FCPA Compliance Report

Tom Fox has practiced law in Houston for 30 years and now brings you the FCPA Compliance and Ethics Report. Learn the latest in anti-corruption and anti-bribery compliance and international transaction issues, as well as business solutions to compliance problems.

Jan 4, 2018

As the Evaluation of Corporate Compliance Programs makes clear, a company must have more than simply a good ‘Tone-at-the-Top’; that tone must move down through the organization from senior management to middle management and into its lower ranks. This means that one of the tasks is to get middle management to respect the stated ethics and values of a company, because if they do so, this will be communicated down through the organization.

Mike Volkov said in an article entitled “Mood in the Middle Versus Tone at the Top” that “Even when a company does all the right things at the senior management level, the real issue is whether or not that culture has embedded itself in middle and lower management. A company’s culture is reflected in the values and beliefs that exist throughout the company.” To fully operationalize your compliance program, you must find a way to articulate and then drive the message of ethical values and doing business in compliance with anti-corruption laws such as the FCPA from the top down, throughout your organization.

What should the tone in the middle be? What should middle management’s role be in the company’s compliance program? This role is critical because the majority of company employees work most directly with middle, rather than top, management and consequently will take their cues from how middle management responds to a situation. Perhaps most importantly, middle management must listen to the concerns of employees. Even if middle management cannot effect a direct change, it is important that employees have an outlet to express their concerns. Your organization should train middle managers to enhance listening skills in the overall context of providing training for their ‘Manager’s Toolkit’. This can be particularly true if there is a compliance violation or other incident which requires some form of employee discipline. Most employees think it important that there be organizational justice so that people believe they will be treated fairly. If there is organizational justice, it engenders perceived procedural fairness, which makes it more likely an employee will be willing to accept a decision even if they do not like or disagree with the end result.

Even with a great Tone-At-the-Top and in the middle, you cannot stop. One of the greatest challenges of a compliance practitioner is how to affect the ‘tone at the bottom’. One of the things you can do is assemble a compliance focus group to find out how business is done in the field and if it differs from what your company expects from an ethical and compliance perspective. Begin by assembling a group of employees who are familiar with the challenges of doing business in a compliant manner in certain geographic regions to discuss the challenges of doing business ethically and in compliance. Ask them questions about their understanding of your compliance regime. Then categorize the answers into the theory and practice of compliance in your company.

From this, test what is real in theory and in practice. You can check and see which employees are promoted more regularly: those who do business ethically and in compliance, or those who meet their sales quotas every quarter. After you have internally tested, reassemble the original group and have them consider the beliefs that were articulated by them individually in the context of how your compliance model tested. Lead a discussion that attempts to identify what is different in practice and in theory, and then how you can move from theory to practice to operationalizing compliance. Finally, in the feedback step, test how to more fully operationalize your compliance regime. These tests can be accomplished in the regular course of business or through a special project with a special team and separate budget.

By engaging employees at this level, you can find out not only what the employees think about the company compliance program but also use their collective experience to help design a better and more effective compliance program. Employees want to do business in an ethical manner. Giving them the chance to engage in business the right way, as opposed to cheating, will win the hearts and minds of your employees almost all the time. By using the protocol suggested by the authors, you can not only find out the effect of your company’s compliance program on the employees at the bottom but you can affect them as well.

Employees often look to their direct supervisor to determine what the tone of an organization is and will be going forward. Many employees of a large, multi-national organization may never have direct contact with the CEO or even senior management. By moving the values of compliance through an organization into the middle, you will be in a much better position to inculcate these values and operationalize compliance with them.

Three Key Takeaways

  1. Tone at the tops- direct supervisors become the most important influence on people in the company.
  2. Give your middle managers a Tool Kit around compliance so they can fully operationalize compliance.
  3. Organizational justice is a further way to help operationalize compliance.

This month’s podcast sponsor is Convercent. Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to Convercent.com.

Jan 3, 2018

Prong 2 of the Evaluation of Corporate Compliance Programs states:

  1. Senior and Middle Management

Conduct at the Top – How have senior leaders, through their words and actions, encouraged or discouraged the type of misconduct in question? What concrete actions have they taken to demonstrate leadership in the company’s compliance and remediation efforts? How does the company monitor its senior leadership’s behavior? How has senior leadership modelled proper behavior to subordinates?

This requirement is more than simply the ubiquitous ‘tone-at-the-top’ as it focuses on the conduct of senior management. The Justice Department wants to see a company’s senior leadership actually doing compliance. The DOJ asks if company leadership has through their words and concrete actions brought the right message of doing business ethically and in compliance to a company. How does senior management model its behavior on a company’s values and finally how is such conduct monitored in an organization?

How can senior management operationalize compliance going forward? One of the best places to start is the article from the Harvard Business Review by Professor Lynn Paine entitled “Managing for Organizational Integrity”. Five factors, derived from the article, can be used as guideposts not only to set the right tone from senior management on doing business ethically and in compliance, but also to lay the groundwork for senior management to model appropriate behavior and then have it monitored by the company going forward.

  1. The guiding values of a company must make sense and be clearly communicated by senior management in a variety of settings, to the entire company workforce.
  2. The company’s leader must be personally committed and willing to take action on the values. This means that management must not simply ‘overlook’ the transgressions of top producers.
  3. A company’s systems and structures must support its guiding principles and these internal systems and structures cannot be over-ridden by senior management without both justification and Board approval.
  4. A company’s values must be integrated into normal channels of management decision-making and reflected in the company’s critical decisions. Sometimes a company must turn down business if there are too many red flags present or if, by engaging in such behavior, the company’s values and ethics will be violated.
  5. Managers must be empowered to make ethically sound decisions on a day-to-day basis. This means senior management must fully support and back-up such decisions.

David Lawler, in his book Frequently Asked Questions in Anti-Bribery and Corruption, boiled it down as follows: “Whatever the size, structure or market of a commercial organization, top-level management’s commitment to bribery prevention is likely to include communication of the organization’s anti-bribery stance and appropriate degree of involvement in developing bribery prevention procedures.” Lawler went on to provide a short list of points that he suggests senior management engage in to communicate the type of tone to follow an anti-corruption regime. I had a CEO of a client who, after I described his role in operationalizing his company’s compliance program, observed the following: “You want me to be the ambassador for compliance.” I immediately averred in the affirmative. The following is a list of things that a CEO can do as an ‘Ambassador of Compliance’ to fully model the conduct that senior management must show.

  • Reject a ‘do as I say, not as I do’ mentality;
  • Not just ‘talk-the-talk’ but ‘walk-the-walk’ of compliance;
  • Oversee creation of a written statement of a zero tolerance towards bribery and corruption;
  • Appoint and fully resource, with money and headcount, a Chief Compliance Officer;
  • Oversee the development of a Code of Conduct and written compliance program implementing it;
  • Ensure there are compliance metrics on all key business reports;
  • Provide leadership to middle managers to facilitate filtering of the zero-tolerance message down throughout the organization;
  • Not only have a whistleblowing, reporting or speak up channel but celebrate it;
  • Keep talking about doing the right thing;
  • Make sure that you are seen providing your Chief Compliance Officer with access to yourself and the Board of Directors.

Coming at it from a different perspective, author Martin Biegelman provides some concrete examples in his book entitled, “Building a World Class Compliance Program – Best Practices and Strategies for Success”. Biegelman begins the chapter discussed in this posting with the statement “The road to compliance starts at the top.” There is probably no dispute that a company takes on the tone of its top management. Inspired by a list from Joe Murphy of actions that a CEO can demonstrate to set the requisite tone from the Captain’s Chair of any business, you can do some of the following.

  1. Keep a copy of the Code on your Desk. Have a dog-eared copy of your company’s Code of Conduct on your desktop and be seen using it.
  2. Give Your CCO Real Authority. Make sure your compliance department has authority, influence and budget within the company. Have your Chief Compliance Officer (CCO) report directly to the Board of Directors.
  3. Hold them Accountable. At Senior Executive meetings, have each participant report on what they have done to further the compliance function in their business unit.
  4. Reward and Punish. Have both sanctions for violation of company compliance policies and incentives for doing business in a compliant manner.
  5. Walk the Walk. Turn down an expensive dinner or trip offered by a vendor. Pass on a gift that you may have received. Turn down a transaction based upon ethical considerations.
  6. Be a Compliance Student. Be seen at intra-company compliance training. Take a one or two-day course or attend a compliance conference outside your organization.
  7. Recognize Compliance at Your Company. You should recognize outstanding compliance efforts with companywide announcements and awards.
  8. Enshrine Compliance at the Board. Recruit a nationally known compliance expert to sit on your company’s Board and chair the compliance committee.
  9. Independent Review. Obtain an independent, outside review of your company’s compliance program and report the results to the Board’s Compliance Committee.
  10. Push Compliance into Your Supply Chain. Mandate that all vendors in your Supply Chain embrace compliance and ethics as a business model. If not, pass on doing business with them.
  11. Create an Executive Network for Compliance. Talk to other CEOs and senior executives in your industry on how to improve your company’s compliance efforts.

