Where to begin?
That is the question when analyzing last week’s $108 million Foreign Corrupt Practices Act enforcement action against HP and related entities. (See here).
Should the title of this post have been “The FCPA’s Free-For-All Continues”?
Should the title have been “HP = Hocus Pocus” (as in look what the enforcement agencies pulled out their hats this time)?
Should the title have been “Warning In-House and Compliance Professionals: This Post Will Induce Mental Anguish”?
Unable to arrive at the best specific title for this post, I simply picked the generic “Where to Begin?”
In short, if the HP enforcement action does not leave you troubled as to various aspects of FCPA enforcement you: (i) may not be well-versed in actual FCPA legal authority; (ii) don’t care about the rule of law; or (iii) somehow derive satisfaction from government required transfers of shareholder money to the U.S. treasury regardless of theory.
Least there be any misunderstanding, let me begin this post by stating that the enforcement actions against HP Poland, HP Russia and HP Mexico allege bad conduct by certain individuals – a “small fraction of HP’s global workforce” to use the exact words of the DOJ. As to that “small fraction,” those individuals should be held accountable for their actions by relevant law enforcement authorities.
However, as to the actual defendants charged in the enforcement actions – HP Russia, HP Poland and HP Mexico in the DOJ actions – and HP in the SEC administrative proceeding – there are actual legal elements that must be met and there is also prior enforcement agency guidance that ought to be followed. The entire credibility and legitimacy of the DOJ and SEC’s FCPA enforcement programs depend on these two basics points.
For instance, in what is believed to be an FCPA first, the DOJ charged two non-issuers (HP-Russia and HP-Poland) with substantive violations of the FCPA’s books and records and internal controls provisions – provisions which only apply to issuers. This is concerning in and of itself.
Yet the resulting landscape from the HP enforcement action is of more concern and it should induce mental anguish for many for the following reasons.
Issuers have an obligation under the FCPA to “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that,” among other things, transactions are executed in accordance with management’s general or specific authorization. Failure to adopt such internal controls is a violation of law.
Conversely, and here is where the “hocus pocus” part comes in, if an issuer does adopt such internal controls and a “small fraction” of employees at certain foreign subsidiaries engage in covert means to willfully circumvent those internal controls, well, that is a violation of law as well in the eyes of the enforcement agencies.
The DOJ’s and SEC’s own allegations paint a picture of HP establishing, particularly given the time periods relevant to the enforcement actions, a system of internal accounting controls sufficient to provide reasonable assurances as to the conduct at issue. yet being a victim of the willful and deceptive conduct of a “small fraction” of employees who designed covert means to circumvent HP’s internal controls.
For instance, as to HP Poland, the criminal information alleges, in pertinent part as to the relevant time period (2006 to 2010):
“At all times relevant to this Information, HP policies prohibited corruption, self-dealing, and other misconduct. HP’s Standards of Business Conduct (“SBC”) in effect during the relevant time period specified company rules and regulations governing legal and ethical practices, preparation of accurate books and records, contracting, and approvals and engagements of third parties. The SBC applied to all HP Co. business divisions and subsidiaries, including HP Poland. HP Poland employees, including HP Poland Executive, received mandatory SBC training annually, among other training.”
“The SBC manuals specifically referenced the FCPA, and prohibited, among other items, bribes, corrupt practices, ‘side letter,’ ‘off-the-books’ arrangements,’ and ‘other express or implied agreements outside standard HP contracting processes.’ The SBC manuals in effect during this period further instructed employees of HP that they were not to ‘commit [the relevant HP business] to undertake any performance, payment or other obligation unless [the employee was] authorized under the appropriate HP [business] delegation of authority policies,’ and further required accurate accounting records and proper finance practices.”
Notwithstanding these controls, the information alleges that an HP Poland Executive caused falsification of HP’s books and records and circumvented HP existing internal controls. Among other things, the information alleges that the gifts to the Polish Official ”violated HP internal controls relating to gift-giving, and were not properly reflected in HP’s books and records.” The information alleges that the HP Poland Executive ”willfully circumvented HP’s internal controls, and falsified corporate books and records relied on by HP’s officers and external auditors to authorize transactions and prepare HP’s consolidated financial statements.” The information alleges that HP Poland Executive devised covert means – such as communicating through anonymous e-mail accounts and prepaid mobile telephones – in connection with his bribery scheme. The information even alleges that the HP Poland Executive and the Polish Official drove around in vehicles in “remote locations” and “would type messages in a text file, passing the computer between themselves.” According to the information, “communications were made in this fashion to avoid possible audio recording of the discussions by hidden devices, and to circumvent HP’s internal controls.”
