Info

FCPA Compliance Report

Tom Fox has practiced law in Houston for 30 years and now brings you the FCPA Compliance and Ethics Report. Learn the latest in anti-corruption and anti-bribery compliance and international transaction issues, as well as business solutions to compliance problems.
RSS Feed Subscribe in Apple Podcasts
FCPA Compliance Report
2019
May


2018
November
October
September
August
July
June
May
April
March
February
January


2017
December
November
October
September
August
July
June
May
April
March
February
January


2016
December
November
October
September
August
March
February


2015
December


Categories

All Episodes
Archives
Categories
Now displaying: June, 2017
Jun 14, 2017

Mara Senn and a colleague, Michelle Albert, published in the FCPA Report, Volume 3, Number 1, entitled “Internal Investigations, How to Conduct an Anti-Corruption Investigation: Developing and Implementing the Investigation Plan”. I interviewed Senn on her thoughts about handling a cross-border investigation. 

  1. Offer Interview Translations           

While many people outside the US have various levels of capabilities in a non-native language, when you get into the very detailed questions in an interview, they may have enough English skills that you assume they understand everything, but in fact, they do not. You may ask a key question, for example, about expense reports, maybe they understand conversational English, but there's no reason for them to know expense reports. This makes it important to have someone present in the interview that speaks the witness’s native language, and just assume that there are going to be times where you’re going to need to call on that person. 

  1. Avoid Cultural Pitfalls

Cultural pitfalls are really truly pitfalls and, unfortunately, they can be big deep holes that you do not know anything about, but you can fall into pretty easily. She provided the issue of personal privacy as an example, where most countries have a different concept of privacy, particularly about whether your work area is your own versus what really belongs to the company. You should seek local counsel guidance to understand what needs to be done and also explain to you the best way to do it without offending people.       

  1. Observe Data Privacy Restrictions 

Most American lawyers are aware of different data privacy restrictions and requirements in countries governed by the European Union (EU) and the US. The point under this best practice is that your analysis and response must go much further to satisfy the US Department of Justice (DOJ) if you want to claim that you cannot get certain information out of a country because of data privacy restrictions. 

  1. Comply with Labor Requirements 

Similar to the long-standing Weingarten right of unionized employees in the US to have a representative present for interviews, in many countries outside the US there are Works Council and similar analogs in other countries, where, basically, the Works Council is responsible for the interactions between the employers and the employees. Moreover, employees have certain statutory or labor code based rights as employees, regardless of whether they are members of a labor union or not. These rights can drill down into the types of questions that you can ask or even prevent you from meeting with or interviewing certain employees. 

  1. Be Aware of Other Local Requirements 

Points three and four certainly lead into best practice No. 5. It is incumbent that you work with local counsel in the country you are performing the interviews to garner an understanding of the witnesses rights and your obligations during any investigation. She explained that many ways a US lawyer would think about doing an investigation could be problematic in other jurisdictions. She gave the examples of taking pictures or physically removing documents from a location, which could be issues that you might face. You certainly need advice and counsel on what is legal and what might not be going forward.

  1. Put Forms in Native Translations           

There are times that the only way an investigation can collect an employee’s personal information is to obtain affirmative assent. Such information might include work documents, work emails, or similar information. However she cautioned that in this situation it is even more important to put the consent form in the native language. You do not want the employee to later claim they did not understand the consent form or thought they were executing something different. It can be critical that you have informed consent, because if you do not have informed consent, that consent could well turn out to be void. 

  1. Preserve the Attorney Client Privilege 

The rules outside the US can be quite different and perhaps a little bewildering. In many European countries there is no privilege from an in-house counsel, so if a General Counsel (GC) of a company speaks to the President or Chief Executive Officer (CEO) there is absolutely no privilege under basically any circumstances in Europe. Senn then noted that other jurisdictions have other kinds of laws, each with a slightly different parameter, leading to different attorney-client expectations. 

  1. Prepare for Local Enforcement Actions 

Many countries are becoming more aggressive in their enforcement actions for bribery and corruption, sometimes based upon local and domestic anti-bribery laws. This means the information which one government knows, whichever government that is, you should expect and assume that multiple governments are cooperating in some way. This then makes it more likely that there could well be some sort of local enforcement action against your client while you are investigating matters around a FCPA claim or potential FCPA claim.

  1. Prepare for Security Risks 

This means personal security, physical and health safety. Simply consider the recent situation when Ebola was going around Western Africa or Central Africa. If you are conducting an investigation in such ravaged areas you should not send your employees to Liberia at that time to interview people. The same can be true in worn-turn areas like Syria or similar locales. 

The better plan would be to remove the people you are interviewing and bring them to you or to a local hub outside of the impacted areas. That avoids a whole host of issues, as you do not want to have to pay for extra security, for example you do not want your employees to have to walk around with loaded machine guns protecting them; you have to make a judgment call as to where and whether these potential threats need to be addressed in some way. 

  1. Protect Whistleblowers 

Here Senn had some very practical advice, which while it might seem counter-intuitive on the surface due to certain legal decisions, it might actually provide more protections for companies in the long run. Senn began by noting the 2nd Circuit Court of Appeals ruling in the Liu case, which essentially found that the Dodd-Frank retaliation provisions that protect whistleblowers in the US do not apply abroad, so in other words, a foreign whistleblower brought a case saying, “I was retaliated against and I bring a case under the retaliation provisions of Dodd-Frank,” and they said, “No way, you can't bring it.”           

Senn believes that companies that use the Liu decision as a basis to retaliate against whistleblowers outside the US are wrong for several reasons. First, is that the Securities and Exchange Commission (SEC) has announced they will still pay whistleblower outside the US, who come forward and meet the requirements, the Dodd-Frank bounty of up to 30% of the penalty. This means that even if courts determine that the Dodd-Frank provisions do not apply for retaliation for foreign nationals, the SEC can still honor the communication and compensate the foreign whistleblower. 

The second reason is the US Sentencing Guidelines make clear that part of an effective compliance and ethics program includes having a publicized system for employees or agents to report potential or actual criminal conduct without fear of retaliation. These Sentencing Guidelines apply to all US companies, both domestic and internationally. If your company retaliates against foreign whistleblowers, the US government can take that into account, which could be viewed in a negative way, meaning that you don’t have an effective compliance and ethics program.

Three Key Takeaways

  1. Use translators and translations of key documents in witness interviews.
  2. Use local counsel to facilitate the investigation and to help navigate any local anti-corruption investigation issues.
  3. Never, never, never retaliate. The SEC will pay whistleblower bounties for non-US citizens.

           

           

 

Jun 14, 2017

In this episode, Matt Kelly and I take a deep dive into the corporate governance fiasco which is Uber. We consider the revelations in the failures of corporate governance, culture and internal controls at the organization. The company provides a fascinating study of what happens when a tech start up raised in the fraternity culture is successful and how changes are required for it to act like a multi-billion organization. Both Matt and I have written on Uber. Our podcast comes out the same day the Holder Report to the Uber Board was released so we weave in the recommendations from Covington & Burling as well. 

For more on Uber see the following: 

Matt Kelly’s piece Car Crash Governance at Uber

Tom Fox’s pieces on Uber

 Will Culture Change at Uber Before its Too Late

CEOs and Win at All Costs-Where Does it Lead

Uber and Corporate Culture

 

For a copy of the Holder Report on corporate governance, cultural and internal controls failures at Uber and recommendations, click here.

Jun 13, 2017

Beginning with the Department of Justice’s (DOJ’s) Yates Memo, its Foreign Corrupt Practices Act (FCPA) Pilot Program and then the release of the Evaluation of Corporate Compliance Programs (Evaluation), I believe the DOJ has put even more pressure on every Chief Compliance Officer (CCO), and indeed every company, to get an investigation done quickly, efficiently and most importantly done right is even greater.   