Another way a CEO can forcefully engage an entire company is through a powerful video message about doing business the right way and in compliance. A great example was a CenterPoint Energy video put out in 2015 after the Volkswagen (VW) emissions-testing scandal became public. The video featured Scott Prochazka, CenterPoint Energy President and Chief Executive Officer (CEO). He used the VW scandal to proactively address culture and values at the company and used the entire scenario as an opportunity to promote integrity in the workplace. But more than simply a one-time video, the company followed up with an additional resource, entitled “Manager’s Toolkit – ‘What does Integrity mean to you?’”, which managers used to facilitate discussions and ongoing communications with employees around the company’s ethics and compliance programs. Finally, as noted by Amy Lilly, Director, Corporate Ethics and Compliance at CenterPoint Energy, the cost for the video was quite reasonable as it was produced internally.

Three Key Takeaways

  1. Senior management must actually do compliance; walk-the-walk, not simply talk-the-talk.
  2. Use your CEO to talk about current events and how those ethical failures are lessons to be learned for your organization.
  3. CEO as Compliance Ambassador.

Jan 2, 2018

Operationalizing your compliance program can take many shapes and forms. Using the entire risk management process to embed your compliance program within the contours of your organization is an important, key step, as it will allow you to have full visibility of your compliance risks through a longer life cycle. Forecasting allows you to consider your business strategy and wed it to the risks you can foresee. Risk assessments allow you to evaluate and measure known risks. Risk-based monitoring allows you to monitor the compliance risks you know about, and detect those you do not know about, on an ongoing basis.

I think there are several key lessons to be considered by any Chief Compliance Officer (CCO) or compliance practitioner. The first is the process around risk management. Most compliance practitioners understand the need for a risk assessment as it is articulated as Hallmark No. 4 of the Ten Hallmarks of an Effective Compliance Program. From the 2012 FCPA Guidance, the DOJ and Securities and Exchange Commission (SEC) said, “Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.” In addition to this business case, the 2012 FCPA Guidance also specified the enforcement reasons for performing a risk assessment, “DOJ and SEC will give meaningful credit to a company that implements in good faith a comprehensive, risk-based compliance program, even if that program does not prevent an infraction in a low risk area because greater attention and resources had been devoted to a higher risk area.” The DOJ Evaluation of Corporate Compliance Programs builds on this.

Yet as compliance evolves and corporate compliance programs become more sophisticated, compliance is seen not as simply a legal prophylactic, but as a business process. Seen in this light, it is clear the risk management process should begin with forecasting, as it attempts to estimate future aspects of your business. Compliance professionals should be able to say, with some degree of authority, what will happen in the next three months, six months, twelve months, twenty-four months. This can facilitate the deployment of resources where they think it appropriate in order to meet these future demands.

By starting with forecasting, a compliance function utilizes risk assessment to consider issues which forecasting did not predict, or issues which the forecasting model raised as a potential outcome which warranted a deeper dive. If you are moving into a new product or sales area and are required to use third-party sales agents, a risk assessment would provide information that a company could use to ameliorate the risks. Risk-based monitoring follows on from the issues that your risk assessment identified as your highest risks. Risk-based monitoring tends to look at things on an ongoing basis, and the models that are behind the risk-based modeling are continuously refined based on incoming data.

All three of these tools tie back into process management and process improvement. There is a balance between what is actually important for your business or for proper execution, versus the practical aspects of the whole process. Ben Locwin stated, “If you are not measuring at a high enough resolution, then you are not capturing a lot of the environmental, market forces and external factors that probably are of high leverage to your operations in business that you simply do not know about.”

For example, if there is a one-in-three chance of a compliance failure occurring, and a company knew that in advance, the executive committee would probably stop the activity before there was a compliance failure and possible legal violation. This is how the risk management process can work to fulfill the three prongs of a compliance program: prevent, detect and remediate. You are using your risk forecast and you have a contingency in place, which you execute upon. In other words, it comes down to execution. This means you have to use the risk management tools available to you and, when a situation arises, you remediate when required. This is not only where the rubber hits the road, but the information and data you garner in the execution phase should be fed back into a process loop. From this, you will develop continuous feedback and continuous improvement.

I have gone through this in some detail to emphasize the business process nature that compliance has evolved into as a corporate discipline. By using these techniques, the CCO or compliance practitioner makes the business run more efficiently and at the end of the day, more profitably. The more you can bring these types of insight to a Chief Executive, the more you demonstrate how compliance adds to the bottom line and is not simply a cost center.

Three Key Takeaways

  1. The risk management process is an important backbone of operationalizing compliance.
  2. You should be able to monitor and measure both known and unknown risks.
  3. All of these steps help a business to run more efficiently and more profitably. 

Dec 31, 2017

2017 was a very significant year for every compliance practitioner and compliance program. The year brought two important documents on compliance programs. It began with the Evaluation of Corporate Compliance Programs (Evaluation) released in February 2017 and ended with the Department of Justice (DOJ) announcing a new Policy regarding Foreign Corrupt Practices Act (FCPA) enforcement in November 2017. Building upon the Ten Hallmarks of an Effective Compliance Program, as first articulated in the 2012 FCPA Guidance, there are now specific points, issues and questions a compliance professional can use to more fully operationalize your compliance program. 

In November 2017, Deputy Attorney General Rod Rosenstein announced the new FCPA Corporate Enforcement Policy. This new Policy incorporated the Ten Hallmarks of an Effective Compliance Program through reference to the 2012 FCPA Resource Guide as continued best practices and added new information on the DOJ’s expectations for more fully operationalizing compliance. The DOJ further incorporated language and concepts from a variety of sources, including the 2016 FCPA Pilot Program and the 2017 Evaluation.

Three Key Takeaways 

  1. 2017 brought two key DOJ documents forward for use by the compliance practitioner, the Evaluation and new FCPA Corporate Enforcement Policy
  2. You must work to more fully operationalize your compliance program
  3. Always remember the three most important things in any compliance program are: Document, Document, and Document

Dec 29, 2017

As every compliance practitioner is well aware, third parties still present the highest risk under the Foreign Corrupt Practices Act. The Department of Justice Evaluation of Corporate Compliance Programs devotes an entire prong to third party management. It begins with the following:

Risk-Based and Integrated Processes – How has the company’s third-party management process corresponded to the nature and level of the enterprise risk identified by the company? How has this process been integrated into the relevant procurement and vendor management processes?

This first set of queries clearly specifies that the DOJ expects an integrated approach that is operationalized throughout the company. This means your compliance program must have a process for the full life cycle of third party risk management. There are five steps in the life cycle of third party management.

  1. Business Justification and Business Sponsor;
  2. Questionnaire to Third Party;
  3. Due Diligence on Third Party;
  4. Compliance Terms and Conditions, including payment terms; and
  5. Management and Oversight of Third Parties After Contract Signing.

Step 1 - Business Justification

The purpose of the Business Justification is to document the satisfactoriness of the business case to retain a third party. The Business Justification should be included in the compliance review file assembled on every third party at the time of initial certification and again if the third-party relationship is renewed.   The Business Justification should be completed by the Business Sponsor, who will be the company’s primary business contact with the third-party going forward.

Step 2 - Questionnaire

The term ‘questionnaire’ is mentioned several times in the 2012 FCPA Guidance. It is generally recognized as one of the tools that a company should complete in its investigation to better understand with whom it is doing business. I believe that this requirement is not only a key step but also a mandatory step for any third party that desires to do work with your company. I tell clients that if a third party does not want to fill out the questionnaire or will not fill it out completely that you should not walk but run away from doing business with such a party.

One thing that you should keep in mind is that you will likely have pushback from your business team in making many of the inquiries listed above. However, my experience is that most proposed agents that have done business with US or UK companies have already gone through this process. Indeed, they understand that by providing this information on a timely basis, they can set themselves apart as more attractive to US businesses.

Step 3 - Due Diligence

Most compliance practitioners understand the need for a robust due diligence program to investigate third parties, but have struggled with how to create an inventory to define the basis of risk of each foreign business partner and thereby perform the requisite due diligence required under the FCPA. Getting your arms around due diligence can sometimes seem bewildering for the compliance practitioner.

Our British compliance cousins of course are subject to the UK Bribery Act. In its Six Principles of an Adequate Procedures compliance program, the UK MOJ stated, “The commercial organisation applies due diligence procedures, taking a proportionate and risk based approach, in respect of persons who perform or will perform services for or on behalf of the organisation, in order to mitigate identified bribery risks.” The purpose of this principle is to encourage businesses to put in place due diligence procedures that adequately inform the application of proportionate measures designed to prevent persons associated with a company from bribing on their behalf. The MOJ recognized that due diligence procedures act both as a procedure for anti-bribery risk assessment and as a risk mitigation technique.

After you have completed Steps 1-3 and then evaluated and documented your evaluation, you are ready to move on to Step 4 - the contract. In the area of compliance terms and conditions, the 2012 FCPA Guidance intones “Additional considerations include payment terms and how those payment terms compare to typical terms in that industry and country, as well as the timing of the third party’s introduction to the business.” This means that you need to understand what the rate of commission is and whether it is reasonable for the services delivered. If the rate is too high, this could be indicia of corruption, as high commission rates can create a pool of money to be used to pay bribes. If your company uses a distributor model, then it needs to review the discount rates it provides to its distributors to ascertain that the discount rate is warranted.

