Info

FCPA Compliance Report

Tom Fox has practiced law in Houston for 30 years and now brings you the FCPA Compliance and Ethics Report. Learn the latest in anti-corruption and anti-bribery compliance and international transaction issues, as well as business solutions to compliance problems.
RSS Feed Subscribe in Apple Podcasts
FCPA Compliance Report
2018
November
October
September
August
July
June
May
April
March
February
January


2017
December
November
October
September
August
July
June
May
April
March
February
January


2016
December
November
October
September
August
March
February


2015
December


Categories

All Episodes
Archives
Categories
Now displaying: Category: compliance know-how
May 21, 2018

360 Degrees of Compliance Communications 

A 360-degree view of compliance is an effort to incorporate your compliance identity into a holistic approach so that compliance is in touch with and visible to your employees at all times. It is about creating a distinctive brand philosophy of compliance which is centered on your consumers. In other words, it helps a compliance practitioner to anticipate all the aspects of your employees needs around compliance your employees, who are the customers of your compliance program. This is especially true when compliance is either perceived as something that comes out of the home office or is perceived as the Land of No, largely inhabited by Dr. No. A 360-degree view of compliance gives you the opportunity to build a new brand image for your compliance program. 

The Use of Social Media in Compliance 

What is the message of compliance inside of a corporation and how it is distributed? In a compliance program, the largest portion of your consumers/customers are your employees. Social media presents some excellent mechanisms to communicate the message of compliance going forward. Many of the applications that we use in our personal communication are free or available at very low cost. Why not take advantage of them and use those same communication tools in your internal compliance marketing efforts going forward? 

What is Effective Compliance Training? 

Also raised in the Evaluation was the focus of your training programs, where the DOJ inquired into whether your training was “tailored” for the audience. The Evaluation, In Prong 6, Training and Communication, asked, in part: Risk-Based TrainingWhat training have employees in relevant control functions received? Has the company provided tailored training for high-risk and control employees that addressed the risks in the area where the misconduct occurred? What analysis has the company undertaken to determine who should be trained and on what subjects?  

The key going forward is that you have thoughtfully created your compliance training program. Not only in the design but who receives it, all coupled with backend determination of effectiveness. Finally, all of this must be documented. In Prong 6, Training and Communication, of the Evaluation it read, in part: 

Form/Content/Effectiveness of Training– Has the training been offered in the form and language appropriate for the intended audience? How has the company measured the effectiveness of the training? 

  1. Figure out what you want to measure. Before you ever train an employee, you should have a goal in mind. What actions do you want employees to take? What risks do you want them to avoid? In compliance training, you want them to avoid non-ethical and non-compliant actions that would lead to potential violations. Your goal is to train employees to follow your Code of Conduct and your compliance program policies and procedures so you avoid liability related to actions.
  2. Were employees satisfied with the training? What is their engagement? The next step is to get a sense of whether employees feel that the training you provided is relevant and targeted to their job. If it’s not targeted, employees will likely not be committed to changing risky behavior. One way to obtain such data is through a post-training survey. This should give you insight into determining if employees thought the training was beneficial and effective in answering their questions and concerns.
  3. Did employees actually learn anything? A critical part of any employee training is the assessment. You must know whether they actually learned anything during training. You can collect this data in a number of ways, but for compliance training, the best way is to measure pre- and post-training understanding over time. Basically, each time you train an employee, measure comprehension both before and after training.
  4. Are employees applying your training? A survey should be used to determine employee application and their implementation of the training topics. To do so, you must conduct surveys to understand whether they ceased engaging in certain risky behaviors or better yet understand how to conduct themselves in certain risky situations. These surveys can provide a good sense of whether the training has been effective.

To purchase a copy of The Complete Compliance Handbook on Amazon.com click here

To purchase an autographed copy of The Complete Compliance Handbook from the author click here.

May 7, 2018

Over the next five podcasts, I will visit with Don Stern, Managing Director, Corporate Monitors and Consulting Services at Affiliated Monitors, Inc. on working with monitors. Over this series we will consider, in Part I-Fears and Concerns in Working with Monitors; in Part II-the Impact Monitors Can Have for an Organization; in Part III-How Monitors Do Their Jobs; in Part IV-Regulators Using Monitors; and in Part V-Attorneys Using Monitors. At the end of this series you will have a much broader appreciation on the benefits of an independent monitor, how monitors work and how the different types of monitorships can benefit a wide variety of businesses, transactions and business relationships.

There can be a wide variety of concerns for those considering or being required to work with a monitor, both from the corporate perspective and individual employees. From the corporate perspective, the concerns can include the costs of a monitorship and that impact on the bottom line; opening up books the books to an outsider and interference with business operations. These are acerbated by a fear the monitor does not understand the business of the organization or even how business in done in the real world. Things that tend to bring more fear are that the monitor will engage in slow but sure mission creep and exceed the boundary of the charge. Many see monitors as an extension of the government and believe that monitors are  junior G-men and investigators, tasked by the by the government to investigations ongoing. Employees tend to be more afraid the monitor will come in dictatorial powers and exercise them. Employees are usually more concerned with the company’s reputation and business credibility with employees and subcontractors.

Stern believes some of the fears and concerns are understandable, particularly if a company, does not have experience with the positives of the use of an independent monitor and a monitor’s assisting a company in improving the compliance program. While some of it may have to do with the unknown, one area is simply the extra costs associated with a monitor. If the monitor is a part of a government settlement or resolution, there can be the fear, sometimes driven by war stories, that monitors will have mission creep and continue the investigation, even after a resolution. A company may fear that a monitor will come in and look under every nook and cranny. This feeds into both concerns of cost and mission creep.

Another concern is that many monitors are former prosecutors and still retain a prosecutorial mindset. This can lead many companies and their employees to fear a ‘got-cha’ mentality of a monitor who is looking for items to run back to the government or regulators with through their monitorship investigations.

Stern believes that all of these concerns can be handled if not fully alleviated, through thorough discussions with monitor candidates. . Stern noted that one of the areas a company needs to be asking during the monitor selection process is what is “the approach that the monitor is going to take? What's the approach in a meeting or an interview with a mid-level employee in a branch office. Is that person going to feel as if they're under attack or are they brought in a to explain all the good things and all the bad things that are going on so that the monitor can basically make some helpful recommendations.”

In addition to the monitor interview process, companies should understand that the terms of any monitorship are set in the resolution agreement. This is why it is important not only to address these issues during settlement discussions but also take care in the drafting of such agreements to try and remove as many ambiguities as possible. At times, the parties may not want to address what they believe are sensitive issues head on as part of the negotiation process, other times there is not a full understanding of how monitors works. Stern has been brought in as the parties have negotiating to simply educate people as to what monitors do and how they operate and, to demonstrate how the monitorship can be more successful for both sides, for the government side and the company. In drafting the resolution agreement, the key is to lay out the scope, properly and tightly designed. When there are ambiguities which come up in the process of the monitors work, the monitors should work with both sides, as a facilitator to have both parties basically come together and to resolve those issues.

The key is for companies to have a thorough understanding of the monitorship process, whether it is a post-resolution monitorship where the monitor is focused on the company’s compliance with its agreement in the resolution document, Deferred Prosecution Agreement, Non-Prosecution Agreement or other; or a pro-active monitorship. This understanding comes from discussions, reviewing and negotiating the scope of the agreement and hiring experienced monitors who understand their role and more importantly what is not their role going forward.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at www.affiliatedmonitors.com.

May 7, 2018

I continue my five-podcast exploration of working with monitors. I am joined by Don Stern, Managing Director, Corporate Monitors and Consulting Services at Affiliated Monitors, Inc. (the sponsor of this five-part series) on working with monitors. Today we take up the impact using a monitor can have on an organization.

Interestingly many of the benefits of a company in working with a monitor come from answering the employees fears and concerns. Many employees are intimidated by attorneys and some even fell guilty about themselves and their work even though they have done nothing wrong. Often employees do not feel like them can trust the company, particularly if the company does not employ the Fair Process Doctrine or institutional justice as a core value of the organization. Other employees feel validated and when they can open up to outsiders it can be a cathartic experience for employees. For the larger organization, the monitor can tell the company what it does not know and provide a much needed “Big Picture” impact; delivering insight on how the company can be run more efficiently and profitably. The bottom line is that the benefits in using an independent monitor can be as behavioral and psychological as compliance and legal.

Stern described the impact of working with a monitor is present at several different levels. The first is a very personal, at the employee level. He said, “I've seen this time and time again when we will sit with either an individual employee at different levels, it could be at a lower level, it could be at the CEO level. The employee will feel validated and in some ways innocent. It sounds odd to say that because you would think that if the company was working properly that each employee would have an opportunity to sort of say their piece, describe observations and things that they were experienced. Unfortunately, that is not the way the real world works when people have concerns and fears of retaliation and the like.”

