Archive for the ‘Compliance’ Category

Friday Roundup

Friday, September 4th, 2015

Vote, motion for reconsideration, and for the reading stack. It’s all here in the Friday roundup.

Vote

FCPA Professor has been selected as one of the best legal blogs by the Expert Institute.  If FCPA Professor adds value to your practice or business or otherwise enlightens your day, you can vote for FCPA Professor as the best niche/specialty blog here. It only takes a minute and your vote is most appreciated.

Motion for Reconsideration

Unhappy with U.S. District Court Judge Janet Bond Arterton’s (D. Conn.) recent interpretation in U.S. v. Hoskins (see here) of the FCPA that Congress actually enacted, the DOJ recently filed this motion for reconsideration. The motion is based almost entirely on the DOJ’s views on the FCPA’s legislative history, demonstrating once again the importance of the FCPA’s legislative history (see here).

Reading Stack

Speaking of the recent decision in U.S. v. Hoskins, this King & Spalding alert states:

“[T]he Government argued for an accomplice theory, consistent with the Resource Guide to the Foreign Corrupt Practices Act. That guidance, first released in 2012, posed just such a hypothetical scenario:

Moreover, even if [defendant] had never taken any actions in the territory of the United States, they can still be subject to jurisdiction under a traditional application of conspiracy law and may be subject to substantive FCPA charges under Pinkerton liability, namely, being liable for the reasonably foreseeable substantive FCPA crimes committed by a co-conspirator in furtherance of the conspiracy.

The District Court rejected that theory, based on the U.S. Supreme Court’s decision in Gebardi v. United States, which established that whenever Congress has intentionally excluded certain individuals from liability for a specific law, this congressional intent must not be circumvented by prosecuting such individuals based on accomplice liability.

While the District Court rejected accomplice liability as an additional basis for FCPA jurisdiction, it remains to be seen how other courts will address this question, and whether the DOJ and the SEC will revisit their guidance on the matter. Given the rarity of written judicial opinions interpreting the FCPA, this ruling is likely to have an outsized impact on future FCPA enforcement actions.”

For additional reading on how the FCPA Guidance is an advocacy piece and not a well-balanced portrayal of the FCPA, as it is replete with selective information, half-truths, and, worse, information that is demonstrably false, see here.

*****

An informative read here from the FCPAmericas blog titled “Localizing Compliance Programs in Latin America.”

“The compliance programs for Latin American subsidiaries of foreign companies often consist of translated versions of the program used at headquarters, without any (or just minor) adaptations. Oftentimes, this practice has the potential to negatively impact the ability of the program to operate at optimum levels and can lead to problems. Here are five practical steps that companies can take to maximize the efficiency of their compliance programs in Latin America.”

*****

An interesting read here from Robert Appleton titled “Despite Prosecutions, Corruption Levels Stay the Course.”

“In light of this [increased corruption enforcement] activity [around the world], one might expect that corruption levels would decrease. But they have not. Why hasn’t it happened? The focus of this piece is to propose some possible explanations for this anomaly.”

*****

A good weekend to all.

FCPA “Summer School” – A Free Two-Part Webinar Series

Thursday, September 3rd, 2015

Don’t let the dog days of summer make you lazy.

Elevate your Foreign Corrupt Practices Act knowledge and practical skills.

Recently, I conducted a two-part FCPA “summer school” series sponsored by Hiperos (a leading third-party management company).

Hundreds participated in the live webinars in July and August, but if you missed out, the webinars can be accessed at the below links.

The first webinar titled “Understanding FCPA Scrutiny and the Enforcement Landscape” provides participants with an understanding of:

  • current FCPA enforcement theories;
  • the long term and short term costs associated with an FCPA enforcement action or merely FCPA scrutiny; and
  • how the FCPA is enforced by the Department of Justice and the Securities and Exchange Commission.

The second webinar titled “FCPA Third Party Compliance Best Practices” provides participants with an understanding of:

  • the FCPA risks of utilizing third parties;
  • FCPA compliance best practices relevant to third parties (including pre-engagement, engagement, and post-engagement practices) and learning from third-party compliance failures in past enforcement actions; and
  • how best to effectively communicate compliance expectations to third parties.

Do Your Hiring Practices Live Up To The SEC’s New Expectations?