Step 4 - The Contract

You must evaluate the information and show that you have used it in your process. If it is incomplete, it must be completed. If Red Flags have appeared, these Red Flags must be cleared or you must demonstrate how you will manage the risks identified. In other words, you must Document, Document and Document that you have read, synthesized and evaluated the information garnered in Steps 1-3. As the DOJ and SEC continually remind us, a compliance program must be a living, evolving system and not simply a ‘Check-the-Box’ exercise.

Step 5 - Management of the Relationship

I often say that after you complete Steps 1-4 in the life cycle management of a third party, the real work begins and that work is found in Step 5 – the Management of the Relationship. While the work done in Steps 1-4 is absolutely critical, if you do not manage the relationship it can all go downhill very quickly and you might find yourself with a potential FCPA or UK Bribery Act violation. There are several different ways that you should manage your post-contract relationship.

I continually give my Mantra of compliance, which is Document, Document, and Document. Each of the steps you take in the management of your third parties must be documented. Not only must they be documented but they must be stored and managed in a manner that you can retrieve them with relative ease. The management of third parties is absolutely critical in any best practices compliance program.

Three Key Takeaways 

  1. Use the full 5-step process for 3rd party management.
  2. Make sure you have BD involvement and buy-in.
  3. Operationalize all steps going forward by including business unit representatives. 

This month’s sponsor is the Doing Compliance Master Class. In 2018 I am partnering with Jonathan Marks and Marcum LLC to put on training. Look for dates of one of the top compliance related training going forward.

Dec 28, 2017

From the information provided by the Justice Department in Opinion Releases and in enforcement actions, there are several different insights which may be drawn on what should go into your policy on facilitation payments:

  1. Size of payment - Is there an outer limit? No, there is no outer limit but there is some line where the perception shifts. If a facilitating payment is over $100 you are arguing from a point of weakness. The presumption of good faith is against you. You might be able to persuade the government at an amount under $100. But anything over this amount and the government may well make further inquiries. So, for instance, the DOJ might say that all facilitation payments should be accumulated together and this would be a pattern and practice of bribery.
  2. What is a routine governmental action? Is the company entitled to this action, has it met all of the requirements to obtain the requested permit, license or action or is it asking the government official to look the other way on some requirement? Is the company asking the government official to give us a break? The key question here is whether you are entitled to the action otherwise.
  3. Does the seniority of the governmental official matter? This is significant because it changes the presumption of whether something is truly discretionary. The higher the level of the governmental official involved, the greater chance his decision is discretionary.
  4. Does the action have to be non-discretionary? Yes, because if it is discretionary, then a payment made will appear to be obtaining some advantage that is not available to others.
  5. What approvals should be required? A facilitation payment is something that must be done with an appropriate process. The process should be thought through and the decision made by people who are the experts within the company on such matters.
  6. Risk of facilitation payments and third parties? Whatever policy you have, it must be carried over to third parties acting on your behalf or at your direction. If a third party cannot control this issue, the better compliance practice would be to end the business relationship.
  7. How should facilitation payments be recorded? Facilitation payments must be recorded accurately. You should have a category entitled “Facilitation Payments” in your company’s internal accounting system. The labeling should be quite clear and they are critical to any audit trail so recording them is quite significant.
  8. Monitoring programs? There must always be ongoing monitoring programs to review your company’s internal controls, policies and procedures regarding facilitation payments. 

Also remember that the defense of facilitation payments is an exception to the FCPA prohibition against bribery. Any defendant which wishes to avail itself of this exception at trial would have to proffer credible evidence to support its position, but at the end of the day, it would be the trier of fact which would decide. So much like any compliance defense, the exception is only available if you use it at trial and it would be difficult to imagine that any company would want this matter to ever see the light of a courtroom.

If, after answering the above questions, your organization decides it desires to allow facilitation payments, you should draft a policy that permits the company to make Facilitating Payments with (1) prior approval of the Compliance Department, (2) prior approval from Company management, and (3) proper financial recording. It may be difficult to distinguish a legal facilitation payment from a request that could be viewed as an illegal bribe or kickback; therefore, Facilitating Payments should be strictly controlled, and every effort should be made to eliminate or minimize such facilitating payments.

Do not forget that facilitation payments must be accurately shown on the books and records of your company. In all cases the employee who requested permission to make the facilitation payment must be responsible for obtaining all required approvals and forwarding a copy of the approvals and any other relevant supporting documentation as required, so that it is recorded as a facilitation expense in the books and records maintained in a central file. Facilitation payments should not be recorded as consulting fees, entertainment expenses, or other types of expenses that may misrepresent the true nature of the payments.

There may be emergency situations when it will be difficult or impossible for employees to obtain approvals immediately before having to decide whether or not to pay a facilitation payment. If the facilitation payment is made in an emergency, the employee should report the Facilitating Payment to the Compliance Department and explain the emergency as soon as practical after making the facilitation payment.

Three Key Takeaways

  1. What was the amount of the facilitation payment?
  2. Was the action truly routine?
  3. How high up was the government official who received the facilitation payment? Was his or her decision discretionary?

This month’s sponsor is the Doing Compliance Master Class. In 2018, I am partnering with Jonathan Marks and Marcum LLC to put on training. Look for dates of one of the top compliance related training going forward.

Dec 27, 2017

One of the more confusing areas of the FCPA is that of facilitation payments. Facilitation payments are small bribes but, make no mistake about it, they are bribes. For that reason, many companies feel they are inconsistent with a company culture of doing business ethically and in compliance with laws prohibiting corruption and bribery. Further, the 2012 FCPA Guidance specifies, “while the payment may qualify as an exception to the FCPA’s anti-bribery provisions, it may violate other laws, both in Foreign Country and elsewhere. In addition, if the payment is not accurately recorded, it could violate the FCPA’s books and records provision.” Finally, the 2012 FCPA Guidance states, “Whether a payment falls within the exception is not dependent on the size of the payment, though size can be telling, as a large payment is more suggestive of corrupt intent to influence a non-routine governmental action. But, like the FCPA’s anti-bribery provisions more generally, the facilitating payments exception focuses on the purpose of the payment rather than its value.” [emphasis in original text]

In addition to these clear statements about whether the FCPA should continue to allow said bribes, you should also consider the administrative nightmare for any international company. The UK Bribery Act does not have any such exception, exemption or defense along the lines of the FCPA facilitation payment exception. This means that even if your company allows facilitation payments, it must exempt out every UK Company or subsidiary from the policy. Further, if your company employs any UK citizens, they are subject to the UK Bribery Act no matter who they work for and where they may work in the world, so they must also be exempted. Finally, if your US Company does business with a UK or other company subject to the UK Bribery Act, you may be prevented contractually from making facilitation payments while working under that customer’s contract. As I said, an administrative nightmare.

Interestingly, one of the clearest statements about facilitation payments comes not from an FCPA case about facilitation payments but from the case of Kay v. Rice, 359 F.3d 738, 750-51 (5th Cir. 2004). This case dealt with whether payment of bribes to obtain a favorable tax ruling was prohibited under the FCPA. In its opinion, the Fifth Circuit commented on the limited nature of the facilitating payments exception when it said:

A brief review of the types of routine governmental actions enumerated by Congress shows how limited Congress wanted to make the grease exceptions. Routine governmental action, for instance, includes “obtaining permits, licenses, or other official documents to qualify a person to do business in a foreign country,” and “scheduling inspections associated with contract performance or inspections related to transit of goods across country.” Therefore, routine governmental action does not include the issuance of every official document or every inspection, but only (1) documentation that qualifies a party to do business and (2) scheduling an inspection—very narrow categories of largely non-discretionary, ministerial activities performed by mid- or low-level foreign functionaries.

Enforcement Actions 

Con-way

The FCPA landscape is littered with companies who sustained FCPA violations due to payments which did not fall into the facilitation payment exception. In 2008, Con-way Inc., a global freight forwarder, paid a $300,000 penalty for making hundreds of relatively small payments to Customs Officials in the Philippines. The payments Con-way was fined for making totaled $244,000 and were made to induce the officials to violate customs regulations, settle customs disputes, and reduce or not enforce otherwise legitimate fines for administrative violations.

Helmerich and Payne

In 2009, Helmerich and Payne, Inc., paid a penalty and disgorgement fee of $1.3 million for payments which were made to secure customs clearances in Argentina and Venezuela. The payments ranged from $2,000 to $5,000 but were not properly recorded and were made to import/export goods that were not within the respective country’s regulations; to import goods that could not lawfully be imported; and to evade higher duties and taxes on the goods.

Panalpina

Finally, there is the Panalpina enforcement action. This matter was partly resolved with the payment by Panalpina and six of its customers of over $257 million in fines and penalties. Panalpina, acting as freight forwarder for its customers, made payments to circumvent import laws, reduce customs duties and tax assessments and to obtain preferential treatment for importing certain equipment into various countries but primarily in West Africa.

Three Key Takeaways

  1. Do not forget the administrative nightmare of facilitation payments for international organizations.
  2. The Kay decision made clear how narrow the ‘routine government action’ exception is.
  3. Facilitation payments will usually be an add-on as they are symptomatic of an ineffective, paper compliance program.


