Archive for the ‘Internal Controls’ Category

FCPA Compliance And The Important Role Of Gatekeepers

Thursday, July 17th, 2014

To best manage and minimize Foreign Corrupt Practices Act risk, it is important that a business organization not view FCPA compliance as strictly a legal function, but rather a function best achieved holistically throughout the organization.  This requires business managers, including finance and audit professionals in particular, to have the skill-set to recognize FCPA risk.

It is clear from recent FCPA enforcement actions that the enforcement agencies, and the SEC in particular, expect much from business managers when it comes to FCPA compliance including the ability of these gatekeepers to spot FCPA issues and display a high degree of intellectual curiosity as to many company transactions and expenditures.  (See enforcement actions here, here and here).

This free video (created in collaboration with Emtrain with whom I’ve created a global anti-bribery and corruption training course) has been created to help business organizations best mitigate FCPA risk.  Feel free to share the video with clients, in-house counsel and other compliance professionals, and business managers within your organization.

The First FCPA Enforcement Action Against A Foreign Issuer, Plus An Interesting Issue

Tuesday, May 13th, 2014

[This post is part of a periodic series regarding "old" FCPA enforcement actions]

In 1996, the SEC brought this civil complaint against Montedison, an Italian corporation with headquarters in Milan that had interests in the agro-industry, chemical, energy and engineering sectors.  The enforcement action was principally a financial fraud case as the SEC alleged that the company committed “financial fraud by falsifying documents to inflate artificially the company’s financial statements.”  (See here for the SEC’s release).

However, the enforcement action also included allegations that Montedison violated the FCPA’s books and records and internal control provisions based on allegations that the company concealed “hundreds of million of dollars of payments that, among other things, were used to bribe politicians in Italy and other persons.”

As described in the SEC’s complaint, Montedison wanted to enter into a joint venture with an Italian state energy agency and “determined to secure political backing” to change the terms of the underlying joint venture agreement as well as overturn a judge’s decision that had the effect of making the proposed transaction more difficult.  According to the complaint, “Montedison determined that to achieve these ends, the company would need to pay extensive bribes.”

The complaint then states:

“In an attempt to do so, Montedison management entered into an arrangement with a Rome real estate developer (the “Developer”), who was developing real estate complexes in Rome for Montedison at that time.  Under their agreement, Montedison, directly or through companies it controlled, effected numerous real estate purchases and sales at artificially high prices.  The artificial prices had the effect of transferring hundreds of million of dollars to the Developer.  On information and belief, the Developer used this money to bribe politicians in Italy and other persons on Montedison’s behalf.”

For example, the complaint alleges that Montedison, through a wholly-owned subsidiary, overpaid the Developer approximately $95 million and agreed to pay an additional $123 million “for properties that were either owned by, or had connections to, various politicians.”

As noted in the SEC’s complaint, “despite these efforts, Montedison’s management was ultimately unsuccessful” in its bribery scheme.

According to the complaint:

“The fraudulent conduct … continued undetected for several years because of a seriously deficient internal control environment at Montedison.  In fact, Montedison’s internal controls were so deficient that, according to Montedison, neither the company itself, nor its auditors, have been able to reconstruct previously what occurred and who was responsible.”

The Montedison enforcement action was the first SEC Foreign Corrupt Practices Act enforcement action against a foreign issuer and was based on the company having American Depository Receipts (ADRs) listed on the New York Stock Exchange.

Montedison did not immediately resolve the SEC’s complaint as is the norm today.  Rather, the 1996 complaint was resolved in 2001.  As noted in the SEC’s release, Montedison was ordered to pay a civil penalty of $300,000 and resolved the enforcement action without admitting or denying liability for the allegations in the complaint.  According to the release, “the fraudulent conduct was disclosed only after new management was appointed when Montedison disclosed it was unable to service its bank debt.  Virtually all of the former senior management at Montedison responsible for the fraud were convicted by Italian criminal authorities and were sued by the company.”

The release notes as follows.

“Montedison was acquired by Compart, S.p.A., in late 2000 and its ADRs were delisted. Compart then changed its name to Montedison. No securities of Compart are listed for sale by U.S. stock exchanges. Compart, which agreed to the settlement on behalf of the former Montedison, was not a defendant in the Commission’s complaint.”

In original source media reports, Paul Gerlach (SEC Associate Enforcement Director at the time) stated:

“The case’s message is if you are a foreign company wanting to trade stock here, you are going to have to adhere to the same reporting, accounting and internal control standards followed by U.S. companies.”

Of interest, a 1996 Washington Post article about the enforcement action noted:

“The commission has been locked in debate with the NYSE for years over whether foreign companies that raise money from U.S. investors should be held to the same reporting standards as U.S. companies. SEC officials have argued that loosening the standards would hurt U.S. investors. The exchange has responded that overly stringent rules will discourage foreign companies from raising capital in the United States and erode the preeminent position of U.S. securities markets.”