Stern has found after doing an interview or a focus group, they will sometimes say, “ I have been wanting to say these things to somebody and I hope that, this is not attributed this to me. I'm not looking for you to go back ono anybody and say that I said this, but I hope that you will take what I have said and what others have said and make some suggestions to the company.” The bottom line is that a key impact from working with a monitor is that the monitor listens and “I do think that employees feel better kind of explaining their perspective on what's happening internally in the company.”

Another important reason all of this works is if an organization uses a truly independent monitor. This means one which is not the lawyer for the firm or with the company’s regular outside counsel. This is something most employees more fully appreciate talking to “outsiders who were being were coming in, who they do not interact with on a day to day basis.” Even if the monitorship is required under an enforcement action and in the in the context of a government settlement, Stern has found that if the monitor makes it clear they are independent from the government, employees are more likely to not only open up but also appreciate the experience.  

These concepts tie directly into the Fair Process Doctrine, which most generally holds that if the process is fair, people are more likely to accept undesired outcomes. An independent monitor, who does not perform ongoing work with the company, will certainly be perceived as more fair. As Stern noted, “it’s just human nature.”

This independent nature also gives the monitor the ability to impact the company by helping it turn the page on any conduct which may have gotten it into trouble in the first place. This is particularly true where a company has gone through an enforcement action and resolved the matter with the government and is now ready to move on in a positive way. Stern said that employees typically want to feel good about the organization they work for, they want to be proud of who they work for. Stern said, “time and time again, people aspire to work for a company that they feel good about. They want to tell their spouse that wants to tell their children. They want to feel good. When the neighbors asked them, who do they work for and when companies get into trouble, um, they liked the fact that the pages being turned in that once again, that can be very proud of where they work.”

This independence from the government also works to positively impact the work of a monitor. Stern noted that although an independent monitor has “an obligation to report to the government faithfully as to what we are seeing; the good, bad and the ugly; an independent monitor is not beholding to the government.” Stern’s experience has been “at the end of the day respect us and they recognize that it's in their interest for us to be independent. If we're in the company's pocket and we do whatever the company wants it at the end of the day, the government will see right through that and it's not going to be a good outcome.”

The bottom line is that the positive impacts of working with a monitor can happen on many levels. Obviously for a company which has recently concluded an enforcement action, a monitor can yield many benefits to improve a compliance program. Yet some of the greatest benefits may be more behavioral and psychological to the company’s employees. Not only can talking to a truly independent outsider be cathartic for employees but the entire process can help to reinstill a sense of pride in who they are, who they work for and what the organization means.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at www.affiliatedmonitors.com.

May 7, 2018

I continue my five-podcast exploration of working with monitors. I am joined by Don Stern, Managing Director, Corporate Monitors and Consulting Services at Affiliated Monitors, Inc. (the sponsor of this five-part series) on working with monitors. Today we consider how monitors work.

Stern explained that there are variety of tasks and roles a monitor uses when engaging in an independent monitorship. A monitor should understand type of approaches they will take to make an organization more compliant, starting with understanding the work plan. Many times, the monitor must push the organization along by getting buy-in and building consensus. Finally, there should be an awareness of helping the company being compliant in the future.

The starting point is understanding what is the mission of the monitorship. As Stern put it, “we really begin at the beginning.” We meet sometimes meet separately with the government agency to get an appreciation understanding as to why they think things have reached that point, what they see as the problems in the company, what they see as the problems in the industry. And then of course we do the same thing with the company.” Such meetings could also include “outside counsel who have been sort of living with the whatever the precipitating cause a problem which led to the settlement with the government or the investigation. They've lived with it for years. And in many cases, by the way, the company has already remediated significant portions of the problem.”

A monitor should have a particular focus on a particular goal, a particular set of tasks. Yet from there, Stern explained it is “very much a people exercise. The thing that is often obvious relatively early on, a one way or the other is whether the company has a paper program or real program.” Stern indicated that a monitor should spend time at both the higher levels of the company and at the middle and lower levels of the company. Some of the specific techniques can be one on one interviews, site visits to specific offices and with “focus groups where we get people at the same level so we don't get middle managers and upper managers together in one room.”

Stern emphasized it is critical that both company management and the regulators not be surprised by a finding. This means the monitor (and team) should literally “pour through the company” to come up an honest final assessment or report for the organization. It is important to give the company credit where it has remediated or shown improvement and this means emphasizing to the government the wins a company’s compliance program may have sustained.

Interestingly, Stern emphasized that in monitorships as with compliance programs in general, one size does not fit all. A monitor should test whether there is sufficient training on the Code of Conduct, compliance policies and procedures and other issues such as Conflicts of Interest policy. There should also be inquiries into hotline overview and use. Yet there can also be recommendations which arise from the employee interviews, which the monitor may raise to senior management for implementation.

Here Stern presented a simple yet powerful example. It was around having a compliance moment once per week at company meetings. The organization was an engineering company and they took safety very seriously, opening each company meeting with a safety moment. This led to the suggestion of opening meetings with a compliance moment, which employees used not simply to state ethics and compliance issues but to describe situations they faced daily.

A situation arose where an employee was offered tickets to a baseball game by a vendor. The company policy on conflicts of interest prevented the employee from accepting the tickets and he felt conflicted because he wanted to go to the game. More importantly he did not know what to tell the vendor to make them understand he could not accept the tickets. Through discussing this issue after a compliance moment in a company meeting, there was a dialogue allowed the company employees to feel that they have an opportunity to be part of the process. It demonstrated that ethics and compliance is not something imposed on them, but something that is part and parcel of their job and part and parcel of their responsibility.

A monitor must literally work with groups as diverse as the Board of Directors to employees on the shop floor. It is incumbent to use a variety of tactics and techniques to fulfill the mission of a monitor. An independent and experienced monitor is required to use a variety of tools to help an organization move forward with a compliance regime. Stern noted, “a monitor should also have the experience to come in and not only look at how your company is doing, but also benchmark against what is happening not only in your industry but in other industries. And at the end of the day it's a little bit like the making of sausage. At the end of the day we're going to have some recommendations and the expectation is that your company is going to be top of the heap, that you will have a state of the art compliance and ethics program and you will have contributed to making it better.”

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at www.affiliatedmonitors.com.

May 7, 2018

I continue my five-podcast exploration of working with monitors. I am joined by Don Stern, Managing Director, Corporate Monitors and Consulting Services at Affiliated Monitors, Inc. (the sponsor of this five-part series) on working with monitors. Today we consider the various manners in which regulators at all levels, from the federal, to state and local levels, use monitors. We also consider how monitors can be used outside the regulatory context in areas as diverse as mergers and acquisitions, business ventures, IP and licensing.  

Most compliance practitioners are aware of the role monitors play in the Foreign Corrupt Practices Act (FCPA) enforcement arena. However, the use of independent monitors is much broader than simply in criminal or civil enforcement actions involving a Deferred Prosecution Agreement, Non-Prosecution Agreement, Corporate Integrity Agreement or other form of resolution. Federal agencies use monitors for a wide variety of roles to ensure compliance with agreements.

At its most basic level, an independent monitor is a way for the government to extend its reach. Both in terms of lengthening out the time that you have true government oversight and in terms through many of the techniques we discussed earlier:  focus group meetings, review documents, talking senior and middle management. It is a very cost-effective way for federal, state and even local governments to extend out their reach. This cost-effectiveness is driven home by that fact that the cost is not borne by the governmental entity or the regulators. The cost is borne by the entity involved.

Stern pointed to the use of an independent monitor by the Federal Communications Commission (FCC) to ensure that the conditions around anti-competitive and other issues, the FCC approved for the merger between AT&T and Direct TV, were fulfilled. He went on to provide an example where “one of the conditions was  they had to offer a discounted broadband service to certain low-income households. The FCC  wanted access to broadband for low income families, particularly for school kids. The monitor assessed the marketing program on this issue, looking at their efforts to provide discounted broadband, low income households.”

Stern provided another example of regulator use of an independent monitors, this time by a state regulator, the Attorney General of Rhode Island in the area of hospital conversions. This is the situation where a non-profit hospital is purchased by a for profit chain. In such situations, the state attorney general in most states will have to approve that transfer of assets from charitable assets to for-profit assets, applying certain conditions. It could be in the area of recruiting  physicians or requiring the acquiring institutions to keep the mental health services open. You don't have to spend x millions of dollars on new equipment. It is generally around very specific metrics  and it is “increasingly being used by government agencies as a way of not only having confidence that the regulatory decisions are being followed but provides some comfort and confidence to the public knowing that who is looking over the shoulder of the organizations in the public’s interest.”

Yet an independent monitor can be used in non-regulatory areas. One that certainly comes up is pre-acquisition due diligence in the FCPA realm. An independent monitor can be used to assess whether a target or takeover candidate has a robust compliance program. These same concepts also work in the licensing area in pre-acquisition work and even for company which want to test the audit compliance of customers.