Dec 22, 2017

The original version of the FCPA, enacted in 1977, contained an exception for payments made to non-US officials who performed duties that were “essentially ministerial or clerical”. In 1988 Congress responded by amending the FCPA under the Omnibus Trade and Competitiveness Act to clarify the scope of the FCPA’s prohibitions on bribery, including the scope of permitted facilitation payments. An expanded definition of “routine governmental action” was included in the final version of the bill, reflecting the intent of Congress that the exceptions apply only to the performance of duties listed in the subcategories of the statute and actions of a similar nature. Congress also meant to make clear that “ordinarily and commonly performed actions”, with respect to permits or licenses, would not include those governmental approvals involving an exercise of discretion by a government official where the actions are the functional equivalent of “obtaining or retaining business for, or with, or directing business to, any person”.

The FCPA contains an explicit exception to the bribery prohibition for any “facilitation or expediting payment to a foreign official, political party, or party official the purpose of which is to expedite or to secure the performance of a routine governmental action by a foreign official, political party, or party official”. “Routine government action” does not include any decision by a public official to award new business or continue existing business with a particular party. The statute lists examples of what is considered a “routine governmental action” including:

  • obtaining permits, licenses, or other official documents to qualify a person to do business in a country;
  • processing government papers, such as visas or work orders;
  • providing police protection, mail pick-up and delivery, or scheduling inspections associated with contract performance or transit of goods across country;
  • providing phone service, power and water supply, loading and unloading cargo, or protecting perishable products from deterioration; and
  • actions of a similar nature.

There is no monetary threshold for determining when a payment crosses the line between a facilitation payment and a bribe. The accounting provisions of the FCPA require that facilitation payments be accurately reflected in an issuer’s books and records, even if the payment itself is permissible under the anti-bribery provisions of the law.

Risks associated with relying on the “facilitation payments” exception

Facilitation payments carry legal risks even if they are permitted under the anti-bribery laws of a particular country. In the US, enforcement agencies have taken a narrow view of the exception and have successfully prosecuted FCPA violations stemming from payments that could arguably be considered permissible facilitation payments. Violations of the accounting and recordkeeping provisions of the FCPA are also more likely when a company makes facilitation payments. Abroad, countries are increasingly enforcing domestic bribery laws that prohibit such payments. Companies that allow facilitation payments face a slippery slope in educating their employees on the nuances of permissible payments in order to avoid prosecution for prohibited bribes.

1. US enforcement authorities construe the exception narrowly

Other than as discussed above, there is no definitive guidance on circumstances in which the facilitation payments exception applies. There may be less risk of enforcement by US authorities in cases involving bona fide facilitation payments that are made specifically for one of the purposes enumerated in the FCPA. However, companies still face the risk of at least a governmental inquiry to explain the circumstances surrounding the payments, possibly resulting in penalties based on an unanticipated restrictive interpretation of the exception. As noted by the FCPA Professor, the recent Noble Non-Prosecution Agreement stated that the payments made by Noble’s Nigerian customs agent, Panalpina, to facilitate the importation of its rigs into Nigeria did “not constitute facilitation payments for routine governmental actions within the meaning of the FCPA”.

2. Potential non-compliance with the FCPA’s accounting and record-keeping provisions

While the anti-bribery provisions of the FCPA permit facilitation payments, the accounting and recordkeeping provisions of the law nevertheless require companies making such payments to accurately record them in their books and records. Companies or individuals may be reluctant to properly record such payments, as it shows some semblance of impropriety and effectively creates a permanent record of a violation of local law. However, failure to properly record such expenditures may result in prosecution by the Securities and Exchange Commission (SEC) even if the underlying payments themselves are permissible. One example of prosecution resulting from the misreporting of seemingly permissible facilitation payments involves Triton Energy Corporation, which settled an investigation by the SEC involving multiple alleged FCPA violations, including the misrecording of facilitation payments. An Indonesian subsidiary of the company had been making monthly payments, of approximately $1,000, to low-level employees of a state-owned oil company in order to assure the timely processing of monthly crude oil revenues. The SEC did not charge that these payments violated the anti-bribery provisions of the FCPA; however, these payments were misrecorded in corporate books and therefore violated the FCPA’s accounting and recordkeeping provisions. Triton Energy consented to an injunction against future violations of the FCPA and was fined $300,000.

3. Increased enforcement of non-US laws that do not recognize an exception for facilitation payments

While the FCPA and certain other national anti-bribery laws contain exceptions for facilitation payments, such payments typically are considered illegal in the country in which they are made; there is not any country in which facilitation payments to public officials of that country are permitted under the written law of the recipient’s country. Accordingly, even if a particular facilitation payment qualifies for an exception under the FCPA, it nevertheless is likely to constitute a violation of local law, as well as of the anti-bribery laws of other countries that also might apply simultaneously, and thus exposes the payer, his employer and/or related parties to prosecution in one or more jurisdictions. While enforcement to date in this area has been limited, increased global attention to corruption makes future action more likely. Countries that are eager to be seen as combating corruption are prosecuting the payment of small bribes with greater frequency.

4. Corporate approaches to facilitation payments may exceed the legitimate scope and applicability of the exception

Businesses still struggle with how to address the facilitation payments exception in their compliance policy and procedures, if the subject is covered at all. Businesses should be wary of allowing employees to decide on their own whether a particular payment is permissible. Unless such payments are barred completely or each payment is subject to pre-approval (which in many cases would be unrealistic (e.g., passport control)), there is always the risk that an employee, agent or other person whose actions may be attributed to the company will make a payment in reliance on the exception when in fact the exception does not apply. In addition, the temptation to improperly record otherwise permissible facilitation payments has been discussed above.

Three Key Takeaways

  1. Many companies still struggle with facilitation payments.
  2. What are the five listed purposes for facilitation payments?
  3. The facilitation payment exception is narrowly construed by both the courts and the Justice Department.

Why are facilitation payments so problematic?


Dec 21, 2017

The FCPA states, “The FCPA’s anti-bribery provisions apply to corrupt payments made to (1) “any foreign official”; (2) “any foreign political party or official thereof”; (3) “any candidate for foreign political office”; or (4) any person, while knowing that all or a portion of the payment will be offered, given, or promised to an individual falling within one of these three categories. Although the statute distinguishes between a “foreign official,” “foreign political party or official thereof,” and “candidate for foreign political office,” the term “foreign official” in this guide generally refers to an individual falling within any of these three categories.”

Government policies affect the commercial environment.  A company is subject to legislation and regulation that affects how it conducts its business and generates value for its investors.  Participating in the political process is part of a business strategy to protect a company’s interests.

Most international businesses have a strategy to engage in the political process with a view to the long-term interests of the company and to promote and protect its interests. All political contributions and expenditures on behalf of the Company and management reports on these political contributions and expenditures should be reported to the Board of Directors annually. No political contributions may be made or promised unless written pre-approval has been obtained from the corporate compliance function.

The factors that influence which candidates merit political donations include:

  • Candidate support for key company business and public policy priorities;
  • Candidate voting record and leadership position;
  • Candidate commitment to company’s industry growth, and ability to positively impact its goals; and
  • Company assets or employees in a region or state represented by the candidate.

All political contributions should be made in accordance with all applicable laws and regulations and disclosed as required by law. Any requests for contributions to a political candidate, committee, or party must be addressed to the corporate compliance function and must include an analysis of the four factors above, as well as business justification for the request to support the particular candidate, committee, or party. 

Additionally, no Company funds or other assets may be used for political contributions outside the U.S., unless expressly approved in writing by Government Affairs. A Company employee seeking approval for political contributions outside the U.S. must present Government Affairs, in writing, with all relevant information to allow for a thorough and careful analysis. The information required by the compliance function should include:

  • The name of the candidate, committee, or political party;
  • The government agency(ies) with which the candidate is or has been affiliated (e.g., has the candidate served with the Ministry of Interior and in what period of time);
  • The candidate’s position on key issues that affect Company’s business (e.g., human rights, equality, labor laws, unionization, taxes, foreign investment, etc.);
  • The candidate’s voting record on the issues affecting the Company;
  • Whether Company does business with the government entity with which the candidate is seeking a position and the amount of such business in the preceding 24 months;
  • Any pending or recently awarded contracts with the government entity with which the candidate is affiliated or is seeking a position;
  • Any pending or recently awarded contracts overseen or managed by the committee, party, or political entity for which the political contribution is sought; and
  • The business justification for making the political contribution.

Your company policy should prohibit politically exposed persons (PEPs) from exerting pressure or undue influence over your employees, agents, consultants, or representatives to make personal political contributions.

Your policy should prohibit use of your company’s resources or assets, including work time, to support candidates or campaigns personally. In the course of employment, PEPs should be prohibited from engaging in any activity on a company’s behalf that is intended to influence legislation, rulemaking, or governmental policy or engage lobbyists or others to do so, without pre-authorization of the corporate compliance function.

Political contributions shall not be used to disguise a payment that is prohibited by a company’s Code of Conduct, Anti-Corruption Policy, or other policies or procedures.  If your company’s policies prohibit the payment in another form, it should not be made under the guise of a political contribution.  No employee should utilize third parties or their own personal funds to make a payment that cannot be made under a company’s policies and procedures.   

Any exceptions to this policy should only be approved by the CCO, Compliance Oversight Committee or Board of Directors.

