Archive for the ‘Internal Controls’ Category

Issues To Consider From The Mead Johnson Enforcement Action

Monday, August 3rd, 2015

IssuesThis recent post highlighted the SEC FCPA enforcement action against Mead Johnson Nutrition Company.

This post continues the analysis by highlighting various issues to consider from the enforcement action. In sum, the short enforcement action contains several troubling issues that should cause alarm.

Imagine

Imagine a Foreign Corrupt Practices Act enforcement action without one single meaningful factual allegation against the corporate defendant resolving the action.

You don’t have to imagine. All you have to do is read the slim administrative cease and desist order against Mead Johnson.

The action was based on alleged conduct in China engaged in by Mead Johnson Nutrition (China) Co., Ltd. There was no finding, inference or suggestion in the SEC’s order that anyone associated with Mead Johnson, the issuer resolving the enforcement action, had knowledge of, participated in, or acquiesced in the improper conduct.

Rather, the order merely states the perfuctory finding that “Mead Johnson China’s books and records were consolidated into Mead Johnson’s books and records, thereby causing Mead Johnson’s consolidated books and records to be inaccurate” together with the conclusory legal finding that “Mead Johnson failed to devise and maintain an adequate system of internal accounting controls over Mead Johnson China’s operations sufficient to prevent and detect the improper payments that occurred over a period of years.”

Invoking a Standard That Does Not Even Exist In the FCPA

Relevant to the above conclusory legal finding, the SEC’s finding that issuers must devise and maintain internal controls “sufficient to prevent and detect” improper payments does not even exist in the FCPA.

As previously highlighted in this article ( “Why You Should Be Alarmed By the ADM FCPA Enforcement Action”)  and subsequently in connection with other recent SEC enforcement actions, invocation of a ‘‘failure to prevent or detect’’ internal controls standard is alarming because such a standard does not even exist in the FCPA and is inconsistent with actual legal authority. Just as important, such a standard is inconsistent with enforcement agency guidance relevant to the internal-controls provisions.

The internal-controls provisions are specifically qualified through concepts of reasonableness and good faith. This statutory standard is consistent with congressional intent in enacting the provisions. Relevant legislative history states: ”

“While management should observe every reasonable prudence in satisfying the objectives called for [in the books-and-records and internal-controls provisions], . . . management must necessarily estimate and evaluate the cost/benefit relationships to the steps to be taken in fulfillment of its responsibilities . . . . The size of the business, diversity of operations, degree of centralization of financial and operating management, amount of contact by top management with day-to-day operations, and numerous other circumstances are factors which management must consider in establishing and maintaining an internal accounting controls system.”

As highlighted here, the only judicial decision to directly address the substance of the internal-controls provisions states, in pertinent part, as follows:

“The definition of accounting controls does comprehend reasonable, but not absolute, assurances that the objectives expressed in it will be accomplished by the system. The concept of ‘‘reasonable assurances’’ contained in [the internal control provisions] recognizes that the costs of internal controls should not exceed the benefits expected to be derived. It does not appear that either the SEC or Congress, which adopted the SEC’s recommendations, intended that the statute should require that each affected issuer install a fail-safe accounting control system at all costs. It appears that Congress was fully cognizant of the cost-effective considerations which confront companies as they consider the institution of accounting controls and of the subjective elements which may lead reasonable individuals to arrive at different conclusions. Congress has demanded only that judgment be exercised in applying the standard of reasonableness.”

In addition, various courts have held—in the context of civil derivative actions in which shareholders seek to hold company directors liable for breach of fiduciary duties due to the company’s alleged FCPA violations— that just because improper conduct allegedly occurred somewhere within a corporate hierarchy does not mean that internal controls must have been deficient.

The ‘‘failure to prevent and detect’ standard is also alarming when measured against the enforcement agencies’ own guidance concerning the internal controls provisions.  As highlighted here, the SEC’s most extensive guidance on the internal controls provisions states, in pertinent part, as follows:

“The accounting provisions’ principal objective is to reaching knowing or reckless conduct.”

“Inherent in this concept [of reasonableness] is a toleration of deviations from the absolute. One measure of the reasonableness of a system relates to whether the expected benefits from improving it would be significantly greater than the anticipated costs of doing so. Thousands of dollars ordinarily should not be spent conserving hundreds. Further, not every procedure which may be individually cost-justifiable need be implemented; the Act allows a range of reasonable judgments.”

“The test of a company’s internal control system is not whether occasional failings can occur. Those will happen in the most ideally managed company. But, an adequate system of internal controls means that, when such breaches do arise, they will be isolated rather than systemic, and they will be subject to a reasonable likelihood of being uncovered in a timely manner and then remedied promptly. Barring, of course, the participation or complicity of senior company officials in the deed, when discovery and correction expeditiously follow, no failing in the company’s internal accounting system would have existed. To the contrary, routine discovery and correction would evidence its effectiveness.”