Nevertheless, the DOJ alleges:
“Although HP had certain anti-corruption policies and controls in place during the relevant time period, those policies and controls were not adequate to prevent the conduct described herein and were insufficiently implemented at HP Poland.”
As discussed in this prior post, what is the source for this dramatic conclusory allegation? Nothing more than ipse dixit and subjective say-so.
The same holds true for the DOJ’s allegations concerning HP Mexico. The non-prosecution agreement contains the same two substantive allegations concerning HP’s internal controls set forth above relevant to HP Poland, plus the following as to the relevant time period (2006 to 2009):
“HP’s policies permitted legitimate commission payments to channel partners. These policies required that the recipient of commissions enter into a written channel partner contract with an addendum permitting the payment of commissions be pre-approved, subjected to due diligence, and registered in HP’s partner system. HP Mexico’s policy also required channel partner commissions to follow an approval matrix, with commissions exceeding a particular percentage of the transaction’s total volume regarding additional approvals.”
Notwithstanding these controls, the information alleges that certain HP Mexico sales managers on one deal deceived HP. The NPA states:
“[The Consultant at issue] was not an approved HP Mexico channel partner and had not entered into a written channel partner agreement as required by HP’s internal controls and policies. In circumvention of these internal controls and policies, HP Mexico executives pursuing the BTO Deal arranged for another entity (“Intermediary”), which was already an approved HP Mexico channel partner, to join in the transaction. HP Mexico’s sales managers arranged for the Intermediary to receive commissions from HP Mexico and then pass those monies along to Consultant, after deducting a portion as a fee. Although Intermediary played no role in negotiating the BTO Deal, HP Mexico executives recorded Intermediary as the deal partner in its internal tracking system.”
“By arranging payments to be made through the Intermediary to Consultant, HP Mexico was able to circumvent HP’s policies requiring pre-approval of channel partners and written agreement for third-party payments. HP Mexico further circumvented HP’s controls by failing to identify the role of Intermediary in the BTO Deal … In addition, HP Mexico’s books and records falsely reflected that the Intermediary was the deal partner and principal recipient of the commission on the BTO Deal, which ultimately caused certain HP books and records to be falsified.”
Nevertheless, the DOJ alleges:
“Although HP had certain anti-corruption policies and controls in place during the relevant period, those policies and controls were not adequate to prevent the conduct described herein and were insufficiently implemented at HP Mexico. This allowed HP Mexico to circumvent HP’s internal accounting controls and falsify its books and records as described herein.”
What is the source for this dramatic conclusory allegation? Nothing more than ipse dixit and subjective say-so.
The same holds true for the DOJ’s allegations concerning HP Russia. The information contains the same two substantive allegations concerning HP’s internal controls set forth above relevant to HP Poland and HP Mexico, plus the following as to the relevant time period (2000 to 2007).
“HP’s policies placed restrictions and due diligence requirements on contracts with third parties, including ‘HP customers, channel partners, suppliers, other business partners or outside parties.’ They required credit checks and approvals for certain third parties, and required the preparation of ‘Subcontractor Qualification Worksheets’ and ‘Pre-Bid Risk Identification & Assessment Questionnaires’ that related to qualifications and financial capabilities of certain third parties. Among other due diligence requirements, the policies required telephonic interview of certain third parties regarding experience, references, checks to determine whether the third party had the capacity and geographic coverage for the project, and an overall evaluation of doubts, reservations, and ‘risks/weaknesses’ of the third party.”
“HP’s Solution Opportunity Approval and Review (‘SOAR’) process applies to all service-related projects valued at greater than $500,000 anywhere in the world, including Russia. Among other things, the SOAR process was designed to provide HP’s senior company management visibility into pricing, discounts, and profit margins for transactions. It required review of relationships with third parties, including scope of work, contract terms, qualifications, and necessity of services. Business, legal, finance, credit, tax, and other units participated in the SOAR review. No services-related transaction greater than $500,000 could proceed without SOAR approval.”