Jonathan Marks, a partner at Marcum LLP and a well-known internal investigation expert, provides some of his thoughts around what goes into a well-run investigation. His perspective is from someone who performs investigations outside your organization, either because the matter was so serious an outside expert was required; specific subject matter expertise (SME) was not available in your organization or due to the objectivity of the investigation. Today I want to consider who should be on your investigation team. 

As discussed previously data collection, retention and preservation are critical elements of any significant internal investigation so you will need to have the involvement of your IT function. IT can help put a litigation hold on email that can help with the preservation of data in other areas of the organization. Further, they can assist with certain other aspects as more facts and circumstances are known. 

HR is often an underutilized function for an internal investigator. HR can be very useful to provide context about employees’ work history. There may be notes in HR areas as diverse as training and exit interviews. HR can also be useful to give the investigator “some insight regarding the credibility of the individual that might be making the allegation. For example, are they a good and trusted employee? How long have they been there? What’s their general demeanor? What’s been the feedback on that particular individual?” 

Both the Board and senior management can provide different types of support for an investigation. Marks noted the Board has oversight responsibility and senior management is responsible for the day-to-day, tactical operations of the organization, including the internal controls. This means from the Board’s perspective, “we would want to make sure that our governance processes were in place and operating effectively when it comes to an investigation. So, my concern, or concern from a board member’s perspective, from an investigation, early on, is what’s the financial impact; what’s the legal impact, for a publicly traded organization? Are there potential issues here which we as a Board need to be concerned with going forward?” 

From the senior management’s perspective, Marks believes “the key thing there is if there is an issue and there was the ability to either override controls or controls weren’t in place or there was something that basically caused this, what do we need to do to assess that? What do we need to do to fix that? What was the root cause for this potential bad behavior? Like I said, how do we fix that or how do we put a plan together in order to fix that or shore that up?” He emphasized this is not the Board’s responsibility but that of senior management. Marks also pointed out that while an investigator would probably assume that the Board of Directors had been notified at this point about the issues being investigated, the investigators may want to make certain the Board has been made aware of the incident and investigation.           

Marks suggested outside consultants in the form of forensic accountants should be a part of your investigation team. Such a skilled set team member can bring an investigative mind that drives them to answer questions about what occurred, when and how it happened, and who was involved. However, most lawyers do not understand how forensic accounting is performed and how they can assist your compliance investigation going forward. 

Forensic auditing works to collect and analyze accounting and internal-controls evidence. They use this information to produce a fact-based report that can inform the decision-making process in inquiries, investigations and dispute resolution. The by-products of internal audit’s work can include remediation strategies to help a company mitigate and remedy procedural or internal-controls gaps that allowed the underlying issue to occur. Inquiries into accounting and internal controls raise a host of technical issues requiring specialized knowledge that forensic accountants are uniquely positioned to provide. This is a qualitative difference from internal audit, which more often looks at process to determine if it has been adhered to in a procedure. 

The objective of a forensic audit investigation team member is to collect, analyze and report on the evidence or facts surrounding an act that often has litigious, fraudulent or criminal implications. Auditors also collect and analyze evidence, but an independent auditor’s objective is to attest to the credibility of assertions that are under examination, such as the material accuracy of financial statements for which the audited company’s management is responsible. However, a key role of the forensic accountant is to identify a concern and to notify company management about the issue or issues discovered. 

As with a decision on bringing in outside counsel to perform a compliance investigation, you will need to consider whether a forensic accountant should be retained as an outside consultant or hired as an employee. One critical reason to bring in an outside professional is so they will be not be governed by management or influenced by potential biases within a company. Lastly is the issue of privilege. If a forensic accountant is not assigned through your legal department or through outside counsel, you can kiss away even the chance of claiming privilege. 

Obviously, the GC would be involved to help protect the attorney client privilege if for no other reason. Further, an investigation needs to have the corporate compliance function involved, to understand what compliance program was in place at the time of the incident in question, what procedures the compliance function had and understand if this truly was a gap in the compliance function or “maybe there was an area within the compliance function that wasn’t operating as prescribed, or maybe it was a little bit weak.” 

Three Key Takeaways

  1. HR plays a key but often underused role in internal investigations.
  2. The Board of Directors and senior management have different roles.
  3. Use your legal department to protect the privilege.
Jun 12, 2017

 

In the Department of Justice’s (DOJ) Evaluation of Corporate Compliance Programs (Evaluation), under Prong 7 Confidential Reporting and Investigation asks the following: Properly Scoped Investigation by Qualified PersonnelHow has the company ensured that the investigations have been properly scoped, and were independent, objective, appropriately conducted, and properly documented? These questions were clearly presaged by the DOJ’s Yates Memo and the Foreign Corrupt Practices Act (FCPA) Pilot Program. The pressure on every Chief Compliance Officer (CCO), and indeed company, to get an investigation done quickly, efficiently and most importantly done right is even greater now.   

Jonathan Marks, a partner at Marcum LLP and a well-known internal investigation expert, gave some of his thoughts around what goes into a well-run investigation. Marks began by cautioning that any CCO must be cognizant of the strictures laid out in the Evaluation. It all begins with who in-house is looking at the complaint and does the CCO, compliance practitioner or legal team have the skills and capabilities to handle the matter which has arisen? Obviously if there are esoteric accounting issues or significant internal control work-arounds and overrides, a CCO may not have those skills to really understand all the issues. Similarly, if the matter is a global FCPA or equivalent bribery and corruption matter, Marks related, these “come in different flavors, and because they come in different flavors you may not have the skills or capabilities to do an investigation that would take place in say Brazil or Russia or China or India.” 

All of this ties into how the government will view an investigation, particularly if the company does not have the skills and capabilities necessary to analyze the allegation, or if the allegation of fraud is serious enough where they believe that an independent investigation rather than an internal investigation really needs to be done.” Moreover, if allegations or the investigation are going to be subject to regulatory scrutiny, one of the benefits of having somebody come in from the outside is that there is independence, skepticism, the ability to work through things unlike you would with an internal investigation where an internal audit might be involved. Marks concluded by noted, “from an outsider’s perspective looking in, there is more credibility of having somebody come to conduct your investigation.” 

Marks believes the first thing that any investigator must do is understand the business environment and the extended business enterprise. He further stated, “what I mean is really understand the business you’re dealing with, the industry that it’s in, the potential risks, the pressures and motivations that might be at play here. Understanding that generally with most frauds there is some pressure to do something because of something else and there are some motivations.” Such an initial understanding can help you formulate a comprehension of the internal controls that might be in place or that were lacking that could either have not been designed properly or overridden.

 

The next step is to quickly and thoroughly analyze the initial underlying facts and circumstances when it comes to the issue or the issues at hand. For Marks, the number one issue is the credibility of the complaint, which is more than simply the credibility of the complainant. Marks said it was important to understand how the allegations of wrongdoing came to light and the seriousness of the issues involved. He went on to note that his initial inquiry would include such questions as, “What are people saying happened or what is an individual saying that happened? You know the background of the complaint, if known. How long have they been with the organization? Are they credible? Have they complained before? If in fact this was either a whistle blower or a tip.”           

At this early assessment, Marks believes you should also consider the possible legal and financial impact of the allegations. If you determine it is serious at this early juncture, you should always consider your internal crisis management team and if your organization does not have one, you should consider retaining such an expert. Marks explained, “Crisis management doesn’t necessarily mean that a crisis happened, it means that if in fact we are in crisis mode, how does that impact the company? So, thinking about those issues and then knowing what to do, if in fact you are in a crisis mode, I think is ultra-critical.” He went on to add, “I think crisis management is totally underplayed. I think that many organizations don’t have an appropriate crisis management plan. If something bad does happen, a lot of times I see organizations that are struggling to kind of put the pieces together.” 