Monday, August 24th, 2015

As highlighted several times on FCPA Professor, there are two distinct questions that can be asked in connection with many instances of Foreign Corrupt Practices Act scrutiny and enforcement.

The first is whether, given the DOJ’s and/or SEC’s enforcement theories, the conduct at issue can expose a company to FCPA scrutiny and an FCPA enforcement action?

The second is whether Congress in passing the FCPA intended to capture the alleged conduct at issue and whether a court would find the alleged conduct in violation of the FCPA?

In a legal system based on the rule of law, the second question of course is more important, but as a practical matter risk averse business organizations care more about the first question.

Previous posts (here and here) highlighted critical questions concerning last week’s SEC enforcement action against BNY Mellon based on the company’s alleged internship hiring practices – an enforcement action that is expected to be the first of similar actions in coming months.

Now that the dust has settled, and until a business organization stands up to the SEC (small chance that will happen as the SEC has never been put to its burden of proof in a corporate FCPA enforcement action in history), issuers would be wise to ask whether their hiring practices live up to the SEC’s new expectations.

Those expectations, articulated by the SEC in the BNY Mellon action, are phrased below in the form of questions.

  • Does the company’s anti-corruption policy “explicitly address the hiring of government officials’ relatives”?
  • Does the company require “that every application for a full-time hire or an internship be routed through a centralized HR application process”?
  • Does the company’s Code of Conduct “require that every year each employee certify that he or she is not responsible for hiring through a non-centralized channel”?
  • Does the company’s application process require “that each applicant indicate whether he/she is a close personal associate of a government official or has recently been a government official?”

Even if your company is not an issuer subject to SEC jurisdiction, all business organizations should ask the above questions given that the SEC also charged BNY Mellon with FCPA anti-bribery violations – provisions which apply to all forms of business organization.

In short, the compliance message from the BNY Mellon enforcement action is that FCPA compliance is not just a legal function, not just a finance, accounting and auditing function, but now also a human resources function.

The Difficulties Of Compliance

Monday, August 10th, 2015

In the minds of some, compliance with the Foreign Corrupt Practices Act or other similar laws is simple: you just don’t bribe.

As highlighted in this prior post, such a simplistic position is entirely off-target. Indeed, what I find ironic about certain commentators who have articulated this position is that they devote their professional lives to selling compliance services and products.

Contrary to the simplistic rhetoric of some, a recent report regarding Siemens once again highlights the difficulties of compliance in a multinational business organization with tens of thousands of employees.

First, a bit of background.

In resolving the record-setting FCPA enforcement action against Siemens in 2008, the DOJ praised Siemens for its substantial compliance transformation.

Specifically in its sentencing memorandum, the DOJ acknowledged that Siemens had “already implemented substantial compliance changes” and a settlement term required the company to further implement “rigorous compliance enhancements.”

The “Remediation Efforts” section of the DOJ’s sentencing memorandum stated, in pertinent part, as follows:

“Siemens also overhauled and greatly expanded its compliance organization, which now totals more than 500 full time compliance personnel worldwide. Control and accountability for all compliance matters is vested in a Chief Compliance Officer, who, in turn, reports directly to the General Counsel and the Chief Executive Officer. Siemens has also reorganized its Audit Department, which is headed by a newly appointed Chief Audit Officer who reports directly to Siemens’ Audit Committee. To ensure that auditing personnel throughout the company are competent, the Chief Audit Officer required that every member of his 450 person staff reapply for their jobs. Siemens also has enacted a series of new anti-corruption compliance policies, including a new anti-corruption handbook, sophisticated web-based tools for due diligence and compliance matters, a confidential communications channel for employees to report irregular business practices, and a corporate disciplinary committee to impose appropriate disciplinary measures for substantiated misconduct. Siemens has organized a working group devoted to fully implementing the new compliance initiatives, which consists of employees from Siemens’ Corporate Finance and Corporate Compliance departments, and professionals from PricewaterhouseCoopers (“PwC”). This working group developed a step-by-step guide on the new compliance program and improved financial controls known as the “Anti-Corruption Toolkit.” The Anti-Corruption Toolkit and its accompanying guide contain clear steps and timelines required of local management in the various Siemens entities to ensure full implementation of the global anti-corruption program and enhanced controls.
Over 150 people, including 75 PwC professionals, provided support in implementing the Anti-Corruption Toolkit at 162 Siemens entities, and dedicated support teams spent six weeks on the ground at 56 of those entities deemed to be “higher risk,” assisting management in those locations with all aspects of the implementation. The total external cost to Siemens for the PwC remediation efforts has exceeded $150 million.”

