Info

FCPA Compliance Report

Tom Fox has practiced law in Houston for 30 years and now brings you the FCPA Compliance and Ethics Report. Learn the latest in anti-corruption and anti-bribery compliance and international transaction issues, as well as business solutions to compliance problems.
Now displaying: Category: compliance know-how
Jan 18, 2017

One of the more prescient authors I know is Ryan C. Hubbs, who in 2014 wrote an article for Fraud Magazine entitled “Shell Games”. Shell companies come in different shapes and sizes. Shelf companies are those formed but not used for a long period of time; this provides the facade of an established, long-standing business. This type of fraud also needs directors and nominees to fill out the package and provide the aura of legitimacy. The final area of concern is the ‘hot spot’, one location which is the home for multiple shell companies.

In your basic research, do not limit your search to the International Consortium of Investigative Journalists’ database of companies listed in the Panama Papers themselves. That database is reported to list only 5-7% of the world’s shell companies. Some of the basic questions you should be looking at come from your own data and information, such as information mismatches around address, phone, fax, ship-to, bank and cell contact. Also review incoming/outgoing wire transfer documents to determine if payments are forwarded to or received from an unrelated third party.

Some specific reviews and steps you can take using public source information include the following:

  1. Review web history. In this day and age, if a company or person does not have an active, up-and-running website, it should immediately raise a red flag.
  2. Review public records searches to identify owners and trace links to known associates. There is a variety of information which a competent due diligence provider can search. Public records are an important source of information to link entities and individuals.
  3. Map the network. This is a key step, as you must be able to document the linkage between all the information uncovered. You should map every scrap of information you uncover.
  4. Use a ‘Whois lookup’ for domain ownership and IP addresses. Using “Whois lookup” search engines, you can discover such information as domain ownership, IP addresses, the physical addresses of websites, the website administrators and their contact information, and website creation dates.
  5. Evaluate online presences. Shell incorporators have difficulty fabricating an active and robust online presence because these companies technically do not exist. Some indicia of online authenticity include a properly designed website which has other online content. There should be periodic and regular updates of information. Finally, there should be legitimate email addresses for contacting the company which are associated with a legitimate website address.

Three Key Takeaways 

  1. Do you have a mechanism to review your own vendors and agents for shell companies?
  2. Do not forget the open source tools available to you.
  3. Review your previously approved third parties in light of the Panama Papers.
Jan 17, 2017

Many compliance practitioners ask how to set up a data analysis program and how to use it to help monitor a compliance program. I draw on Joe Oringel, co-founder of Visual Risk IQ, and the firm’s five-step process for any analytics project. The steps are: (1) Brainstorming, (2) Acquire and Map Data, (3) Write Queries, (4) Analyze and Report, and (5) Refine and Sustain.

Step 1 - Brainstorming

It all begins with Step 1, brainstorming. Any data analysis project in a compliance setting, or any business context, begins by picking the business questions to answer with data. So in an initial meeting, you could ask one or more of the following opening questions: What do we expect to find if we do a detailed review of this data? What policies should have been followed? What would a mistake or even fraud look like? The data to be reviewed could be expense reports, accounts payable invoices, or sales contracts. The key to successful brainstorming is to identify the questions you want to ask and answer, and then identify the digital data sources that can best answer these questions. This process should be iterative, with questions being refined based on the available sources of digital data.

Step 2 - Acquire and Map the Data

Acquiring and mapping data can be a technical step, but most modern software can create files that can be easily read by basic data analysis software, such as Microsoft Excel, as well as more advanced tools. Mapping data is simply identifying, naming, and categorizing the data fields (e.g. text, dates, numbers) so that the software tool can best interpret the data for analysis. Once the data is loaded into the analysis tool, control totals should be compared to source systems for completeness and accuracy. Oringel recommends comparing record counts, grand totals, and even selected balances for a sample of records to make sure that nothing was lost in translation into the data analysis tool.

Step 3 - Writing the Queries

While writing queries surely sounds technical, it can be quite simple. Sorting data from oldest to newest or biggest to smallest is often only a few clicks of the mouse. Once sorted by several different columns, business insights can be quick. Writing queries is simply writing the business questions you laid out in the brainstorming session, and using software in a way that makes it easy to understand the answers.

Step 4 - Analyze and Report Results

You should summarize the results of data analysis into visual form, for example by using color, size, and location in a graph, so that the compliance practitioner can quickly understand what has happened, see the data and conclude whether the picture supports a decision that the transaction was or was not compliant. If required, an action step then becomes apparent.

Step 5 - Refine and Sustain

That brings us to Step 5, which Oringel identified as refine and sustain. Part of this step is about fixing the root cause of any problem identified through data analysis. I certainly believe one of the key functions for any compliance practitioner, and one of the first things you should do, is to make sure any violations of your policies and procedures do not move to an illegal conduct stage.

Three Key Takeaways

  1. What information do you want to look at?
  2. Once you analyze it, you must take appropriate remedial steps.
  3. Data analysis is a continuous feedback loop.

For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available by clicking here.
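To make Steps 2 through 4 concrete, here is an added example (my own illustration, not code from the podcast or from Visual Risk IQ) that runs the control-total check and then writes the shell-company questions from the Jan 18 episode (wire beneficiaries that differ from the vendor, ship-to and address mismatches, several vendors at one address, a missing or newly registered website) as queries over a vendor master and accounts-payable extract. Every vendor, payment and WHOIS-style registration date below is constructed sample data.

```python
# Added example: Steps 2-4 of the five-step analytics process applied to the
# shell-company indicators discussed above. All data is constructed.
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Vendor:
    vendor_id: str
    name: str
    address: str
    phone: str
    bank_account_holder: str          # name on the account held in the vendor master
    website_created: Optional[date]   # WHOIS-style creation date; None = no website found


@dataclass(frozen=True)
class Payment:
    payment_id: str
    vendor_id: str
    paid_on: date
    amount: int          # whole dollars (constructed)
    beneficiary: str     # name on the outgoing wire
    ship_to: str         # ship-to address on the invoice


# Constructed vendor master and accounts-payable extract.
VENDORS = [
    Vendor("V1", "Acme Valves Ltd", "12 Mill Rd, Leeds", "+44 113 555 0100",
           "Acme Valves Ltd", date(2009, 3, 2)),
    Vendor("V2", "Global Trade Consult SA", "Suite 7, 1 Harbour St, Panama City",
           "+507 555 0110", "Global Trade Consult SA", None),
    Vendor("V3", "Meridian Advisory Corp", "Suite 7, 1 Harbour St, Panama City",
           "+507 555 0110", "J. Doe", date(2016, 12, 20)),
    Vendor("V4", "Northwind Logistics", "8 Dock Ln, Rotterdam", "+31 10 555 0120",
           "Northwind Logistics", date(2012, 6, 11)),
]
PAYMENTS = [
    Payment("P1", "V1", date(2017, 1, 5), 18400, "Acme Valves Ltd", "12 Mill Rd, Leeds"),
    Payment("P2", "V2", date(2017, 1, 6), 95000, "Sunrise Holdings LLC",
            "Suite 7, 1 Harbour St, Panama City"),
    Payment("P3", "V3", date(2017, 1, 9), 42000, "Meridian Advisory Corp", "PO Box 991, Georgetown"),
    Payment("P4", "V4", date(2017, 1, 10), 7600, "Northwind Logistics", "8 Dock Ln, Rotterdam"),
]


def control_totals(payments, source_count, source_total):
    """Step 2: confirm the extract matches the source system's record count and grand total."""
    count, total = len(payments), sum(p.amount for p in payments)
    return {"count": count, "total": total,
            "complete": count == source_count and total == source_total}


def shell_indicators(vendors, payments, recent_days=90):
    """Step 3: the brainstormed questions written as queries over the data.
    Returns {vendor_id: [indicator, ...]} for every vendor with at least one hit."""
    by_id = {v.vendor_id: v for v in vendors}
    at_address = defaultdict(list)
    first_paid = {}
    for v in vendors:
        at_address[v.address].append(v.vendor_id)
    for p in payments:
        first_paid[p.vendor_id] = min(first_paid.get(p.vendor_id, p.paid_on), p.paid_on)
    flags = defaultdict(list)
    for p in payments:  # payment-level questions
        v = by_id[p.vendor_id]
        if p.beneficiary != v.bank_account_holder:   # money forwarded to an unrelated third party?
            flags[v.vendor_id].append(
                f"{p.payment_id}: wire beneficiary '{p.beneficiary}' is not the vendor's account holder")
        if p.ship_to != v.address:                   # information mismatch between fields
            flags[v.vendor_id].append(f"{p.payment_id}: ship-to address differs from vendor address")
    for v in vendors:   # vendor-level questions
        if v.bank_account_holder != v.name:
            flags[v.vendor_id].append("bank account holder differs from vendor name")
        if v.website_created is None:
            flags[v.vendor_id].append("no website found")
        elif v.vendor_id in first_paid:
            age = first_paid[v.vendor_id] - v.website_created
            if age < timedelta(days=recent_days):
                flags[v.vendor_id].append(f"website registered {age.days} days before first payment")
        others = [x for x in at_address[v.address] if x != v.vendor_id]
        if others:                                   # 'hot spot': one address, many companies
            flags[v.vendor_id].append(f"shares address with {', '.join(others)} (possible hot spot)")
    return dict(flags)


def rank_report(flags):
    """Step 4: order vendors by number of indicators so the reviewer sees the worst first."""
    return sorted(flags.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    print(control_totals(PAYMENTS, source_count=4, source_total=163000))
    for vendor_id, hits in rank_report(shell_indicators(VENDORS, PAYMENTS)):
        print(vendor_id, len(hits), "indicator(s)")
        for hit in hits:
            print("   -", hit)
```

Vendors with no indicators are omitted from the report; a flagged vendor is a candidate for the public-source reviews above, not a conclusion.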

Jan 17, 2017

In this episode, I visit with Matt Ellis, a partner at Miller & Chevalier. Ellis has recently published his first book, The FCPA in Latin America. Ellis discusses why he wrote the book, some of the key issues around FCPA compliance in Latin America, and debunks the myth that Latin Americans desire bribery and corruption in their business dealings.

Jan 16, 2017

What if you want to take your post-training analysis to a higher level and begin to consider effectiveness through your return on investment (ROI)? Joel Smith, the founder of Inhouse Owl, a training services provider, advocates performing an assessment to determine ethics and compliance training ROI. By demonstrating what putting money and resources into training returns, a compliance professional can not only show the benefits of ethics and compliance training but also understand more about what employees are getting out of training (effectiveness). The goal is to create a measurable system that will identify the benefits of training, such as avoiding a non-compliance event like a violation of the FCPA. Smith admits that calculating legal ROI is very difficult, as ethical and compliant behavior is an end goal in and of itself, and not necessarily one that everyone feels should be subject to an ROI calculation.

Smith noted, “it is extremely difficult to isolate the training effect to calculate what costs you avoided due solely to your ethics and compliance training. Although each organization will have a unique ROI measurement due to unique training objectives, it is possible to use a general formula to calculate ethics and compliance training ROI.” 

Smith’s model uses four factors to help determine the ROI for your ethics and compliance training, which are: (1) Engagement, (2) Learning, (3) Application and Implementation, and (4) Business Impact. These four factors are addressed by posing the following questions.

  1. Figure out what you want to measure (i.e. what’s the “benefit”?). Before you ever train an employee, you should have a goal in mind. In the FCPA context, you want them to avoid unethical and non-compliant actions that would lead to FCPA violations.
  2. Were employees satisfied with the training? What is their engagement? The next step is to get a sense of whether employees feel that the training you provided is relevant and targeted to their job.
  3. Did employees actually learn anything? If you want to understand the “benefit” of training employees, you must know whether they actually learned anything during training.
  4. Are employees applying your training? You should determine employee application and implementation of the training topics, with employee surveys to understand whether they ceased engaging in certain risky behaviors or, better yet, understand how to conduct themselves in certain risky situations.
  5. What’s the quantitative business impact of your training? There are two parts to the business impact calculation: (1) the benefit calculation and (2) the isolation calculation. Determine this with the following five questions:
     1. How often could a noncompliance event occur?
     2. How much revenue would be involved?
     3. What is the profit margin on the revenue?
     4. What are the other costs?
     5. What are the noncompliance hard costs?

Now it is time to calculate the ROI. Here I turn to the formula as laid out on Smith’s company website: “Total FCPA Noncompliance Costs Avoided - Total FCPA Training Program Costs ÷ Total FCPA Training Program Costs ($20,000) x 100 = ROI”. Smith concludes by noting, “Even though calculating training benefits is often difficult and imprecise, it’s incredibly important to make an attempt to quantify training ROI” to demonstrate not only effectiveness but also “so you can show business people the incredible effect that engaging training can have on the bottom line.”

The importance of determining effectiveness and the evaluation of your ethics and compliance program is becoming something that is emphasized more by the Department of Justice (DOJ). Beginning last fall, we started to hear that the DOJ wants to see the effectiveness of your compliance program. This is something that many Chief Compliance Officers (CCOs) and compliance professionals struggle to determine. Both the simple guidelines suggested by the Biegelmans and the more robust assessment and calculation laid out by Smith provide you with formulae you can use going forward. 

Three Key Takeaways

  1. You need to know the effectiveness of your compliance training.
  2. What is the quantitative business impact of your compliance training?
  3. What is the qualitative business impact of your compliance training?

For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available by clicking here.

Jan 15, 2017

For compliance training to be effective, it needs to be risk-based in its focus. This means employees with the highest risk of exposure to bribery and corruption need to receive the highest levels of training and refreshers. From there you can tailor your training down to an appropriate level for those less at risk.

The risk ranking of employees is usually considered in a tripartite structure of (1) high risk, (2) medium risk and (3) low risk. High-risk employees can be defined as those employees whose roles in your company can significantly impact the company. Medium-risk employees can be defined as those employees who face risk on a regular basis or present a moderate level of negative impact to a company if they mishandle the risk. Low-risk employees can be considered those employees with a low likelihood of facing the attendant risk. Through the risk ranking process, you have internalized the admonition that one size does not fit all in deciding the content and intensity of training needs for each role or individual. You should now be ready to design your compliance training.

The first step is to define what you are trying to achieve in your compliance training. This certainly means more than simply ‘check-the-box’ training; it means that when implementing compliance training you have put significant time and thought into it. It should be well designed for the targeted group of employees who will receive it. Your compliance training can and should have several business-related goals, in addition to the specifics of anti-bribery laws such as the FCPA. These include identifying the business objectives of engaging in commerce in a legally compliant manner; managing threats which may come to employees you have identified as high risk; and the business opportunities afforded if you have sufficient compliance systems in place to prevent bribery and corruption. Moreover, you can present tangible business benefits if you address these issues in a positive manner. Finally, such focused training can and should help to ensure integrity and the company’s reputation by strengthening your business culture and ethical conduct.

You are now ready to design your compliance training, with the above goals in mind. You should include the development of curriculum using a risk-based model and set uniform methods for acquiring content, maintaining records and reporting. This should be followed by the establishment of standards for selecting appropriate content, delivery methods, frequency, and assurance based on risk exposure. You can review any technological solutions for both e-learning delivery and documentation. Lastly, you will need to consider training content revision when requirements or risk analyses change.

After the design of the training program, the next level is to design the specific training courses. Here you should establish your learning objectives and map the training to legal and competency requirements. You must always remember who your audience is and what their characteristics might be. For the high-risk employee, you will need focused training so that they will be able to act with confidence in a wide range of scenarios and conditions based on a strong understanding of the risks, requirements and penalties. For the medium-risk employee, compliance training should include scenarios so that they know the risks, requirements and penalties and should be able to apply their knowledge to common scenarios using standards and tools given to them. Low-risk employees should be made aware of the risks, requirements and penalties, as well as your entity’s expectations about how to address them. They should know the relevant policies and procedures and where to get assistance in addressing a risk or making a behavior decision.

Now you need to determine the most appropriate mechanism to deliver the content of your compliance training. You can use a variety of methods for each of the risk-based rankings. The delivery of compliance training for high-risk employees should be repeated frequently using several methods of delivery. You can include ongoing risk profiling of individuals through assessment of behavior choices in online courses or live simulation exercises. Additionally, you should work to determine the effectiveness of your compliance training for this group through testing and certification. For your medium-risk employees, your compliance training should have content to make them proficient in the subject, be refreshed periodically, use a mix of modes of delivery, both live and online, and have methods to demonstrate evidence of understanding. The content required for low-risk employees can be delivered largely through online training; again, you will need to make sure the material is reviewed and updated on an as-needed basis.

Three Key Takeaways 

  1. Identify your goals.
  2. Risk rank your target audiences and risk base your training.
  3. Develop multiple forms of training delivery mechanisms.

For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available by clicking here.

Jan 14, 2017

You should work to create an action plan to use your data. But never forget that you need to get your digital information right. That means using several sources of data to help you choose the best course of action. Earlier this year, Deadspin reported on a joint investigation between BuzzFeed UK and the BBC, in an article entitled “The Tennis Racket”, which looked at what they believed was suspicious betting on professional tennis matches. They used a transactional analysis to identify the players involved and the matches they allegedly fixed at the behest of gamblers. This use of data analysis points to a key lesson: data analysis is only the starting point in any investigation. You need to review other data to make an action plan. Other sources of information might include interviewing witnesses, reviewing documents, and looking at injury factors that might have influenced the outcome of tennis matches. It is not simply enough to identify suspicious activities; you need to determine the facts behind the numbers and then analyze both the numbers and the facts. If warranted, remedial action would then be appropriate. Any best practices program should prevent, detect, and remediate.

Another important point is the integration of compliance data into your overall business strategy. One area in which compliance is often criticized is that it does not support an overall business goal. By determining a way to use compliance analysis from your data in a manner that supports the business unit going forward, compliance can become an input into business strategy. An example might be your sales models. Does your business use employees, commissioned sales representatives or entities such as distributors to sell? All of these present not only different types of compliance risks but different types of compliance solutions. By building relationships at all levels throughout the company, you will have the opportunity to move into the trusted business partner realm.

This also means looking outside the compliance discipline for inspiration and innovation. Design thinking can be a key way for you to avoid getting stuck in a specific paradigm inside your own organization. Think about what your internal or external clients will need to be able to do business in compliance, with the right risk management in place to allow them to move forward. Finally, practice transparency. Remember you are not the legal department, keeping information close to your vest. The compliance mandate is different. If a problem arises, the first job of the CCO is to fix the problem.

Key Takeaways

  1. You must get the data right by looking at several sources before coming to any conclusion.
  2. Data can assist the compliance function to aid the business unit to make quantitative and qualitative decisions.
  3. Look outside the compliance function for innovation and inspiration.
Jan 13, 2017

You should work to create a culture of data in your compliance program. This comes from an understanding that data is a product, which you can consume internally in the compliance function. Your data is a corporate asset, so why not use it? That is a key point that you should recognize. Yet data is not simply big or even scary. It is information that you can use to help you make better decisions. The CCO needs to find a way to deliver compliance analytics in a manner that is timely within your company’s everyday decision-making calculus.

One of the biggest misunderstandings about using data is that compliance practitioners tend to be myopic. They only look at individual data when it is more useful to know what a population of people is doing. As a CCO, how many times have you heard something along the lines of “If we look we might find something”? This defensive attitude can keep you from making use of some of the most useful information available to you: your own data. The more transparency there is around data, the less it is viewed as a liability.

A key insight for the compliance function is that the democratization of data access has allowed companies to become much more data-oriented in decision making. So do not hoard your data. This means more than simply using it; it also means making it available to the business folks to help them make their decisions more in compliance. This transparency will not only improve the quality of your decision making but should also allow you to bring more robust compliance analysis into the fabric of your organization.

Innovation in compliance is really nothing new. Best practices compliance programs have evolved from as far back as the Metcalf and Eddy enforcement action, through Opinion Release 04-02, to the current Ten Hallmarks of an Effective Compliance Program as set out in the FCPA Guidance. Even within these frameworks there has always been evolution of compliance. This is to be embraced because the consequences of not doing so are too catastrophic.

All of this means that compliance should use data to help establish a culture of innovation in the compliance function. Every CCO should be looking beyond today. Arnold & Porter LLP partner Stephen Martin has long advocated a one, three and five year compliance program outlook that you should regularly review and update. From the data perspective you should consider what this might mean from a technological perspective and how you can enable that transformation going forward.

Key Takeaways

  1. Look at aggregations of data to spot trends.
  2. The more transparency you have in data the less potential there is for liability going forward.
  3. Data is a product and compliance should consume data.
Jan 12, 2017

You should employ a six-step process for revising your Code of Conduct.

  1. Get buy-in from decision makers at the highest level of the company

Your company’s highest level must give the mandate for a revision to a Code of Conduct. It should be the Chief Executive Officer (CEO), General Counsel (GC) or Chief Compliance Officer (CCO), or better yet all three, who mandate this effort.

  2. Establish a core revision committee

A cross-functional working group should head up your effort to revise your Code of Conduct. It can include representatives from the following departments: legal, compliance, communications, HR; there should also be other functions which represent the company’s domestic and international business units; finally, there should be functions within the company represented such as finance and accounting, IT, marketing and sales.

  3. Conduct a thorough technology assessment

The foundation of the revision process is how your company captures, collaborates on and preserves the decisions made during the revision. You should utilize the technology available to you to do so. This is also important in your distribution plan, particularly if the Code will only be available in hard copy.

  4. Determine translations and localizations

The DOJ and SEC require a local language component. You need to use translation experts and know what they are doing when it comes to translations. Everyone must have the same understanding of the company’s Code, no matter the language.

  5. Develop a plan to communicate the Code of Conduct

You should use the full panoply of tools available to you to publicize your new or revised Code of Conduct at roll-out. This can include a multi-media approach or physically handing out a copy to all employees at a designated time. You might consider having a company-wide Code of Conduct meeting where the new or revised Code is rolled out across the company all in one day. Also remember, you must document that each employee receives it.

  6. Stay on target

If you set realistic expectations you should be able to stay on deadline and stay within your budget. Do not be distracted by other issues that might arise during the process.

Key Takeaways

  1. When did you last revise your Code of Conduct?
  2. You must have senior management buy-in to successfully revise your Code of Conduct.
  3. Keep your eye on the ball.

For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available by clicking here.

 

Jan 11, 2017

A company that does not perform adequate due diligence prior to a merger or acquisition may face both legal and business risks. Perhaps, most commonly, inadequate due diligence can allow a course of bribery to continue - with all the attendant harms to a business’s profitability and reputation, as well as potential civil and criminal liability. In contrast, companies that conduct effective FCPA due diligence on their acquisition targets are able to evaluate more accurately each target’s value and negotiate for the costs of the bribery to be borne by the target. Equally important is that if a company engages in the suggested actions, they will go a long way towards insulating, or at least lessening, the risk of FCPA liability going forward.

Pre-Acquisition Risk Assessment

It should all begin with a preliminary pre-acquisition assessment of risk. Such an early assessment will inform the transaction research and evaluation phases. This could include an objective view of the risks faced and the level of risk exposure, such as best/worst case scenarios. A pre-acquisition risk assessment could also be used as a “lens through which to view the feasibility of the business strategy” and help to value the potential target.

The next step is to develop the risk assessment as a base document. From this document, you should be able to prepare a focused series of queries and requests to be obtained from the target company. Thereafter, company management can use this pre-acquisition risk assessment to attain what might be required in the way of integration, post-acquisition. It would also help to inform how the corporate and business functions may be affected. It should also assist in planning for timing and anticipation of the overall expenses involved in post-acquisition integration. These costs are not insignificant and they should be thoroughly evaluated in the decision-making calculus. 

It is also important that after the due diligence is completed, and if the transaction moves forward, the acquiring company should attempt to protect itself through the most robust contract provisions that it can obtain. These would include indemnification against possible FCPA violations, including both payment of all investigative costs and any assessed penalties. An acquiring company should also include reps and warranties in the final sales agreement that the entire target company uses for participation in transactions as permitted under local law; that there is an absence of government owners in the company; and that the target company has made no corrupt payments to foreign officials. Lastly, there must be a rep that all the books and records presented to the acquiring company for review were complete and accurate.

Post-Acquisition Integration

There are generally three things a company must do in the M&A context, post-acquisition. They are: immediately train high-risk employees of the newly acquired entity, perform an FCPA forensic audit, and integrate the newly acquired company into the purchaser’s compliance program. One other factor is that if the purchaser uncovers FCPA violations, they must be stopped at once and reported to the DOJ. It is critical to remember that once an acquired entity is folded into your organization, it is not committing FCPA violations on its own; your company is now the FCPA violator. However, if the prior entity did engage in FCPA violations and your investigation uncovered them, you stopped them and you then reported them to the DOJ, your company will not receive any springing FCPA liability.

All of this must be done in fairly strict time frames. You basically have 12 months to complete your training and integrating the acquired entity into your compliance program. You have 18 months to complete your forensic audit and then self-disclose the results to regulators if you discover a legal violation. The clock is ticking and you need to be prepared to move forward expeditiously. 

Key Takeaways 

  1. When did you last revise your Code of Conduct?
  2. You must have senior management buy-in to revise your Code of Conduct.
  3. Use all tools available to distribute your Code of Conduct.

For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available by clicking here.

Jan 10, 2017

No area has become more challenging in compliance than continuous improvement. The FCPA Guidance specifies that “a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the standards of its industry. In addition, compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.”

Continuous improvement requires that you not only audit but also monitor whether employees are staying with the compliance program. In addition to the language set out in the FCPA Guidance, two of the seven compliance elements in the US Sentencing Guidelines call for companies to monitor, audit, and respond quickly to allegations of misconduct. These three activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs.

One tool that is extremely useful in the continuous improvement cycle, yet is often misused or misunderstood, is ongoing monitoring. This can come from the confusion about the differences between monitoring and auditing. Monitoring is a commitment to reviewing and detecting compliance variances in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis across a wide spectrum of data and information.

Auditing is a more limited review that targets a specific business component, region, or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits that it is effectively monitoring. A robust program should include separate functions for auditing and monitoring. Although unique in protocol, however, the two functions are related and can operate in tandem. Monitoring activities can sometimes lead to audits. For instance, if you notice a trend of suspicious payments in recent monitoring reports from Indonesia, it may be time to conduct an audit of those operations to further investigate the issue. 

Your company should establish a regular monitoring system to spot issues and address them. Effective monitoring means applying a consistent set of protocols, checks, and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. To address this, your compliance team should be checking in routinely with local Finance departments in your foreign offices to ask if they’ve noticed recent accounting irregularities. Regional directors should be required to keep tabs on potential improper activity in the countries in which they manage. These ongoing efforts demonstrate that your company is serious about compliance.

What should you do with this information? I would suggest that you have a strategic plan in place ready to implement your findings of continuous improvement, by using the following: 

  • Review the Goals of the Strategic Plan.
  • Design an Execution Plan.
  • Put Accountabilities in Place.
  • Schedule the Next Review of the Plan.

Continuous improvement through continuous monitoring or other techniques will help keep your compliance program abreast of any changes in your business model’s compliance risks and allow growth based upon new and updated best practices specified by regulators. A compliance program is in many ways a continuously evolving organism, just as your company is. You need to build in a way to keep pace with both market and regulatory changes to have a truly effective anti-corruption compliance program. The FCPA Guidance makes clear the “DOJ and SEC will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered. Similarly, undertaking proactive evaluations before a problem strikes can lower the applicable penalty range under the U.S. Sentencing Guidelines. Although the nature and the frequency of proactive evaluations may vary depending on the size and complexity of an organization, the idea behind such efforts is the same: continuous improvement and sustainability.”

Key Takeaways 

  1. Where has your compliance program been, where is your compliance program now and where is your compliance program going?
  2. Determine what technological improvements might help improve your compliance program.
  3. You should have a one, three and five year compliance plan that you update regularly.

For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available by clicking here.

Jan 9, 2017

The FCPA Guidance has about as clear, concise and short a statement about hotlines as any other Tenet of an Effective Compliance Program. It states, “An effective compliance program should include a mechanism for an organization’s employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation.” But more than simply having hotlines, companies have to make real efforts to listen to employees, and you must spend time working on this issue. You need to have managers who are trained on how to handle employee concerns; they must be incentivized to take on this compliance responsibility; and you must devote communications resources to reinforcing the company’s culture and values to create an environment and expectation that managers will raise employee concerns.

The reason is that its own employees are a company’s best source of information about what is going on in the company. It is certainly a best practice for a company to listen to its own employees, particularly to help improve its processes and procedures. But more than listening to its employees, a company should provide a safe and secure route for employees to escalate their concerns. This is the underlying rationale behind an anonymous reporting system within any organization. Both the US Sentencing Guidelines and the Organisation for Economic Co-operation and Development (OECD) Good Practices list as one of their components an anonymous reporting mechanism by which employees can report compliance and ethics violations. Of course, the Dodd-Frank Whistleblower provisions also speak to the implementation of a hotline.

 What are some of the best practices for a hotline? I would suggest that you start with at least the following:

  1. Availability.
  2. Anonymity.
  3. Escalation.
  4. Follow-Up.
  5. Oversight.

Related to this area is that of internal company investigations: if your employees do not believe that the investigation is fair and impartial, then it is not fair and impartial. Furthermore, those involved must have confidence that any internal investigation is treated seriously and objectively. One of the key reasons that employees will go outside of a company’s internal hotline process is because they do not believe that the process will be fair.

 I would emphasize, yet again, that after your investigation is complete, the Fair Process Doctrine demands that any discipline must not only be administered fairly but it must be administered uniformly across the company for a violation of any compliance policy. Failure to administer discipline uniformly will destroy any vestige of credibility that you may have developed.

 What is your FCPA Investigation Protocol?

With the advent of the Securities and Exchange Commission (SEC) Whistleblower Program, courtesy of Dodd-Frank, it is imperative that a company quickly and efficiently investigate all hotline reports. This means you need an investigation protocol in place so that the entire compliance function is on the same page and knows what to do. The following is a suggested starting point.

Step 1: Opening and Categorizing the Case.

Step 2: Planning the Investigation.

Step 3: Executing the Investigation Plan. 

Step 4: Determining Appropriate Follow-Up. 

Step 5: Closing the Case.

Three Key Takeaways

  1. Pre-taliation is becoming a more important SEC enforcement tool.
  2. Test your hotline on a regular basis to make sure it is working.
  3. Utilize social media for both tips and reports and to spot trends.

For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available by clicking here.

Jan 8, 2017

There are five steps in the life cycle of third party management.

  1. Business Justification and Business Sponsor;
  2. Questionnaire to Third Party;
  3. Due Diligence on Third Party;
  4. Compliance Terms and Conditions, including payment terms; and
  5. Management and Oversight of Third Parties After Contract Signing. 

 Step 1 - Business Justification 

The first step breaks down into two parts: 

  1. Business Sponsor
  2. Business Justification 

The purpose of the Business Justification is to document that the business case for retaining a third party is satisfactory. The Business Justification should be included in the compliance review file assembled on every third party at the time of initial certification and again if the third party relationship is renewed.

Step 2 - Questionnaire 

The term ‘questionnaire’ is mentioned several times in the FCPA Guidance. It is generally recognized as one of the tools that a company should complete in its investigation to better understand with whom it is doing business. I believe that this requirement is not only a key step but also a mandatory step for any third party that desires to do work with your company. I tell clients that if a third party does not want to fill out the questionnaire or will not fill it out completely that you should not walk but run away from doing business with such a party.

One thing that you should keep in mind is that you will likely have pushback from your business team in making these inquiries. However, my experience is that most proposed agents that have done business with US or UK companies have already gone through this process. Indeed, they understand that by providing this information on a timely basis, they can set themselves apart as more attractive to US businesses.

 Step 3 - Due Diligence 

Most compliance practitioners understand the need for a robust due diligence program to investigate third parties, but have struggled with how to create an inventory to define the basis of risk of each foreign business partner and thereby perform the due diligence required under the FCPA. Getting your arms around due diligence can sometimes seem bewildering for the compliance practitioner.

Our British compliance cousins of course are subject to the UK Bribery Act. In its Six Principles of an Adequate Procedures compliance program, the UK MOJ stated, “The commercial organisation applies due diligence procedures, taking a proportionate and risk based approach, in respect of persons who perform or will perform services for or on behalf of the organisation, in order to mitigate identified bribery risks.” The purpose of this principle is to encourage businesses to put in place due diligence procedures that adequately inform the application of proportionate measures designed to prevent persons associated with a company from bribing on their behalf. The MOJ recognized that due diligence procedures act both as a procedure for anti-bribery risk assessment and as a risk mitigation technique.

 Step 4 - The Contract 

You must evaluate the information and show that you have used it in your process. If it is incomplete, it must be completed. If Red Flags have appeared, they must be cleared or you must demonstrate how you will manage the risks identified. In other words, you must Document, Document and Document that you have read, synthesized and evaluated the information garnered in Steps 1-3. As the DOJ and SEC continually remind us, a compliance program must be a living, evolving system and not simply a ‘Check-the-Box’ exercise.

After you have completed Steps 1-3 and then evaluated and documented your evaluation, you are ready to move on to Step 4 - the contract. In the area of compliance terms and conditions, the FCPA Guidance intones “Additional considerations include payment terms and how those payment terms compare to typical terms in that industry and country, as well as the timing of the third party’s introduction to the business.” This means that you need to understand what the rate of commission is and whether it is reasonable for the services delivered. If the rate is too high, this could be indicative of corruption, as high commission rates can create a pool of money to be used to pay bribes. If your company uses a distributor model on its sales side, then it needs to review the discount rates it provides to its distributors to ascertain that the discount rate is warranted.

 Step 5 - Management of the Relationship

I often say that after you complete Steps 1-4 in the life cycle management of a third party, the real work begins, and that work is found in Step 5 - the Management of the Relationship. While the work done in Steps 1-4 is absolutely critical, if you do not manage the relationship it can all go downhill very quickly and you might find yourself with a potential FCPA or UK Bribery Act violation. There are several different ways that you should manage your post-contract relationship. Here we will explore some of the tools which you can use to help make sure that all the work you have done in Steps 1-4 will not be for naught and that you will have a compliant anti-corruption relationship with your third party going forward.

 Final Thoughts

I continually give my Mantra of FCPA compliance, which is Document, Document, and Document. Each of the steps you take in the management of your third parties must be documented. Not only must they be documented but they must be stored and managed in a manner that you can retrieve them with relative ease. The management of third parties is absolutely critical in any best practices compliance program. As you sit at your desk pondering whether this assignment given to you by the CCO is a career-ending dead-end; you should take heart because there is clear and substantive guidance out there which you can draw upon.

 Three Key Takeaways

  1. Use the full 5-step process for 3rd party management.
  2. Make sure you have BD involvement and buy-in.
  3. Utilize continuous due diligence going forward.

 For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available by clicking here.

Jan 7, 2017

The FCPA Guidance states that “In addition to evaluating the design and implementation of a compliance program throughout an organization, enforcement of that program is fundamental to its effectiveness. A compliance program should apply from the board room to the supply room—no one should be beyond its reach. DOJ and SEC will thus consider whether, when enforcing a compliance program, a company has appropriate and clear disciplinary procedures, whether those procedures are applied reliably and promptly, and whether they are commensurate with the violation. Many companies have found that publicizing disciplinary actions internally, where appropriate under local law, can have an important deterrent effect, demonstrating that unethical and unlawful actions have swift and sure consequences.”

 This means you need to have recognized incentives for doing business under your Code of Conduct and in fulfillment of your compliance policy and procedures. Incentives can be immediate such as cash bonuses or other awards or more long term, such as promotion within an organization. Conversely, if someone violates your Code of Conduct, there needs to be consequences for such violation.

Incentives 

There are some general ideas around incentives which you can implement, as compliance incentives do not have to be extravagant or groundbreaking. Even rather plain vanilla incentives can work if you deliver them consistently and make the rewards visible. As the FCPA Guidance states, “Beyond financial incentives, some companies have highlighted compliance within their organizations by recognizing compliance professionals and internal audit staff. Others have made working in the company’s compliance organization a way to advance an employee’s career.” Lastly, make certain that your compliance incentives can be implemented on all levels within your organization.

 Promotions 

Another important part is around promotion of employees up to senior management. Human Resources (HR) could help compliance lead the effort to promote only employees who demonstrate a commitment to doing business in compliance. Once again the Fair Process Doctrine is critical here as a part of ongoing employee evaluations and promotions. If your company is seen to advance and reward only employees who achieve their numbers by whatever means necessary, other employees will certainly take note, and it will be understood what management actually evaluates and rewards employees upon. I have often heard the tale about some Far East Region Manager which goes along the following lines: “If I violated the Code of Conduct I may or may not get caught. If I get caught I may or may not be disciplined. If I miss my numbers for two quarters, I will be fired”. If this is what other employees believe about how they are evaluated and the basis for promotion, you have lost the compliance battle.

 Discipline

The types of discipline within a company are fairly standard. Most generally it is any negative consequence, up to and including termination. However, I believe that the key to discipline is procedural fairness, and this will help to bring credibility to your compliance program. Procedural fairness also goes by the moniker of the Fair Process Doctrine, and this Doctrine generally recognizes that there are fair procedures, not arbitrary ones, in processes involving rights.

 Discipline must not only be administered fairly but it must be administered uniformly across the company for the violation of any compliance policy. Simply put if you are going to fire employees in South America for lying on their expense reports, you have to fire them in North America for the same offense. It cannot matter that the North American employee is a friend of yours or worse yet a ‘high producer’. Failure to administer discipline uniformly will destroy any vestige of credibility that you may have developed.

Three Takeaways

  1. Always remember and employ the Fair Process Doctrine.
  2. Discipline must be administered fairly throughout your organization and across the globe.
  3. Consider the compliance angle in promotions.

For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available by clicking here.

Jan 6, 2017

Welcome to Day 5 of 30 Days to a Better Compliance Program. Today, I focus on training, ongoing communications and the use of social media in a best practices compliance program. 

Training

The communication of your anti-corruption compliance program is something that must be done on a regular basis to ensure its effectiveness. The FCPA Guidance explains, “Compliance policies cannot work unless effectively communicated throughout a company. Accordingly, DOJ and SEC will evaluate whether a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners.”

One of the key goals of any FCPA compliance program is to train company employees in awareness and understanding of the FCPA and of your specific company compliance program, and to create and foster a culture of compliance. Beginning in the fall of 2015 and continuing through the announcement of the FCPA enforcement Pilot Program, the Justice Department began to talk about whether you have determined the effectiveness of your training.

Communication and Use of Social Media

Next you need to consider the messaging of compliance inside of your corporation and how it is distributed. This means that you will need to work to hone your message but also continue to plug away to send that message out. I think the Morgan Stanley Declination will always be instructional, as one of the stated reasons the Department of Justice (DOJ) did not prosecute the company was that it sent out 35 compliance reminders to its workforce over 7 years. Social media can be used in the same cost effective way, to not only get the message of compliance out but also to receive information and communications back from your customer base, the company employees.

In a compliance program, your consumers/customers are your employees. Social media presents some excellent mechanisms to communicate the message of compliance going forward. Many of the applications that we use in our personal communication are free or available at very low cost. So why not take advantage of them and use those same communication tools in your internal compliance marketing efforts going forward. 

Three Key Takeaways

  1. You need to demonstrate the effectiveness of your compliance training.
  2. Ongoing communications from compliance is an often overlooked tool in compliance.
  3. Utilize innovative social media techniques to communicate and train.

 For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available by clicking here.

Jan 5, 2017

Welcome to Day 4 of 30 Days to a Better Compliance Program. Today we tackle risk assessments. One cannot really say enough about risk assessments in the context of anti-corruption programs. The FCPA Guidance stated it succinctly when it said, “Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.” The reason is straightforward: you cannot define, plan for, or design an effective compliance program to prevent bribery and corruption unless you can measure the risks you face.

 What Should You Assess?

What risks should you assess? There are a number of ways you can slice and dice your basic inquiry. The FCPA Guidance states, “Factors to consider, for instance, include risks presented by: the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs.” Another way is to break the risk areas to evaluate down into the following categories: (1) Company Risk, (2) Country Risk, (3) Industry-Sector Risk, (4) Transaction Risk and (5) Third-Party Risk.

 How Should You Assess Your Risks?

Risk assessments can be performed in a variety of ways. You can use some basic tools such as personal or telephone interviews of key employees; surveys and questionnaires of employees; and review of historical compliance information such as due diligence files for third parties and mergers and acquisitions, as well as internal audits of key offices. Another level might be a deeper dive into high risk countries and high risk business areas, and a more detailed review of your third party representatives.

How do You Evaluate a Risk Assessment?

Once risks are identified, they are then rated according to their significance and likelihood of occurring, and then plotted on a heat map to determine their priority. The most significant risks with the greatest likelihood of occurring are deemed the priority risks, which become the focus of the audit/monitoring plan. You should prepare a risk matrix detailing the specific risks identified, their relative remediation requirements and the relevant mitigating controls.

Three Key Takeaways

  1. Assess the risks relevant to your company.
  2. Document your risk assessment protocol and results.
  3. Evaluate your risks and remediate accordingly.

For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available by clicking here.

Jan 4, 2017

Welcome to Day 3 of 30 Days to a Better Compliance Program. Today I want to consider the Chief Compliance Officer (CCO) in your organization, through three prisms: access, resources and opportunities.

 Access

What access does your CCO have to the top decision makers in your organization? While it really does not matter whether the CCO reports to the CEO, Board or GC, it does matter that the CCO has direct access to corporate decision makers.

Resources

Resources means both the head count of personnel to operate your compliance function and the money available to implement the appropriate technology to sustain an effective compliance program. If your compliance team is run on a shoestring, you will likely be downgraded for your overall commitment to doing business in compliance with the FCPA. Put another way, if you spend more on paper clips than on your compliance program, your compliance program may well be under-funded.

 CCO Pay, Opportunity and Expertise 

In the Pilot Program, the DOJ laid out another important element for every compliance program, which is expertise of your CCO and compliance function. I think the clear implication is that the DOJ will even look at salaries. Once again if a company tries to get by on the cheap, it may certainly come back to bite them in the end. Finally the DOJ has made clear that compliance is part of the corporate family by even requiring that the CCO have opportunities for advancement with the corporation at the senior management level and that the compliance function shall be afforded similar opportunities. 

Three Key Takeaways

  1. The CCO must have access to the highest levels of your organization.
  2. The CCO must have adequate money and personnel resources to perform the function.
  3. The CCO must be qualified, appropriately compensated and have opportunity for advancement within the organization.

 For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available by clicking here.

Jan 3, 2017

Welcome to Day 2 of 30 Days to a Better Compliance Program. Today I consider written protocols, which are the foundation upon which an effective compliance program is built. Written protocols consist of a Code of Conduct, policies and procedures, and internal controls.

 Code of Conduct 

The substance of your Code of Conduct should be tailored to your company’s culture, and to its industry and corporate identity. It should provide a mechanism by which employees who are trying to do the right thing in the compliance and business ethics arena can do so. The Code of Conduct can be used as a basis for employee review and evaluation. It should certainly be invoked if there is a violation. The Code needs to be written in plain English and translated into other languages as necessary so that all applicable persons can understand it.

 Policies, Procedures and Controls 

The written policies and procedures required for a best practices compliance program are well known and long established. You should include the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments. Policies help form the basis of expectation and conduct in your company, and Procedures are the documents that implement these standards of conduct.

 Internal Controls

Internal controls are an interrelated set of compliance control mechanisms, designed to ensure that company assets are used properly, with proper approval, and that transactions are properly recorded in the books and records. While it is theoretically possible to have good controls but bad books and records, the two generally go hand in hand – where there are record-keeping violations, an internal controls failure is almost presumed, because the records would have been accurate had the controls been adequate.

Three Key Takeaways

  1. The United Airlines domestic corruption enforcement action makes a Code of Conduct an internal control.
  2. Translate your Code of Conduct and key policies into local languages.
  3. Document, Document, Document

For more information check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, by clicking here.

Jan 2, 2017

Welcome to Day 1 of 30 Days to a Better Compliance Program. Together with a podcast each day, I will be giving you a tip to help you create a best practices compliance program in 2017. At the end of January, you will not only have a good summary of the basics of a best practices compliance program but information that you can incorporate into your compliance regime. Today I consider the various Tones in an organization. Any compliance program starts at the top and flows down throughout the company, which sets the proper character for each level of your organization.

 At The Top 

Tone at the Top has become a phrase inculcated in the compliance world. The reason it is so important to any compliance program is that it does actually matter. So how can a company overcome employee attitudes and set, or re-set, its “Tone at the Top”? I once had a Chief Executive Officer (CEO) of a client who described his role at the company as “the ambassador for compliance.” I can think of no better description of the role of a CEO for a best practices compliance program.

 In the Middle 

A company must have more than simply a good ‘Tone-at-the-Top’; it must move it down through the organization from senior management to middle management and into its lower ranks. This means that one of the tasks of any company, including its compliance organization, is to get middle management to respect the stated ethics and values of a company, because if they do so, this will be communicated down through the organization.

At the Bottom 

Even with a great ‘Tone-at-the-Top’ and in the middle, you cannot stop. One of the greatest challenges for a compliance practitioner is how to affect the ‘tone at the bottom’. To do so, you must work to engage those at the front lines, including training, communication and the tools to accomplish these tasks. A key question is how to tap into their belief system. The answer is to engage employees in a manner which allows you to not only find out what the employees think about the company compliance program but use their collective experience to help design a better and more effective compliance program.

Three Key Takeaways

  1. What is your tone at the top?
  2. What is your tone in the middle?
  3. What is your tone at the bottom?

For more information, check out my book Anti-Bribery Leadership, which is available through Amazon.com by clicking here.

Dec 21, 2016

In this episode I visit with Juliet Lui as we discuss how to best handle small and medium investigations in an efficient and cost effective manner. We discuss how such matters often slip through the cracks as they are not perceived as high profile yet can cause significant problems if allowed to fester. We discuss methodology, costs and deliverables. Lui details two case studies to emphasize how important small and medium investigations can be as they often uncover larger and more critical problems and issues. 

Nov 29, 2016

Show Notes

  1. Introduction
    1. What is the FAR
    2. What are the differences with DFARS
    3. What types of companies should be concerned
    4. What are some examples of areas covered by these regs (e.g. ozone depleting substances, child labor, sanctions/debarment)
  2. Reporting requirements
  3. What sort of resources are available to help demonstrate compliance

What is the Federal Acquisition Regulation (FAR)?

  • The purpose of the FAR is to provide uniform policies and procedures for acquisition of goods supplied to the US federal government. Among its guiding principles is to have an acquisition system that satisfies customers' needs in terms of cost, quality, and timeliness; minimizes administrative operating costs; conducts business with integrity, fairness, and openness; and fulfills other public policy objectives
  • At over 1,800 pages in its entirety, the FAR is a substantial and complex set of rules governing the procurement of all goods and services required by the U.S. Government
  • When a federal government agency issues a contract, it will specify the applicable FAR provisions, which may be numerous. In order to be awarded a contract, a company must either comply with the provisions, demonstrate that it will be able to comply with them once awarded, or claim an exemption from them (e.g. the small business exemption)
  • All government issued contracts include any number of the FAR and/or DFARS clauses, either in full text or by reference, requiring the company awarded the contract to demonstrate compliance with the requirements
  • Failure to comply with the requirements of FAR and DFARS may result in loss of contract or monetary fines

What are the differences with DFARS?

  • Updated in July of this year, the DFARS is one of the best-known examples of an agency supplement to the FAR, addressing further reporting requirements put forth by the Department of Defense
  • This supplement covers contracts with the office of the secretary of defense, branches of the military, and other defense agencies
  • In order to be in the running for one of these highly lucrative defense contracts, companies need to stay on top of the latest changes to DFARS and ensure their contracts, systems and processes reflect these requirements

 What types of companies should be concerned?

  • Companies that conduct their business with agencies of the US government, including defense contractors
  • Additionally, those companies selling to organizations which conduct business with agencies of the US government will likely be asked to supply certain documentation to support their customer’s ability to demonstrate compliance
  • Winning a federal or defense contract means complying with laws and regulations unique to those doing business with the government. Many new contractors, as well as their suppliers, are often unprepared for the rules and regulations they must follow and demonstrate, which can lead to costly errors and potential legal problems

 Why should they be concerned? 

  • Depending on the type of end product provided to government agencies, different types of concerns or risks become the focus in such situations

Reporting Requirements

  • In many cases sufficient screening, policy reviews, and certification collection and validation will allow reporting companies to demonstrate compliance. But the issue isn’t necessarily what you have to collect to demonstrate compliance with FAR requirements (or to report to customers which are obligated to), it’s how you do it. Having a platform which can automate the data collection process as well as act as a repository is where most struggle…
  • What sort of resources are available to help me demonstrate compliance with these regs?
    • We’ve created workflows to meet 48 of the specific FAR/DFARS supplier reviews and data collection processes

Sep 10, 2016

In this episode I welcome back Red Flag Group CEO Scott Lane. We discuss the evolution of regulator thinking around what constitutes a best practices compliance program. 

Sep 10, 2016

In this episode, Red Flag Group CEO Scott Lane and myself discuss the evolution of regulators when evaluating compliance programs for effectiveness.

Sep 10, 2016

In this episode I review Hallmark 10 - Mergers and Acquisitions: Pre-Acquisition Due Diligence and Post-Acquisition Integration under the FCPA.

To read more, check out my blog post series on Hallmark 10.

For more information on this Hallmark, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available through Compliance Week by clicking here.

Sep 10, 2016

In this episode I review Hallmark 9 - Continuous Improvement: Periodic Testing and Review. This podcast series is produced in conjunction with a 10 article series.

To read more, check out my blog post series on Hallmark 9.

For more information on this Hallmark, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available through Compliance Week by clicking here.


Sep 9, 2016

In this episode I review Hallmark 8 - Confidential Reporting and Investigations. This podcast series is produced in conjunction with a 10 article series.

To read more, check out my blog post series on Hallmark 8.

For more information on this Hallmark, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available through Compliance Week by clicking here.