Marks also noted that both communication and collaboration are critical even at this early stage. He advocated that the company ask a series of questions such as what issues are “on the table” and who is impacted by these issues within the company; is it the company auditors or some other corporate function? He also advocated considering third parties and contracted entities in this calculus by inquiring if there were key suppliers impacted by the investigation. On the one hand, “a key supplier that might get wind of this and might not want to do business with us anymore?” Yet, conversely, such a key supplier could be a sole source supplier so you may need think about alternative arrangements. You should begin to consider these issues early on and continue to think about them as you are going through and doing and investigation. 

Document preservation is always a critical issue and Marks believes this is one which government regulators will pay particular attention to both at this initial phase and throughout the investigation. You need to take steps to ensure all data is locked down. This means getting into the weeds on such issues as where are all your company’s servers located; what is your back-up situation; do you have hand-held devices secured and are the organization’s instant and text messaging tied down. If you do not take such steps you could well find yourself in a situation where either information is lost or there's a possibility or suspicion that information is lost. Unfortunately, that is the situation that leads to a prosecutor’s imagination going wild. Basically, you need to have the information locked down so that if the government wants to come in and perform an independent review or test your hypothesis, you can provide them with the required information. 

Three Key Takeaways

  1. Always remember your ultimate audience may be the government.
  2. You must understand both the business environment and extended business enterprise.
  3. Communication and collaboration in any investigation are critical so you should begin early and continue to do so throughout the investigation.

 

 

Jun 12, 2017

Today I am joined again by Professor Samuel Buell, from Duke University School of Law to discuss a recent paper he co-authored with Rachel Brewster entitled, "The Market for Global AntiCorruption Enforcement". In the paper and in this podcast Professor Buell discusses the internal structural changes which took place in the 1980s and 1990s which set the stage for the explosive growth in FCPA enforcement. He then relates the changes on the domestic scene which facilitated its explosive growth. He ends by exposing the myth of the revolving door. 

 

Jun 10, 2017

Show Notes for Episode 56, for the week ending June 9, the Who’s On First Edition 

This week, Jay and I have a wide-ranging discussion on some of the week’s top compliance related stories. We discuss: 

  1. The Kokesh case at the US Supreme Court is significant for SEC enforcement of the FCPA around profit disgorgement. For what it means to the compliance practitioner, see Tom’s piece in the FCPA Compliance & Ethics Blog. For a legal review of the decision, see Miller & Chevalier client alert authored by Saskia Zandieh. Marc Bohn considered the cased in the FCPA Blog. Marc and I discuss the case on the FCPA Compliance Report, Episode 332.
  2. Trevor McFadden to leave the DOJ for federal bench. See article by Matt Kelly in Radical Compliance. Hui Chen’s contract not to be renewed, her position is posted for job applicants. Apply for the position here. Andrew Weissman leaves as head of the Fraud Section to go Special Prosecutor’s staff.
  3. Former PetroTiger General Counsel Gregory Weismann is banned from SEC practice. See article in the FCPA Blog
  4. Matthew Stephenson considers what a Wal-Mart settlement might look like. See his article in the Global Anti-Corruption Blog.
  5. The federal judge who sentenced Samuel Mebiame, the bag man for Och-Ziff; criticized the DOJ for its lack of prosecution of any individuals from the company. See article by Sam Rubenfeld in WSJ Risk and Compliance Report.
  6. Jay previews his weekend report.
  7. Tom continues to talk about the release of his new book 2016 – The Year in Corporate FCPA Enforcement. For more information and to purchase, click here.

 Jay Rosen can be reached:

 Mobile (310) 729-6746

Toll Free (866)-201-0903

JRosen@affiliatedmonitors.com

 Tom Fox can be reached:

       Phone: 832-744-0264

       Email: tfox@tfoxlaw.com

 

 

 

Jun 9, 2017

 

There is nothing like an internal whistleblower report about a FCPA violation, the finding of such an issue or (even worse) a subpoena from the DOJ to trigger the Board of Directors and senior management attention to the compliance function and the company’s compliance program. Such an event can trigger much gnashing of teeth and expressions of outrage followed immediately by proclamations “We are an ethical company.” However it may well be the time for a very serious reality check. 

The DOJ Evaluation of Corporate Compliance Programs focuses this question in Prong 7 with the following: Response to InvestigationsWhat has been the process for responding to investigative findings? You may find yourself in the position that you will have to have some very frank discussions about what to expect in terms of costs and time outlays. While much of these discussions will focus on the investigative process and those costs, these discussions will allow you to begin to talk about remediation going forward and begin to explain why money must be budgeted for the remediation process. 

One of the things rarely considered is how the investigation triggers the remediation process and what the relationship is between the two. When issues arise warranting an investigation that would rise to the Board of Directors level and potentially require disclosure to the government, there is usually a flurry of attention and activity. Everyone wants to know what is going on. Russ Berland, the Chief Compliance Officer at Dematic Inc. has noted, “for that short moment in time, you have everyone’s full attention.” Yet it can still be “a tricky place, because you get your fifteen minutes to really get everyone’s full attention, and then from then on, you’re fighting with everybody else for their attention, just like the normal things in business life. It’s, they’re coming in and saying, “Okay, here’s the situation as we know it now, there is an investigation path, and corresponding to that, here’s what we think is the remediation path and some outlines of what it’s going to take,” often with some dollar signs attached to it.” 

You need to explain the costs to the Board and senior management. As Berland said, you need to be upfront and candid in firmly stating, “For us to get to this place, this is what it’s going to cost.” Moreover, you need to be able to show how some companies paid very large amounts, not just in the eventual fine and penalty but also in other costs. Berland went on to say, “We want to show you how people have lost money by having to write big checks, because they didn’t take this seriously, and saved money, because they didn’t have to write as big a check, because they took this very seriously, and your return on investment here is going to be very high if you do this well.” This is easier with the information that was provided in the 2016 DOJ Pilot Program around FCPA enforcement as it demonstrated how much discount a company can receive below the minimum range of the Sentencing Guidelines for remediation.  

One of the most difficult parts is that the investigation is often done in a way in which the investigators want to maintain as tight a control over the information and privilege as they possibly can. The remediation really requires output from the investigation to understand where the risk points are and where the gaps are, both in the compliance program and the internal controls. There’s a tension there, and it needs to be structured in a way that information can be shared with those who are designing the remediation without fear of compromising the investigation. 

Dan Chapman, CCO at Vimpelcom and formerly CCO at Parker Drilling,  also believes that costs must be adequately discussed to set proper expectations. These include both direct costs and, even more importantly, a discussion of indirect costs to the company. He noted that “the biggest cost to a company during an investigation is the diversion of management resources” and, as he further explained, “kind of everything stops to focus on the investigation.” This indirect cost comes through largely the time commitment of senior management. He further explained, “if senior management has to commit 20% of their time, that’s 20% that’s not going towards revenue generating, shareholder value protecting activities.” 

Yet, how can you communicate that to somebody who has not gone through a full blown internal investigation then coupled with a federal investigation with the DOJ and Federal Bureau of Investigation (FBI) involved? Understanding that the all-encompassing nature of such an event is difficult to articulate, Chapman goes through some of his past experiences as touch points. He said, “I talk about past experiences. One example would be at a past company, my first week on the job, they had a worldwide conference for all the senior managers from around the world. At that meeting, I asked all the senior executives, you know, C-level executives. I said, “Over the last few years, have you spent 5% of your time on the matter? They’d raise their hands. Then I kept escalating it: 10%, 15%. Hands didn’t go down until about 20%. Then I explained to them, to the audience, I said, “So if you got 5%, 10%, 15% more than your senior management, where would this company be?” I think that’s helpful, but there’s not great way to quantify it. It’s kind of like quantifying compliance generally. How do you quantify the absence of non-compliance? How do you quantify what could have been? How do you quantify the opportunity costs of managements time?” 

You can explain the upside of compliance and do that in a manner that juxtaposes the cost. Chapman said you could mention things such as, “If you have clear policies and people know what to do, think how much easier your life would be. Instead of having to make calls and figure it out on your own every single time, you had clear policy.” The same types of arguments come into play in areas generally considered the purview of HR, i.e. recruiting and retention. 

