecutor’s primary focus is on the effectiveness of a company’s compliance program. The Primer lists out the following parameters, which the Guidelines suggest that a compliance program should minimally include and I cite from the Primer in its entirety:

  • The organization to “establish standards and procedures to prevent and detect criminal conduct.”
  • The “organization’s governing authority . . . be knowledgeable about the content and operation of the compliance and ethics program and . . . exercise reasonable oversight . . .”
  • High-level personnel of the organization . . . ensure that the organization has an effective . . . program . . . .
  • Specific individual(s) within the organization . . . be delegated day-to-day operational responsibility for the . . . program . . . [and] shall report periodically . . . on the effectiveness of the . . . program.
  • To carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority.
  • The “organization . . . use reasonable efforts not to include within the substantial authority personnel of the organization any individual whom the organization knew, or should have known . . . has engaged in illegal activities or other conduct inconsistent with an effective . . . program.”
  • The “organization . . . take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the . . . program . . . by conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities,” to “members of the governing authority, high-level personnel, substantial authority personnel, the organization’s employees, and, as appropriate, the organization’s agents.”
  • The organization . . . take reasonable steps . . . to ensure that the organization’s . . . program is followed, including monitoring and auditing to detect criminal conduct.
  • The organization . . . take reasonable steps . . . to evaluate periodically the effectiveness of the organization’s . . . program.
  • The organization shall take reasonable steps . . . to have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.
  • The organization’s . . . program . . . be promoted and enforced consistently throughout the organization through appropriate incentives to perform in accordance with the . . . program; and appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.
  • After criminal conduct has been detected, the organization . . . take reasonable steps to respond appropriately to the criminal conduct and to prevent further similar criminal conduct, including making any necessary modifications to the organization’s . . . program.
  • And in doing all of the above, “the organization . . . periodically assess the risk of criminal conduct and . . . take appropriate steps to design, implement, or modify each [above] requirement . . . to reduce the risk of criminal conduct identified through this process.”

I believe that the DOJ has presented significant information to the compliance practitioner about not only its most current thinking on what may constitute a minimum best practices compliance program in recent Deferred Prosecution Agreements (DPAs) and Non-Prosecution Agreements (NPAs) but also, through the Principles and the Guidelines, guidance on how a prosecutor will look at and analyze a company’s compliance program.


April 11, 2012

How the DOJ Looks at Compliance Programs in an Enforcement Action – Part I

Although often discussed in Deferred Prosecution Agreements (DPAs) or Non-Prosecution Agreements (NPAs), most compliance practitioners are not familiar with one of the most important sources of Department of Justice (DOJ) policy regarding the charging of corporations under the Foreign Corrupt Practices Act (FCPA). This source is found in the United States Attorney’s Manual section, entitled “Principles of Federal Prosecution of Business Organizations” (“the Principles”). However, there is an excellent discussion found on this issue in the January 2012 publication of “Complying with the Foreign Corrupt Practices Act: A Practical Primer” (“the Primer”), published by the ABA Criminal Justice Section, Global Anti-Corruption Task Force. The Primer has several authors including Salen Churi, David Finkelstein, Joe Mueller; persons from the University of Chicago School of Law, Dean David Zarfes, Michael Bloom and Sean Kramer; the Microsoft Corporation, including John Frank and Michel Gahard (collectively “the authors”).