Internal Controls – Which Is It?

Another trouble featuring of the Mead Johnson enforcement action is that the SEC makes contradictory findings regarding Mead Johnson’s internal controls.

On the one hand, the SEC finds:

“Mead Johnson has established internal policies to comport with the FCPA and local laws, and to prevent related illegal and unethical conduct. Mead Johnson’s internal policies include prohibitions against providing improper payments and gifts to HCPs that would influence their recommendation of Mead Johnson’s products.”
[...]
The use of the Distributor Allowance to improperly compensate HCPs was contrary to management’s authorization and Mead Johnson’s internal policies.”

Yet on the other hand, the SEC order contains the following conclusory legal finding:

“Mead Johnson failed to devise and maintain an adequate system of internal accounting controls over Mead Johnson China’s operations sufficient to prevent and detect the improper payments that occurred over a period of years.”

The Simplicity of But For

Numerous prior posts (see here along with embedded posts therein) have examined the simplicity of but for allegations or findings in FCPA enforcement actions (i.e. but for the alleged improper payments, the company would not have obtained or retained the alleged business at issue).

The Mead Johnson enforcement action contains such a simplistic finding as the SEC stated that Mead Johnson China “made improper payments to certain health care professionals (“HCPs”) at state-owned hospitals in China to recommend Mead Johnson’s nutrition products to, and provide information about, expectant and new mothers.” (emphasis added).

The but for inference is that without the alleged improper payments, the HCP’s would not have recommended Mead Johnson’s nutrition products.

Such a finding is fanciful.

Mead Johnson’s products (and those of other Western companies) are market leaders in China for the simple fact that “foreign infant formula became preferred by Chinese consumers after a milk scandal in 2008 in which domestic [Chinese] manufacturers mixed melamine with their infant formula products.  Six infants died of severe kidney damage and an estimated 300,000 babies suffered painful kidney stones, causing Chinese customers to lose confidence in domestic [Chinese] infant formula products.” (See here and here).

Alarming Language from the SEC

As troubling as the above issues are, the most alarming aspect of the short Mead Johnson enforcement action is the seeming suggestion by the SEC that issuers have an obligation to self-report internal investigation results that do not find evidence of FCPA violations.

By way of background, the SEC’s order states that in 2011 “Mead Johnson received an allegation of possible violations of the FCPA in connection with the Distributor Allowance in China. In response, Mead Johnson conducted an internal investigation, but failed to find evidence that Distributor Allowance funds were being used to make improper payments to HCPs. Thereafter, Mead Johnson China discontinued Distributor Allowance funding to reduce the likelihood of improper payments to HCPs, and discontinued all practices related to compensating HCPs by 2013.” (Emphasis Added).

Even though the SEC noted that Mead Johnson’s internal investigation failed to find evidence of FCPA violations, the SEC’s order next states: “Mead Johnson did not initially self-report the 2011 allegation of potential FCPA violations and did not thereafter promptly disclose the existence of this allegation in response to the Commission’s inquiry into this matter.” Subsequently, the SEC’s order similarly states: “Despite not self-reporting the 2011 allegation of potential FCPA violations or promptly disclosing the existence of this allegation in response to the Commission’s inquiry into this matter, Mead Johnson subsequently provided extensive and thorough cooperation.”

Perhaps it was merely inartful language, but if the SEC’s position is that issuers have an obligation to self-report internal investigation results that do not find evidence of FCPA violations, then such a position is truly alarming and without any legal support.

Timeline

Contrary to this report, Mead Johnson did not first disclose its FCPA scrutiny “early last year” but rather in October 2013 (see this prior post).

Nevertheless, the time between public disclosure and the enforcement action was less than two years, an unusually speedy resolution given that the norm in FCPA inquiries is often 2-4 years with several examples in the 5-7 year range.

 

The SEC Frequently Alleges Or Finds Only Books And Records And Internal Controls Violations In FCPA Enforcement Actions

Thursday, June 11th, 2015

SECThis recent post highlighted critical commentary regarding the recent BHP Billiton enforcement action.

One theme from much of the commentary was that the BHP action was somehow unique in charging (or finding as the case may be since it was an SEC administrative action) books and records and internal controls violations in the absence of anti-bribery violations.

More broadly, some FCPA commentators have suggested (here and here) that the SEC is placing a new emphasis on internal controls in the absence of anti-bribery violations.

However, the enforcement approach in BHP Billiton was hardly unique and more broadly the SEC has long charged or found books and records and internal controls violation in the absence of anti-bribery violations or findings.