About recruiting Chapman posed the following for consideration, “Think about recruiting. Where do your new hires out of college come from? Where do they get their information about your company? If they Google your company, what’s one of the first things they see if you’ve been in trouble? They Google it, and they’ll get a penalty, or they’ll get some news article about the wrongdoings.” He also points out retention of current employees by asking, “How you would feel if everybody at this company felt good about working here, and no one felt embarrassed by what happened. Would that help retention?” 

Yet even more than these types of points about employees in the organization, Chapman believes it is important to make it personal to the highest level of the organization and try to make it as real and personal to your audience as possible. He says he asks the Board and senior management “What about you? How do you feel about being involved in it? Rather than being something that’s out there, the company, what about you? How do you feel about being here?” 

Obviously, the investigation will be critical for you to help understand what remediation your compliance program will need going forward. As Berland said, “Somebody found a way to get around your system. Maybe they colluded to overcome the internal controls. Maybe there was a group that simply wasn’t well trained, didn’t understand, or there was a group that was extremely well trained, and decided to do it anyway. But somehow, there are issues in your system, and by system, the overall system of the executive tone, the governance, the compliance program, the internal controls, all at a meta level.”           

It is axiomatic that you cannot finds gaps in your compliance system until you stress test it. Viewed in this light, your compliance failures can be viewed as such a stress test. Berland said, “Well, guess what, you just got handed a stress test, and this is where the system broke down. Now you know there’s a gap. Well, absent the investigation, as painful and difficult as that is, that gap would have just been sitting there.” The investigation will raise information to you about the failures of your compliance program that you may not have known existed previously. 

While there will be a desire by some folks to not give out any information about the investigation until it is completed and there is a final report, you must resist this at all costs. If the results of the investigation are not made available to you as the CCO or the compliance professional charged with remediating the compliance program, any such remediation will be extremely difficult, because, as Berland noted, “you’re just going off suppositions and guesses.” 

He advocates there be a solid line of communication between the people who are doing the investigation and the people who are leading the remediation. Otherwise, you can only begin your remediation in the most general terms and you will not be able to deal with specific gaps in your compliance program or risks that need to be managed. 

Such an approach can also be a recipe for disaster. First, and foremost, the DOJ will not give you credit and you may lose the types of benefits articulated in the FCPA Pilot Program. Moreover, the executive attention will have dissipated, or, as Berland said, “When you’ve got the energy, use it.” 

What about the always-dreaded ‘Where Else’ question in any FCPA investigation? Berland believes the key is “anticipating the question is going to come up, and having an answer ready, which is, “We are going to do a comprehensive risk assessment of the remainder of the company. We are not going to go out and look under every leaf and every, you know, check every tree, but we are going to do a very extensive risk assessment, and we’ll be able to come back and tell you that we don’t think there is a likelihood of other issues in other places.””           

However, the answer could be equally something along the lines that ““we have found a high likelihood and we’re going to continue to take deeper and deeper considers that section until we know if something happened or not.” That was an acceptable answer. It was, you know, “here's the slice of the pie where we know something is happening, and here’s the process to look at the rest, given it really is kind of a risk assessment plus going forward.”” 

Three Key Takeaways

  1. A serious FCPA allegation gets the attention of the Board and senior management. Use this time to move the compliance program forward.
  2. Be aware of how your investigation can impact and even inform your remediation efforts.
  3. How do you deal with the dreaded ‘where else’ question?

 

Jun 8, 2017

In an article in the Corporate Board magazine, entitled “Successful Board Investigations” by David Bayless and Tammy Albarrán, partners in the law firm of Covington & Burling LLP posited seven considerations to facilitate a successful board investigation.

  1. Consider whether you need independent outside counsel 

The appearance of partiality undermines the objectivity and credibility of an investigation. That means you should not use your regular counsel. The authors cite to the Securities and Exchange Commission (SEC) analysis of how independent board members truly are to explain the need for independent counsel. They state, “the SEC considers the following criteria when determining whether (and how much) to credit self-policing, self-reporting, remediation and cooperation” which will consist of the following factors:

  • Did management, the board or committees consisting solely of outside directors oversee the review?
  • Did company employees or outside persons perform the review?
  • If outside persons, have they done other work for the company?
  • If the review was conducted by outside counsel, had management previously engaged such counsel?
  • How long ago was the firm’s last representation of the company?
  • How often has the law firm represented the company?
  • How much in legal fees has the company paid the firm? 
  1. Consider hiring an experienced “investigator” to lead the internal investigation 

Jim McGrath has written and spoken about the need to utilize specialized counsel in any serious investigation. If a board is leading an investigation, I would submit by definition it is serious. Your investigation needs to lead by a lawyer with significant experience in conducting internal investigations; a strong background in criminal or SEC enforcement; and has substantive experience in the particular area of law at issue. 

  1. Consider the need to retain outside experts 

In any FCPA or other anti-corruption investigation, there will be the need for a wider variety of subject matter experts (SME’s) than a compliance professional. If there are accounting issues, forensic accountants might be needed. In this day and age, an electronic discovery consultant is often required, and can be a cost effective option for gathering and processing electronic data for review. 

  1. Analyze potential conflicts of interest at the outset and during the investigation 

There are two types of conflicts of interest that may come to light during an investigation. First is the one which comes up when the law firm or lawyers conducting the inves­tigation are those whose prior legal advice has some bearing on the matters being investigated because a company’s regular outside lawyers represent the company. During an internal investigation, however, the lawyers may be hired by, and represent, the board or its committee. The second occurs when a lawyer or law firm jointly represents the board and employees at the company as regulators have become increasingly concerned with joint representations. The trickier question is what to do when there simply is a risk that representing one client could limit the lawyers’ duties to the other. So in these situations, joint representation may not be appropriate. 

  1. Carefully evaluate Whistleblower allegations 

Whistleblowers have become more important and taking their allegations seriously is paramount. This does not mean trying to find out who the whistleblowers might be to punish or stifle them, even if they are located outside the United States and therefore do not have protections under these laws. They can still get hefty bounties. Regulators are very wary of boards that do not satisfactorily evaluate a whistleblower’s complaint based on a perception of the whistleblower himself, as opposed to the substance of the complaint. 

  1. Request regular updates from outside counsel, without limiting the investigation 

These types of investigations are long and very costly. They can easily spin out of cost control. But, by trying to manage these costs, a board might be perceived as placing improper limits on the investigation. The “goal is to strike the right balance between the cost of the investigation and its thoroughness and credibility.” To do so, flexibility is an important ingredient. The scope of what to investigate is not a static, one-time decision. It can, and usually does, evolve. 

  1. Consider whether an oral report at the conclusion of the investigation is sufficient

While there may be instances in which, due to complexity and the nature of allegations involved, a written report is necessary, there may be times when an oral report delivered to a board is better than a written report for “a written report may be easier to follow and appear to be the logical conclusion to an investigation, it is an expensive and time-consuming endeavor, and it comes with great risk.” The authors indicate three reasons for this position. 

The authors conclude their piece by stating, “By keeping in mind the issues addressed above, the board will be better prepared for the investigation and readily able to exercise good judgment throughout the review. A well-conducted investigation by the board may spare the company further disruption and costs associated with follow-on investigations by the regulators, or at the very least minimize the company’s exposure.” 

Three Key Takeaways

  1. Retain the right counsel. Consider conflicts and appearance.
  2. Carefully evaluate all whistleblower allegations and reject retaliation.
  3. Consider receiving oral reports on an ongoing basis and one lengthy oral report at the end of the investigation.

 

 

Jun 8, 2017

 

The dog days of summer are on the horizon and the Houston Astros lead the major leagues in winning percentage. Coincidence that the US pulls out of the Paris Climate Accords the same week the Astros are playing .700 baseball? The top four commentators in compliance return to talk about what is one their summer radar for consideration. This episode concludes with the panelists’ rants. 