The bottom line is independent monitors can come in and look at the system of controls in a wide variety of regulatory and legal areas. This is true because there is no substitute for having somebody independent of the company with some expertise and common sense and practical reality coming in and asking, how are you doing? Stern concluded, “You don't have to do this all the time. It isn't something you need to do even every year, but every once in a while, have somebody come in and take a hard look at how you're doing and then reporting back internally to the company. It is money well spent because you have established that the organization being reviewed has a good program and if you need to fine tune your program in certain ways. Here again, I think that's all to the good.”

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at www.affiliatedmonitors.com.

May 7, 2018

I conclude this five-podcast exploration of working with monitors, where I have been joined by Don Stern, Managing Director, Corporate Monitors and Consulting Services at Affiliated Monitors, Inc. (the sponsor of this five-part series) on working with monitors. In this final episode we consider lawyers using monitors, most typically where the clients are under investigation for some regulatory issue, such as a Foreign Corrupt Practices Act (FCPA) enforcement action.

Stern said the biggest mistake lawyers make is to wait too long before bringing in an independent monitor. His experience is that if  you wait until after the conclusion of a matter, you have lost valuable time and potentially cost yourself money, in the form or higher fines and penalties, by waiting. The government expects compliance shortcomings to be remediating during the pendency of an investigation. A monitorship can even begin before  self-reporting to the government. This is because a company should want to find the problem before it voluntarily reports the problem to the government. In this manner, the company could receive get the credit for having done so. It also allows the company to package the entire process “in a way to say not only we discovered the problem, not only are we reporting the problem, but we fixed the problem. We did with an independent third party and we may even want to keep that third party with us to independently assess how we do going forward. That's very persuasive to prosecutors and I've certainly seen situations where in some cases it's resulted in a declination or in a significantly diminished” fine and penalty.   

This is using an independent monitor in a pro-active manner which demonstrates how serious the company is about compliance. It can also be a way to demonstrate any illegal conduct may simply have been an outlier and does not reflect the values, culture and the way the company generally does business. This can provide quite a positive story to present to prosecutors, particularly under the new FCPA Corporate Enforcement Policy.

If your company is active in the remediation phase, particularly through an independent monitorship, it is looking at the problem in a holistic approach. It is more than assessing that problem, coming up with some solutions and then implementing the solutions. More importantly an organization is taking that information and looping it back in, in a literally a feedback loop so the companies can improve their compliance program. This is an approach which can be persuasive to regulators.

Stern noted this approach is even more critical for what he called ‘repeat customers’ or recidivist actors. He said government regulators are becoming much more sophisticated in understanding whether a compliance program is simply a paper program. The government wants to know if this a real program. One clear indicia is the feedback loop from an assessment by an independent monitor looping the information back to the company, making changes, testing to see whether the changes are real changes are working changes.

One final area that using an independent monitor is in the area of credibility. One thing I have consistently heard from white-collar practitioners perhaps the most important thing in any FCPA investigation or enforcement action is credibility with the prosecutors. By having a truly independent monitor who is even independent of the outside counsel, who may be heading up an investigation and assessing the compliance program; is one more way to bring that credibility to a, in front of the prosecutors. Stern noted that as the former US Attorney for Massachusetts, your reputation in representing clients before the government is absolutely critical. Having that independence as a monitor can aid a company by giving credibility to their compliance program efforts and this can pay off with real benefits in terms of lesser penalties all the way to a declination.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Apr 25, 2018

In this episode, Matt Kelly and I go into the weeds to consider the recent racial incident at Starbucks store in Philadelphia where two African-American males were arrested for criminal trespass while waiting for a third colleague to join them for a business meeting. They had not purchased any products but were not engaging any type of disruptive behavior. They were released with no charges filed.

We consider several points around this incident from the compliance perspective, including the lessons for compliance officers are really about the challenges of policy and procedure at large organizations. The gap between those two requirements is filled by employee judgment — and that is where things went awry. We consider if a single solution, such as  all seats and bathrooms are reserved for patrons who have already purchased a product, create more problems than they solve. We also review the underlying premise of ‘what is Starbucks’ to see if a more robust risk assessment process might have helped identify these gaps.

This week’s discussion is literally torn from recent headlines. It provides an excellent example of the many compliance challenges every business and CCO face.

For more reading, see Matt’s blog post Starbucks and Policy Management Perilsand Tom’s blog post Starbucks and Lessons for the Compliance Practitioner in Risk Management

Apr 23, 2018

In this episode of the FCPA Compliance Report, I visit with Laura Perkins, a partner at Hughes Hubbard & Reed. Perkins formerly worked with the Department of Justice, FCPA Unit, departing in September 2017. We discuss the decision to self-disclose a potential FCPA violation to the Justice Department. Some of the highlights include:

  • What should a company expect after it makes a decision to self-disclose the to DOJ? What information should be in the initial self-disclosure?
  • What should be in the initial investigation plan they present to the DOJ?
  • When should remediation begin and how much information does the government want to know about in this area?
  • What should a company do to satisfy the government it has secured all documents and communications?

We next turned to the resolution phase and discussed several topics including:

  • When is a company ready to present information to the DOJ that it believes the matter should be closed?
  • Whether through declination or charging document?
  • How is the final penalty decided? and
  • Is it through negotiation or simply presented to the company?

For more information on Laura Perkins and Hughes Hubbard & Reed, check out the firm’s website, here.

Apr 23, 2018

In this episode of the FCPA Compliance Report, I visit with Laura Perkins, a partner at Hughes Hubbard & Reed. Perkins formerly worked with the Department of Justice, FCPA Unit, departing in September 2017. We discuss the decision to self-disclose a potential FCPA violation to the Justice Department. Some of the highlights include:

  • What should a company expect after it makes a decision to self-disclose the to DOJ? What information should be in the initial self-disclosure?
  • What should be in the initial investigation plan they present to the DOJ?
  • When should remediation begin and how much information does the government want to know about in this area?
  • What should a company do to satisfy the government it has secured all documents and communications?

We next turned to the resolution phase and discussed several topics including:

  • When is a company ready to present information to the DOJ that it believes the matter should be closed?
  • Whether through declination or charging document?
  • How is the final penalty decided? and
  • Is it through negotiation or simply presented to the company?

For more information on Laura Perkins and Hughes Hubbard & Reed, check out the firm’s website, here.

Apr 9, 2018

In this episode of the FCPA Compliance Report, I visit Hogan Lovells partner Stephanie Yonekura on the always difficult decision on whether a company should self-disclose a potential FCPA violation or even allegations of a potential FCPA violation to the Justice Department. We consider such questions as:

  • What should a company do to prepare for a multi-national multi-jurisdictional anti-corruption enforcement action?
  • What should a company do to prepare when an internal investigation determines there may be instances of ABC violations in multiple countries, all of which have ABC laws.
  • How should a company prepare for self-disclosure? To US authorities only or to multi-jurisdictions at once?
  • Do evidentiary standards differ across the globe and how should a company prepare or respond?
  • How should a company prepare for multiple fines and penalties from multiple jurisdictions?
  • How can a company negotiate one pie in the context of an international anti-corruption enforcement action?

Yonekura is the Former Acting US Attorney for the Central District of California so she brings a wealth of knowledge to the topic. We consider all of these questions and more in light of the new FCPA Corporate Enforcement Policy and whether it has changed the calculus for self-disclosure or not. We also visit on whether the recent lack of monitors required under DOJ/SEC FCPA enforcement actions is an omen of things to come or not.

She ends with one of the great pieces of advice you can receive, “You don’t want to poke the bear, whether there is no bear to be poked.”

Apr 2, 2018

This week, in a five-part podcast series, I have been exploring the role of corporate monitorships in compliance and some of the key issues which companies and compliance professionals may face in dealing with monitors. I have been joined in this exploration by Vincent DiCianni, founder and President of AMI and Eric Feldman, Senior Vice President and Managing Director of Corporate Ethics and Compliance Programs for Affiliated Monitors, Inc. (AMI), who is the sponsor for this series. Today, for our final episode in this series, we consider the always controversial topic of monitorship costs and expenses.

DiCianni noted that in any post-resolution monitorship, the monitor is coming in at the end of a long process. If it was a Foreign Corrupt Practices Act (FCPA) enforcement action, it could have been a years-long process with a lengthy investigation, coupled with an extensive remediation and then long negotiation with the government over the final penalty. Yet there is an approach that a company can use to help the final leg of this process more palpable.

DiCianni breaks the process down into three key areas. The first is the scope of the monitorship. You must understand the settlement documents so that you can fully appreciate the scope of the monitor’s remit and what the government expects from the monitor. DiCianni noted that some resolutions can have a narrow focus, with a finite number of records or other documents to review. With such information, you can work to scope out a range of what your costs might be. Conversely the settlement documents can literally be wide-open, which obviously will have a dramatic impact on potential costs and even estimating.