Set forth below are numerous instances over the past five years in which the SEC has alleged or found only books and records and internal controls violations in Foreign Corrupt Practices Act enforcement actions.  (All actions can be found on the SEC’s FCPA website).

2014

Avon
Bruker
HP

In other words 3 of 7 (43%) corporate SEC FCPA enforcement actions in 2014 did not allege or find anti-bribery violations.

2013

ADM
Stryker
Philips Electronics

In other words, 3 of 8 (38%) corporate SEC FCPA enforcement actions did not allege or find anti-bribery violations.

2012

Allianz
Oracle
Pfizer
Orthofix

In other words, 4 of 8 (50%) corporate SEC FCPA enforcement actions did not allege of find anti-bribery violations.

2011

Aon
Watts Water
Diageo
Comverse
Rockwell Automation
Ball Corp
IBM
Tenaris

In other words 8 of 13 (62%) corporate SEC FCPA enforcement actions did not allege or find anti-bribery violations.

2010

Natco
Veraz Networks
General Electric

In other words, 3 of 19 (16%) corporate SEC FCPA enforcement actions did not allege or find anti-bribery violations.  (Note 2010 enforcement statistics are impacted by the 7 related Panalpina enforcement actions.  If one counts these related actions as one, 3 of 12 (25%) corporate SEC FCPA enforcement actions did not allege or find anti-bribery violations).

So prominent is SEC FCPA enforcement actions without anti-bribery violations or findings that the term non-bribery charged disgorgement has been part of the FCPA vocabulary for years.  (See here).

BHP Billiton Enforcement Action Generates Much Critical Commentary

Thursday, June 4th, 2015

Thumbs Down2FCPA Inc. is an active group of writers.

Thus it was no surprise that the recent BHP Billiton enforcement action generated much commentary.

The May 20th enforcement action was previously highlighted here and here and this post highlights other commentary regarding the BHP Billiton enforcement action.

Prior to highlighting the commentary – much of it is consistent with my prior criticisms of the enforcement action linked above –  a few observations.

While the BHP Billiton action is problematic on a number of levels, it does not dilute FCPA enforcement as much as the even more problematic 2012 Oracle enforcement action.

A general theme in much of the below commentary is that the enforcement action lacked anti-bribery charges because there was no quid pro quo relationship between the hospitality payments or offers of payments and BHP Billition’s business.

In the minds of some, this lack of quid pro quo is the reason for the lack of SEC anti-bribery charges.

I disagree.

For starters, as noted in certain of the commentary, the SEC did allege “payments to foreign officials to support their attendance at Olympic events at the very time BHPB had pending business before those officials or others over whom they may have had influence.”

More importantly, the lack of anti-bribery charges against BHP Billiton (a foreign issuer) would seem to be based on the fact that the required U.S. jurisdictional nexus for such charges was lacking.

Another general theme in much of the below commentary is that the BHP action is somehow unique in charging (or finding as the case may be since it was an SEC administrative action) books and records and internal controls violations in the absence of anti-bribery violations.

As will be highlighted in a future post, the enforcement approach in BHP Billiton was hardly unique.  The SEC often charges or finds books and records and internal controls violations in the absence of anti-bribery charges or findings.  Point taken that often the reasons are opaque, but the charges or findings in BHP are hardly unique.

To the commentary.

*****

The always informative Debevoise & Plimpton FCPA Update stated in pertinent part:

“Although the BHPB settlement involves a smaller penalty than some other recent resolutions, it may well turn out to be one of the more notable FCPA resolutions in several years. This is because the case addresses issues of recurring concern to multinational corporations that have long been sought out as sponsors of – or, at least, purchasers of hospitality packages for – marquee sporting events.

As good corporate citizens, these firms have come to view the purchase of tickets and hospitality packages as part of the collaboration with host entities managing such events, including national governments. This is an integral element of brand management and corporate strategy. In the course of such collaboration, these companies also receive due credit for making the event a successful interlude during which governments, business, and society at large, pause to celebrate the endeavor of sport. Yet the very process of supporting such an event leads to the inevitable question of “whom may we invite?” From there, the issue of anti-bribery compliance becomes a central issue for in-house compliance personnel.

The BHPB resolution likely will lead U.S. issuers choosing to provide hospitality of this kind to expend significant additional time, resources, and money devising and maintaining controls suggested by the resolution. Even though the settlement lacks the force of law, it will no doubt raise considerable pressure on companies to exercise even greater care if inviting foreign officials to such events, and may cause some firms subject to the books and records and internal controls provisions of the FCPA, i.e., those subject to SEC jurisdiction, to reconsider altogether this practice.