  1. Matt Kelly opens with a discussion of the revisions to the COSO ERM Framework, which were based on comments by practitioners. Matt considers the integration of the COSO ERM Framework into functional business units moving to operationalize ERM in organizations and we consider how the ERM Framework differs yet is complimentary to the COSO Internal Controls Framework. 

For Matt Kelly’s posts on the COSO ERM Framework, see the following:

More Details on COSO ERM Framework

Update to COSO ERM Framework Update

ERM Framework: Govt. Calls for Unity

More Clues on Draft ERM Framework

Draft ERM Framework is Here: How to Get Started 

  1. Mike Volkov examines the FinCen enforcement action involving Thomas Haider, the former CCO at MoneyGram. Mike considers the implications for CCOs and whether the case even matters for CCOs. 

For Mike Volkov’s post see on the Haidar enforcement action, see the following: 

            MoneyGram CCO Pays Civil Penalty

  1. Jonathan Armstrong reviews the recently released information that both Wood Group/AMEC are under the SFO concerning its Unaoil investigation. He explores some of the following questions: What should companies be doing around Unaoil? What happens if you discover a merger candidate is under investigation or in the case of AMEC, self-disclose they are under investigation. What does it mean if the acquiring entity rather than the target is under investigation? Finally, Armstrong handicaps the upcoming UK election and what it might mean for compliance. 

For Cordery Compliance's Client Alert see the following: 

        Bribery Due Diligence

  1. Jay Rosen brings his Mr. Monitorship hat and former Mr. Translations eye to the question of operationalizing your compliance program. He considers how the compliance function can work with other corporate functions to embed compliance into the fabric of an organization, concluding with by doing so a compliance function could become a competitive advantage for a business. 

For Jay Rosen’s posts see the following: 

 Compliance as a Competitive Advantage

For Tom Fox’s posts on operationalization of compliance see the following: 

Operationalizing Compliance, starting with Pizza

Operationalizing Compliance by Overcoming Obstacles

Operationalizing Compliance through Human Resources

Operationalizing Compliance through the Controller’s Office

Operationalizing Compliance through Internal Audit

 

The members of the Everything Compliance panel include:

  • Jay Rosen– Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com
  • Mike Volkov – One of the top FCPA commentators and practitioners around and the Chief Executive Officer of The Volkov Law Group, LLC. Volkov can be reached at mvolkov@volkovlawgroup.com.
  • Matt Kelly – Founder and CEO of Radical Compliance, is the former Editor of Compliance Week. Kelly can be reached at mkelly@radicalcompliance.com
  • Jonathan Armstrong – Rounding out the panel is our UK colleague, who is an experienced lawyer with Cordery in London. Armstrong can be reached at armstrong@corderycompliance.com
Jun 7, 2017

Many companies have an investigation protocol in place when a potential Foreign Corruption Practices Act (FCPA) or other legal issue arises? However, many Boards of Directors do not have the same rigor when it comes to an investigation, which should be conducted or led by the Board itself. The consequences of this lack of foresight can be problematic, because if a Board of Directors does not get an investigation which it handles right, the consequences to the company, its reputation and value can all be quite severe. The SEC considers a variety of factors around corporate investigations including: Did management, the board or committees consisting solely of outside directors oversee the review? Did company employees or outside persons perform the review? If outside persons, have they done other work for the company?

There is also role of the Sarbanes-Oxley Act (SOX) in internal investigations, most particularly for audit committees. Section 301 establishes certain requirements for Audit Committees, including: (1) Procedures for receipt, retention, and treatment of complaints received by the issuer regarding accounting, internal accounting controls, or auditing matters; (2) Procedures regarding the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters; (3) Authority to engage independent counsel and other advisers, as it determines necessary to carry out its duties; and (4) Funding to engage advisors as it deems appropriate. 

In an article in the Corporate Board magazine, entitled “Successful Board Investigations” by David Bayless and Tammy Albarrán, partners in the law firm of Covington & Burling LLP write about five key goals that any investigation led by a Board of Directors must meet. They are: 

  • Thoroughness - The authors believe that one of the key, and most critical, questions that any regulator might pose is just how thorough is an investigation; to test whether they can rely on the facts discovered without hav­ing to repeat the investigation themselves. Regulators tend to be skeptical of investigations where limits are placed (expressly or otherwise) on the investigators, in terms of what is investigated, or how the investigation is conducted. This question can be an initial deal-killer particularly if the regulator involved views an investigation insuf­ficiently thorough, its credibility is undermined. And, of course, it can lead to the dreaded ‘Where else’ question.
  • Objectivity - Here the authors write that any “investigation must follow the facts wherever they lead, regardless of the conse­quences. This includes how the findings may impact senior management or other company employees. An investigation seen as lacking objectivity will be viewed by outsiders as inadequate or deficient.” I would add that in addition to the objectivity requirement in the investigation, the same must be had with the investigators themselves. If a company uses its regular outside counsel, it may be viewed with some askance, particularly if the client is a high volume client of the law firm involved, either in dollar amounts or in number of matters handled by the firm.
  • Accuracy - As in any part of a best practices anti-corruption compliance program, the three most important things are Document, Document and Document. This means that the factual findings of an investiga­tion must be well supported. For if the developed facts are not well supported, the authors believe that the investigation is “open to collateral attack by skeptical prosecutors and regulators. If that happens, the time and money spent on the internal investigation will have been wasted, because the government will end up conducting its own investigation of the same issues.” This is never good and your company may well lose what little credibility and good will that it may have engendered by self-reporting or self-investigating.
  • Timeliness - Certainly in the world of FCPA enforcement, an internal investigation should be done quickly. This has become even more necessary with the tight deadlines set under the Dodd-Frank Act Whistleblower provisions. But there are other considerations for a public company such as an impending Securities and Exchange Commission (SEC) quarterly or annual report that may need to be deferred absent as a timely resolution of the matter. Lastly, the Department of Justice (DOJ) or SEC may view delaying an investigation as simply a part of document spoliation. So timeliness is crucial.
  • Credibility - One of the realities of any FCPA investigation is that a Board of Directors led investigation is reviewed after the fact by not only skeptical third parties but also sometimes years after the initial events and investigation. So not only is there the opportunity for Monday-Morning Quarterbacking but quite a bit of post event analysis. So the authors believe that any Board of Directors led investigation “must be (and must be perceived as) credible as to what was done, how it was done, and who did it. Otherwise, the board’s work will have been for naught.” 

Dan Chapman, Chief Compliance Officer at Vimpelcom, has said this is the time for a very frank conversation with your Board about what such an investigation will entail. Costs must be adequately discussed to set proper expectations. These include both direct costs and, what Chapman believes may be even more important, a discussion of indirect costs to the company. He noted that “the biggest cost to a company during an investigation is the diversion of management resources” and, as he further explained, “kind of everything stops to focus on the investigation.” This indirect cost comes through largely the time commitment of senior management. He further explained, “if senior management has to commit 20% of their time, that’s 20% that’s not going towards revenue generating, shareholder value protecting activities.” 

Finally Jonathan Marks, a partner at Marcum LLC has noted after notification of serious allegations, Boards should take the following steps:

  • Consider creating a Special Committee to conduct the investigation;
  • Establish a committee charter;
  • Preserve the electronic and hardcopy documentation environment;
  • Communicate with external auditors; and
  • Plan potential communication with the SEC, DOJ, and the relevant stock exchange. 

Marks also notes that while a special committee might be necessary in certain rare circumstances, the board should try to avoid forming a special investigative committee to oversee the investigation if its audit committee is composed of independent and disinterested directors that are suited for the task. A special committee must be disbanded at some point (usually once the investigation is completed and before the restatement process begins), and the disbanding could become a complicated news item.  Conversely, if the audit committee oversees the investigation, then, once the investigation is complete, the audit committee can pivot back to its normal role, which would include overseeing the actual restatement process. Investigations overseen by the audit committee also benefit from the positive relationship that the audit committee chair usually has with the audit partner of the company’s external auditor.  