Elsewhere, the DOJ sentencing memorandum stated:

“Siemens also significantly enhanced its review and approval procedures for business consultants, in light of the past problems. The new state-of-the-art system requires any employee who wishes to engage a business consultant to enter detailed information into an interactive computer system, which assesses the risk of the engagement and directs the request to the appropriate supervisors for review and approval. Siemens has also increased corporate-level control over company funds and has centralized and reduced the number of company bank accounts and outgoing payments to third parties.”

In summary, the DOJ recognized that “[t]he reorganization and remediation efforts of Siemens have been extraordinary and have set a high standard for multi-national companies to follow.”

Since the 2008 settlement, Siemens compliance reports as follows:

(1) approximately 600 employees work full time in a single compliance organization managed by a Chief Compliance Officer (of this number approximately eighty work at Siemens’ corporate headquarters with the rest deployed evenly around various sectors/divisions and regional companies); (2) 300,000 employees worldwide have received compliance training, including 100,000 employees who received face-to-face multi-hour courses; (3) all new compliance officers worldwide are required to take an intensive four-day course; (4) approximately 5,500 top managers worldwide have compliance metrics as an aspect of their compensation; and (5) approximately fifty-five high-risk entities and approximately 105 business units were required to implement over 100 compliance systems controls.

(See The Siemens Compliance System: Prevent, Detect, Respond and Continuous Improvement (2011).)

In short, there are few companies in the world today that have devoted as many corporate resources towards compliance as Siemens over the past five years.

Despite the above improvements and investment in pro-active compliance that the DOJ labeled as setting “a high standard for multi-national companies to follow,” since 2008 Siemens has been involved in numerous allegations of corruption.

This recent report from 100Reporters titled “Siemens Confidential: Reports of Wrongdoing Up, Penalties Down” suggests that since the 2008 FCPA settlement Siemens “received more than 3,000 new internal complaints of wrongdoing … including reports of corruption, bribery, fraud, anti-trust violations, embezzlement and conflict of interest.”  According to the article, the internal company statistics were disclosed by Siemens at industry conferences and obtained by 100Reporters.

To some, the above report and statistics are evidence that Siemens has an ineffective compliance program.

To others, the above report and statistics are evidence of the difficulties of ensuring compliance in a multinational company with tens of thousands of employees doing business all over the world.

But remember, in the minds of some it is easy.  Just don’t bribe.

Lessons Learned As A Foreign Corrupt Practices Act Monitor

Thursday, July 23rd, 2015

Today’s post is from Scott Fredericksen (Partner, Foley & Lardner) and originally appeared in International Trade Law & Regulation, Vol. 21, Issue 3, 2015 (Thomson Reuters).

*****

Not long ago, Foley & Lardner was selected as a monitor for a medical devices company that had been found to have engaged in activities alleged to have violated the FCPA. As the leader of the investigatory team, I did not have the normal advantage of working with a known client with a known business.

Rather, I needed to quickly develop a multi-faceted team that had to quickly get up to speed on the company’s business model, how it conducts business abroad, its distributor arrangements, its compliance program, its internal controls, and its training. In short, I had to set up a compliance review with the kind of probing that one would find in an in-depth financial audit.

The important compliance lessons learned from Foley’s experience as a corporate monitor are provided below.

General Lessons

As most people who are involved in the compliance area know, establishing the right corporate culture is paramount. The key requirements include ensuring that the company has a culture of respect for compliance, that senior management is firmly behind all compliance efforts, and that there is a strong and well-funded compliance infrastructure that can catch compliance missteps from a variety of angles.

Establishing the appropriate corporate compliance culture requires constant reiteration of the compliance message. Compliance standards must be public and promulgated throughout the company, including through regular placement in company newsletters and on corporate intranets. Compliance policies should be readily accessible to employees and integrated into all aspects of employment, starting with discussions of compliance during the hiring process and references to the policy in employment contracts. Even employee performance reviews can help serve this purpose, by ensuring that employee adherence to compliance standards is part of the evaluation process.