[...]

The bottom line for compliance professionals and in-house counsel is that – despite statements by enforcement officials that the issues of greatest concern to them are those arising out of the “big bribe” – travel, hospitality, and entertainment remain front and center in many cases and, particularly for the SEC, can provide the basis for substantial settlements.”

[...]

As in all settled FCPA matters, the terms of the BHPB resolution are the product of negotiation designed to serve the immediate interests of the parties in resolving a pending matter, and not the broader interest in definitively clarifying the law. And, at the end of the day, and after years of investigation, this particular resolution appeared to have yielded, at most, violations of lower severity than those that have led to larger settlements. It is notable that the Cease-and-Desist Order identified only four individuals out of 176 “foreign officials” invited to the Olympics who were involved with or in a position to influence pending matters involving BHPB. Of those four, only one official attended the Olympics. In these circumstances, it is no surprise that the DOJ did not take action.

But even for one of the smaller FCPA cases on its docket, the SEC could have provided more useful guidance in a compliance area where government officials and the courts alike (the latter at least in domestic bribery cases) have long stated that companies should have substantial leeway – provided that no quid pro quo arrangements inhere. Because of the ambiguities in the BHPB settlement, issuers will now inevitably need to exercise even greater caution when inviting “foreign officials” (including employees of state-owned enterprises) to events like this one.

The Cease-and-Desist Order may not have found this practice to violate the FCPA’s anti-bribery provisions. But the SEC has set a high bar for any company extending hospitality to foreign officials in terms of necessary internal controls, requiring independent review of almost every decision, potentially exacting accuracy and specificity for documentation, special training, and other procedures.”

*****

This Steptoe & Johnson publication is titled “Does SEC’s Enforcement Action Against BHP Billiton Take the FCPA’s Accounting Provisions To Far?” In pertinent part it states:

“This settlement … represents one of the most aggressive uses by the SEC to date of its accounting, and particularly its internal controls, authorities in an FCPA context.  Instead of being predicated on specific questionable payments, the factual basis of the charges was that the company recognized the risk that improper quid pro quo arrangements could develop in connection with the hospitality program, and that such risks were not appropriately managed by the company’s program, including through the manner in which they were documented in company compliance approval tracking forms.

This settlement raises significant questions regarding the manner in which SEC enforcement of the FCPA’s accounting provisions continues to evolve.  As regular consumers of SEC FCPA enforcement actions will know, in recent years, leadership of the SEC’s FCPA Unit has consistently asserted that it views an effective FCPA compliance program as essential to satisfying the FCPA’s legal requirement to “devise and maintain a system of internal accounting controls sufficient …” to ensure that “transactions are executed in accordance with management’s general or specific authorization”, and related tracking requirements.

The charges in this settlement take that position – which has not been litigated – a step further.  They appear to raise the prospect that companies could be charged with violations of the FCPA’s accounting provisions where their compliance programs do not maintain all elements of what the SEC would deem an effective compliance program – even where no underlying bribery (or at least payment arrangements suggesting some kind of improper quid pro quo, for example), has taken place.

The case also suggests that programs in the areas of hospitality and sponsorship – common and recurring areas of activity for many companies – may face enhanced scrutiny for systemic adequacy from a regulatory point of view, at least where larger amounts are involved.  Such a position – if the SEC indeed intends to pursue enforcement actions on this basis as a matter of enforcement policy – would significantly expand the scope of risks facing US issuers with appreciable FCPA/anti-corruption risks to their business.

[....]

This settlement represents one of the most expansive assertions of the SEC’s authority under the FCPA’s accounting provisions in its enforcement practice to date.  While the elements of both books-and-records and internal control violations do not require an underlying anti-bribery provision violation, as noted above, the SEC has typically brought books-and-records and internal controls charges against companies where there has been at least some suggestion of specific improper quid pro quo arrangements in connection with the payments in question. Consequently, the second-guessing of the adequacy of the company’s compliance procedures for BHP Billiton’s hospitality program is stunning: it imposes legal liability, a $25 million civil penalty, and ongoing compliance obligations on a company simply for the failure to address and manage risks in a way the SEC deems adequate. In addition to straying even further from the text of 15 U.S.C. 78m(b)(2)(A) and (B) than the SEC already had, this settlement represents some of the most prescriptive statements regarding specific compliance program practices SEC has made in the FCPA context.