Why, despite the SEC’s allegations, was Montedison not charged with FCPA anti-bribery violations?  Jurisdictional issues aside, according to a knowledgeable source at the SEC at the time, there was a belief that there were no “foreign” officials involved because Montedison, an Italian company, allegedly bribed Italian officials.

It’s an interesting question.

Does the “foreign” in “foreign official” mean foreign as it relates to the specific company at issue or as to the U.S.?

I believe that the legislative history supports the latter, but will also add that Congress likely never understood that it was legislating as to foreign issuers when the FCPA was passed in 1977 because there were few foreign issuers.  Today, there are approximately 1,000 foreign issuers.  (See here and here).

In most FCPA enforcement actions against foreign issuers (Siemens, Daimler, Total, Technip, Alcatel-Lucent, etc.) the question is not relevant as, for example, German or French officials were not among the officials allegedly bribed.

Friday Roundup

Friday, May 9th, 2014

Is trust “reasonable,” Sigelman formally indicted, scrutiny alerts and updates, and for the reading stack.  It’s all here in the Friday roundup.

Is Trust “Reasonable”

This prior post asked:

Would FCPA compliance be better achieved if companies had fewer formal internal controls and instead devoted greater effort to fostering trust within a business organization?  Would such an approach even satisfy an issuer’s obligations under the FCPA’s internal controls provisions which require that issuers devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are properly authorized, recorded, and accounted for by the issuer?

The questions are posed once again after reading this New York Times article titled “Berkshire’s Radical Strategy: Trust.”  In the article, Charlie Munger, vice chairman of Berkshire Hathaway (arguably one of the most well-respected companies in America) “ruminates on the state of corporate governance, offering a counternarrative to the distrustful culture of most businesses: instead of filling your ranks with lawyers and compliance people, he argued, hire people that you actually trust and let them do their job.”

As highlighted in the article:

“Here’s a little-known fact: Berkshire Hathaway, the fifth-largest company in the United States, with some $162.5 billion in revenue and 300,000 employees worldwide, has no general counsel that oversees the holding company’s dozens of units. There is no human resources department, either.

If that sounds like a corporate utopia, that’s probably because it is. To some people in this day and age — given the daily onslaught of headlines about scandal and fraud in corporate America — that also may sound almost like corporate negligence.”

Sigelman Formally Indicted

In January 2014, the DOJ announced FCPA and related charges against former executives of PetroTiger Ltd., a British Virgin Islands oil and gas company with operations in Colombia and offices in New Jersey, “for their alleged participation in a scheme to pay bribes to foreign government officials in violation of the FCPA, to defraud PetroTiger, and to launder proceeds of those crimes.”  The individuals charged were former co-CEOs of PetroTiger Joseph Sigelman and Knut Hammarskjold and former general counsel Gregory Weisman.  (See this prior post for additional details).

In this criminal complaint, Sigelman was charged with conspiracy to violate the FCPA’s anti-bribery provisions as well as three substantive FCPA charges.  The FCPA charges were based on allegations that Sigelman and others made at least four transfers of money in the approximate amount of $333,500 to an account in Colombia of a “foreign government official in Colombia.”

In this release, the DOJ announced today that Sigelman was formally criminally indicted for the same conduct.  The release states that Sigelman was “charged with conspiracy to violate the FCPA and to commit wire fraud, conspiracy to launder money, and substantive FCPA and money laundering violations.”

The DOJ release further states:  “The case was brought to the attention of the department through a voluntary disclosure by PetroTiger, which cooperated with the department’s investigation.”

As previously noted, both Hammarskjold and Weisman have pleaded guilty.

Scrutiny Alerts

Key Energy Services

Key Energy Services disclosed in its recent SEC filing:

“The U.S. Securities and Exchange Commission has advised us that it is investigating possible violations of the U.S. Foreign Corrupt Practices Act involving business activities of Key’s operations in Russia. We take any such allegations very seriously and are conducting an investigation into the allegations. We are fully cooperating with and sharing the results of our investigation with the Commission. While the outcome of our investigation is currently not determinable, we do not expect that it will have a material adverse effect on our consolidated financial position, results of operations, or cash flows.”

Quanta Services

Quanta Services (an engineering, procurement and construction services company) disclosed in its recent SEC filing:

“On March 10, 2014, the SEC notified Quanta of an inquiry into certain aspects of Quanta’s activities in certain foreign jurisdictions, including South Africa and the United Arab Emirates. The SEC also requested that Quanta take necessary steps to preserve and retain categories of relevant documents, including those pertaining to Quanta’s U.S. Foreign Corrupt Practices Act compliance program. The SEC has not alleged any violations of law by Quanta or its employees. Quanta has complied with the preservation request and is cooperating with the SEC.”

PTC Inc.