DiCianni related the next factor to consider is frequency. By this he meant how often is the monitor actually engaging in monitorship activities for the company. Is it daily? Is it weekly? Is it quarterly? The frequency of monitoring will have a significant role on your overall monitorship costs. The final factor to consider is duration. Tied to this question of frequency is the length of the monitorship. How long will the monitorship last, one-year, two-years, three-years or even five years; is a critical element.

The final factor is the experience of the monitor. As we explored in Episode 4 of this series, you really need to have a very direct conversation with monitor candidates to determine if they have the experience to work with other individuals or teams of individuals. Does the monitor understand their role, as prescribed by the four corners of the settlement document(s). Are they going to reinvent the wheel for each new part of the monitorship? DiCianni said, “as they are going along which is going to add to the cost of the monetization so that's a factor that I think companies should consider”. This brings up another important factor on costs is the not only the scope of the monitorship but also the efficiency of the monitor.

DiCianni noted a key document for cost control can be the monitor’s workplan, which lays out the monitor’s anticipated services. This gives the monitor, the company and the government a set of expectations for the tasks to be accomplished. Even though it may turn out to be a preliminary document, it does help to provide a level of certainty. Equally important is for the monitor to understand they do not have to look at everything during the monitorship. You can randomly sample and drill down to test if you need to do so. A monitor does not have to interview all persons in a high-risk location but can select certain employees for a focus group and then perform a round of interviews if required. The workplan and its execution can be a powerful tool to help not only estimate the total cost but also keep them down.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Apr 2, 2018

What is the role of a corporate monitorship? Is a corporate monitorship to be feared if your company is in the middle of a Foreign Corrupt Practices Act (FCPA)? Can a monitor be used in a manner other than post-settlement, such as in a pro-active manner to help forestall a government enforcement action, fine or penalty? If your company is in the market for a monitor what are some of the indicia you should consider? Finally there are lots of rumors about the alleged exorbitant costs of monitorship? Is this an urban myth or is it based on facts? If the former, what can a company do to protect itself. I will explore these and many other questions in a new podcast series I am putting on sponsored by Affiliated Monitors, Inc. (AMI).

In this five-part podcast series, I am exploring the role of corporate monitorships in compliance and some of the key issues which companies and compliance professionals may face in dealing with monitors. I am joined in this exploration by Vincent DiCianni, founder and President of AMI and Eric Feldman, Senior Vice President and Managing Director of Corporate Ethics and Compliance Programs for AMI. Today, we consider what is a corporate monitorship?

DiCianni explained that most generally, a corporate monitorship is “an individual or team of individuals that are independent of an entity that is subject to the monitoring group bring a level of expertise perhaps in that subject matter that has to be overseen.” The person or group would have the ability bring a level of expertise, training and learning to any task where a true independent is needed to assess the validity of the required criteria, as that criteria is defined in the four corners of the relevant document. In the FCPA world that could be a Deferred Prosecution Agreement (DPA), Non-Prosecution Agreement (NPA) or other document.

Monitors generally report to an oversight agency or regulator but work with a company or individual. The cost of the monitorship is borne by the company being overseen. It is a unique model that has been created where an unrelated, independent private person or entity who is still being overseen by a government agency or regulator monitoring a company but with specific terms for that third party. It is spelled out in the settlement documents which for the basis of the monitorship.

Another key for a successful corporate monitorship is in the area of subject matter expertise. Obviously first-rate knowledge of compliance and ethics is critical but as monitoring is used across multiple industries and businesses, a wider variety of technical experience is required. Monitors have been used in health care, financial services, police department just to name a few. A wide variety of subject matter experts may be needed to be a part of the monitorship team to successfully complete the assignment.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Apr 2, 2018

This week, in a five-part podcast series, I am exploring the role of corporate monitorships in compliance and some of the key issues which companies and compliance professionals may face in dealing with monitors. I am joined in this exploration by Vincent DiCianni, founder and President of AMI and Eric Feldman, Senior Vice President and Managing Director of Corporate Ethics and Compliance Programs for Affiliated Monitors, Inc. (AMI), who is the sponsor for this series. Today, we consider what is a post-resolution monitorship.  

Feldman explained that most generally, a “post resolution monitor ship is essentially a situation where a government agency and a private organization, it could be a corporation it could be a nonprofit organization, as a requirement of settling some kind of a dispute or a matter between those two entities the company; the regulator agrees they are going to use a monitor to ensure that any specific conditions of the agreement to settle the matter are met.” He went on to note it is usually an independent third-party who is brought in for this purpose.

Post-resolution monitorships are well-known to the compliance community through the Foreign Corrupt Practices Act (FCPA) enforcement. Yet Feldman stressed they are use in a much wider area of practice than simply FCPA. He said, “Other kinds of enforcement scenarios would involve state Attorneys Generals that perhaps are investigating and settling cases with companies involving consumer protection or even civil rights cases. State regulatory boards medical boards and other types of licensing institutions and various states they could sign agreements that require a monitor to monitor the conditions of those agreements.” Of course, there are situations where there is court ordered enforcement as a result of a court ordered settlement and “a monitor is required to report to the court and both parties’ compliance with that particular agreement.”

Yet monitorships have been employed in anti-trust scenarios to ensure compliance not with Consent Decrees but with Federal Trade Commission or Federal Communications Commission-approved merger conditions. Here Feldman pointed to the example of the merger conditions between DirecTV and AT&T. In that case, the monitor was charged with reviewing and assessing compliance with certain merger conditions. Feldman noted there was no enforcement action and no wrongdoing but a recognition by all parties involved for the need of a truly independent third party to assess compliance with the acquisition conditions.

One thing about the post-resolution monitorship is that if viewed as a tool for compliance, a wider variety of uses can be envisioned. In the FCPA world, we have seen shareholder actions brought against Boards of Directors and companies for failing in their duties to put compliance programs in place. Occasionally, these actions are resolved before the conclusion of a FCPA investigation or enforcement action. If you had a post-settlement monitorship for the shareholder action, both the findings of the monitor and the monitor’s report could potentially help the recalcitrant company under the new FCPA Corporate Enforcement Policy. In such a scenario a post-resolution monitorship could have the impact of a pre-settlement monitorship.

Feldman concluded by noting, there are a number of applications and uses of an independent, credible third-party to facilitate the resolution of disputes. There are different ways having a third party come in and help to resolve issues; the number of ways is almost infinite or at the very least, limited to your imagination.  Often a monitor could come in collect information on what one or both of the parties are doing to help facilitate a settlement. Feldman discussed matters such as consumer protection issues. He noted that AMI has done monitorships where state agencies have done investigations of consumer protection and AMI would come in as a “secret shopper” to determine whether an organization is in fact doing what it is supposed to be doing.

The bottom line is that there is certainly no finite number of categories for the post-resolution monitorship. They can be utilized in a wide variety of ways to help facilitate not only resolution of enforcement actions but to satisfy compliance with a wider variety of cares, concerns and issues.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Apr 2, 2018

This week, in a five-part podcast series, I am exploring the role of corporate monitorships in compliance and some of the key issues which companies and compliance professionals may face in dealing with monitors. I am joined in this exploration by Vincent DiCianni, founder and President of AMI and Eric Feldman, Senior Vice President and Managing Director of Corporate Ethics and Compliance Programs for Affiliated Monitors, Inc. (AMI), who is the sponsor for this series. Today, we consider what is a pre-settlement monitorship and how it can be such a powerful tool for the compliance professional.  

Feldman explained that most generally, a “pre-settlement monitorship is an organization using an independent body to conduct any kind of a third-party review or assessment.” It can also be considered as a proactive monitorship. It involves a company desiring to assess its implementation of a compliance and ethics program on a proactive basis. Such a monitorship does more than simply focus on whether there is a compliance program in place but more fully assesses its effectiveness. This assessment can be used by a wide variety of parties, such as the corporation itself, with its stakeholders, with regulators or even with the public to demonstrate compliance with a wide variety of issues.

Feldman explained that a key piece of the pre-settlement monitorship is to assess the company’s culture of compliance. Using such a proactive monitorship can help an organization to assess not only where they might be at this point in time but also work to create a road map to improve and strengthen their culture of compliance and ethics. Finally, as Feldman noted, “Another reason for doing a pre-settlement monitorship might be when a company wants to explicitly demonstrate its due diligence to law enforcement or regulators should something occur in the future that would result in action against the company.”

He noted German enforcement authorities are now assessing if companies engage in sufficient investigations of not only whom they are doing business; which is traditional third-party due diligence, but these same authorities are inquiring if a company is putting the same effort into assessing itself. The pre-settlement monitorship is an excellent mechanism to do so. He stated, “in Germany there have there has been a move on the part of the governments to take into account all due diligence activities that a company has taken in the past which would include a pre-settlement kind of monitorship when there is any fine or penalty or action on any issue against the company in the United States.”