Three Key Takeaways

  1. The Board should have a written protocol for investigations prepared in advance.
  2. Any Board led investigation must be both credible and objective.
  3. The investigation must be thorough but the Board can be cost effective.

 

 

Jun 7, 2017

In the case of Kokesh v. SEC, the US Supreme Court held the profit disgorgements operate as a penalty under the Securities and Exchange Act of 1934, as amended. As such “any claim for disgorgement in an SEC enforcement action must be commenced within five years of the date the claim accrued.” The position of the Securities and Exchange Commission (SEC) at the Supreme Court and in all other matters involving this issue was that profit disgorgement were not punitive, hence not a penalty but rather remedial in nature so the SEC could clawback all monies generated as a result of the illegal action. 

The decision, authored by Justice Sotomayor, was a 9-0 opinion which in the rarified world of Supreme Court decisions is about as clear a message as one can get. The Court first determined that profit disgorgement met the definition of a “penalty” under two basis, “First, whether a sanction represents a penalty turns in part on “whether the wrong sought to be redressed is a wrong to the public, or a wrong to the individual.” Second, a pecuniary sanction operates as a penalty if it is sought “for the purpose of punishment, and to deter others from offending in like manner” rather than to compensate victims.” [citations omitted] Thus, if a statute provided a compensatory remedy for a private wrong, it should not be characterized as penalty.

Jun 6, 2017

One of the things that I learned from the television series M*A*S*H was the need for triage. In the hospital setting, triage is the process of determining the priority of patients’ treatments based on the severity of their condition. This is considered in different language in the Justice Department’s (DOJ) Evaluation of Corporate Compliance Programs (Evaluation), which under Prong 7 reads, in part, Properly Scoped Investigation by Qualified PersonnelHow has the company ensured that the investigations have been properly scoped, and were independent, objective, appropriately conducted, and properly documented? Tying all of together is short but succinct statement found in the 2012 FCPA Guidance, “once an allegation is made, companies should have in place an efficient, reliable,  and properly funded process for investigating the allegation and documenting the company’s response, including any disciplinary or remediation measures taken.” 

Given the number of ways that information about violations or potential violations can be communicated to the government regulators,  having a robust triage system is an important way that a company can separate the wheat from the chaff and bring the right number of resources to bear on a compliance problem. One of the things that this is important in making an initial determination of whether to bring in outside counsel to head up an investigation. It is also important in a determination of the resources that you may want or need to commit to a problem. You literally need to “kick the tires” of any allegations or information so that you know the circumstances in front of you before you make the decision going forward. You can do this through a robust triage process. 

Jonathan Marks, a partner at Marcum LLP has suggested a five-stage triage process which allows for not only an early assessment of any allegations but also a manner to think through your investigative approach. Marks cautions you must have an experienced investigator or other seasoned professional making these determinations, if not a more well-rounded group or committee. Next, what will be the types of evidence you will need to consider going forward. Finally, before selecting a triage solution you should understand what tools are available, including both forensic and human, to complete the investigation. Marks’ five-stage process includes the following: 

Stage 1.  These consist of allegations have a low threat level and do not suggest a breakdown of internal controls. Tips that get grouped into this stage do not have a financial or reputational impact. 

Stage 2. These allegations are more serious in nature, and often indicate some deficiency in the design of internal controls. Examples include business rule violations such as recurring employee theft or patterns of falsifying expense reports. 

Stage 3. These allegations are serious in nature, generally involve an override of internal controls, and thus are at a minimum a serious deficiency. But they have only a minimal impact on the financial statements or the company’s reputation. More serious allegations in this category include fraud, embezzlement, and bribery involving employees or mid-level management. 

Stage 4. These are serious allegations that could have an impact on the completeness and accuracy of the audited financial statements, and that could indicate a material weakness in internal controls. They do not, however, appear to involve any member of the senior management team. 

Stage 5. These are serious allegations that involve one or more members of the senior management team, or are serious enough to damage the company’s reputation. The receipt of allegations in this stage usually place the company into crisis management mode, and could result in the restatement of audited financial statements or added regulatory scrutiny. 

By using such an approach, you will be able to respond more quickly and efficiently to any allegations which arise. Of course, as more information is developed during the course of an investigation, the matter can be moved up or down this scale. Such an approach is also important for a company’s outside investigative counsel to partner more with the entity as a way to help hold down costs. Outside counsel can work to build confidence that the company’s investigators could handle a large or wide-ranging investigation. This confidence would help outside counsel in any discussions they might have with the DOJ during the pendency of a FCPA investigation.

Such an approach also has the effective of keeping your investigative costs below the ridiculous level. This is because beyond the tactical need to initially scope any FCPA allegation which may arise through a company’s internal reporting mechanism, it allows you to move to the next step of developing a reasonable investigation plan. This can be particularly important if you self-disclose to the DOJ. You will need to go into the DOJ and present your investigation plan so an early discussion with the government on the scope of the investigation is critical. 

You should engage the DOJ to show not only the scope of your investigation but that it can be limited so that you do not face the dreaded ‘where else’ question. You should develop a logical plan with the nexus to the facts. But it is critical that you and your investigation plan must have credibility with the government that not only will your investigation will be robust but that facts you have determined in your initial triage are a reasonable interpretation. 

Appropriate triage of allegations has several different impacts for any matter which comes to the attention of the compliance function. Obviously, it will help you to initially determine the seriousness of the matter. From there you can allocate an appropriate level of resources. It will also aid in your discussion with the DOJ if you have to go that route. Finally, in the situation where facts come in, it gives you evidence a documented process was followed with which you can show the government that a claim was properly scope as required under the Evaluation. But the key is to be prepared, not only in terms of having your investigation and notification protocols in place before an allegation comes in but also doing the proper triage so that you have an initial understanding of what you may be facing. 

Three Key Takeaways

  1. Compliance can learn from M*A*S*H about the need for triage.
  2. Initial triage allows you to separate the wheat of serious allegations from the chaff of more inconsequential allegations.
  3. A robust triage process allows for greater credibility with government regulators.
Jun 6, 2017

In this episode, I visit with Chris Morton, the SVP, Marketing and Corporate Development for Navex, about the firm's new resource for the Compliance Community, ComplianceNext.com. It is a free, compliance community driven learning platform designed to offer real-world education and skill enhancement for the compliance professional. Morton discusses its launch, the partners involved, highlights some of the content and discusses the user experience. Best of all, this resource is FREE. For more information, check out the site ComplianceNext.com.

Jun 5, 2017

Your company should have a detailed written procedure for handling any complaint or allegation of bribery or corruption, regardless of the means through which it is communicated. The mechanism could include the internal company hot-line, anonymous tips, or a report directly from the business unit involved. You can make the decision on whether or not to investigate with consultation with other groups such as the Audit Committee of the Board of Directors or the Legal Department. The head of the business unit in which the claim arose may also be notified that an allegation has been made and that the Compliance Department will be handling the matter on a go-forward basis. Through the use of such a detailed written procedure, you can work to ensure there is complete transparency on the rights and obligations of all parties once an allegation is made. This allows the Compliance Department to have not only the flexibility but also the responsibility to deal with such matters, from which it can best assess and then decide on how to manage the matter. 

Indeed the SEC considers a variety of factors around giving credit to corporate investigations including: Did management, the board or committees consisting solely of outside directors oversee the review? Did company employees or outside persons perform the review? If outside persons, have they done other work for the company? If the review was conducted by outside counsel, had management previously engaged such counsel? How long ago was the firm’s last representation of the company? How often has the law firm represented the company? How much in legal fees has the company paid the firm? 