PTC Inc. (formerly known as Parametric Technology) first disclosed its FCPA scrutiny in August 2011 and recently disclosed in this  SEC filing:

“China Investigation

We have been cooperating to provide information to the U.S. Securities and Exchange Commission and the Department of Justice concerning payments and expenses by certain of our business partners in China and/or by employees of our Chinese subsidiary that raise questions concerning compliance with laws, including the U.S. Foreign Corrupt Practices Act. Our internal review is ongoing and now includes periods earlier than those previously examined. We continue to respond to requests for information from these agencies, including a subpoena issued to the company by the SEC. We cannot predict when or how this matter may be resolved. Resolution of this matter could include fines and penalties; however we are unable to estimate an amount that could be associated with any resolution and, accordingly, we have not recorded a liability for this matter. If resolution of this matter includes substantial fines or penalties, this could materially impact our results for the period in which the associated liability is recorded or such amounts are paid. Further, any settlement or other resolution of this matter could have collateral effects on our business in China, the United States and elsewhere.”

Fresenius Medical Care

Germany-based Fresenius Medical Care first disclosed FCPA scrutiny in August 2012 and stated as follows in its recent SEC filing:

“[The previously disclosed internal] review has identified conduct that raises concerns under the FCPA or other anti-bribery laws that may result in monetary penalties or other sanctions.  In addition, the Company’s ability to conduct business in certain jurisdictions could be negatively impacted.  The Company has recorded a non-material accrual for an identified matter.  Given the current status of the internal review, the Company cannot reasonably estimate the range of possible loss that may result from additional identified matters or from the final outcome of the continuing internal review.”

Financial Services Industry

In case you had not heard that numerous financial services companies were under FCPA scrutiny for alleged hiring practices, the Wall Street Journal reports:

“U.S. regulators have expanded their investigation into large banks’ hiring practices in Asia, seeking more information from at least five U.S. and European firms, according to people close to the probe.  The Securities and Exchange Commission in early March sent letters to a group of companies including Credit Suisse Group AG, Goldman Sachs Group Inc., Morgan Stanley, Citigroup Inc. and UBS AG seeking more information about their hiring in Asia, according to people.  [...]  The SEC late last year issued a round of letters to at least six banks, seeking information on their hiring practices, such as whether the firms had special programs dedicated to relatives of influential officials, according to people close to the inquiry.  The second round of requests reflects a deepening of the probe.  The agency is seeking more data on the banks’ recruiting in Asia, including lists of employees hired as a result of referrals from foreign officials and clients, added the people familiar with the investigation.”

As to the above, Goldman disclosed in its most recent SEC filing:

“Regulatory Investigations and Reviews and Related Litigation.

[The company] and certain of its affiliates are subject to a number of other investigations and reviews by, and in some cases have received subpoenas and requests for documents and information from, various governmental and regulatory bodies and self-regulatory organizations and litigation relating to various matters relating to the firm’s businesses and operations, including:

compliance with the U.S. Foreign Corrupt Practices Act, including with respect to the firm’s hiring practices …”

Reading Stack

No surprise that an individual who paid $174 million to post bail has hired an A-list legal team in defense of DOJ allegations that he violated, among other laws, the FCPA.  (See here for a recent New York Times article regarding Dmitry Firtash).

Sound advice from former DOJ FCPA Unit Chief Chuck Duross in this MoFo Tech article concerning FCPA risk and the technology industry:

“[T]echnology companies are also at risk from the distribution model that’s often used in the industry. Many companies sell their products to channel partners, which add some value to the product or service—such as other hardware, software, an installation, or a service plan—and then resell it at a higher price. That’s an entirely appropriate business model. But as with any third party, companies need to appreciate the potential risk if, for example, the distributor is simply reselling at a higher price without adding any legitimate value and using that profit as a slush fund to funnel bribes to government officials. It may seem to the company that it is not violating the FCPA. It has simply sold its product to another company. But if a company’s employees are aware that the distributor is paying (or just offering) bribes to government officials to help sell the product, the company and its employees could be criminally liable as conspirators and aiders and abettors.

What should tech companies be doing to avoid these issues?

One thing is to know the third parties they’re doing business with. It is also fundamental to understand the business reason for working with third parties. One of the first questions asked during a DOJ or SEC investigation will often be, “What was the business purpose behind working with X?” Having a clear answer will earn credibility with regulators and underscore the company’s commitment to compliance. Also, making sure employees—and third parties—understand company policies, are properly trained, execute FCPA certifications, and are subject to appropriate ongoing reviews can prevent violations and mitigate (or avoid altogether) penalties if a problem does occur. That is just good business. Corruption tends to occur at companies with loose control environments. While I was at DOJ, we routinely saw loose control environments leading to embezzlement, self-dealing, fraud, and even antitrust violations. When a company doesn’t know where its money is going, that’s bad business and negatively impacts shareholder value. When companies invest in a compliance program, they are investing in the health of the business.”