As a result, many companies will understandably be very uneasy about the direction of the SEC’s enforcement program after this settlement and the sufficiency of their efforts to meet it.   Very few companies’ compliance programs comprehensively address all anti-corruption risks that a company faces, and most companies’ programs will have process or procedure gaps of which they may or may not be aware.  This settlement thus raises the question whether simply the existence of FCPA risks not effectively eliminated by a company’s compliance program – but not necessarily resulting in anti-bribery provision violations either – may nevertheless be subject to enforcement action.  Specific to the sponsorship, hospitality and gifts and entertainment area, it also raises the question of whether business entertainment for the purposes of relationship building – a necessary activity in most, if not all businesses – will raise enforcement risks when it nevertheless does not rise to the level of a specific, prohibited quid pro quo arrangement and is not undertaken in connection with other business activities.  Companies that engage in event sponsorships for other than purely altruistic reasons may be particularly challenged to manage these “group events” – even those that treat state enterprises and government officials on the same footing as private customers – in a way that meets enforcement expectations.  But if significant benefits are involved, then the message from this settlement is clearly that such differential risk management is expected.

As with many SEC resolutions, the settlement documents provide no insight into how the fine was calculated.  The settlement also continues a recent trend of the SEC to require post-settlement compliance reporting on the part of the company.

Whether this settlement represents the beginning of a trend, or an isolated occurrence representing a negotiated resolution in connection with difficult facts, remains to be seen.  This settlement highlights in particular, however, that companies should consider whether their compliance programs effectively address their most significant risks and review their associated processes and procedures accordingly.”

*****

This Paul Weiss alert states in pertinent part:

“In addition to the record-setting civil fine, BHPB is notable as a significant expansion of the SEC’s use of the FCPA’s accounting provisions in cases where the SEC believes an issuer’s compliance program creates the potential for bribery, even if bribery has not actually occurred or cannot be established. BHPB raises the very real prospect that issuers may face charges under the FCPA’s accounting provisions—even when there is no evidence of a quid pro quo, corrupt intent, or any improperly awarded business or government action—if the SEC is not satisfied that the issuer’s internal accounting controls and anti-corruption compliance program are sufficient to adequately manage corruption risks.”

[...]

“The SEC’s enforcement action against BHPB is significant for at least four reasons.

First, this settlement represents a rare example of the SEC bringing internal accounting controls and books and records charges in a case where it neither alleges actual bribery of a foreign official, nor suggests that such bribery took place but could not be charged for jurisdictional or other reasons.

Historically, the SEC has tended to charge issuers with violating the accounting provisions of the FCPA as a supplement to—rather than a substitute for—a bribery charge. In the exceptional cases where the accounting provisions alone have been charged, there is ordinarily some indication that improper payments were offered in exchange for a business benefit—in other words, that bribery had in fact occurred even if not charged. SEC precedent for bringing charges under the accounting provisions without an indication of actual underlying bribery seems to have its roots in a 2012 settled enforcement action against Oracle Corporation (“Oracle”). In Oracle, the SEC alleged that employees of an Oracle subsidiary in India secretly “parked” proceeds from sales to the Indian government for potential future use. The SEC did not claim that the Oracle subsidiary made corrupt payments to government officials, but did allege that the parked proceeds created “the potential for bribery or embezzlement,” and that Oracle lacked proper internal controls in light of that potential.

Here, it appears that the SEC was unable to show that BHPB’s business hospitality entertainment program was accompanied by any corrupt motive or involved a quid pro quo. This outcome is consistent with the proposition—well established in the domestic bribery context—that giving things of value to government officials for the purpose of building relationships or buying generalized goodwill is permissible. The BHPB enforcement action thus suggests that the Oracle case may not be an outlier in charging FCPA violations in the absence of an allegation of actual bribery, as some expert commentators have suggested, but perhaps the beginning of a new frontier in FCPA enforcement.

Second, even if it is tenable as a general legal matter to charge a standalone internal accounting controls violation based solely on the SEC’s subjective assessment of the adequacy of an issuer’s anti-corruption compliance program, the BHPB settlement represents an expansive application of the accounting provisions.6 Indeed, the SEC’s Order acknowledges that BHPB devised and maintained multiple internal controls to prevent corruption. For example, BHPB adopted a written Guide to Business Conduct; the President of each business line was given responsibility for ensuring compliance with that Guide; all business line Presidents certified annually that they had read and understood the Guide, confirmed that their direct reports did the same, and discussed compliance with their direct reports; BHPB established a Global Ethics Panel whose remit involved advising business leaders on compliance with the Guide and other business ethics issues; and BHPB’s compliance was overseen by a centralized Legal Department. In addition, BHPB instituted internal controls intended to address the particular corruption risks arising from the Olympics Hospitality Program, including creating detailed internal application forms aimed at addressing corruption risk, a senior business manager approval process, and a role for the Global Ethics Panel in assessing the invitation process that included reviewing a sample of the hospitality application forms.