In a presentation by Jay Martin, Vice President, Chief Compliance Officer (CCO) and the Senior Deputy Counsel for Baker Hughes Incorporated and Jacki Trevino, Senior Consultant, Advisory Services at SAI Global entitled, “FCPA Compliance Best Practices: Success Stories of Robust and Effective Anti-Corruption Compliance Programs in High Risk Markets” they presented the specifics of an investigation protocol.

The five steps were: (1) Opening and Categorizing the Case; (2) Planning the Investigation; (3) Executing the Investigation Plan; (4) Determining Appropriate Follow-Up; and (5) Closing the Case. If you follow this basic protocol, you should be able to work through most investigations, in a clear, concise and cost effective manner. Furthermore you should have a report at the end of the day which should stand up to later scrutiny if a regulator comes looking. Finally, you will be able to document, document, and document, not only the steps you took but why and the outcome obtained. 

Step 1: Opening and Categorizing the Case. This is the triage step and this first step, to categorize a compliance violation. You should notify the relevant individuals, including those on your investigation team and any senior management members under your notification protocols. After notification, you should assemble your investigation team for preliminary meetings and assessments. This Step 1 should be accomplished in one to three days after the allegation comes into compliance, either through your reporting structure or other means.

Given the number of ways that information about violations or potential violations of the Foreign Corrupt Practices Act (FCPA) can be communicated to the Department of Justice (DOJ) having a robust triage system is an important way that a company can separate the wheat from the chaff and bring the right number of resources to bear on a FCPA problem. A key consideration is making an initial determination of whether to bring in outside counsel to head up an investigation and a determination of the of the resources that you may want or need to commit to a problem. 

Step 2: Planning the Investigation. After assembling your investigation team, determine the required investigation tasks. These would include document review and interviews. If hard drives need to be copied or documents put on hold or sequestered in any way, or relationships need to be analyzed through relationship software programs or key word search programs, this should also be planned out at this time. These tasks should be integrated into a written investigation or work plan so that the entire process going forward is documented. Also, if there is a variation from the written investigation plan, such variation should be documented and an explanation provided as to why there was such a variation. Lastly, if international travel is involved this should also be considered and planned for at this step. Step 2 should be accomplished with another one to three days.

 

Step 3: Executing the Investigation Plan. Under this step, the investigation should be completed. I would urge that the interviews not be effected until all documents are reviewed and ready for use in any interviews. Care should be taken to ensure that an appropriate Upjohn warning is issued and that the interviewee clearly understands that whoever is performing the interview represents the company and not the person being interviewed, whether they are the target of the investigation or not. The appropriate steps should also be taken to preserve the attorney-client privilege and attorney work product assertions. This Step 3 should be accomplished in one to two weeks.  

Step 4: Determining Appropriate Follow-Up. At this step, the preliminary investigation should be completed and you are ready to move into the final phases. In some investigations, it is relatively easy to determine when the work is essentially complete. For example, if the allegation is both specific and narrow, and the investigation reveals a compelling and benign explanation for the conduct alleged, then the investigation typically is complete and you are ready to convene the investigation team and the relevant business unit representatives. This group would decide on the appropriate disciplinary steps or other actions to take. This Step 4 should be completed in one day to one week. 

It must be cautioned that at this step, if there are findings of specific or discrete allegations of corruption and bribery, a decision must be made as how to handle such findings going forward. 

Step 5: Closing the Case. Under this final step, communicate the investigation results to the stakeholders and complete the case report. Everything done in the above steps should be documented and stored, either electronically or in hard copy form together. The case report should be completed. This Step 5 should be completed in one day to one week. 

Three Key Takeaways

  1. A written protocol, created before an investigation is a key starting point.
  2. Create specific steps to follow so there will be full transparency and documentation going forward.
  3. Consistency in approach is critical.
Jun 5, 2017

In this episode, I visit with Robyn Bew, the Director of Strategic Content Development for the National Association of Corporate Directors (NACD) and Henry Stoever, the Chief Marketing Officer for the NACD. They discuss what is the NACD, who are its members and why directors or those desiring to be directors should join. We review some of the highlights from the 2017 NACD Directors Compensation Reports, the types of trainings offered by the NACD and the NACD’s advocacy for the director profession. You can find out more about the NACD by checking out their website, NACDonline.org.

Jun 2, 2017

This week, Jay and I have a wide-ranging discussion on some of the week’s top compliance related stories. We discuss: 

  1. Brazilian meatpacker JBS agrees to the largest fine ever for fine for bribery and corruption, $3.2bn in Brazil. See article in the Wall Street Journal.
  2. Samuel Mebiame, sentenced to two years behind bars for paying bribes to help Och-Ziff with lucrative mining deals in Africa. See article by Sam Rubenfeld in WSJ Risk and Compliance Journal. Judge asks why no one else was criminally prosecuted. See article in Bloomberg.
  3. Both acquirer and target are under SFO investigation in Wood Group/AMEC merger for their use of Unaoil. See articles in This is Moneyand The Telegraph
  4. Compliance is making its way into Boards of Directors. See article by Ben DiPietro in the WSJ Risk and Compliance Journal.
  5. Did Jared Kushner violate the FCPA? Matthew Stephenson explores this question on the Global Anti-Corruption Blog.
  6. Jay previews his weekend report.
  7. Tom continues to talk about the release of his new book 2016 – The Year in Corporate FCPA Enforcement. For more information and to purchase, click here.
Jun 2, 2017

In an article in the Compliance and Ethics Professional Magazine, entitled “Foxes and henhouses: The importance of independent counsel, Dan Dunne discussed what he termed a “critical element” in any investigation, which he denominated as “fair and objective evaluation.” Dunne wrote that a key component of this fair and objective evaluation is the WHO question; that is, who should supervise the investigation and who should handle the investigation? Dunne’s clear conclusion is that independent counsel should handle any serious investigation. 

There are three reasons for a company to retain independent counsel for internal investigations of serious whistleblower complaints. First, André Agassi was right, perception is reality. This means that for any corporate ethics and compliance program to be effective, it must be perceived to be fair. If your employees do not believe that the investigation is fair and impartial, then it is not fair and impartial. Further, those involved must have confidence that any internal investigation is treated seriously and objectively. 

Secondly, if regular outside counsel investigates their own prior legal work or legal advice, a very large and potentially messy numbe of loyalty and privilege issues can arise in the internal investigation. It is a rare legal investigation, where the lawyer or law firm which provided the legal advice and then investigates anything having to do with said legal advice, finds anything wrong with its legal advice. Dunne also notes that if the law firm which performs the internal investigation has to waive attorney client privilege, it may also have to do the same for all its legal work for the company. 

The third reasons is the relationship of the regular outside counsel or law firm with regulatory authorities. If a company’s regular outside counsel performs the internal investigation and the results turn out favorably for the company, the regulators may ask if the investigation was a whitewash or at the very least, less than robust. If the Securities and Exchange Commission (SEC) or Department of Justice (DOJ) cannot rely on a company’s own internal investigation, it may perform the investigation all over again with its own personnel. Further, these regulators may believe that the company, and its law firm, has engaged in a cover-up. This is certainly not the way to buy credibility. 

Mara Senn has explained that it is the lawyer or law firm representing the company that can go a long way towards establishing credibility, noting, “For those of us who regularly appear before the government, we already have credibility, and they understand that the client may or may not agree with recommendations we make, and they know that we’ll be a straight shooter once we’re in front of them, however we get in front of them.” But is more than the lawyer or law firm that brings credibility; it is actions of the company as well. Of course this means the steps the company has taken and its cooperation with the government during the pendency of any FCPA investigation. 

Despite the fact that using specialized investigation counsel is a best practice that is worth the money, one of the more difficult things is convincing decision-makers of this advantage. This is particularly so when speaking with mid- or small-sized companies that are part of larger supply chains.  While general counsels and compliance officers may be up to speed on outsourcing critical inquiries, managers in business segments often are not and frequently reply that they “got someone” in the company who “takes care of that stuff.” However, it is clear that such an approach will be more costly to a company in the long run. 