This Kyiv Post article notes:

“Some of Ukraine’s underpaid cadre of civil servants might get bonuses from international finance institutions to reduce the temptation of taking bribes. According to Ukrainian Tax Service chief Ihor Bilous, the European Bank for Reconstruction and Development is exploring the idea of setting up a fund that would provide officials with additional pay. ‘Last week I had a meeting with EBRD representatives and they proposed to create a fund to pay money for people who serve the state in high positions,’ Bilous told the Kyiv Post. This idea was successfully implemented in Georgia, he adds, ‘we need to change the system, state salaries are very low and this situation creates some kind of temptation.’”

*****

A good weekend to all, and to all mothers, Happy Mother’s Day!

HP Enforcement Action – Where To Begin?

Tuesday, April 15th, 2014

Where to begin?

That is the question when analyzing last week’s $108 million Foreign Corrupt Practices Act enforcement action against HP and related entities.  (See here).

Should the title of this post have been “The FCPA’s Free-For-All Continues”?

Should the title have been “HP = Hocus Pocus” (as in look what the enforcement agencies pulled out of their hats this time)?

Should the title have been “Warning In-House and Compliance Professionals:  This Post Will Induce Mental Anguish”?

Unable to arrive at the best specific title for this post, I simply picked the generic “Where to Begin?”

In short, if the HP enforcement action does not leave you troubled as to various aspects of FCPA enforcement you: (i) may not be well-versed in actual FCPA legal authority; (ii) don’t care about the rule of law; or (iii) somehow derive satisfaction from government required transfers of shareholder money to the U.S. treasury regardless of theory.

Lest there be any misunderstanding, let me begin this post by stating that the enforcement actions against HP Poland, HP Russia and HP Mexico allege bad conduct by certain individuals – a “small fraction of HP’s global workforce” to use the exact words of the DOJ. As to that “small fraction,” those individuals should be held accountable for their actions by relevant law enforcement authorities.

However, as to the actual defendants charged in the enforcement actions – HP Russia, HP Poland and HP Mexico in the DOJ actions – and HP in the SEC administrative proceeding – there are actual legal elements that must be met and there is also prior enforcement agency guidance that ought to be followed.  The entire credibility and legitimacy of the DOJ and SEC’s FCPA enforcement programs depend on these two basic points.

For instance, in what is believed to be an FCPA first, the DOJ charged two non-issuers (HP-Russia and HP-Poland) with substantive violations of the FCPA’s books and records and internal controls provisions – provisions which only apply to issuers.   This is concerning in and of itself.

Yet the resulting landscape from the HP enforcement action is of more concern and it should induce mental anguish for many for the following reasons.

Issuers have an obligation under the FCPA to “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that,” among other things, transactions are executed in accordance with management’s general or specific authorization.  Failure to adopt such internal controls is a violation of law.

Conversely, and here is where the “hocus pocus” part comes in, if an issuer does adopt such internal controls and a “small fraction” of employees at certain foreign subsidiaries engage in covert means to willfully circumvent those internal controls, well, that is a violation of law as well in the eyes of the enforcement agencies.

The DOJ’s and SEC’s own allegations paint a picture of HP establishing, particularly given the time periods relevant to the enforcement actions, a system of internal accounting controls sufficient to provide reasonable assurances as to the conduct at issue, yet being a victim of the willful and deceptive conduct of a “small fraction” of employees who designed covert means to circumvent HP’s internal controls.

For instance, as to HP Poland, the criminal information alleges, in pertinent part as to the relevant time period (2006 to 2010):

“At all times relevant to this Information, HP policies prohibited corruption, self-dealing, and other misconduct.  HP’s Standards of Business Conduct (“SBC”) in effect during the relevant time period specified company rules and regulations governing legal and ethical practices, preparation of accurate books and records, contracting, and approvals and engagements of third parties.  The SBC applied to all HP Co. business divisions and subsidiaries, including HP Poland.  HP Poland employees, including HP Poland Executive, received mandatory SBC training annually, among other training.”

“The SBC manuals specifically referenced the FCPA, and prohibited, among other items, bribes, corrupt practices, ‘side letter,’ ‘off-the-books’ arrangements,’ and ‘other express or implied agreements outside standard HP contracting processes.’  The SBC manuals in effect during this period further instructed employees of HP that they were not to ‘commit [the relevant HP business] to undertake any performance, payment or other obligation unless [the employee was] authorized under the appropriate HP [business] delegation of authority policies,’ and further required accurate accounting records and proper finance practices.”

Notwithstanding these controls, the information alleges that an HP Poland Executive caused falsification of HP’s books and records and circumvented HP’s existing internal controls.  Among other things, the information alleges that the gifts to the Polish Official “violated HP internal controls relating to gift-giving, and were not properly reflected in HP’s books and records.”  The information alleges that the HP Poland Executive “willfully circumvented HP’s internal controls, and falsified corporate books and records relied on by HP’s officers and external auditors to authorize transactions and prepare HP’s consolidated financial statements.”  The information alleges that HP Poland Executive devised covert means – such as communicating through anonymous e-mail accounts and prepaid mobile telephones – in connection with his bribery scheme.  The information even alleges that the HP Poland Executive and the Polish Official drove around in vehicles in “remote locations” and “would type messages in a text file, passing the computer between themselves.” According to the information, “communications were made in this fashion to avoid possible audio recording of the discussions by hidden devices, and to circumvent HP’s internal controls.”