To be sure, the SEC’s Order notes the absence of a centralized compliance group, and BHPB confirmed that it had “no independent compliance function” in its release announcing the end of the U.S. government investigations. However, more than any objective deficiency with BHPB’s compliance structure, the SEC’s internal accounting controls charge appears to rest on highly specific criticisms of the internal forms used to evaluate individual hospitality applications and the related compliance process. While giving things of value for purposes of relationship building is permissible and does not constitute bribery, it appears that the SEC may intend to use the FCPA’s internal accounting controls provisions to penalize any perceived shortcomings in companies’ efforts to scrutinize such activities.

Third, the SEC’s books and records charge reflects an aggressive, but not necessarily new, interpretation of Section 13(b)(2)(A), which requires issuers to make and keep books and records that “accurately and fairly reflect the transactions and dispositions of the assets of the issuer.” The SEC’s position raises important questions of statutory interpretation and public policy. There is nothing in the language of the books and records provision to suggest that it encompasses purely internal application forms completed for the purpose of approving gifts and entertainment expenditures. If the SEC can charge a books and records violation for any alleged inaccuracy in any internal paperwork, it will impose an enormous compliance burden that even the most sophisticated and well-resourced companies may struggle to satisfy.

Finally, the imposition of a $25 million civil fine and year of compliance reporting to the SEC is remarkable for a case in which there was no actual bribery, much less a bribery charge, no allegation of any quid pro quo or improper business benefit, and complete cooperation and full remediation. It is also noteworthy that the SEC has consistently reaffirmed its authority to seek disgorgement in enforcement actions brought under the internal controls or books and records provisions, but did not seek any disgorgement here. And despite the record-setting fine against BHPB, the SEC’s Order sheds no light on how such a fine was calculated. Moreover, although the SEC’s press release acknowledged the assistance of the Department of Justice’s Fraud Section, the Federal Bureau of Investigation, and the Australian Federal Police, no criminal charges to date have been brought.”

*****

This Willkie Farr alert states in pertinent part:

“The BHPB settlement represents an aggressive stance by U.S. regulators with regard to providing entertainment and hospitality to government officials. As part of BHPB’s 2008 Summer Olympic Games sponsorship activities, the company invited people from all around the world. BHPB recognized the anticorruption risks potentially associated with such entertainment and tried to take precautions in advance of inviting government officials to the Summer Games by using a specifically designed “Olympic-specific internal approval process” to vet the company’s invitations. However, the SEC determined BHPB’s efforts fell short. In particular, the SEC noted that (1) BHPB did not require an independent legal or compliance review of hospitality applications; (2) some hospitality applications were not accurate or complete; (3) although BHPB had an annual Guide to Business Conduct review and certification process, as well as general compliance training, it did not have specific training on how to fill out the hospitality forms for the Olympic entertainment or evaluate applications under the company’s existing policies; (4) BHPB did not institute a process to update or reassess the appropriateness of invitations if conditions changed; and (5) the review process did not coordinate or assess whether an invitee from one CSG was involved in the business dealings of other CSGs. The SEC order does not allege that BHBP provided entertainment as part of a quid pro quo arrangement or allege a violation of the FCPA’s antibribery provisions. The order does not state how the SEC arrived at the civil monetary penalty of $25 million, a seemingly harsh penalty based on the facts alleged in the order.”

 

Issues To Consider From The FLIR Systems Enforcement Action

Monday, April 13th, 2015

IssuesThis recent post highlighted the SEC FCPA enforcement action against FLIR Systems.

This post continues the analysis by highlighting various issues to consider associated with the enforcement action.

 

Was the Enforcement Action “Just”

In the minds of some, “rogue employees” are mere figments in the imagination of corporate apologists.

Yet, the FLIR Systems enforcement action was based on the conduct of two individuals:  Stephen Timms (Head of FLIR’s Middle East Office) and Yasser Ramahi who reported to Timms.

What did these two individuals do?

In the words of the SEC, the individuals “concealed” the extent and nature of the travel and gifts to “foreign officials” which gave rise to the enforcement action.

In the words of the SEC, after Timms’ manager asked certain questions about the travel, “Ramahi and Timms later claimed that the … ‘world tour’ had been a mistake” and that the foreign officials “used FLIR’s travel agent in Dubai to book their own travel and that it had been mistakenly charged to FLIR.  They then used FLIR’s third-party agent to give the appearance that the MOI paid for their travel.  Timms also oversaw the preparation of false and misleading documentation of the MOI travel expenses that was submitted to FLIR finance as the ‘correct’ travel document.”

Was the conduct of the two individuals, who concealed and lied, inconsistent with FLIR’s existing FCPA-related policies and internal controls?

Yes.