Moreover, if there are serious allegations made concerning your company’s employees engaging in criminal conduct, a serious response is required. Your company needs to hire some seriously good lawyers to handle any internal investigation. These lawyers need to have independence from the company so do not call your regular corporate counsel. Hire some seriously good investigative lawyers. This may well mean you need specialized outside counsel. 

James McGrath and David Hildebrandt wrote about the use of specialized outside counsel to lead an independent internal investigation as compliance and ethics best practices in an article entitled, “Risks and Rewards of an Independent Investigation”.  This is based upon the US Sentencing Guidelines, under which a scoring system is utilized to determine what a final sentence should be for a criminal act. Factors taken into account include the type of offense involved and the severity of the offense, as well as the harm produced. Additional points are either added or subtracted for mitigating factors. One of the mitigating factors can be whether an organization had an effective compliance and ethics program. McGrath and Hildebrandt argue that a company must have a robust internal investigation. 

The authors suggest that in such a situation, a company should engage specialized counsel to perform the investigation. There were three reasons for this suggestion of the utilization of specialized counsel. The first is that the Department of Justice would look towards the independence and impartiality of such investigations as one of its factors in favor of declining or deferring enforcement. If in-house counsel were headed up the investigation, the DOJ might well deem the investigative results “less than trustworthy”. 

A second reason came from the company perspective. Many companies have sought protection of investigations behind the shield of the attorney-client privilege and attorney work-product doctrine. If an in-house attorney is utilized, many courts are skeptical of a company asserting the privileges because of the mixed responsibilities of counsel in a corporation; that of legal and business work. Additionally, obstructionist attempts by corporations to improperly assert the privilege have led courts to refuse to allow the privilege to be asserted. However a company will usually not face these arguments if outside counsel is utilized. 

Even if the company is willing to waive its attorney-client privilege, McGrath and Hildebrandt offer a third reason for the use of specialized outside counsel to handle an investigation. If a company’s regular outside counsel were retained to conduct the investigation, the DOJ might feel the results had less than full credibility due to the fact that the law firm knew “who buttered its bread” and that the law firm would not want to bring bad news to client and endanger the ongoing business relationship between the law firm and the client. The authors end by concluding that by employing specialized counsel comports with the expectations under the US Sentencing Guidelines, gives a company the protections of the attorney-client privilege and the work-product doctrine and finally “assures the government of the integrity of the internal investigation.” 

Three Key Takeaways

  1. Serious allegations demand a serious response, with seriously good lawyers leading the investigation.
  2. The biggest thing that any person or company brings to the table when sitting across from the DOJ or SEC is credibility.
  3. Use of regular corporate counsel can negatively impact your investigation because of the issues of loyalty and privilege.
Jun 1, 2017

The call, email or tip comes into your office; an employee reports suspicious activity somewhere across the globe. That activity might well turn into a Foreign Corrupt Practices Act (FCPA) issue for your company. As the Chief Compliance Officer (CCO), it will be up to you to begin the process which will determine, in many instances, how the company will respond going forward. This month’s podcast series will provide to you all the steps you will need to consider going forward.

This scenario was driven home in a FCPA enforcement action brought by the Securities and Exchange Commission (SEC) in July 2015 involving Mead Johnson Nutrition Company (Mead Johnson). In that case, the company performed two internal investigations into allegations that its Chinese business unit was engaged in conduct which violated the FCPA. Unfortunately the first investigation, performed in 2011 did not turn up any evidence of FCPA violations. It was not until 2013, when the SEC made an inquiry to the company that it performed an adequate internal investigation which uncovered FCPA violations. 

Similarly, consider Zimmer Biomet, which (when it was only Biomet) resolved an FCPA violation in 2012 for nearly $23MM and entered into a Deferred Prosecution Agreement (DPA). Within the year, Biomet notified its Monitor that it has found evidence of additional FCPA violations, which in turn violated the terms and conditions of the DPA. However these additional violations by the company (now Zimmer Biomet) turned out to have been actions which occurred in 2010, well before the initial DPA but were not uncovered in the company’s worldwide investigation which led to the first settlement. Zimmer Biomet paid an additional $13MM for this oversight and extended out both the DPA and the Monitorship, all because the company had failed to fully investigate itself thoroughly.

The 2012 FCPA Guidance states the following on investigations, “Moreover, once an allegation is made, companies should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the company’s response, including any disciplinary or remediation measures taken.” That is simply it. This simple introduction was expanded upon in the Justice Department’s Evaluation of Corporate Compliance Programs (Evaluation) released in February. Prong 7 in the makes the following inquiries:

Effectiveness of the Reporting MechanismHow has the company collected, analyzed, and used information from its reporting mechanisms? How has the company assessed the seriousness of the allegations it received? Has the compliance function had full access to reporting and investigative information?  

Properly Scoped Investigation by Qualified PersonnelHow has the company ensured that the investigations have been properly scoped, and were independent, objective, appropriately conducted, and properly documented?  

Response to InvestigationsHas the company’s investigation been used to identify root causes, system vulnerabilities, and accountability lapses, including among supervisory manager and senior executives? What has been the process for responding to investigative findings? How high up in the company do investigative findings go?  

The Mead Johnson and Zimmer Biomet matters are but two examples which make clear the need to have robust, integrated investigations. Marc Bohn, writing in the FCPA Blog, said about the Mead Johnson matter, “Investigations that lack sufficient depth, resources, or forethought can pose significant risk because they increase the likelihood that something critical will be overlooked, potentially permitting misconduct to continue unabated.” Both Mead Johnson and Zimmer Biomet point to the critical nature of FCPA investigations and why the government takes this requirement so rigorously. But more than protecting a company from liability under the FCPA, in the internationalized world of global compliance investigations are becoming more important. Bio-Rad recently announced that its FCPA settlement was a “risk-factor” which required public disclosure under US securities law. 

In the domestic arena, internal investigations can go a long way towards helping a company move past a public relations debacle or perhaps abate negative publicity. One need only consider the recently released internal investigation report commissioned by the Wells Fargo Board of Directors around the bank’s fraudulent accounts scandal. The report was merciless in its criticism of certain structural and cultural failures at the bank. It named names of culpable former senior executives at the company. However one thing it did not address were allegations from multiple whistleblowers who claimed to have reported the fraudulent conduct and were ignored or actively retaliated against. If the internal investigation turns out to have white washed these whistleblowers, the financial penalty and negative public reaction could be both swift and severe.

Corrupt investigations are never a good thing for a company as they can disrupt business relationships and future opportunities. Yet today they are even more important. In the month of June I will be exploring how you can create, design and implement a robust investigation protocol for an internal investigation and when you should bring in outside counsel for an independent investigation. I will consider the Board of Director’s role in investigations and other corporate functions such as internal audit, IT and legal in any investigation. I will review special issues such as privilege, Upjohn and Miranda warnings and data privacy.

 As Hallmark Seven of the Ten Elements of an Effective Compliance program states, in part, “An effective compliance program should include a mechanism for an organization’s employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation” and Prong 7 of the Evaluation also deals with reporting; I will consider hotlines. Both their implementation and use in a best practices compliance program. I will feature several compliance practitioners, both lawyers and non-lawyers, who will relate how they developed their investigative strategies and navigated various stakeholders to obtain positive results for their clients. 

Three Key Takeaways

  1. Failure to thoroughly and properly investigations allegations of corruption can be costly.
  2. The internationalization of global anti-corruption enforcement makes performing robust investigations even more important.
  3. Use the month of June to learn about key aspects of investigations and internal reporting mechanisms.
Jun 1, 2017

In this episode, Roy and I consider Sgt. Pepper's at 50; Artificial Intelligence in Compliance and how ComTech will change the face of compliance going forward. 

For additional reading on these topics see:

Compliance Lessons from Sgt. Pepper's 

AI and Compliance Going Forward: Welcome to ComTech

AI for Risk Management in Compliance 

« Previous 1 2