Another way to consider it might be as a “preemptive strike against more punitive action on the part of government agencies”. Feldman related that his company, Affiliated Monitors has had instances where companies subject to an action with one level of government, such as a US Attorney’s Office in one area of the country, will use the pre-settlement monitorship to avoid being suspended or barred by the federal government and from federal government contracts. The pre-settlement monitorship performed a complete review, then made recommendations for remediations. This led to positive resolution with the government in the form of no suspension or debarment.

When viewed in the light of the three prongs of any best practices compliance program, prevent, detect and remediate, the power of a pre-settlement monitorship comes more clearly into focus. A monitorship was traditionally viewed as an after-the-fact piece of an enforcement action. However through the pre-settlement monitorship, the tool becomes not only proactive but prescriptive as you are using as an ongoing monitoring solution. It is even more powerful because of the independent nature of the monitor, in bringing an unbiased eye to a compliance program.

Another use of the pre-settlement monitorship is in the mergers and acquisition arena. Feldman noted, “We have had situations where companies will, as part of the merger and acquisition pre-acquisition due diligence process, will hire an independent third-party monitor to review the target company to ensure that they in fact have the right kind of ethics and compliance posture and corporate ethical culture to be able to fully integrate into their organization if closing occurs.” Once again, this scenario speaks to the breadth and scope of the pre-settlement monitorship as a tool.   

Feldman concluded that it is critical that the monitor bring real value through the monitorship. He said the monitorship should provide insight through using a variety of investigative techniques, including interviews, document reviews and forensic auditing. All of this can provide solid information to not only a Chief Compliance Officer (CCO) but also the leadership of an organization.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Apr 2, 2018

This week, in a five-part podcast series, I am exploring the role of corporate monitorships in compliance and some of the key issues which companies and compliance professionals may face in dealing with monitors. I am joined in this exploration by Vincent DiCianni, founder and President of AMI and Eric Feldman, Senior Vice President and Managing Director of Corporate Ethics and Compliance Programs for Affiliated Monitors, Inc. (AMI), who is the sponsor for this series. Today, we consider what issues a company should consider when hiring or retaining a corporate monitor. 

It is important to note right of the bat, that the selection of an appropriate monitor can either make or break the entire monitorship program for an organization. Feldman advises that the forestall such a problem a company needs to have a clear understanding of what it is trying to get out a monitorship. If you are at the end of a Foreign Corrupt Practices Act (FCPA) enforcement action, your goals may be different than attempting to engage in a pre-settlement monitorship. You also need to understand what might be required by the government in any post-resolution settlement.

After this initial self-assessment of the company’s goals, you can move to considering the monitor. Here you need to assess the what Feldman called the philosophy of potential candidates. Is the monitor coming in to simply investigate the company or help to prevent or resolve issues? This means staying away from the prosecutorial ‘gotch-ya’ mindset and move towards a monitor who is focused on remediation “to help you be a better company”.

The next line of inquiry is can the company obtain the maximum value it can get from the expertise, the independence and the viewpoints the monitor can provide. In other words, what is the value the monitor will deliver to your organization? Feldman suggests asking a question such as: “Can the Monitor help my business?”

Third is the expertise of the monitor. But this is more than being a subject matter expert in the area of law being applied such as the FCPA; it is being an expert in monitorships. It is also more than simple cost-effectiveness. It is also how the monitor will work without disrupting your organization or working to keep such disruptions to a minimum. Such expertise would include how to conduct an evaluation, how to create a work plan which is rigorous yet cost-effective, and to “socialize the work plan with the company and with the government.” This means the monitors should have experience in balancing the interests of the government and the company. Other skills necessary include interview skills, ability to conduct focus groups, together with data gathering and analytics are also critical. Finally is the writing of the report and communication of information, for as Feldman stated, “There's no value added if there's not a clearly written factually based monitoring report, at the end of the process, that makes recommendations that logically flow from the information gathered and are culturally appropriate for that particular company. There is no one size fits all for the reporting or for the recommendations.”

Feldman spoke about the different types of value a monitor can bring. Obviously, the situation where there is a Deferred Prosecution Agreement (DPA) or other enforcement action resolution document in place would suggest one type of value. Yet there are other more business-process focused values a monitor can add. In the area of internal controls, a monitor’s assessment can lead to more effective internal controls, often through a reduced number of overall internal controls.

Feldman spoke to another ‘soft’ factor when he noted, “There's also another interesting factor involving value in a company. That is that the actual methods that we use to do the monitoring to go in and talk to employees, to do employee surveys to do interviews. That alone can have something of a cathartic effect on the company's employees and on the mood and the morale in the company. And we've seen that over and over again, when employees see that the company cares enough to bring in a firm that asks their opinions on what works and what doesn't work and ask their opinions about whether their managers are creating and an open environment to communicate issues and to report issues. It helps improve the company and as we know better morale in the company improves the bottom line.”

Finally a company needs to consider whether monitor who is “independent and conflict free”. Feldman says this is important “Because if not, then the value of the findings the value of the entire effort can be at risk. And we've seen this over time in organizations that bring in monitors that you know may within their broader organizational structure have some kind of a conflict within the industry or within that company.”

Any company faced with the selection of a monitor should take care in the process. Use a deliberative process which allows you to understand not only your goals, but also your requirements back from a monitor.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Mar 19, 2018

In this episode, I welcome back Steve Durham, a partner with Labaton and Sucharow to discuss the continued reverberations from the recent Supreme Court decision narrow the definition of whistleblowers in Digital Realty Trust v. Somers. Durham discussed the impact the decision may portend for the SEC Office of the Whistleblower and both the quality and quantum of tips and information brought forward to the SEC after the decision.

Mar 5, 2018

In this podcast I welcome back John Hanson, founder and President of the International Association of Independent Compliance Monitors (IAICM) the only professional group for independent corporate monitors. The IAICM was announced one year ago in conjunction with the ABA White Collar Conference. At it's one-year anniversary, Hanson returns to the podcast to reflect on the growth the IAICM, assess the first year of IAICM, discuss of the highlights of the first year for you as President of the IAICM and then goes into some of the goals or initiatives for the IAICM in year 2.

With the announcement of the Justice Department’s Evaluation of Corporate Compliance Programs in February and new FCPA Corporate Enforcement Policy in November, the landscape for monitors will likely continue to evolve in 2018. Hanson and I consider what these and other DOJ announcements may portend, including the following questions:

  • How will the Trump administration impact corporate criminal liability and the Monitorships that accompany 30-40% of those matters?  
  • What will be the effect on the use of Monitors by DOJ's new position with regard to FCPA matters?  
  • How will the use of Monitors be impacted by new leaders at the SEC?  
  • Will Federal Judges continue to intervene in plea and deferred prosecution agreements?  
  • How much more will the use of Monitors continue to grow in the wake of changes internationally, including especially Canada, Brazil, Australia, the UK, and the EU?

As with all visits with Hanson, they are thoughtful, well-informed and very insightful. If you practice in the FCPA world or in the broader international anti-bribery/anti-corruption sphere, you will not want to miss this interview.

For more information on the IAICM, including membership, resources, its Code of Conduct and services, check out the website IAICM.org.  

Feb 21, 2018

In this episode Matt Kelly and I go meta as we podcast about another podcast that Matt posted this week on his site, Radical Compliance, where he interviewed Paul Sobel, the incoming Chairman of COSO. We discuss how Sobel sees his new role at COSO, some of the initiatives that he has in mind for the organization and how companies can use the various COSO frameworks, including the Internal Controls and ERM frameworks to better manage risk some the strategic perspective. 

We use the Sobel interview as a starting point to consider how Boards of Directors can think about risk management for a wide variety of issues, from climate change to cybersecurity to sustainability. We also discuss how the COSO frameworks can be used in conjunction with more tactical forms to create a more robust overall risk management program. Join Matt and myself as we go meta this week and take going into the weeds to a new level. 

For Matt Kelly's interview with Paul Sobol click here.

For Matt Kelly's blog post on the COSO ERM Framework see, "COSO Debuts Final ERM Framework

For Tom Fox's blog post on the COSO ERM Framework see, "The COSO ERM Framework

 

Feb 14, 2018

In this episode, Matt Kelly and I go into the weeds on the fascinating subject relating to the intersection of compliance and technology: AI and hotlines. Matt blogged on and podcasted with Scott LaVictor, CEO of Neighborhood Watch for Corporations. His firm has been developing an app to help employees report harassment in a way that is secure and anonymous for them, but useful for compliance officers. We explore how this phone app can assist the compliance practitioner by using technology to overcome the inherent tension in an anonymous reporting system where the reporter may desire anonymity while the CCO wants and needs as much information as possible. 