Three Key Takeaways

  1. Political candidates are covered by the FCPA.
  2. What is the business purpose for the contribution?
  3. Do not make contributions towards candidates who can award your company business.


Dec 20, 2017

What should your compliance policy and procedures on charitable donations look like? What should you prohibit or even caution against? The starting point is the 2012 FCPA Guidance regarding charitable donations. Your policy should begin by asking the following five initial questions:

  • What is the purpose of the donation?
  • Is the payment consistent with the company’s internal guidelines on charitable giving?
  • Is the payment at the request of a foreign official?
  • Is a foreign official associated with the charity and, if so, can the foreign official make decisions regarding your business in that country?
  • Is the payment conditioned upon receiving business or other benefits?

There are additional inquiries based upon the DOJ Opinion Releases issued regarding charitable donations. Some of the protections a company can put in place to comply with the FCPA regarding charitable donations are as follows:

  • Will the donation recipients certify that they or the entity will comply with the requirements of the FCPA?
  • Will the recipient provide audited financial statements?
  • Will the recipient restrict the use of the donated funds to humanitarian or charitable purposes only?
  • Will the funds be transferred to a valid bank account?
  • Will the recipients allow ongoing auditing and monitoring of the efficacy of the charitable donation program?

 

Based upon the Schering-Plough and Lilly SEC enforcement actions, there are some additional inquiries that should be specified:

  1. What was the timing of the charitable donation or promise to make a donation in relation to the obtaining or retaining of business?
  2. Did the company follow its normal protocol for requesting, reviewing and making a charitable donation or is there a pattern of unusual donations outside the protocol?
  3. Did any one person make multiple donations just below their authority level so that it did not have to go up the line for review?
  4. Was the total amount donated to one charitable foundation out of proportion to the rest of the country or region’s charitable donation budget?
  5. Did the sales in one area, region or country spike after a pattern of charitable donations?

The information on the red flags from the prior Opinion Releases and the best practices, as set out in the 2012 FCPA Guidance, have been available for some time. From the Schering-Plough and Lilly enforcement actions, your policy should consider the timing of charitable donations to see if they are at or near the time of the awarding of new or continued business. Finally, in managing the relationship, you now need to look at overall increases in sales to determine if they are tied to a pattern of charitable donations. By looking at the timing and quantum of charitable donations, internal audit may be able to ascertain that a spike in sales is tied to corrupt conduct.

Three Key Takeaways

  1. What are the basic inquiries to make around charitable donations?
  2. Use all of the communication tools the DOJ has provided; written guidance, enforcement actions and Opinion Releases to inform your charitable donation policy.
  3. Document, document, document the basis of your charitable donations risk assessment.


Dec 20, 2017

In this episode, Matt Kelly and I take a deep dive into a report from the Financial Stability Oversight Council on the cybersecurity risk of third party technology providers in the financial industry. We discuss some of the specific risks and recommendations laid out in the report. We use this as a jumping off point to explore how such issues are becoming more and more the purview of the compliance practitioner. Some of the solutions Matt discusses are directly in the wheelhouse of the compliance professional. Finally we note the potential for more regulatory scrutiny from both the SEC and PCAOB going forward into 2018.

For additional information on this topic, see some of Matt’s writings in this area:

 

Feds Eye Cybersecurity Risks of Tech Providers

The Fine Art of Scoping a SOC 2 Audit

NIST Standards and Why They Matter

Dec 19, 2017

Opinion Releases can provide valuable information for the compliance practitioner. I agree with the statement found in the 2012 FCPA Guidance that “DOJ’s opinion procedure is a valuable mechanism for companies and individuals to determine whether proposed conduct would be prosecuted by DOJ under the FCPA. Generally speaking, under the opinion procedure process, parties submit information to DOJ, after which DOJ issues an opinion about whether the proposed conduct falls within its enforcement policy.” 

In the area of charitable donations, the DOJ has provided several Opinion Releases which give solid guidance on this tricky issue. There have been four Opinion Releases in the area of charitable donations under the FCPA. In each Opinion Release, the DOJ indicated that it would not initiate prosecutions based upon the fact scenarios presented to it.

95-01

This request was from a US based energy company that planned to operate a plant in South Asia, in an area where there were no medical facilities available. The energy company planned to donate $10 million for equipment and other costs to a medical complex that was under construction nearby. The donation would be made through a US charitable organization and a South Asian LLC.

The energy company stated it would do three things with respect to this donation.

  1. Before releasing funds, the energy company said it would require certifications from the officers of all entities involved that none of the funds would be used in violation of the FCPA.
  2. It would ensure that none of the persons employed by the charity or the LLC were affiliated with the foreign government.
  3. The energy company would require audited financial reports detailing the disposition of the funds.

97-02

This request was from a US based utility company that planned to operate a plant in Asia, in an area where there was no primary-level school. The utility company planned to donate $100,000 for construction and other costs to a government entity that proposed to build an elementary school nearby. Before releasing funds, the utility company said it would require certain guarantees from the government entity regarding the project, including that the funds would be used exclusively for the school. 

06-01

This request was from a Delaware company doing business in Africa. The company desired to initiate a pilot project under which it would contribute $25,000 to the Ministry of Finance in the country to improve local enforcement of anti-counterfeiting laws. The contribution would fund incentive awards to local customs officials, which were needed because this African country was a major transit point for illicit trade and the local customs officials had no incentive to prevent the contraband.

The company said that along with the contribution, it would execute an agreement with the Ministry to encourage exchange of information and establish procedures and criteria for incentive awards. The company said that if the program is successful, the awards would continue to be funded as needed, and the company will seek the participation of its competitors in this program. 

The company would implement at least five safeguards to ensure the funds would be used as intended, including:

  1. Payments to a valid government account, subject to internal audits.
  2. Payments only upon the confirmation that goods seized were in fact counterfeit.
  3. The Ministry would identify award candidates without input from the company and would provide evidence that funds were used properly.
  4. The company would monitor the program’s effectiveness.
  5. Records will be required to be kept and be available for inspection for a period of time. 

10-02 

A US Company desired to move from a charitable entity model to a for-profit model in the area of micro-financing. To do so it was required to make a large cash donation to a charity in the country in question. The company engaged in three rounds of due diligence in which it determined that the most favorable candidate had a government official on its Board of Directors but that under the laws of the country in question, the government official could not receive compensation to sit as a Board member. After initially listing the 3 levels of due diligence in which the company had engaged prior to finalizing its choice of local entity to receive the donation, the DOJ noted that the donation ‘requested’ of the US Company would be subject to the following controls:

  1. Payments of the donations would be staggered over a period of eight quarters rather than in one lump sum.
  2. Ongoing monitoring and auditing of the funds’ use for a period of five years.
  3. The donations would be specifically utilized for the building of infrastructure.
  4. The funds could not be transferred to either the charity’s parent or any other affiliated entity.
  5. The funds would not be paid to the parent of the organization receiving the grant and there was an absolute prohibition on compensating Board Members.
  6. The proposed grant agreement under which the funds would be donated had significant anti-corruption provisions which included a requirement that the local organization receiving the funds adopt an anti-corruption policy and that the company making the donation shall receive full access to the local organization’s books and records.
  7. Right to terminate the agreement and recall the funds if evidence was found that “reasonably suggests” a breach of compliance provisions. 

Mendelsohn Guidance 

Dick Cassin, writing in the FCPA Blog, in a posting entitled “When is Charity a Bribe?”, cited to the then Deputy Chief of the Criminal Division’s Fraud Section at the DOJ Mark Mendelsohn.  Mendelsohn was asked about the guidelines regarding requests for charitable giving and the FCPA and said that any such request must be evaluated on its own merits. He advocated a “common sense” approach in identifying and clearing Red Flags. Some of the areas of inquiry would include answers to the following questions. 

  1. Is there a nexus between the charity and any government entity from which the company is seeking a decision?
  2. If the governmental decision-maker holds a position at the charity, that's a red flag.
  3. Is the donation consistent with the company's overall pattern of charitable donations?
  4. If one donation or a series of them is more than the company has made to any other charity in the past five years, that would also be a red flag.
  5. Who made the request for the donation and how was that request made? 

Three Key Takeaways

  1. You can utilize the Opinion Release process for a wide variety of issues.
  2. You must manage your charitable donations program even after the money has been donated.
  3. Never forget the Mendelsohn common sense approach to charitable donations.


Dec 18, 2017

When is a rose not a rose? When it is a charitable donation not made for philanthropic purposes and violates the FCPA. This was a feature of the Eli Lilly and Company (Lilly) FCPA enforcement action brought by the Securities and Exchange Commission in 2012, involving a bribery scheme utilized by Lilly in Poland. The scheme and FCPA violations mirrored an earlier FCPA enforcement action, also brought by the SEC as a civil matter, rather than by the Department of Justice as a criminal matter, against another US entity Schering-Plough, for making charitable donations in Poland which violated the FCPA. One of the remarkable things about both of these enforcement actions, brought almost eight years apart, was that they involved improper payments to the same Polish charitable foundation to wrongfully influence the same Polish government official to purchase products from both of these companies.