In the words of the SEC:

“During the relevant time, FLIR had a code of conduct, as well as a specific anti-bribery policy, which prohibited FLIR employees from violating the FCPA. FLIR’s policies required employees to record information “accurately and honestly” in FLIR’s books and records, with “no materiality requirement or threshold for a violation.” FLIR employees, including Timms and Ramahi, received training on their obligations under the FCPA and FLIR’s policy, although the company did not ensure that all employees, including Ramahi, completed the required training.”

Against this backdrop of SEC allegations, was it truly “just” for the SEC to find that FLIR Systems violated the FCPA’s anti-bribery provisions?

The same question can even apply to the SEC’s finding that FLIR Systems also violated the FCPA’s books and records and internal controls provisions.

In the words of the SEC:

“FLIR had few internal controls over travel in its foreign sales offices at the time. Although FLIR had policies and procedures over travel for its domestic operations, there were no controls or policies in place governing the use of foreign travel agencies. Instead, FLIR foreign sales employees worked directly with FLIR’s foreign travel agencies to arrange travel for themselves and others. Sales managers, such as Timms, were solely responsible for expense approvals for their sales staff. Timms’ manager was responsible for approving travel-related expenses for all non-U.S.-based senior sales employees (such as Timms) and approving the payment of large invoices to the foreign travel agencies.

FLIR also had few controls over the giving of gifts to customers, including foreign government officials. Sales staff and managers were responsible for all expense approvals for gifts and accounts payable was not trained to flag expenses that were potentially problematic.”

As a matter of law, the FCPA’s internal control provisions do not specify which type of internal controls provisions an issuer must have.  Rather, the law states than issuer must have internal controls sufficient to provide reasonable assurances as to four general categories.  The FCPA specifically defines ”reasonable assurances” and “reasonable detail” as follows: a “level of detail and degree of assurance as would satisfy prudent officials in the conduct of their own affairs.”

The only substantive judicial decision on the internal controls provisions states:

“The concept of ‘‘reasonable assurances’’ contained in [the internal control provisions] recognizes that the costs of internal controls should not exceed the benefits expected to be derived. It does not appear that either the SEC or Congress, which adopted the SEC’s recommendations, intended that the statute should require that each affected issuer install a fail-safe accounting control system at all costs.”

The SEC’s most extensive guidance on the internal controls provisions states, in pertinent part, as follows:

“The Act does not mandate any particular kind of internal controls system. The test is whether a system, taken as a whole, reasonably meets the statute’s specified objectives. ‘‘Reasonableness,’’ a familiar legal concept, depends on an evaluation of all the facts and circumstances.

Private sector decisions implementing these statutory objectives are business decisions. And, reasonable business decisions should be afforded deference. This means that the issuer need not always select the best or the most effective control measure.”

Against this backdrop, it would seem relevant to the SEC’s internal controls finding regarding foreign travel that during the time period relevant to the enforcement action FLIR had approximately 2,100 employees, with approximately 1,400 located in the U.S.

Are the Post-Enforcement Action Reporting Obligations “Just”?

Against the backdrop of the SEC’s allegations, as well as the fact that FLIR Systems voluntarily disclosed and cooperated in the SEC’s investigation and undertook “significant remedial efforts,” was it “just” that the SEC required FLIR Systems, for a two year period, to report “periodically, at no less than nine months intervals” concerning the “status of its compliance review of its overseas operations and the status of its remediation and implementation of compliance measures?”

Or was the SEC’s condition of settlement yet another example of a government required transfer of shareholder wealth to FCPA Inc. (See here for the prior post).

Is the Disgorgement “Just”?

The bulk of the $9.5 million settlement ($8.5 million to exact) consisted of disgorgement and prejudgment interest.

The simplistic position that the SEC took (and often takes in FCPA enforcement actions) is that FLIR Systems would not have secured the business at issue with the Saudi Arabia Ministry of Interior (“MOI”) but for the alleged travel (which the SEC did acknowledge contained a core, legitimate business but morphed) and wrist-watches provided to the “foreign officials”.

Because FLIR System did obtain or retain such business, the theory goes, FLIR Systems was unjustly enriched and thus should disgorge its profits from the sales to the MOI.

This is so simplistic as to fail the basic smell test (see here, here, here and here for prior posts discussing the same general topic).

For instance, FLIR’s major customer base is governments around the world – including the U.S. government.  Indeed, as noted in its most recent annual report:

“We derive significant revenue from contracts or subcontracts funded by United States government agencies. A significant reduction in the purchase of our products by these agencies or contractors for these agencies would have an adverse effect on our business. For the fiscal years ended December 31, 2014, 2013 and 2012 approximately 20 percent, 24 percent and 27 percent, respectively, of our revenues were derived directly or indirectly from sales to the United States government and its agencies.”