The hotline app example would seem to incorporate several of these concepts starting with an incredible ease of use as a phone app. But the AI features allow it to inquire directly from the reporter additional information which will be important to the compliance professional. We discussed the following example from Matt’s blog post; “an employee might call a telephone hotline and leave a recorded message, “I saw my boss bribing some guy $500 the other day!” An app could be programmed to ask: 

  • What is your boss’s title?
  • Had he met with the other person before?
  • What time of day did the meeting happen? 

We also discuss why if there was one technology tool for compliance to be bullish about it is AI. There is an obvious cost savings but more importantly there is the opportunity for more effective compliance risk management simultaneously with greater business efficiencies. All of this will lead to more profitability that the compliance function can point to going forward. This can include overseeing routine transactions, answering routine questions and extracting data from documents can be moved to a more efficient and useful platform. 

For additional reading and listening, see 

Matt’s blog post and podcast

Better Whistleblower Reporting

 

Tom’s blog posts

Using AI in Compliance-Introduction

Using AI in Compliance-Design Challenges

Using AI in Compliance-Implementation Challenges

Using AI in Compliance-AI Projects for Compliance

Jan 31, 2018

I hope you have enjoyed this 31-day series on how to design, create and implement a best practices compliance program. These blog posts and podcasts over the past 13 months will form the basis of my next book The Complete Compliance Handbook which will be published by Compliance Week in April, 2018. It will be the most up-to-date handbook for every compliance practitioner, including the most recent Department of Justice pronouncements on what constitutes a best practices compliance program, in the FCPA Corporate Enforcement Policy and the Evaluation of Corporate Compliance Programs. I know you will find it useful.

I next want to take a deep dive and exploration of the levels of due diligence. Due diligence is generally recognized in three levels: Level I, Level II and Level III. Each level is appropriate for a different level of corruption risk. The key is for you to develop a mechanism to determine the appropriate level of due diligence and then implement that going forward.

Under the Evaluation of Corporate Compliance Programs (Evaluation) it states in Prong 10. Third Party Management: Risk-Based and Integrated ProcessesHow has the company’s third-party management process corresponded to the nature and level of the enterprise risk identified by the company? How has this process been integrated into the relevant procurement and vendor management processes? 

The question becomes how do you use the information you obtained in the business justification and the questionnaire to determine an appropriate level of due diligence for the next step in the five-step process of third-party management. A three-step approach of varying levels of due diligence is the appropriate analysis to take going forward.

A three-step approach was discussed favorably in Opinion Release 10-02. In this Opinion Release, the Department of Justice (DOJ) discussed the due diligence that the requesting entity performed. This Opinion Release sets out a clear break which every compliance practitioner should use in considering an appropriate level of due diligence to engage with your third-party risk management process or when considering the level of due diligence required on a potential business venture partner. I break due diligence down into three stages: Level I, Level II and Level III. A very good description of the three levels of due diligence was presented by Candice Tal in an article entitled “Deep Level Due Diligence: What You Need to Know”.

Level I

First level due diligence typically consists of checking individual names and company names through several hundred Global Watch lists comprised of anti-money laundering (AML), anti-bribery, sanctions lists, coupled with other financial corruption and criminal databases. These global lists create a useful first-level screening tool to detect potential red flags for corrupt activities. It is also a very inexpensive first step in compliance from an investigative viewpoint. Tal believes that this basic Level I due diligence is extremely important for companies to complement their compliance policies and procedures; demonstrating a broad intent to actively comply with international regulatory requirements.

Level II

Level II due diligence encompasses supplementing these Global Watch lists with a deeper screening of international media, typically the major newspapers and periodicals from all countries plus detailed internet searches. Such inquiries will often reveal other forms of corruption-related information and may expose undisclosed or hidden information about the company; the third party’s key executives and associated parties. I believe that Level II should also include an in-country database search regarding the third party. Some of the other types of information that you should consider obtaining are country of domicile and international government records; use of in-country sources to provide assessments of the third party; a check for international derogatory electronic and physical media searches, you should perform both English and foreign-language repositories searches on the third party, in its country of domicile, if you are in a specific industry, using technical specialists you should also obtain information from sector specific sources.

Level III

This level is the deep dive. It will require an in-country ‘boots-on-the-ground’ investigation. I agree with Tal that a Level III due diligence investigation is designed to supply your company “with a comprehensive analysis of all available public records data supplemented with detailed field intelligence to identify known and more importantly unknown conditions. Seasoned investigators who know the local language and are familiar with local politics bring an extra layer of depth assessment to an in-country investigation.” Further, the “Direction of the work and analyzing the resulting data is often critical to a successful outcome; and key to understanding the results both from a technical perspective and understanding what the results mean in plain English.  Investigative reports should include actionable recommendations based on clearly defined assumptions or preferably well-developed factual data points.”

But more than simply an investigation of the company, critically including a site visit and coupled with onsite interviews, Tal says that some other things you investigate include “an in-depth background check of key executives or principal players. These are not routine employment-type background checks, which are simply designed to confirm existing information; but rather executive due diligence checks designed to investigate hidden, secret or undisclosed information about that individual.” Tal believes that such “Reputational information, involvement in other businesses, direct or indirect involvement in other law suits, history of litigious and other lifestyle behaviors which can adversely affect your business, and public perceptions of impropriety, should they be disclosed publically.” 

Further, you may need to engage a foreign law firm, to investigate the third party in its home country to determine their compliance with its home country’s laws, licensing requirements and regulations. Lastly, and perhaps most importantly, you should use a Level III to look the proposed third party in the eye and get a firm idea of his or her cooperation and attitude towards compliance as one of the most important inquiries is not legal but based upon the response and cooperation of the third party. More than simply trying to determine if the third party objected to any portion of the due diligence process or did they object to the scope, coverage or purpose of the Foreign Corrupt Practices Act (FCPA); you can use a Level III to determine if the third party is willing to stand up with you under the FCPA and are you willing to partner with the third party?

There are many different approaches to the specifics of due diligence. By laying out some of the approaches, you can craft the relevant portions into your program. The Level I, II & III trichotomy appears to have the greatest favor and one that you should be able to implement in a straightforward manner. But the key is that you must assess your company’s risk and then manage that risk. If you need to perform additional due diligence to answer questions or clear red flags you should do so. And do not forget to Document Document Document all your due diligence. 

Three Key Takeaways

  1. A Level I due diligence should be only used where there is a low risk of corruption.
  2. A Level II due diligence is sufficient in a high-risk jurisdiction if there are no red flags to clear.
  3. Level III due diligence is deep dive, boots on the ground investigation.

As the leading provider of ethics and compliance cloud software, Convercent connects ethics to business performance by weaving ethics and values into everyday operations in more than 600 of the world’s largest companies. Its Ethics Cloud Platform, provides a suite of applications: Convercent Insights, Convercent Helpline, Convercent Campaigns, Convercent Disclosures and Convercent Third Party. For more information go to Convercent.com.

Jan 30, 2018

We previously considered the Prong in the Evaluation of Corporate Compliance Programs which was not present in the Ten Hallmarks of an Effective Compliance Program; that being root cause analysis. This addition was also carried forward as a requirement in the Department of Justice’s new FCPA Corporate Enforcement Policy. I want to consider how you should utilize the results of a root cause analysis in remediating a compliance program. 

Under Prong 1 Analysis and Remediation of Underlying Misconduct, the Evaluation stated: 

Remediation – What specific changes has the company made to reduce the risk that the same or similar issues will not occur in the future? What specific remediation has addressed the issues identified in the root cause and missed opportunity analysis? The new Department of Justice (DOJ) FCPA Corporate Enforcement Policy brought forward this requirement for a root cause analysis with the following language: “Demonstration of thorough analysis of causes of underlying conduct (i.e., a root cause analysis) and, where appropriate, remediation to address the root causes;”. 

I begin with the question of who should perform the remediation; should it be an investigator or an investigative team which were a part of the root cause analysis? I put this question to well-known fraud expert Jonathan Marks, a partner at Marcum LLP who believes the key is both “independence and objectivity”. It may be that an investigator or investigative team is a subject matter expert and “therefore more qualified to get that particular recourse.” Yet to perform the remediation, the key is to integrate the information developed from the root cause analysis into the solution.

 

Ben Locwin considered it from the ‘blame’ angle, when he wrote “Simply ‘cataloguing’ and ‘assigning cause’ to a defect or error is not compliance. Compliance presumes systems and processes are designed to adhere to regulatory pronouncements. Selecting ‘human error’ from a dropdown list and assigning it as root cause means that user is accountable for having thoroughly investigated the causal factors of the error or defect, identifying and determining which root causes(s) are most likely, according to the preponderance of evidence, to have been associated with the defect. This means the person selecting the root cause has actually performed 5 Whys, fishbone diagram analysis, human factors analysis, fault tree analysis, and/or many other tools for actually determining root cause(s).” 