The Bribery Schemes

Both companies were involved in negotiations for the sale of products with the Director of the Silesian Health Fund (Health Fund). He had also established a charitable foundation, the Chudow Foundation to engage in restoration of ancient castles in Poland. Both companies made donations to the Chudow Foundation at or near the time decisions were made regarding the purchase of their respective products by the Health Fund. The FCPA books and records violations for the donations stated that they were all mischaracterized on the respective company’s books. The donations were made by each company with the description for the donations as follows:

Although all of these donations were approved by a team within Lilly, the “Medical Grant Committee [MGC]”, who reviewed the requests for such donations, the MGC’s approval was “largely based on the justification and description in the submitted paperwork.” While Requests 1 & 2 may have had tangential value to the stated purpose of the Chudow Foundation to restore castles in Poland, even Request 3 was clearly a quid pro quo as an action to obtain business. Just as clearly, ‘rental of castle’ is not a charitable donation but an expenditure. Even with that understanding, the SEC Complaint noted that Lilly held no conferences at any castles, so it was an outright misrepresentation.

The Schering-Plough SEC Complaint noted that the company Manager involved in the payment scheme, “provided false medical justifications for most of the payments on the documents that he submitted to the company’s finance department.” Additionally, he structured the payments so that they were at or below his approval limit so that he did not have to ask for permission to make the improper payments. The Manager in question viewed the donations as “dues that were required to be paid for assistance from the Director.”

The Red Flags for Charitable Donation

A. Schering-Plough

What were the factors which should become red flags for the review of charitable donations under the FCPA? The Schering-Plough SEC Complaint listed several items which it deemed indicia of red flags.

  1. No due diligence. The first is that no due diligence was performed on the charity to identify the Director of the Silesian Health Fund as the founder or his role in the Chudow Foundation.
  2. Donations not related to health care. While the company permitted donations to healthcare related programs there was no follow up to determine the purposes or uses of the donated funds.
  3. Outside normal range of donation. The next red flag was that the donations made to this single charitable foundation were approximately 40% of the company’s promotional budget in 2000 and 20% in 2001.
  4. Disproportionate sales. The company’s sales increased disproportionately compared with its own sales of the same products in other areas of Poland. Up to 53% of one product was sold in the region run by the Director of the Silesian Health Fund.

B. Lilly

The Lilly SEC Complaint listed several items which it deemed indicia of red flags.

  1. No due diligence. Once again there was no due diligence performed on the charity to identify the Director of the Silesian Health Fund as the founder or his role in the Chudow Foundation.
  2. Donations not related to health care. Unlike Schering-Plough, the reasons listed for the charitable donations did not relate to health care. Moreover, they were approved by a Lilly committee specifically tasked with reviewing such requests, which failed to investigate beyond the submitted paperwork, which was apparently not correct.
  3. Outside normal range of donation. The SEC Complaint quoted an email from a Lilly manager who said that he had decided to commit 70-75% of the [charitable donation] budget and the Director of the Silesian Health Fund was given a “free hand to manage the Lilly investment, emphasizing the fact we only doing this for him…”
  4. Suspicious Timing. The donations were made at or near the time that decisions on the purchase of Lilly products were made by the Director of the Silesian Health Fund. One donation was made two days after the Director of the Silesian Health Fund agreed to make a purchase of Lilly products.

Here Lilly used charitable donations to a charitable foundation which was, as stated in the SEC Complaint, “founded and administered by the head of one of the regional government health authorities at the same time that the subsidiary was seeking the official’s support for placing Lilly drugs on the government reimbursement list.” There was a total of eight payments made to the charitable foundation. In addition to the charitable donations made, Lilly “falsely characterized the proposed payments”. Lilly had a group which reviewed the request for such donations called the “Medical Grant Committee [MGC]” which approved the payments “largely based on the justification and description in the submitted paperwork.”

Three Key Takeaways

  1. Every compliance practitioner should study both the Lilly and Schering-Plough enforcement actions.
  2. What is the purpose of the charitable entity you are making a donation to?
  3. Document, Document, Document your due diligence around donees.


Dec 18, 2017

In this episode, I visit with Brian Platz who discusses blockchain and his new company Fluree, a new Public Benefit Corporation that has introduced a scalable blockchain database for decentralized applications. Fluree is not healthcare specific, but there is a lot of potential for blockchain. 

In this podcast interview we covered the following:

  • What is a scalable blockchain database and why is it important?
  • What are some of the healthcare use cases for Fluree?
  • Transparency and consensus as key attributes of blockchain. Does that contradict healthcare’s needs for privacy and security?
  • Who will leverage this technology in healthcare? What are its uses in the broader compliance context?
  • What impact will healthcare consumers and patients see as a result of Fluree?
  • Fluree organized as a Public Benefit Corporation. What does that mean for the company going forward?

Dec 15, 2017

Opinion Releases

Prior to the 2012 FCPA Guidance, the Justice Department issued two 2007 Opinion Releases which offered guidance to companies considering whether to, and if so how to, incur travel and lodging expenses for government officials. Both Opinion Releases laid out the specific representations made to the DOJ, which led the Department to approve the travel to the US by the foreign governmental officials. These facts provided strong guidance to any company which seeks to bring such governmental officials to the US for a legitimate business purpose. In Opinion Release 07-01, the Company desired to cover the domestic expenses for a trip to the US for a six-person delegation of the government of an Asian country for an educational and promotional tour of one of the requestor's US operations sites. In Opinion Release 07-01 the representations made to the DOJ were as follows:

  • A legal opinion from an established US law firm, with offices in the foreign country, stating that the payment of expenses by the US Company for the travel of the foreign governmental representatives did not violate the laws of the country involved;
  • The US Company did not select the foreign governmental officials who would come to the US for the training program;
  • The delegates who came to the US did not have direct authority over the decisions relating to the US Company’s products or services;
  • The US Company would not pay the expenses of anyone other than the selected official;
  • The officials would not receive any entertainment, other than room and board from the US Company;
  • All expenses incurred by the US Company would be accurately reflected in this Company’s books and records.

The response from the DOJ stated: “Based upon all of the facts and circumstances, as represented by the requestor, the Department does not presently intend to take any enforcement action with respect to the proposal described in this request. This is because, based on the requestor's representations, consistent with the FCPA's promotional expenses affirmative defense, the expenses contemplated are reasonable under the circumstances and directly relate to "the promotion, demonstration, or explanation of [the requestor's] products or services."”

In Opinion Release 07-02 the Company desired to pay certain domestic expenses for a trip within the US by approximately six junior to mid-level officials of a foreign government for an educational program at the Requestor's US headquarters prior to the delegates' attendance at an annual six-week long internship program for foreign insurance regulators sponsored by the National Association of Insurance Commissioners (NAIC).

In Opinion Release 07-02 the representations made to the DOJ were as follows:

  • The US Company would not pay the travel expenses or fees for participation in the NAIC program.
  • The US Company had no “non-routine” business in front of the foreign governmental agency.
  • The routine business it did have before the foreign governmental agency was guided by administrative rules with identified standards.
  • The US Company would not select the delegates for the training program.
  • The US Company would only host the delegates and not their families.
  • The US Company would pay all costs incurred directly to the US service providers and only a modest daily minimum to the foreign governmental officials based upon a properly presented receipt.
  • Any souvenirs presented would be of modest value, with the US Company’s logo.
  • There would be one four-hour sightseeing trip in the city where the US Company is located.
  • The total expenses of the trip are reasonable for such a trip and the training which would be provided at the home offices of the US Company.

As with Opinion Release 07-01, the DOJ ended this Opinion Release by stating, “Based upon all of the facts and circumstances, as represented by the Requestor, the Department does not presently intend to take any enforcement action with respect to the planned educational program and proposed payments described in this request. This is because, based on the Requestor's representations, consistent with the FCPA's promotional expenses affirmative defense, the expenses contemplated are reasonable under the circumstances and directly relate to "the promotion, demonstration, or explanation of [the Requestor's] products or services."”

Travel and Lodging for Governmental Officials

What can one glean from these two 2007 Opinion Releases? Based upon them, a US company can bring foreign officials into the US for legitimate business purposes. A key component is that the guidelines are clearly articulated in a compliance policy. Based upon Opinion Releases 07-01 and 07-02, the following should be incorporated into a compliance policy regarding travel and lodging:

  • Any reimbursement for air fare will be for economy class.
  • Do not select the particular officials who will travel. That decision will be made solely by the foreign government.
  • Only host the designated officials and not their spouses or family members.
  • Pay all costs directly to the service providers; in the event that an expense requires reimbursement, you may do so, up to a modest daily minimum (e.g., $35), upon presentation of a written receipt.
  • Any souvenirs you provide the visiting officials should reflect the business and/or logo and would be of nominal value, e.g., shirts or tote bags.
  • Apart from the expenses identified above, do not compensate the foreign government or the officials for their visit, do not fund, organize, or host any other entertainment, side trips, or leisure activities for the officials, or provide the officials with any stipend or spending money.
  • The training costs and expenses will be only those necessary and reasonable to educate the visiting officials about the operation of your company.

Incorporation of these concepts into a compliance program is a good first step towards preventing any FCPA violations from arising, but it must be emphasized that they are only a first step. These guidelines must be coupled with active training of all personnel, not only on the compliance policy, but also on the corporate and individual consequences that may arise if the FCPA is violated regarding gifts and entertainment. Lastly, it is imperative that all such gifts and entertainment are properly recorded, as required by the books and records component of the FCPA.