Nevertheless, the DOJ alleges:

“Although HP had certain anti-corruption policies and controls in place during the relevant time period, those policies and controls were not adequate to prevent the conduct described herein and were insufficiently implemented at HP Poland.”

As discussed in this prior post, what is the source for this dramatic conclusory allegation?  Nothing more than ipse dixit and subjective say-so.

The same holds true for the DOJ’s allegations concerning HP Mexico.  The non-prosecution agreement contains the same two substantive allegations concerning HP’s internal controls set forth above relevant to HP Poland, plus the following as to the relevant time period (2006 to 2009):

“HP’s policies permitted legitimate commission payments to channel partners.  These policies required that the recipient of commissions enter into a written channel partner contract with an addendum permitting the payment of commissions be pre-approved, subjected to due diligence, and registered in HP’s partner system.  HP Mexico’s policy also required channel partner commissions to follow an approval matrix, with commissions exceeding a particular percentage of the transaction’s total volume regarding additional approvals.”

Notwithstanding these controls, the information alleges that certain HP Mexico sales managers on one deal deceived HP.  The NPA states:

“[The Consultant at issue] was not an approved HP Mexico channel partner and had not entered into a written channel partner agreement as required by HP’s internal controls and policies.  In circumvention of these internal controls and policies, HP Mexico executives pursuing the BTO Deal arranged for another entity (“Intermediary”), which was already an approved HP Mexico channel partner, to join in the transaction.  HP Mexico’s sales managers arranged for the Intermediary to receive commissions from HP Mexico and then pass those monies along to Consultant, after deducting a portion as a fee. Although Intermediary played no role in negotiating the BTO Deal, HP Mexico executives recorded Intermediary as the deal partner in its internal tracking system.”

“By arranging payments to be made through the Intermediary to Consultant, HP Mexico was able to circumvent HP’s policies requiring pre-approval of channel partners and written agreement for third-party payments.  HP Mexico further circumvented HP’s controls by failing to identify the role of Intermediary in the BTO Deal …  In addition, HP Mexico’s books and records falsely reflected that the Intermediary was the deal partner and principal recipient of the commission on the BTO Deal, which ultimately caused certain HP books and records to be falsified.”

Nevertheless, the DOJ alleges:

“Although HP had certain anti-corruption policies and controls in place during the relevant period, those policies and controls were not adequate to prevent the conduct described herein and were insufficiently implemented at HP Mexico.  This allowed HP Mexico to circumvent HP’s internal accounting controls and falsify its books and records as described herein.”

What is the source for this dramatic conclusory allegation?  Nothing more than ipse dixit and subjective say-so.

The same holds true for the DOJ’s allegations concerning HP Russia.  The information contains the same two substantive allegations concerning HP’s internal controls set forth above relevant to HP Poland and HP Mexico, plus the following as to the relevant time period (2000 to 2007).

“HP’s policies placed restrictions and due diligence requirements on contracts with third parties, including ‘HP customers, channel partners, suppliers, other business partners or outside parties.’  They required credit checks and approvals for certain third parties, and required the preparation of ‘Subcontractor Qualification Worksheets’ and ‘Pre-Bid Risk Identification & Assessment Questionnaires’ that related to qualifications and financial capabilities of certain third parties.  Among other due diligence requirements, the policies required telephonic interview of certain third parties regarding experience, references, checks to determine whether the third party had the capacity and geographic coverage for the project, and an overall evaluation of doubts, reservations, and ‘risks/weaknesses’ of the third party.”

“HP’s Solution Opportunity Approval and Review (‘SOAR’) process applies to all service-related projects valued at greater than $500,000 anywhere in the world, including Russia.  Among other things, the SOAR process was designed to provide HP’s senior company management visibility into pricing, discounts, and profit margins for transactions.  It required review of relationships with third parties, including scope of work, contract terms, qualifications, and necessity of services.  Business, legal, finance, credit, tax, and other units participated in the SOAR review.  No services-related transaction greater than $500,000 could proceed without SOAR approval.”

“Pursuant to the Sarbanes-Oxley Act of 2002, HP management was required to certify the accuracy of HP’s financial statements and the adequacy of its related internal controls to develop those statements.  In supporting these certifications, HP executive management required senior and regional management of HP’s business units to sign sub-certifications certifying that HP’s financial statements were accurate and that their internal controls provided assurances that transactions were properly authorized and recorded, and assets were safeguarded from improper use.”

Notwithstanding these controls, the information alleges that five HP Russia employees deceived HP.  For instance, the information specifically alleges that the individuals created a secret slush fund and to “execute and hide the scheme … willfully circumvented existing internal controls, and falsified corporate books and records relied upon by HP officers and external auditors to authorize the transaction and prepare HP’s consolidated financial statements.”