The Principles themselves recognize that while prosecutors are to apply “the same factors in determining whether to charge a corporation as they do with respect to individuals”, such as evidence, likelihood of trial success, deterrent to others similarly situated and other factors, the prosecution of corporations is different from prosecuting individuals. The Primer notes that the Principles state “that prosecutors have a duty to protect economic and capital markets, to protect those who compete in those markets through lawful means and to generally protect the American public from corporate misconduct.” To assist prosecutors in making these determinations, the Principles provide a list of factors which must be considered in any decision on whether or not to bring charges or enter into DPAs or NPAs with companies. They are:

  • The nature and seriousness of the offense, including the risk of harm to the public and any policies governing the prosecution of corporations for specific types of crimes;
  • The pervasiveness of wrongdoing within the corporation, including managerial complicity;
  • The organization’s history of similar misconduct;
  • The corporation’s disclosure of wrongdoing and willingness to cooperate;
  • The existence and effectiveness of the corporation’s compliance program;
  • The corporation’s remedial actions, including efforts to implement or improve effective compliance programs, to replace management, to discipline or terminate wrongdoers, to pay restitution, and to cooperate with government agencies;
  • The harmful collateral consequences of charges or agreements, including those to investors and the public;
  • The adequacy of personal prosecution as opposed to organizational prosecution; and
  • The adequacy of non-criminal remedies.

In addition to these specific guidelines, the Principles “indicate that compliance programs are specifically relevant to the DOJ’s evaluation of four general contexts: (1) the pervasiveness of wrongdoing within the corporation; (2) the history of a corporation’s conduct; (3) whether a corporation should be eligible for a reduced sanction because of voluntary disclosures; and (4) whether a corporation has taken significant remedial actions to deter future violations.” The Principles also require a prosecutor to “independently consider the sufficiency of a company’s compliance program.” The Primer further discusses these four general contexts plus the requirement for an independent consideration of a company’s compliance program.

Pervasiveness of Wrongdoing

The Primer initially notes that a company should not be held liable for isolated or small numbers of FCPA violations by company employees particularly if the company has a “robust compliance program in place.” Pervasiveness will be determined on a case-by-case basis and is a fact intensive analysis. However, one of the clearest pronouncements is that corporate management is responsible for “a corporate culture in which criminal conduct is either discouraged or tacitly encouraged”. In other words, tone at the top does matter. The Primer relates that “in evaluating pervasiveness, compliance programs are relevant in determining when any wrongdoing can be fairly attributed to the actions of a corporate management and the culture it has fostered.”

History of Conduct

The history of wrongful conduct is relevant to how the DOJ may well resolve a case. This means that your company had better have a written compliance program in place, but such a written program should not simply be a paper program, present as window dressing in case the DOJ comes knocking. This is the document, document and document part that I continually write and speak about. Not only must you document your actions and decisions but you must be able to call up such documentation in a reasonable time frame. Further, if the company has a history of misconduct it may well be construed by the DOJ as “probative of a corporate culture” which condones, if not actively encourages, violations of the FCPA.

Voluntary Disclosures

Voluntary disclosures and compliance programs converge in the DOJ’s analysis because, as the Primer notes, the DOJ desires that companies “conduct internal investigations and to disclose … relevant facts to the appropriate authorities.” Recognizing that under Dodd-Frank, or other legislation, a disclosure could come to the DOJ via another mechanism, it is still important to understand that a prosecutor “may consider a corporation’s timely and voluntary disclosure in evaluating the adequacy of the corporation’s compliance program and its management’s commitment to the compliance program.”

Remedial Actions

The Primer reports that the DOJ assesses several factors when looking at a corporation’s response to a FCPA violation. The Primer lists these factors as the following:

  • Has the corporation “appropriately disciplined the wrongdoers, even if they are at the highest level of seniority?”;
  • Is the company focused on “the integrity and credibility of its remedial and disciplinary measures” rather than the protection of the wrongdoers?;
  • Has the corporation paid restitution in advance of a court order, most particularly under the restitution has the corporation accepted responsibility for its actions?; and
  • Whether the corporation “quickly recognized the flaws in its compliance program and has made efforts to improve the program?”

These four factors seem to boil down into two areas: (1) did the company take “meaningful” steps to ensure the conduct does not occur again; and (2) did the company take responsibility for its own actions?

Tomorrow we will take a look at how a prosecutor might analyze a company’s compliance program and also review the US Sentencing Guidelines related to FCPA compliance.