The involvement of senior management is also essential for the development of a corporate culture focused on compliance. Placing a member of senior management in charge of compliance acts as a vital link between the executives and board members responsible for running a company and the employees on the ground who must deal with potential regulatory violation issues on a regular basis. A high-level member of management who is intimately involved in the compliance process also lends legitimacy to the company’s compliance policy and helps firmly establish the tone from the top.

This is not to say that every company needs to have a dedicated chief compliance officer. The establishment of the compliance infrastructure, like all compliance efforts, needs to be a risk-based endeavor, which means that the compliance needs of a smaller company that only operates in a handful of foreign countries may not be the same as those of a large multinational corporation that operates in a number of high-risk environments. It is common in smaller companies for compliance duties to be handled by an employee who has multiple responsibilities, such as the head of the human resources or audit departments. But at all companies, there should be a single person who is responsible for monitoring potential violations, managing due diligence, developing and providing compliance training, answering questions and resolving red flags, and testing the compliance program. This type of compliance ownership, by a person who is free from business pressures to achieve particular outcomes, is essential to ensure that compliance responsibilities are taken seriously. A Corporate Monitor’s Guide to International Regulatory Compliance.

A final issue is the adequacy of funding. Effective compliance requires hiring appropriate compliance personnel, taking time from busy employees for training, the establishment of internal controls and processes to monitor the effectiveness of the program and procedures in place, and periodic revisions to the policies and training materials. Companies should put in place programs that will be supported by commensurate resources. If, for example, a company states that it will perform due diligence on every agent it hires, then it should ensure that it has set aside sufficient resources to carry through on this commitment. Although compliance can be expensive, it pales in comparison to the multimillion dollar fines and high investigatory costs that now accompany even routine violations of U.S. regulations.

Compliance Program Improvements

A thorough and proper risk assessment forms the core of any good compliance program. No compliance program has the luxury of drawing on unlimited resources. Therefore, it is necessary to begin with a sober assessment of the regulatory risks facing the business, including those posed by its corporate profile, business model, types of products sold, areas of operation, use of third parties, degree of government interaction, and other business-profile issues that impact the degree of regulatory risk.

The ways in which to conduct a proper risk assessment vary, but certain principles are universal. Involvement from senior management and employees that understand the company, its business model, and its specific regulatory risk points is essential. The risk assessment must be conducted free of business pressures, without clouded judgment regarding where the highest risks arise. The risk assessment also should take into account all the ways in which outside actors can implicate the company or create regulatory liability, such as agents, distributors, joint venture partners, and other third parties.

Companies also need to update their risk assessments on a regular basis. Corporate expansions, mergers and acquisitions, establishment of new joint ventures, expansions into new countries or product lines, and new distributor arrangements are all activities that can alter the risk profile of a company. Even regulatory developments, such as enactment of broad anticorruption laws such as the UK Bribery Act or the recent ramping up of OFAC sanctions and related enforcement activity, can impact compliance requirements. Not all of these changes, or their impact on compliance efforts, are obvious, which makes a regular reassessment of risk an important compliance function.

After conducting a risk assessment, a company must decide how to allocate its compliance resources. Allocating most resources to identified high-risk areas is important. So, however, is recognizing that the risk even in low-risk areas seldom is zero, and thus those areas deserve some compliance attention as well. A well-structured risk assessment can help balance the distribution of compliance resources.

It also is important to regularly update compliance measures. Compliance standards regularly change, driven not only by changes in the regulatory framework but also the expectation of the regulators. As a result, it is important for a company to remain educated about compliance issues, including through regularly sending compliance personnel to specialized conferences, and following developments that bear on the ever-evolving standards for an acceptable compliance program.

When changes are made, the changes to the compliance program must be appropriately promulgated throughout the company. Depending on the change, this could require anything from company-wide training to a simple email from the company’s chief compliance officer. Regular communications regarding the company’s compliance message serve the dual purposes of keeping the compliance message top-of-mind while also communicating the company’s evolving compliance efforts and its commitment to compliance.

Training Enhancements

Training is an integral part of every compliance program, and serves a function that is much greater than merely communicating information. Done properly, it is an important part of the compliance-related dialogue that helps minimize the risk of violations while helping to discover violations that already have occurred. It also is a key cog in the central goal of communicating the importance of compliance to the organization.