According to the information, the slush fund “was concealed in the project’s financials” and “HP Russia maintained two sets of project pricing records:  off-the-books versions, known only to the conspirators, which identified slush fund recipients, and sanitized versions of the same documents which were provided to HP credit, finance, and legal officers outside of HP Russia.”

According to the information, “one example of an off-the-books document was an encrypted, password-protected spreadsheet” which contained different information than the “on-the-books version.”  According to the information, a Pricing Worksheet “provided to management outside of HP Russia omit[ted] all references to the slush fund payments, instead inflating hardware prices to create margin for the payments.”

In addition, the information alleges “concealment of [the] slush fund during SOAR Review.”  According to the information, “in early August 2003, HP management in Europe pressed HP Russia to begin the SOAR process for the GPO contract so that it could be executed.  In circumvention of company policy, however, HP Russia Executive 1 had already [signed the relevant contract and executed it] with no authorization and no power of attorney.”

According to the information, “the HP credit officer assigned to the SOAR review initially denied credit approval to proceed with the contract …”.  The information then alleges that the HP Russia Manager provided false information to the HP Credit Officer. The information further alleges that when the HP Credit Officer asked other questions regarding the relevant transaction, the HP Russia Manager provided other false information.

Regarding an actual SOAR meeting in 2003, the information alleges that the day before this meeting, the HP Russia Manager emailed relevant management with false information and thereafter provided additional false information to the HP Credit Officer in connection with the relevant transaction.

According to the information, when it came time for the HP Russia Executive to certify the accuracy of the company’s financial statements and adequacy of internal controls pursuant to SOX, the HP Russia Executive falsely certified the requested information, and such certification was relied upon by other HP managers.

According to the information, members of the Russian conspiracy “structured bribe payments to individuals associated with [the Russian government]” through an “off-the-books contract,” and the information specifically alleges as follows:

“In circumvention of HP internal controls, including third party due diligence requirements and prohibitions against ‘side letters,’ ‘off-the-books’ arrangements, or other express or implied agreements outside standard HP contracting process,’ HP Russia never disclosed the existence of the [off-the-books contract] to internal or external auditors or management outside of HP Russia, and conducted no due diligence of [the relevant entity].”

The information alleges that the purpose of the conspiracy was to “conceal[] and disguise[] the payments by falsifying HP Russia’s and HP’s books and records; and evading and failing to implement internal controls meant to detect and deter such payments.”  Specifically, the information alleges:

“HP Russia, through its executives and employees, together with others, knowingly and deliberately failed to implement internal accounting controls and circumvented existing internal accounting controls designed to detect and prevent such improper conduct.  HP Russia entered into off-the-books contracts, maintained two sets of accounting records, failed to conduct appropriate due diligence of third parties, concealed the existence of third-party relationship from HP management, executed contracts without authorization, and made misrepresentations to HP audit, compliance, credit and legal officers.”

Among other things, the information alleges that HP Russia employees “avoided controls over third-party vendors and off-the-books contracts,” “created and used certain mechanisms for making and concealing payments to third parties,” and “secretly executed certain contracts without proper authority.”

Nevertheless, the DOJ alleges:

“While the SBC prohibited corrupt payments, required due diligence of third-parties, and included other control requirements to maintain accountability for assets, the policies were not adequate to detect and prevent the misconduct described herein, and in practice certain HP business divisions and subsidiaries failed to implement and enforce the policies consistently, and on occasion circumvented or disregarded the policies entirely.”

What is the source for this dramatic conclusory allegation?  Nothing more than ipse dixit and subjective say-so.

Unlike the DOJ enforcement actions (in which HP was not an actual defendant but merely guaranteed payment of fine and penalty amounts and had compliance obligations imposed upon it), in the SEC’s enforcement action HP is the sole defendant (technically a respondent since the enforcement action was an administrative proceeding not subjected to one ounce of judicial scrutiny).  The SEC’s action is based on the same HP Poland, HP Russia, and HP Mexico conduct alleged in the DOJ enforcement actions.

Prior to stating the SEC’s conclusory statement as it relates to HP itself, it is useful to review the DOJ’s HP-specific allegations because there is little logical consistency between those allegations and the SEC’s conclusory statement.

Again, the DOJ alleged that HP:

  • Had existing FCPA and related policies and procedures in place and that all relevant employees received training on the policies;
  • Had existing policies and procedures in place related to commission payments to channel partners, due diligence of channel partners, and other tracking policies regarding channel partners;
  • Had an existing approval process in place that applied to all service-related projects valued at greater than $500,000 anywhere in the world and as part of that process HP managers questioned relevant subsidiary employees about questionable information;
  • Had an existing SOX certification and sub-certification process in place as relevant to the referenced subsidiaries.

