FCPA Compliance and Ethics Blog

September 4, 2013

Collaboration and the Compliance Function

Today is the anniversary of two very different musical legacies. On this day 31 years ago the iconic song “Valley Girls” by Moon Unit Zappa broke into the Top 40. Twenty years later Kelly Clarkson won the first American Idol competition. Moon Unit was the daughter of rock and roll satire icon, Frank Zappa. Clarkson was a 20-year-old waitress at the time she won the contest. These two somewhat disparate events demonstrate to me the usefulness of collaboration to show how music has evolved.

One of the difficulties that many compliance professionals who come out of a corporate legal department have is understanding how important it is not only to get out in the field with company employees but also to incorporate ideas from other company disciplines into an overall compliance regime. Most typically, corporate lawyers come from a world where the rules are fairly well known and are often black and white. However, in the world of compliance there is a fair amount of guidance but fewer black and white rules than there are in the legal world. So in the legal part of the company, the benefit of legal department consultation with the business unit is often not seen as a cost worth bearing, especially if international travel is required.

However, in many ways, the compliance function can be seen as a collaboration; that is, a collaboration between a legal-based function and a business group doing sales and marketing in many different regions and geographic areas across the globe. I recently read a New York Times (NYT) Corner Office article, entitled “Be Yourself, Even if You’re A Little Goofy”, in which reporter Adam Bryant interviewed Glenn Kelman, the Chief Executive Officer (CEO) of Redfin. One of the things that intrigued me in the article was the company Redfin itself, which is a collaboration between real estate agents and software developers, about as disparate a pair of business functions as I can imagine. Indeed, Kelman was quoted in the article as saying that “The main project I have at Redfin is to unite two separate cultures — real estate agents and software engineers. One of the ways we do it is by having people do “A Day in the Life” talks during our all-hands meetings, and they talk for 10 minutes about a typical day. Then you hear other people saying things like, “I had no idea how hard it is to be a real estate agent.””

This theme of collaboration seemed key to me in another article I recently read in the September issue of Wired Magazine by Robert McMillian, entitled “The GitHub Way – How the Collaboration Platform Aims to Help Everyone Do Any Project”. In this article, McMillian discussed how this relatively new software platform, GitHub, can be used to work on or develop a wide variety of software, projects or topics. While GitHub was designed to be used by open source software programmers as a collaborative workflow process, it turns out that the iterative process can be used for a wide variety of projects which require collaboration. GitHub co-founder and CEO Tom Preston-Werner was quoted in the article as saying, “The open, collaborative workflow we have created for software development is so appealing that it’s gaining traction for nonsoftware projects that require significant collaboration.” Some of the non-software projects discussed in the article included legal contract drafting and even development of wedding invitations.

What the GitHub platform allows is for anyone working on a project to review the current state of the project, make corrections or changes, have those changes documented and dated, then be available for anyone else working on the project to use in the next iteration of the workflow. McMillian writes that “The site’s big innovation is the pull request. It’s what you do after forking [correcting or changing] something, an electronic note saying, “Hey, I was checking out your project and I found a way to make it better. Look here and you can see what I have changed; press this button and the changes will become part of your project.” The pull request makes it easy for anybody to fix a bug in a software program or a mis-spelling in a document.”

These concepts of collaboration are particularly relevant to the compliance function. One of the greatest challenges in implementing or enhancing a compliance program is how it will work in the real world of your company. That is why collaboration is so important. If you can sit down and work through your policies and procedures with your employee base, through a shared workflow or collaborative project, it will allow you to implement a new or enhanced program with less difficulty. If you cannot utilize such collaboration beforehand, then implementation will require not only a steady hand but most probably a full time compliance professional dedicated to that function alone. Answering the day-to-day queries from sales unit employees on how to implement a new or updated compliance regime can be a full time exercise.

I think that is one of the reasons some of the more recent Deferred Prosecution Agreements (DPAs) have spoken to companies having a sufficient number of personnel dedicated to the day-to-day running of a compliance function, and why the FCPA Guidance said that one of the inquiries would be “In assessing whether a company has reasonable internal controls, DOJ and SEC typically consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.”

In a recent blog post by Mike Volkov, entitled “Corporate Excuses to Avoid Compliance and Ethics Programs”, he discussed the failure of companies to see the cost benefits of effective Foreign Corrupt Practices Act (FCPA) compliance programs. I would take this idea a step further and posit that without sufficient collaboration between the compliance function and the business units, there could be an equal disconnect. Whether you use an approach like Glenn Kelman's and get people to explain their job roles and functions to each other, or you avail yourself of collaborative software tools such as GitHub, the compliance practitioner needs to make sure that collaboration is in his or her toolbox.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

May 19, 2013

The Drugstore Cowboy and Compliance

One does not have to look very far in the business world to come across the phrase “Know Your Customer.” A company certainly needs to know if an entity that it may sell products or provide services to will pay for those items. Running a Dun & Bradstreet credit check is routinely performed to ascertain if a counter-party is a good credit risk. But how much more should a company do in regards to its customers? Clearly banks, other financial institutions and even casinos need to assess a customer from the perspective of anti-money laundering (AML). Is there a reason grounded in the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act that would suggest that customers should go through background scrutiny from the anti-bribery/anti-corruption compliance perspective?