“Pursuant to the Sarbanes-Oxley Act of 2002, HP management was required to certify the accuracy of HP’s financial statements and the adequacy of its related internal controls to develop those statements. In supporting these certifications, HP executive management required senior and regional management of HP’s business units to sign sub-certifications certifying that HP’s financial statements were accurate and that their internal controls provided assurances that transactions were properly authorized and recorded, and assets were safeguarded from improper use.”
Notwithstanding these controls, the information alleges that five HP Russia employees deceived HP. For instance, the information specifically alleges that the individuals created a secret slush fund and to “execute and hide the scheme … willfully circumvented existing internal controls, and falsified corporate books and records relied upon by HP officers and external auditors to authorize the transaction and prepare HP’s consolidated financial statements.”
According to the information, the slush fund “was concealed in the project’s financials” and “HP Russia maintained two sets of project pricing records: off-the-books versions, known only to the conspirators, which identified slush fund recipients, and sanitized versions of the same documents which were provided to HP credit, finance, and legal officers outside of HP Russia.”
According to the information, “one example of an off-the-books document was an encrypted, password-protected spreadsheet” which contained different information than the “on-the-books version.” According to the information, a Pricing Worksheet “provided to management outside of HP Russia omit[ed] all references to the slush fund payments, instead inflating hardware prices to create margin for the payments.”
In addition, the information alleges “concealment of [the] slush fund during SOAR Review.” According to the information, “in early August 2003, HP management in Europe pressed HP Russia to begin the SOAR process for the GPO contract so that it could be executed. In circumvention of company policy, however, HP Russia Executive 1 had already [signed the relevant contract and executed it] with no authorization and no power of attorney.”
According to the information, “the HP credit officer assigned to the SOAR review initially denied credit approval to proceed with the contract …”. The information then alleges that the HP Russia Manager provided false information to the HP Credit Officer. The information further alleges that when the HP Credit Officer asked other questions regarding the relevant transaction, the HP Russia Manager provided other false information.
Regarding an actual SOAR meeting in 2003, the information alleges that the day before this meeting, the HP Russia Manager emailed relevant management with false information and thereafter provided additional false information to the HP Credit Officer in connection with relevant transaction.
According to the information, when it came time for the HP Russia Executive to certify the accuracy of the company’s financial statements and adequacy of internal controls pursuant to SOX, the HP Russia Executive falsely certified the requested information and that such certification was relied upon by other HP managers.
According to the information, members of the Russian conspiracy ”structured bribe payments to individuals associated with [the Russian government] through a “off-the-books contract” and specifically alleges as follows:
“In circumvention of HP internal controls, including third party due diligence requirements and prohibitions against ‘side letters,’ ‘off-the-books’ arrangements, or other express or implied agreements outside standard HP contracting process,’ HP Russia never disclosed the existence of the [off-the-books contract] to internal or external auditors or management outside of HP Russia, and conduct no due diligence of [the relevant entity]“
The information alleges that the purpose of the conspiracy was to “conceal and disguise the payments by falsifying HP Russia’s and HP’s books and records; and evading and failing to implement internal controls meant to detect and deter such payments.” Specifically, the information alleges:
“HP Russia, through its executives and employees, together with others, knowingly and deliberately failed to implement internal accounting controls and circumvented existing internal accounting controls designed to detect and prevent such improper conduct. HP Russia entered into off-the-books contracts, maintained two sets of accounting records, failed to conduct appropriate due diligence of third parties, concealed the existence of third-party relationship from HP management, executed contracts without authorization, and made misrepresentations to HP audit, compliance, credit and legal officers.”
Among other things, the information alleges that HP Russia employees ”avoided controls over third-party vendors and off-the-books contracts,” “created and used certain mechanisms for making and concealing payments to third parties,” and “secretly executed certain contracts without proper authority.”
Nevertheless, the DOJ alleges:
“While the SBC prohibited corrupt payments, required due diligence of third-parties, and included other control requirements to maintain accountability for assets, the policies were not adequate to detect and prevent the misconduct described herein, and in practice certain HP business divisions and subsidiaries failed to implement and enforce the policies consistently, and on occasion circumvented or disregard the policies entirely.”
What is the source for this dramatic conclusory allegation? Nothing more than ipse dixit and subjective say-so.