The 2012 FCPA Guidance does specify some examples of improper travel and entertainment:

  • $12,000 birthday trip for a government decision maker from Mexico that included visits to wineries and dinners;
  • $10,000 spent on dinners, drinks, and entertainment for a government official;
  • A trip to Italy for eight Iraqi government officials that consisted primarily of sightseeing and included $1,000 in “pocket money” for each official;
  • A trip to Paris for a government official and his wife that consisted primarily of touring activities via a chauffeur-driven vehicle.

However, you can use the matter as a good reason to review not only your company’s procedures but to test to determine if they are being followed or if there are issues which you might need to take a closer look at. When a Wal-Mart, News Corp or GSK is in the news for alleged FCPA violations, it provides you a good reminder to review your compliance program.  

Three Key Takeaways

  1. Gifts and business entertainment continue to plague companies for compliance violations.
  2. The key is not the amount but having a policy and procedure and following it.
  3. Always remember to record gifts and business entertainment expenses correctly.

Payment for travel expenses is appropriate if there is a legitimate business purpose.


Dec 15, 2017

In May 2014, the Financial Accounting Standards Board (FASB) issued Accounting Standards Update No. 2014-09, Revenue from Contracts with Customers (Topic 606) for public business entities, certain not-for-profit entities, and certain employee benefit plans. It becomes effective for public entities for annual reporting periods beginning after December 15, 2017. In addition to changing things dramatically in the accounting and financial realms, this new revenue recognition standard may significantly impact the compliance profession, compliance programs and compliance practitioners going forward. In this concluding episode, we consider what it all means.

Matt Kelly and I have put together a five-part podcast series where we explore implications of this new revenue recognition standard. Each podcast is short, 11-13 minutes and deals with one topic on the new revenue recognition standard. The schedule for this week is:

Part 1: Introduction;

Part 2: What the logic of your transaction price?;

Part 3: Shaking up software revenue recognition;

Part 4: Auditors need to pay attention; and

Part 5: What does it all mean for compliance (and everyone else)?

As you might expect from the Compliance Evangelist, I see most issues through the lens of a compliance practitioner. A key reason this is so important in the compliance area is because the internal controls over financial reporting involved in implementing this new standard are critical to effective implementation. The Securities and Exchange Commission (SEC) has said explicitly in several public statements, and through their early comment letters on disclosures made in advance of implementation, that companies must inform the SEC about the accounting policies that they are changing, and how this new standard will affect a company’s accounting processes, and finally how those effects are going to be managed. This makes it clear to me that this is really a compliance issue.

Moreover, the SEC has indicated that these disclosures are central to the new revenue recognition standard. This is because if a company has some sort of failure in their disclosures for an accounting standard, they are treated under Sarbanes-Oxley (SOX) Section 302 of the SEC rules, and that has a level of significance or liability which is much lower than the liability that a company might face under SOX Section 404, which has to do with the actual internal controls over financial reporting. While disclosure of internal controls might not typically bring Section 404 scrutiny, under the new revenue recognition standard, they may now do so. Kelly stated that the SEC has made it “clear that it will be watching this first year of financial statements under the new standard closely.”

This new revenue recognition standard intertwines two concepts. The first is the convergence and overlap between the compliance profession, compliance programs and compliance practitioners with internal controls. While largely seen as financial in nature, compliance internal controls are in place to both detect and prevent. Now compliance internal controls can also be used to gather the information which will be presented to auditors under the new revenue recognition standard. Many professionals are focused on the new revenue recognition from the auditing and implementation perspective. However, if you are a Chief Compliance Officer (CCO), you might want to go down the hall and have a cup of coffee with your Chief Financial Officer (CFO) and find out what internal controls might be changing or that they might be adding and consider how that will impact compliance in your organization.

The second concept is the continued operationalization of compliance. During my tenure in compliance, you rarely heard a CCO consider revenue recognition as a compliance related issue. By going into detail, we have shown how this new revenue recognition standard can change the manner in which a company might recognize revenue, leading to a greater risk of the obfuscation of payments for bribery by corrupt employees. This means as a CCO you must not only be aware of the risk to manage it but you also must take active steps to mitigate against it. 

Kelly believes this new revenue recognition standard means a lot of work for probably the next 12 months; particularly in the next six months or so, from the end of this year until about May or June 2018. This is when most large companies publish their first annual reports, under the new revenue recognition rule. It is difficult to say how many companies will go through all of this to find that actually their numbers will not change to any material amount. However, for many companies, they may not be able to quantify it but their internal mechanisms are going to get a lot more scrutiny. There will be pressure on the internal financial controls and processes to determine how a business is justifying what is being audited and reported to investors.

Kelly concluded by adding that, at the end of the day, “revenue recognition is a financial process. It is a financial issue. This standard really gets to how are you justifying the process of putting forth these numbers. It is about documenting your judgment. It is about making sure the processes you use are full and complete and sound. Who is the one who makes sure that people understand what the process is the process is well thought out and correct and sturdy.”

Matt and I are preparing a white paper based upon our writings on revenue recognition and this podcast series. It will be available through JDSupra when released.

Dec 14, 2017

If one were to reflect upon the providing of gifts and business entertainment to foreign governmental officials, one might reasonably conclude that after 40 years of the FCPA, companies might follow its prescriptions regarding gifts and business entertainment. However, there have been some notable FCPA enforcement actions in this area.

The 2012 Guidance clearly stated the FCPA does not ban gifts and entertainment. Indeed, the Guidance specified that “A small gift or token of esteem or gratitude is often an appropriate way for business people to display respect for each other. Some hallmarks of appropriate gift-giving are when the gift is given openly and transparently, properly recorded in the giver’s books and records, provided only to reflect esteem or gratitude, and permitted under local law. Items of nominal value, such as cab fare, reasonable meals and entertainment expenses, or company promotional items, are unlikely to improperly influence an official, and, as a result, are not, without more, items that have resulted in enforcement action by DOJ or SEC.”

What does the FCPA Itself Say? 

While prohibiting payment of any money, or thing of value, to foreign officials to obtain or retain business, the FCPA arguably permits incurring certain expenses on behalf of these same officials. There is no de minimis provision. The presentation of a gift or business entertainment expense can constitute a violation of the FCPA if this is coupled with the corrupt intent to obtain or retain business. Under the FCPA, the following affirmative defense regarding the payment of expenses exists:

[it] shall be an affirmative defense [that] the payment, gift, offer or promise of anything of value that was made, was a reasonable and bona fide expenditure, such as travel and lodging expenses, incurred by or on behalf of a foreign official, party, party official, or candidate and was directly related to…the promotion, demonstration, or explanation of products or services; or…the execution or performance of a contract with a foreign government or agency thereof. 

As with most matters under the FCPA, there is little direct guidance on what conduct may step over the line set out above. Of course, there is always the gut check test, which simply measures “if it feels wrong in your gut, it probably is wrong”. It is something good to always keep in mind in any circumstance.

Opinion Releases 

Somewhat surprisingly, there are not any recent DOJ Opinion Releases from the past 10 years dealing with the values for gifts and business entertainment under the FCPA. However, there are three Opinion Releases from the early 1980s which can provide some guidance to current practitioners.

In Opinion Release 82-01, the DOJ approved the gift of cheese samples made to Mexican governmental officials, by the Department of Agriculture of the State of Missouri to promote the state of Missouri’s agricultural products. However, the value of the cheese to be presented was not included in the Opinion Release. In Opinion Release 81-02, the DOJ approved a gift of its packaged beef products from the Iowa Beef Packers, Inc to officials from the Soviet Ministry of Foreign Trade. The total value of all the samples presented was estimated to be less than $2,000 and the Iowa Beef Packers, Inc averred that the individual sample packages would not exceed $250 in value.

The final Opinion Release relating to gifts is 81-01. In this release, Bechtel sought approval to use the SGV Group, a multinational organization headquartered in the Republic of the Philippines and comprised of separate member firms in ten Asian nations and Saudi Arabia, which provide auditing, management consulting, project management and tax advisory services. The SGV Group desired to solicit business on behalf of Bechtel who had proposed to reimburse the SGV Group for gift expenses incurred in this business solicitation. Regarding the reimbursement of gift expenses by Bechtel to the SGV Group the DOJ stated:

(d) Expenses for gifts or tangible objects of any kind incurred without Bechtel's prior written approval will be reimbursed only where such expenditures are permitted under the local laws, the ceremonial value of the item exceeds its intrinsic value, the cost of the gift does not exceed $500 per person, and the expense is commensurate with the legitimate and generally accepted local custom for such expenses by private business persons in the country.

Policies and Procedures for Gifts and Business Entertainment

 Gifts to Governmental Officials 

Based upon the FCPA language and relevant Opinion Releases and allowing for inflation over the past 30 years, it would appear reasonable that a Company can provide gifts up to a value of $500. Below are the guidelines which the Opinion Releases would suggest incorporating into a compliance policy regarding gifts:

  • The gift should be provided as a token of esteem, courtesy or in return for hospitality.
  • The gift should be of nominal value but in no case greater than $500.
  • No gifts in cash.
  • The gift shall be permitted under both local law and the guidelines of the employer/governmental agency.
  • The gift should be of a value which is customary for the country involved and appropriate for the occasion.
  • The gift should be for official use rather than personal use.
  • The gift should showcase the company’s products or contain the company logo.
  • The gift should be presented openly with complete transparency.
  • The expense for the gift should be correctly recorded on the company’s books and records.