I thought about internal controls regarding due diligence requirements on customers, effective compliance programs and third party validation of credentials when reading an article in the June issue of Wired Magazine, entitled “Drugstore Cowboy”, by Jake Pearson. I found this article to be a very cautionary tale for those companies which need to consider just whom they are doing business with or for. The story involved an undercover sting operation by the US government against Google. The operation involved a convicted felon, one David Whitaker, who convinced law enforcement authorities that Google had assisted him, in violation of its own internal protocols and US laws, to sell illegal “black market steroids and human growth hormones” online. Whitaker told federal officials that “Google employees had actively helped him advertise his business, even though he made no attempt to hide its illegal nature.” Based upon his experience, Whitaker believed that Google must be “helping other rogue Internet pharmacies too.”

On paper, it appeared from the article that Google had a system designed to ferret out sites which used words or had other indicia that they were selling illegal drugs. There was an initial screening by a Google sales representative. There was an automated program which searched for key words that might indicate illegal drugs were being sold. There was a review of the website itself to see if other factors were present which might show that illegal products were being sold. Finally, Google used a third party verification service to attest that any site selling pharmaceutical products was properly licensed.

Based upon his experiences, the government set Whitaker up with an alias, fake company, bank account and phone lines and then monitored and watched him to see if his claims were true. He was told to see if Google would actively assist him to sell advertising for a non-existent company called “SportsDrugs.net, a website that sold HGH and steroids from Mexico, with no doctor’s prescription.” The plan that Whitaker used was straightforward.

  1. Establish a fake identity. Whitaker made cold calls to representatives of Google to get set up as an account in the company’s system.
  2. Submit the site. The feds designed the sting operation so that it would be obvious the false company was selling illegal drugs. So it offered HGH and steroids, had pictures of the drugs and even had a ‘Buy Now’ button to make clear that no doctor’s prescription was required. The Google sales representative passed the fake sales site along for “policy review, an automated process that Google uses to vet all advertisers.”
  3. Scrub the site. After the fake sales company was initially rejected by the policy review process, a Google representative agreed to help “tweak it” so that it would pass through the Google approval process. The Google sales representative advised Whitaker to rename the site, remove the pictures of the illegal drugs and delete the ‘Buy Now’ button from the site.
  4. Rework the site. After the suggested changes were made by Whitaker, his fake site was approved by Google. Thereafter the items which had been removed from the website, including both the photos of illegal drugs and the ‘Buy Now’ button, were added back into the site, all with the assistance of the Google sales representative.
  5. Raise the stakes. In this phase, the undercover sting operation widened. After their initial success with SportsDrugs.net, the feds created other fake websites for Whitaker, all of which purported to sell illegal drugs. The other sites included one selling “RU-486, better known as the abortion pill, which is normally taken under close supervision of a doctor.” Another site sold the psychotropic drugs Xanax and Valium, both without any need of a doctor’s prescription. In a final example the feds created a ‘Trojan Horse’ site, in which a pharmacy site that held a valid license also had sales for “three clearly disreputable online pharmacies.”

The chilling thing I found in this article was it reported that in each one of the false scenarios, Whitaker was reported to have explained to the Google representative the true nature and purpose of the site. All of the information that Whitaker conveyed made clear that these sites were designed to sell drugs which are illegal in the US, without a doctor’s prescription. In just over the span of three months, the undercover operation spent over $200,000 with Google.

Google ended up settling with the US government for a fine of $500 million. Although Pearson did not quote him, Peter Neronha, the US Assistant District Attorney who headed the investigation and enforcement action, was quoted as telling the Wall Street Journal (WSJ) that the “culpability went far higher than the sales reps that Whitaker worked with. Indeed, he said, some of the company’s most powerful executives were aware that illegal pharmacies were advertising on the site.” Google itself would not comment for the Pearson article.

From the account in the Pearson piece it would appear that Google had a system in place to check and make sure that it was not advertising sites which sold illegal drugs but that system, both human and automated, was worked around. For the anti-corruption compliance practitioner, I think that there are several key lessons which can be learned from this tale.

Train, Train, Train. If you sell services that can be used to facilitate illegal conduct, you need to train your sales force to watch out for signs of that illegal activity. The initial Google sales representative who was contacted by Whitaker should have been the first line of prevention to stop the issue before it came up for the company.

Monitor, Monitor, Monitor. There should be several types of monitoring. If a business name comes through your system and it is rejected, there should be a monitoring mechanism in place to note if it reappears later or is approved through some other means, as was done in this situation. Similarly, if the name of a business owner comes up in connection with another company, there needs to be a mechanism in place to perform a cross check. The sales representatives should also be monitored to determine if they are manipulating the system.

Incentives, Incentives, Incentives. While not discussed in the Pearson article, what do you want to bet that the Google sales representatives were compensated, at least in part, with a commission based upon the number of GoogleAds that they sold? If your compensation structure or other incentive structure rewards people who use shortcuts, then there will always be employees who take them.

Audit, Audit, Audit. Remember the part of the story about how the Google sales representative would advise Whitaker how to scrub his website of key words, search terms and other information which would indicate that it was selling illegal pharmaceuticals only to reinsert those on the site after the scrubbed site had been approved? You need to audit to determine if any illegal conduct has begun after the contract is signed. And if you do not have audit rights, you have a very slim chance of actually performing an audit.