Yet, and here comes the “hocus pocus” moment, the SEC states against the backdrop of the same covert means, concealment, and misrepresentations and deception alleged in the DOJ actions that:

“[A]lthough HP had certain anti-corruption policies and controls in place during the relevant time period, those policies and controls were insufficiently implemented on the regional or country level.  Further, HP failed to devise and maintain an adequate system of internal accounting controls sufficient to provide reasonable assurance that (i) access to assets was permitted only in accordance with management’s authorization; (2) transactions were recorded as necessary to maintain accountability of assets; and (3) transactions were executed in accordance with management’s authorization.”

It is difficult to reconcile the SEC’s HP allegations against actual legal authority in that the internal-controls provisions are specifically qualified through concepts of reasonableness and good faith.  The only judicial decision to directly address the substance of the internal-controls provisions states, in pertinent part, as follows:

“It does not appear that either the SEC or Congress, which adopted the SEC’s recommendations, intended that the statute should require that each affected issuer install a fail-safe accounting control system at all costs.”

In addition, various courts have held—in the context of civil derivative actions in which shareholders seek to hold company directors liable for breach of fiduciary duties due to the company’s alleged FCPA violations—that just because improper conduct allegedly occurred somewhere within a corporate hierarchy does not mean that internal controls must have been deficient.

The SEC’s allegations against HP are further difficult to reconcile with SEC guidance concerning the internal controls provisions. This guidance states, among other things:

“Inherent in this concept [of reasonableness] is a toleration of deviations from the absolute.”

“The test of a company’s internal control system is not whether occasional failings can occur. Those will happen in the most ideally managed company.”

The critical point in assessing an issuer’s internal controls is at the time of the alleged conduct and whether – at that time – the issuer had internal controls sufficient to provide various reasonable assurances.   In other words, the critical point is not 5 or 10 years later and the issue is not – with the benefit of perfect hindsight – whether the issuer could have done more.

Further problematic in the SEC’s enforcement action against HP is that it is yet another example of “non-charged bribery disgorgement,” and among the most vocal critics of this SEC theory is a former high-ranking SEC enforcement attorney (see here).

Whether the proper title should have been “The FCPA’s Free-For-All Continues,” “HP = Hocus Pocus” or how the HP enforcement action, with reason, should induce mental anguish among many, there is much to analyze and critique in the DOJ’s and SEC’s enforcement actions against HP and related entities.

The same applies to much recent FCPA enforcement activity.

To recap, since December 2013 the FCPA enforcement agencies have extracted approximately $546 million against risk-averse corporations:

  • (i) based on enforcement agency allegations that the parent company issuer was a victim of deceptive conduct and actions by a “small fraction” of its global workforce;
  • (ii) based on enforcement agency allegations that the corporate entities were victims of a corrupt Ukraine government that refused to pay VAT refunds that the companies were legitimately owed (see here); and
  • (iii) in a case concerning alleged conduct (approximately 10 to 15 years ago) by a consultant who was criminally charged by another law enforcement agency, put the law enforcement agency to its burden of proof at trial, and the law enforcement agency dismissed the case because there was no “realistic prospect of conviction” (see here).

Ipse Dixit

Tuesday, April 8th, 2014

This post last week highlighted the recent activity in SEC v. Mark Jackson & James Ruehlen (a Foreign Corrupt Practices Act enforcement action scheduled for trial this summer).  As noted in the post, among other things, the SEC is seeking to exclude various defense expert witnesses on a variety of issues including internal controls issues.

If you read the SEC’s motions (see here – condensed into one document) you will see that a primary basis for exclusion is the SEC’s argument that the experts are merely offering their own naked ipse dixit.

I must confess – arcane Latin phrases not being in my strike zone – I had to look up the meaning of ipse dixit.

Ipse Dixit – Latin for He himself said it – an unsupported statement that rests solely on the authority of the individual who makes it.

The term ipse dixit appears approximately 30 times in the SEC’s motions – and related to it – is the SEC’s argument that the experts’ internal controls opinions should be excluded because the experts fail to define certain terms and/or there is no discernible methodology underlying their opinions.

For instance, in seeking to exclude Alan Bell (CPA – regarding, among other things, internal controls) the SEC states:

“Bell could not define what constitutes a ‘circumvention’ of an internal control.”

“Bell concedes that there are no written standards to evaluate what constitutes, in his view, a ‘circumvention’ of an internal control.”

“Bell’s opinions are not the product of a reliable methodology applied to the facts of this case. In fact, Bell employed no methodology at all; instead, his opinions are ‘based on [his] 40 years of experience.’”

In seeking to exclude Gary Goolsby (CPA – regarding, among other things, internal controls issues) the SEC states:

“There is also no discernible methodology underlying his opinion on Jackson’s purported reliance [on Noble's internal controls], other than Goolsby’s own naked ipse dixit. Goolsby’s methodology reduces to the proposition that “I know what I’m looking at.” Yet, in deposition, he could not explain what his opinion means, as a practical matter, with reference to the conduct at issue in this case. Goolsby’s testimony thus confirms what is apparent from his report – his factual findings are based on nothing more than his subjective say-so.”