Although many companies conduct training electronically, including through the use of innovative compliance presentations and on-line quizzes, in-person training remains the gold standard. Company personnel tend to pay more attention to a live presentation, and the presentation can be tailored to the requirements of the audience. Allowing time for discussion not only allows employees the opportunity to ask questions about areas that are unclear, but often reveals areas where further inquiry may be appropriate. Properly presented, in-person training can result in compliance feedback that can be incorporated to improve the overall compliance program.

No matter how training is provided, it cannot be a one-time event. Although all employees should receive initial training upon their hiring, reinforcement of the training on a periodic basis is essential. Annually is a good benchmark that works for most companies.

Finally, companies should make training relevant to the evidence. The training should use as many real-world examples as possible, such as case studies drawn from actual problems confronted by the company in the past, as well as those that are more likely to occur based on the industry and where and how the company does business.

Audits and Compliance Checkups

Compliance as envisioned by the compliance program, and compliance as it actually occurs in the field, often are two very different things. A company that implements rigorous procedures, but then fails to live up to them, often enjoys the worst of two worlds, since its failure to meet its compliance goals would be held against it in any enforcement proceeding. To avoid this possibility, compliance implementation should be monitored by direct observation, by supervision of the program, and by testing the controls.

Some of this testing can be done in the company’s normal internal audit process, and it is important that internal audit employees receive specific compliance training so they understand what to do and why they are doing it. One increasingly common way of ensuring the testing of the controls is to conduct compliance audits. These audits are intended to stress-test compliance procedures by picking high-risk transactions at random to see whether the compliance program is functioning as envisioned. Beyond this, regime-specific audit items can be created, which generally will focus on whether the company is adhering to its internal controls in a given area. They can be conducted by properly trained internal or external auditors.

The tendency at many companies is to conduct audits based upon the ease of conducting them, rather than their utility. This shows up, for example, when companies target their own foreign operations for compliance-related audits, but do not exercise their rights to audit agents or joint venture partners. It also arises when companies do not return to the lessons of their risk assessments to determine the high-risk areas that merit follow-up checks. Unlike financial audits, which tend to concentrate on areas with the highest revenue impact, compliance-based audits often need to focus on areas that may have a small revenue impact but a large compliance risk footprint. Operations in a developing country, for example, may be new and have still-small revenue, yet present an outsized compliance risk.

Agent and Distributor Controls

No compliance program, no matter how well conceived, can perform its job unless the risks posed by third parties are adequately addressed. This is because many enforcement settlements are premised on agency principles, i.e., a determination that parties outside the company were acting on behalf of the principal, thus creating legal liability for the principal.

Dealing with agents, distributors, and other third parties presents unique and interesting challenges. Often companies work with these third parties in foreign countries because they do not understand the business culture or ins-and-outs of doing business in a particular country. Agents help fill this knowledge gap by bringing knowledge of the business environment that the company cannot fill by itself.

But the greater the separation from corporate headquarters, the greater the risk. The dangers of third parties can arise in a host of areas, including for matters handled by customs brokers, distributors, sales agents, political consultants, lobbyists, and other third parties. The consistent use of third parties, even when justified from a business perspective, by itself can be considered a compliance red flag. The oversight of third parties accordingly should be considered in every aspect of the company’s risk assessment, including with regard to the establishment of the relationship (with appropriate contractual protections), training, accounting, ongoing certifications, and even audits.

Due diligence is also a key step when managing third-party risks. Due diligence is a potpourri of tasks that may include interviews, background checks, reviews of databases and publications, consulting third parties to provide reliable local information, using forensic accountants to review books and records to evaluate risk, visiting the office of agents, and other methods of confirming suitability, as the case may be. Once again, the application of risk-based principles will help determine how much due diligence is appropriate for various types of third parties.

At too many companies, third-party compliance oversight begins and ends with due diligence. In other words, the company conducts its third-party due diligence, places the resulting report in its file, and then moves on to conducting the business relationship without much more in the way of oversight. Ongoing review of the relationship, however, is the best way to proceed, including through periodic certifications, ensuring up-to-date training, monitoring any deviations of the relationship from the anticipated course, and the conduct of third-party audits. Due diligence is important, but it is only a limited snapshot of the past. As the relationship evolves, the company’s best source of information about the relationship becomes the data concerning its own relationship with the third party.