Yet, in the SEC’s mind, FLIR was unjustly enriched when the Saudi MOI purchased its products because a few of its officials happened to go to, among other places, New York City in connection with a legitimate factory inspection tour or were provided with wrist-watches.

The Foolish of Obey the Law Injunctions

As noted in the SEC’s administrative order resolving the FCPA enforcement:

“On September 30, 2002, in connection with a settled accounting fraud case, the Commission ordered FLIR to cease and desist from violations of the anti-fraud and related provisions of the federal securities laws.”

As highlighted in the SEC’s order, the 2002 action focused on general revenue recognition and financial reporting issues.  Yet, given the generic nature of the FCPA’s books and records and internal controls provisions, the SEC did find violations of those provisions in the 2002.

This is another reminder of the foolishness of the SEC’s so-called “obey the law injunctions” – which as explored in this guest post – have been found invalid because the injunction is so broad as to mean next to nothing.

No Disclosure

The vast majority of issuers under FCPA scrutiny disclose the scrutiny in SEC filings, notwithstanding the fact that in most instances there is no legal obligation to do so.

FLIR Systems was a unique example of a company not disclosing its FCPA scrutiny.  The first the public learned about FLIR’s scrutiny was logically when the SEC brought the related enforcement against the former employees in November 2014.

Duke’s Season Of Failures

Wednesday, April 8th, 2015

DukeEarlier this week, Duke won the national championship basketball game to cap off a successful season.  By one measure, Duke was thus the most successful team in college basketball this year.

However, it is undisputed that Duke failed many times this year.

For starters, Duke ended the season 35-4 which means that Duke lost 10% of its games.  Duke failed to win the regular season ACC conference championship and also failed to win the ACC tournament conference championship.  The second week of January was a complete failure for Duke as they lost to both unranked North Carolina State and unranked Miami.

Duke’s season statistics also evidence less than perfection in several fundamental categories.  For the year, Duke’s defense ranked 110th in points per game allowed; 53rd in rebounds per game; 134th in blocks per game; and 68th in steals per game.  In short, there were countless teams that performed better than Duke in the above categories.

More generally Duke’s season witnessed several missed easy shots, numerous dumb fouls, and countless unforced turnovers.

So pronounced were Duke’s failures this past season that in January the team dismissed a key player because he ”repeatedly struggled to meet the necessary obligations” expected of players in the program.

Despite Duke’s many failures this past season, the beauty of sports is that success is viewed holistically and not through a narrow segment of time, a discrete statistical category, the specifics of a certain possession, or the actions of just one player.

Yet the point of this post is to contemplate what would have happened to Duke this season if it was a business organization subject to various criminal or civil laws such as the Foreign Corrupt Practices Act.

The short answer is that Duke would have been prosecuted and criticized (by the DOJ and numerous FCPA commentators) for its complete lack of internal controls.  The enforcement theories / comments would have been along the following lines.  That Duke lost 10% of its games is evidence of ineffective internal controls; team that losses twice in one week to unranked teams does not have effective internal controls;  given the key player’s dismissal, Duke surely failed to detect and prevent improper conduct.

After all, FCPA enforcement actions are often based on the enforcement agencies wearing  rose-colored glasses and viewing a multinational business organization with thousands of employees through the prism of just a 1% fail rate, through the prism of just one business transaction, or through the prism of just an incredibly small group of employees.

An interesting clause in most corporate FCPA enforcement actions is that the company conducted a thorough review of its business operations in a number of jurisdictions other than the locus of the alleged FCPA violation.  Yet, in most cases no other improper conduct is alleged in the enforcement action.  This alone is suggestive of effective internal controls regardless of the discrete conduct alleged in the enforcement action.

The holistic view of internal controls is consistent with legal authority, legislative history and enforcement agency guidance.

The FCPA’s internal control provisions are specifically qualified through concepts of reasonableness.

Legislative history instructs that the internal controls provisions standard does not equate to an “unrealistic degree of exactitude or precision.”

The only judicial decision to substantively address the internal controls provisions states:

“It does not appear that either the SEC or Congress, which adopted the SEC’s recommendations, intended that the statute should require that each affected issuer install a fail-safe accounting control system at all costs.”

And even the SEC has stated in internal controls guidance as follows.

“Inherent in this concept [of reasonableness] is a toleration of deviations from the absolute.”

“The test of a company’s internal control system is not whether occasional failings can occur. Those will happen in the most ideally managed company.”

Sports analogies are often useful in other contexts.

The sports analogy in this post demonstrates just how wayward FCPA enforcement has become in many instances.