In seeking to exclude Lowell Brown (regarding various FCPA compliance issues) the SEC states:

“There is no discernible analysis or methodology underlying Brown’s opinion as to Jackson’s purported reliance, other than Brown’s own naked ipse dixit – a manifestly improper basis for expert testimony.”

In seeking to exclude Professor Ronald Gilson (regarding, among other things, internal controls issues) the SEC states:

“There is no genuine methodology here, other than Gilson’s own ipse dixit based on his subjective interpretation of the evidence

In the final analysis, Gilson is an advocate for the defense who proffers nothing but his ipse dixit in the place of rigorous analytical connection between his deficient methodology (reading deposition transcripts and exhibits) and his expert conclusion (the inference that if Ruehlen told others at Noble what he was doing, he lacked the corrupt intent to violate the FCPA, as opposed to simply colluding to bribe foreign officials).”

The irony of course is that while attacking the defendants’ experts for their own ipse dixit, many of the SEC’s FCPA internal controls enforcement theories are nothing more than ipse dixit.

For instance, as noted in this prior post, the SEC alleged that Oracle violated the FCPA’s internal control provisions. The only allegations against Oracle itself are that it failed to audit distributor margins against end user prices and that it failed to audit third party payments made by distributors.  The SEC did not allege any red flags to suggest why Oracle should have done this.  Thus, how did Oracle violate the FCPA’s internal controls provisions?  What was the methodology the SEC used?

Ipse dixit.

Indeed, in a pointed critique of the SEC’s Oracle enforcement theory, the former Assistant Chief of the DOJ’s FCPA unit stated:

“Oracle is the latest example of the SEC’s expansive enforcement of the FCPA’s internal controls provision, and it potentially paints a bleak picture—one in which the provision is essentially enforced as a strict liability statute that means whatever the SEC says it means (after the fact).”  (See here for the prior post).

In many SEC FCPA enforcement actions, the SEC merely makes conclusory statements for why the company allegedly violated the FCPA’s internal controls provisions.  For instance, in the Philips enforcement action (see here for the prior post) the SEC states:

“Philips failed to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions were properly recorded by Philips in its books and records. Philips also failed to implement an FCPA compliance and training program commensurate with the extent of its international operations. Accordingly, Philips violated [the internal control provisions].”

Source?  Methodology?

Ipse dixit.

As noted in my recent article, “Why You Should Be Alarmed by the ADM FCPA Enforcement Action,” one reason, among others, why you should be alarmed by the action is the “failure to prevent” standard invoked by the SEC for why ADM violated the FCPA’s internal controls provisions.  As noted in the article, this standard does not even exist in the FCPA and is inconsistent with actual legal authority.  (See here for the previous post regarding SEC v. World-Wide Coin – the only judicial decision to directly address the FCPA’s internal controls provisions).

Moreover, as noted in the article, the “failure to prevent” standard is inconsistent with SEC guidance relevant to the internal-controls provisions.  (See also this prior post).  The SEC’s most extensive guidance on the internal controls provisions states, in pertinent part, as follows:

“The Act does not mandate any particular kind of internal controls system. The test is whether a system, taken as a whole, reasonably meets the statute’s specified objectives. ‘Reasonableness,’ a familiar legal concept, depends on an evaluation of all the facts and circumstances.

Private sector decisions implementing these statutory objectives are business decisions. And, reasonable business decisions should be afforded deference. This means that the issuer need not always select the best or the most effective control measure. However, the one selected must be reasonable under all the circumstances.

Inherent in this concept [of reasonableness] is a toleration of deviations from the absolute. One measure of the reasonableness of a system relates to whether the expected benefits from improving it would be significantly greater than the anticipated costs of doing so. Thousands of dollars ordinarily should not be spent conserving hundreds. Further, not every procedure which may be individually cost-justifiable need be implemented; the Act allows a range of reasonable judgments.

The test of a company’s internal control system is not whether occasional failings can occur. Those will happen in the most ideally managed company. But, an adequate system of internal controls means that, when such breaches do arise, they will be isolated rather than systemic, and they will be subject to a reasonable likelihood of being uncovered in a timely manner and then remedied promptly.”

What is the source for the “failure to prevent” standard in ADM?  What is the methodology?

Ipse dixit.

In short, while attacking the defendants’ experts for their lack of defined methodology regarding internal controls issues, the SEC itself has long recognized that the FCPA’s internal controls lack a defined methodology.

As noted in this post, in a 2013 speech SEC Chair Mary Jo White reminded us why trials are important.  Among other things, White stated that “trials allow for more thoughtful and nuanced interpretations of the law in a way that settlements and summary judgments cannot.”

The SEC’s enforcement action against Jackson and Ruehlen represents an extremely rare instance in which the SEC is being forced to articulate its FCPA positions in the context of an adversary proceeding.

The SEC’s motions seeking to exclude defendants’ experts – while primarily based on ipse dixit – remind us that a large portion of the SEC’s (and DOJ’s) FCPA enforcement program is nothing more than ipse dixit – and subjective say-so.