Locwin went on to state that it is “unlikely that the real cause of the deviation was human error, it makes sense to adopt the lean manufacturing principle of a no-blame culture. Use an error as an opportunity for elevating your company’s problem-solving processes; don’t think of it as an annoyance that must be rapidly misclassified and pushed into the deviation process black box.

This means not blaming some individuals and terminating them but actually fixing the broken compliance systems which allowed the violation in the first place.” 

As required under the Evaluation, from the regulatory perspective, the critical element is how did you use the information you developed in the root cause analysis. Literally every time when you see a problem as a compliance officer, you should perform a root cause analysis. Was something approved or not approved before the untoward event happened? Was any harm was done? Why or why not? Why did that system fail? Was it because the person who is doing the approval was too busy? Was it because people didn’t understand? It is in answering these and other questions which have been developed through a root cause analysis that you can bring real value and real solutions to your compliance programs.

 

The key is that after you have identified the causes of problems, consider the solutions that can be implemented by developing a logical approach, using data that already exists in the organization. Identify current and future needs for organizational improvement. Your solution should be repeatable, step-by-step processes, in which one process can confirm the results of another. By focusing on the corrective measures of root causes is more effective than simply treating the symptoms of a problem or event you will have a much more robust solution in place. This is because the solution(s) are more effectively when accomplished through a systematic process with conclusions backed up by evidence. 

Three Key Takeaways

  1. An effective system of internal controls provides reasonable assurance of achievement of the company’s objectives, relating to operations, reporting and compliance.
  2. There are two over-arching requirements for effective internal controls. First, each of the five components are present and function. Second, are the five components operating together in an integrated approach.
  3. For an anti-corruption compliance program, you can use the Ten Hallmarks of an Effective Compliance Program as your guide to test against. 

As the leading provider of ethics and compliance cloud software, Convercent connects ethics to business performance by weaving ethics and values into everyday operations in more than 600 of the world’s largest companies. Its Ethics Cloud Platform, provides a suite of applications: Convercent Insights, Convercent Helpline, Convercent Campaigns, Convercent Disclosures and Convercent Third Party. For more information go to Convercent.com.

Jan 30, 2018

Welcome to Episode 9 of Compliance Man Goes Global podcast of FCPA Compliance Report International Edition. In this episode, we will focus on things, which actually could kill compliance in the organization. We will explore this matter in a plain language so to say and in the simple game form. Moreover, to make the podcast handy and more appealing we attach respective illustration from the Compliance Man illustrated series, created by Timur Khasanov-Batirov. 

For those of our listeners who are not aware about our format, in each podcast, we take two typical concepts or more accurately misconceptions from in-house compliance perspective. We check out if these concepts work at emerging jurisdictions. For each podcast, we divide roles with Timur, a practitioner who focuses on embedding compliance programs at high-risk markets. One of us will advocate the concept identifying pros. The second compliance man will provide arguments finding cons and trying to convince audience that that we face a pure myth. As a result, we hopefully will be able to come up with some practical solutions for in-house compliance practitioners.

Myth #1 Absence of support from top management could kill compliance as a concept in the organization. Tim, would you agree with this statement? 

Tim Khasanov-Batirov: I think we should define whom we consider a top management and what we mean by support. If we start with a question of top management, I would think that there is no need to expect appreciation or kind attitude to compliance from everyone among senior management. It will never happen. You obviously want to have an understanding of what you have been doing among your company’s decision-makers. Still it does not lead to full support in everything a compliance officer is proposing. I believe it is about values. If key stakeholders appreciate integrity and compliance that something which really matters for compliance officer.   

 

The second question is about support. Based on my practice there is no way to have daily support from everyone in the organization. If compliance person maintains good working relations with employees from different levels of corporate hierarchy, that makes operationalization of compliance program more effective. What is your opinion, Tom? 

Tom:  A couple of things come to my mind, Tim: First and foremost, There are several key issues why top management support is more than simply critical, it is mandatory. It is senior management that sets the priority of a company and if they are not committed to compliance and ethics, everyone in the organization will understand it. I often provide the example of Regional VP who said the following: If I violate the Code of Conduct, I may or may not be caught; If I violate the Code of Conduct and am caught, I may or may not be disciplined; If I miss my numbers for two quarters I will be fired. If senior manage focuses only on numbers, that will be communicated throughout the organization. 

Yet another key issue I would like to touch upon is the question of trust. When a compliance officer is promoting a compliance initiative across the organization, they could be successful if employees embrace it. He has to demonstrate that they have being doing right thing rather than just executing corporate compliance requirements. You can achieve this result if people trust you. If there is no trust neither senior management, nor employees will support compliance. What must a compliance officer should do to get trust? Just be risk oriented, try to suggest ethical solutions to achieve business tasks, be open-minded, and feel interested in corporate processes. In other words, you must operationalize compliance to make it a part of the very DNA of your organization. You have to become a trustworthy partner in order to get the level of support required for effective execution of the corporate compliance program.   

Myth #2. Bad corporate culture can kill Compliance in the organization. Tim, will you agree with this concept?

Tim: I agree that culture of non-compliance could kill the compliance idea in the organization. I believe that no matter if it is a big corporation or a small firm the culture starts from the CEO. There is always someone in the organization who is not a fan of compliance. It is fine, unless CEO himself does not support ethics. In this case, you have no chance to survive. In our attached issue of the Compliance Man illustrated series, we have depicted challenges, which compliance professionals face. However, in my view issues like decrease of the department’s headcount or budget are something, which cannot stop compliance officer.       

Tom: I believe that strong ethical culture is a key factor for building a solid compliance program. From practical perspective, I think surveying personnel about their attitude towards integrity could give you a real picture about state of culture in your organization. Another point to mention is the necessity to understand views of managers who due to their job responsibilities pose compliance risks, those in high-risk positions. This may be heads of construction or procurement teams as they interact with governmental officials. In ideal scenario, they share your values or at least strictly follow respective compliance procedures. In the worst case your efforts in embedding compliance program could be diminished by ignorance from actors which play critical role in its effectiveness.   

Thus, as key takeaways from today discussion, which is inspired by famous Unstoppable video of Sia, I think we can mention the following:

  • A compliance officer should be ready to overcome difficulties at all stages of compliance program execution. The best way to do it is to obtain trust from key stakeholders, win minds and hearts for compliance and never give up. Just be unstoppable.

Tom Fox and Tim Khasanov-Batirov are here for you. Join us for the next episode of Compliance Man Go Global episode of FCPA Compliance Report International Edition. Let’s bust more corporate compliance myths with us.

Jan 29, 2018

One new and different item was laid out in the Evaluation of Corporate Compliance Program, supplementing the Ten Hallmarks of an Effective Compliance Program from the 2012 FCPA Guidance. This was the performance of a root cause analysis for any compliance violation which may led to a self-disclosure or enforcement action. Under Prong 1 Analysis and Remediation of Underlying Misconduct, the Evaluation stated: 

 Root Cause AnalysisWhat is the company’s root cause analysis of the misconduct at issue? What systemic issues were identified? Who in the company was involved in making the analysis?  

 Prior IndicationsWere there prior opportunities to detect the misconduct in question, such as audit reports identifying relevant control failures or allegations, complaints, or investigations involving similar issues? What is the company’s analysis of why such opportunities were missed?  

The new Department of Justice (DOJ) FCPA Corporate Enforcement Policy brought forward this requirement for a root cause analysis with the following language: “Demonstration of thorough analysis of causes of underlying conduct (i.e., a root cause analysis) and, where appropriate, remediation to address the root causes;”. 

The site Thwink.org has defined root cause analysis as “The purpose of root cause analysis is to strike at the root of a problem by finding and resolving its root causes. Root cause analysis is a class of problem solving methods aimed at identifying the root causes of problems or events. ... The practice of root cause analysis is predicated on the belief that problems are best solved by attempting to correct or eliminate root causes, as opposed to merely addressing the immediately obvious symptoms.” 

Well known fraud investigator Jonathan Marks, has noted, has noted a root cause analysis “is a research based approach to identifying the bottom line reason of a problem or an issue; with the root cause not the proximate cause the root cause representing the source of the problem.” He contrasted this definition with that of a risk assessment which he said “is something performed on a proactive basis based on various facts. A root cause analysis analyzes a problem that (hopefully) was previously identified through a risk assessment.” 

Marks also contrasted a root cause analysis with an investigation. He noted, “in an investigation we are try to either prove or disprove an allegation.” This means that in a compliance investigation you may be trying to prove or disprove certain transactions could form the basis of a corrupt payment or bribe by garnering evidence to either support or refute specific allegation or allegations. You do not assess blame and that is the point where a root cause should follow to determine how the compliance failure occurred or was allowed to occur. 