Unlike the DOJ enforcement actions (in which HP was not an actual defendant but merely guaranteed payment of fine and penalty amounts and had compliance obligations imposed upon it), in the SEC’s enforcement action HP is the sole defendant (technically a respondent since the enforcement action was an administrative proceeding not subjected to one ounce of judicial scrutiny). The SEC’s action is based on the same HP Poland, HP Russia, and HP Mexico conduct alleged in the DOJ enforcement actions.
Prior to the stating the SEC’s conclusory statement as it relates to HP itself, it is useful to review the DOJ’s allegations HP-specific allegations because there is little logical consistency between those allegations and the SEC’s conclusory statement.
Again, the DOJ alleged that HP:
- Had existing FCPA and related policies and procedures in place and that all relevant employees received training on the policies;
- Had existing policies and procedures in place related to commission payments to channel partners, due diligence of channel partners, and other tracking policies regarding channel partners;
- Had an existing approval process in place that applied to all service-related projects valued at greater than $500,000 anywhere in the world and as part of that process HP managers questioned relevant subsidiary employees at questionable information;
- Had an existing SOX certification and sub-certification process in place as relevant to the referenced subsidiaries.
Yet, and here comes the “hocus pocus” moment, the SEC states against the backdrop of the same covert means, concealment, and misrepresentations and deception alleged in the DOJ actions that:
“[A]lthough HP had certain anti-corruption policies and controls in place during the relevant time period, those policies and controls were insufficiently implemented on the regional or country level. Further, HP failed to devise and maintain an adequate system of internal accounting controls sufficient to provide reasonable assurance that (i) access to assets was permitted only in accordance with management’s authorization; (2) transactions were recorded as necessary to maintain accountability of assets; and (3) transactions were executed in accordance with management’s authorization.”
It is difficult to reconcile the SEC’s HP allegations against actual legal authority in that the internal-controls provisions are specifically qualified through concepts of reasonableness and good faith. The only judicial decision to directly address the substance of the internal-controls provisions states, in pertinent part, as follows:
“It does not appear that either the SEC or Congress, which adopted the SEC’s recommendations, intended that the statute should require that each affected issuer install a fail-safe accounting control system at all costs.”
In addition, various courts have held—in the context of civil derivative actions in which shareholders seek to hold company directors liable for breach of fiduciary duties due to the company’s alleged FCPA violations— that just because improper conduct allegedly occurred somewhere within a corporate hierarchy does not mean that internal controls must have been deficient.
The SEC’s allegations against HP are further difficult to reconcile with SEC guidance concerning the internal controls provisions. This guidance states, among other things:
“Inherent in this concept [of reasonableness] is a toleration of deviations from the absolute.”
“The test of a company’s internal control system is not whether occasional failings can occur. Those will happen in the most ideally managed company.”
The critical point in assessing an issuer’s internal controls is at the time of the alleged conduct and whether – at that time – the issuer had internal controls sufficient to provide various reasonable assurances. In other words, the critical point is not 5 or 10 years later and the issue is not – with the benefit of perfect hindsight – whether the issuer could have done more.
Further problematic in the SEC’s enforcement action against HP is that it is yet another example of “non-charged bribery disgorgment” and among the most vocal critics of this SEC theory is a former high-ranking SEC enforcement attorney (see here).
Whether the proper title should have been “The FCPA’s Free-For-All Continues,” “HP = Hocus Pocus” or how the HP enforcement action, with reason, should induce mental anguish among many, there is much to analyze and critique in the DOJ’s and SEC’s enforcement actions against HP and related entities.
The same applies to much recent FCPA enforcement activity.
To recap, since December 2013 the FCPA enforcement agencies have extracted approximately $546 million against risk averse corporations:
- (i) based on enforcement agency allegations that the parent company issuer was a victim of deceptive conduct and actions by a “small fraction” of its global workforce;
- (ii) based on enforcement agency allegations that the corporate entities were victims of a corrupt Ukraine government that refused to pay VAT refunds that the companies were legitimately owed (see here); and
- (iii) in a case concerning alleged conduct (approximately 10 to 15 years ago) by a consultant who was criminally charged by another law enforcement agency, put the law enforcement agency to its burden of proof at trial, and the law enforcement agency dismissed the case because there was no ”realistic prospect of conviction” (see here).