There is no one formula for performing a root cause analysis. An approach articulated by Marks is the Five Why’s approach. As he explained “Early questions are usually superficial, obvious; the later ones more substantive.” Borrowing from Six Sigma, the site iSixSigma.com believes this approach contemplates that “By repeatedly asking the question “Why” (five is a good rule of thumb), you can peel away the layers of symptoms which can lead to the root cause of a problem. Very often the ostensible reason for a problem will lead you to another question. Although this technique is called “5 Whys,” you may find that you will need to ask the question fewer or more times than five before you find the issue related to a problem.” 

Yet another approach was suggested by risk management expert Ben Locwin in an article entitled, "Human Error" Deviations: How You Can Stop Creating (Most Of) Them”. It is the “Fishbone Diagram”, also known as the “Ishikawa diagram” for its progenitor, Kaoru Ishikawa, if because it looks like the skeleton of a fish. Locwin noted that “You put the problem statement at the “head” of the fish, and the causal factor categories as the “ribs” (remember, fish have cartilage, not bone, so these categories can be adjusted to suit your needs). By having a working group list causal factors under each category, you begin to develop a visual of how many things could contribute to your main effect (the problem statement).” 

The bottom line is there are multiple ways to perform a root cause analysis. However, it is not simply a matter of sitting down and asking a multitude of questions. You need to have an operational understanding of how a business operates and how they have developed their customer base. Overlay the need to understand what makes an effective compliance program, with the skepticism an auditor should bring so that you do not simply accept an answer which is provided to you, as you might in an internal investigation. Marks noted, “a root cause analysis is not something where you can just go ask the five whys. You need these trained professionals who really understand what they're doing.”

Three Key Takeaways

  1. A root cause analysis is now required if you have a reportable compliance failure.
  2. There is no one process for performing a root cause analysis. You should select the one which works for you and follow it.
  3. To properly perform a root cause analysis, you need these trained professionals who really understand what they're doing. 

This month’s podcast sponsor is Convercent. Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to Convercent.com.

 

Jan 28, 2018

Your company has just made its largest acquisition ever and your Chief Executive Officer (CEO) says that he wants you to have a compliance post-acquisition integration plan on his desk in one week. Where do you begin? Of course, you think about the 2012 FCPA Guidance language which stated, “pre-acquisition due diligence, however, is normally only a portion of the compliance process for mergers and acquisitions. DOJ and SEC evaluate whether the acquiring company promptly incorporated the acquired company into all of its internal controls, including its compliance program. Companies should consider training new employees, reevaluating third parties under company standards, and, where appropriate, conducting audits on new business units.” You also recall that the 2012 Guidance did not have the time lines established in the previous enforcement actions involving Johnson & Johnson (J&J) and Data Systems & Solutions LLC and the Opinion Release 08-02, the Halliburton Opinion Release. Yet you do remember the FCPA M&A Box Score Summary of Opinion Release and enforcement actions regarding M&A issues.

You are also aware of the language from the Evaluation of Corporate Compliance Programs about mergers and acquisitions (M&A), which reads under Prong 11, Mergers and Acquisitions:

Integration in the M&A ProcessHow has the compliance function been integrated into the merger, acquisition, and integration process? 

Process Connecting Due Diligence to ImplementationWhat has been the company’s process for tracking and remediating misconduct or misconduct risks identified during the due diligence process? What has been the company’s process for implementing compliance policies and procedures at new entities? 

Yet many compliance professionals struggle with is how to perform these post-acquisition compliance integrations. An article from the Harvard Business Review, entitled “Two Routes to Resilience”, Clark Gilbert, Matthew Eyring and Richard Foster wrote about business transformation which speak directly to the compliance practitioner to help create post-acquisition integration game plan.

Anyone who has gone through a large merger or acquisition knows how terrifying it can be for the individual employee. Many people, particularly at the acquired company will be fearful of losing their jobs. This fear, mis-placed or well-founded, can lead to many difficulties in the integration process. The creation of a Compliance Capabilities Exchange process which allows “the two organizations to live together and share strengths” and will coordinate “the two transformational efforts so that each gets what it needs and is protected from [unwanted] interference by the other.” There are five steps in this process.

  1. Establish Compliance Leadership. While this may be the “simplest step but also the one most open to abuse.” The process should be run by just a few top people, the Chief Executive Officer, Chief Financial Officer and Chief Compliance Officer of the acquiring company and a similar counter-part from the acquired company.
  2. Identify the compliance resources the two organizations can or need to share. Hopefully the acquiring organization will have some idea of the state of the compliance program before the deal is closed. It may be that there is some or all of a minimum best practices compliance program in place.
  3. Create Compliance Capability Exchange Teams. In many “synergy efforts, everyone is expected to think about ways resources might be shared.” Senior leadership should create compliance teams by assigning a small number of people from both entities with the responsibility of allocating resources used in the integration project.
  4. Protect Boundaries. This one is tricky as employees from the former target may not want to move forward with the integration; for fear of losing their jobs or some other reason. There may be internal disputes as to which group may handle an issue going forward. Once again, the Leadership Team must step in and referee disputes decisively if required.
  5. Scale up and promote the new compliance program. It is important to celebrate and promote the new entity to both the acquiring company, others in the company and even external stakeholders. It is important that markets and others in the same or similar industry see this evolution and growth.

The bottom line is that you must train the newly acquired employees, reevaluate third parties under your company standards, and conduct compliance audits on new business units. This process should be based your pre-acquisition due diligence and risk assessment. Moreover, the Justice Department and SEC clearly view both the pre-and post-acquisition phases of mergers and acquisitions as tied together in a unidimensional continuum. If  pre-acquisition due diligence is not possible, you should the requirements and time frames laid out in Opinion Procedure Release No. 08-02, so as was noted in the 2012 FCPA Guidance, “pursuant to which companies can nevertheless be rewarded  if they choose to conduct thorough post-acquisition FCPA due diligence.

Three Key Takeaways

  1. Planning is critical in the post-acquisition phase.
  2. Build upon what you learned in pre-acquisition due diligence.
  3. You literally need to be ready to hit the ground running when a transaction closes. 

This month’s podcast sponsor is Convercent. Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to Convercent.com.

Jan 27, 2018

A company that does not perform adequate FCPA due diligence prior to a merger or acquisition may face both legal and business risks. Perhaps most commonly, inadequate due diligence can allow a course of bribery to continue—with all the attendant harms to a business’s profitability and reputation, as well as potential civil and criminal liability.” While most compliance practitioners have been long aware of the requirement in the post-acquisition context, the 2012 FCPA Guidance focused many compliance practitioners for the need to engage in robust pre-acquisition due diligence.

Under Prong 11. Mergers and Acquisitions; there were a series of queries which tied together how pre-acquisition due diligence and post-acquisition integration. Due Diligence ProcessWas the misconduct or the risk of misconduct identified during due diligence? Who conducted the risk review for the acquired/merged entities and how was it done? What has been the M&A due diligence process generally? 

The pre-acquisition process was then tied to post-acquisition with the following: Process Connecting Due Diligence to ImplementationWhat has been the company’s process for tracking and remediating misconduct or misconduct risks identified during the due diligence process? What has been the company’s process for implementing compliance policies and procedures at new entities? 

The 2012 FCPA Guidance emphasized the pre-acquisition phase and the Evaluation took a deeper dive into the need for the compliance component of your mergers and acquisition regime to begin with a preliminary pre-acquisition assessment of risk. Such an early assessment will inform the transaction research and evaluation phases. This could include an objective view of the risks faced and the level of risk exposure, such as best/worst case scenarios. A pre-acquisition risk assessment could also be used as a “lens through which to view the feasibility of the business strategy” and help to value the potential target.

The next step is to develop the risk assessment as a base document. From this document, you should be able to prepare a focused series of queries and requests to be obtained from the target company. Thereafter, company management can use this pre-acquisition risk assessment to attain what might be required in the way of integration, post-acquisition. It would also help to inform how the corporate and business functions may be affected. It should also assist in planning for timing and anticipation of the overall expenses involved in post-acquisition integration. These costs are not insignificant and they should be thoroughly evaluated in the decision-making calculus.

There are multiple red flags which could be raised in this process, which would warrant further investigation. They include if the target has ineffective compliance program elements in their compliance program or if there were frequent breach of policies and procedures. Obviously, a target which is in financial difficulty would bear closer scrutiny from the compliance perspective. Structurally, if the company did not have a formal ethics and compliance committee at the senior management or Board of Directors level, this could present issues. From the CCO perspective, if the position did not have Board access, CEO access or if there were not regular reports to the Board, it could present an issue for compliance. Conversely if there were frequent requests to waive policies, management over-ride of compliance controls or no consistent consequence management for violations; it could present clear red flags for further investigation.

Three Key Takeaways

  1. The results of your pre-acquisition due diligence will inform your post-acquisition integration and remediation going forward.
  2. Periodically review your M&A due diligence protocol.
  3. If red flags appear in pre-acquisition due diligence, they should be cleared.

This month’s podcast sponsor is Convercent. Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to Convercent.com.

1 « Previous 2 3 4 5 6 7 8 Next » 18