Business Entertainment of Governmental Officials 

Based upon FCPA language (there are no Opinion Releases on this point), there is no threshold value that a Company can establish for business entertainment. However, I believe there are clear guidelines which should be incorporated into your business expenditure policy, which should include the following:

  • A reasonable balance must exist for bona fide business entertainment during an official business trip.
  • All business entertainment expenses must be reasonable.
  • The business entertainment expenses must be permitted under (1) local law and (2) customer guidelines.
  • The business entertainment expense must be commensurate with local custom and practice.
  • The business entertainment expense must avoid the appearance of impropriety.
  • The business entertainment expense must be supported by appropriate documentation and properly recorded on the company’s books and records.

The incorporation of these concepts into a compliance policy is a good first step towards preventing potential violations from arising, but it must be emphasized that they are only a first step. There must be procedures to implement these policies. At a minimum, you must require a business justification from the business representative requesting to provide the gift or business entertainment. Next it should be reviewed and approved by a front-line compliance professional. Then, depending on the amount and nature of the request, it may need CCO approval. Finally, if there is a Compliance Oversight Committee it should go to that Committee for a final check to make sure everything is in order.

These guidelines must be coupled with active training of all personnel, not only on a company’s compliance policy, but also on the corporate and individual consequences that may arise if the FCPA is violated regarding gifts and business entertainment. Lastly, it is imperative that all such gifts and business entertainment be properly recorded, as required by the books and records component of the FCPA.  

And, as always, do not forget the gut check test.

Three Key Takeaways

  1. Gifts and business entertainment continue to plague companies for compliance violations.
  2. The key is not the amount but having a policy and procedure and following it.
  3. Always remember to record gifts and business entertainment expenses correctly.

There continue to be significant FCPA enforcement actions around the area of gifts. 


Dec 14, 2017

In May 2014, the Financial Accounting Standards Board (FASB) issued Accounting Standards Update No. 2014-09, Revenue from Contracts with Customers (Topic 606) for public business entities, certain not-for-profit entities, and certain employee benefit plans. It becomes effective for public entities for annual reporting periods beginning after December 15, 2017. In addition to changing things dramatically in the accounting and financial realms, this new revenue recognition standard may significantly impact the compliance profession, compliance programs and compliance practitioners going forward. In this episode, we consider auditors and the new revenue recognition standard, including disclosures, the ICFR and PCAOB guidance on the new revenue recognition standard.

Matt Kelly and I have put together a five-part podcast series where we explore implications of this new revenue recognition standard. Each podcast is short, 11-13 minutes and deals with one topic on the new revenue recognition standard. The schedule for this week is:

Part 1: Introduction;

Part 2: What the logic of your transaction price?;

Part 3: Shaking up software revenue recognition;

Part 4: Auditors need to pay attention; and

Part 5: What does it all mean for compliance (and everyone else)?

Kelly identified three areas where he sees immediate auditor impact. The first is that the audit firms’ regulator, the Public Company Accounting Oversight Board (PCAOB) has clearly communicated to auditors they must pay attention to this new revenue recognition standard. One of the clear themes throughout this podcast series has been the increased amount of judgment which will come into these calculations going forward. This means companies will need to have more complete documentation which can then be reviewed and tested by their auditors. Add to this PCAOB auditing standards and there may well be a time for some sorting out of what will be required going forward.

Secondly, with this new emphasis on judgment, auditors will have a renewed emphasis on fraud detection. There may be some incentives for sales executives to manipulate the numbers a bit or to close the deal more quickly to hit a bonus. Such pressure could transgress into fraud and as Kelly noted “auditors will be looking more closely at fraud risk because there could well be circumstances where sales commissions could be higher because of the new revenue standard; that would let some firms recognize more of a transaction more quickly.” Finally, Kelly also noted the Internal Controls over Financial Reporting will have renewed focus from auditing firms.

Kelly pointed to the straightforward issue of whether a contract exists and then posed some of the questions auditors may be asking going forward: How do we know the organization’s contracts are complete and accurate? How does a company demonstrate its contract management system has not been tampered with after execution? What are the controls around these programs you might use to manage your financial transactions? Are we capturing all of the contracts that our employees are generating, or are employees generating some contracts without informing management, or has the company’s contract management system failed to capture them? Finally, is there contract system security to ensure there is no manipulation after the contract is signed?

Another key area for auditing will be whether the pattern and practice of doing business is the same as the contract performance terms and conditions. One immediate area is payment terms. Most contracts specify 30 days net payment terms. However, often this date may slip 30, 60 days or even longer. Now take this same concept into the FCPA realm around vague deliverables in a third party agent’s agreement and you begin to see some additional issues. If the performance deliverable terms are so vague as to render them meaningless, how will that be handled under this new revenue recognition standard?

My observation is there is a continuum, working backward from the PCAOB, to auditors and audits, to the disclosures companies may have to make. Under GAAP, a disclosure may only need to be made if it is material. Yet in the FCPA world there is no materiality standard. At what point does the lack of materiality of a contract outside the United States make your books and records not correct, leading to a potential exposure under a law unrelated to traditional revenue recognition, i.e., the FCPA? Kelly concluded by noting that companies need to be (or have been) in discussions with their audit firm to plan these things out as “these sorts of complexities are not to be dismissed because we don't know when they might boil up and suddenly grab you in the rear end. And when that happens it will happen at the least convenient time and cause the most pain.” (ouch!)

I hope you will continue to join us for our exploration this week. Tomorrow in Part V, we will conclude with what it all means going forward.

Dec 13, 2017

Simply having a Code of Conduct, together with compliance policies and procedures, is not enough. As articulated by former Assistant Attorney General Lanny Breuer, “Your compliance program is a living entity; it should be constantly evolving.” The 2012 FCPA Guidance stated “When assessing a compliance program, DOJ and SEC will review whether the company has taken steps to make certain that the code of conduct remains current and effective and whether a company has periodically reviewed and updated its code.” Some of the questions you should consider are:

  • When was the last time your policies and procedures were released or revised?
  • Have there been changes to your company’s internal controls since the last revision?
  • Have there been changes to relevant laws relating to a topic covered in your company’s policies and procedures?
  • Are any of the policies and procedures outdated?
  • What is the budget to create/revise your policies and procedures?

After considering these issues, you should benchmark your current policies and procedures against other companies in your industry. If you decide to move forward, I suggest a process which can be fully documented as a basis to include revisions to your compliance policies and procedures.

Get buy-in from senior leadership of your company 

Your company’s highest level must give the mandate for a revision to compliance policies and procedures. It should be the Chief Executive Officer, General Counsel or Chief Compliance Officer, or better yet all three to mandate this effort. Whoever gives the mandate, this person should be consulted at every major step of the policies and procedures revision process if it involves a change in the direction of key policies.

Establish a core policies and procedures revision committee 

A cross-functional working group would be ideal to head up your effort to revise your compliance policies and procedures. This group should include representatives from the following departments: legal, compliance, communications and HR; there should also be other functions which represent the company’s domestic and international business units; finally, there should be functions within the company represented such as finance and accounting, IT, marketing and sales.

From this large group, the topics can be assigned for initial drafting to functions based on their relevance or necessity. These different functions would also solicit feedback from their functional peers and deliver a final, proposed draft to the Drafting Committee. It is important that you establish a timetable for the revision process and you hold representatives accountable for meeting their revisions.

Conduct a thorough technology assessment 

The cornerstone of the revision process is how your company captures, collaborates on and preserves all the comments, notes, edits and decisions during the entire project. In addition to this use of technology in revising your compliance policies and procedures, you should determine if they will be available in hard copy, online or both. There must be a distribution plan, particularly if the Code and compliance policies and procedures will only be available in hard copy.

Determine translations and localizations 

The 2012 Guidance made clear that your compliance policies and procedures must be translated into local language for your non-English speaking workforce. The key is that your employees have the same understanding of the compliance policies and procedures, no matter the language.

Develop a plan to communicate the revised policies and procedures

A rollout is always critical because it is important that the revised policies and procedures are communicated in a manner which encourages employees to review and use the policies and procedures on an ongoing basis. Your company should use the full panoply of tools available to it to publicize the revised compliance policies and procedures. This can include a multi-media approach or physically handing out a copy to all employees at a designated time. You might consider having a company-wide compliance policies and procedures meeting where the new or revised documents are rolled out across the company all in one day. But remember, with all things compliance, the three most important aspects are ‘Document, Document and Document’. However you deliver the new or revised policies and procedures, you must document that each employee received them.

Stay on Target and Budget 

You should work to set realistic expectations to stay on deadline and stay within your budget. This is equally applicable to your policy and procedures revision. Also remember to keep a close watch on your budget so that you do not exceed it.

These points are a useful guide not only to thinking through how to determine if your policies and procedures need updating, but also to practical steps on how to tackle the problem. If it has been more than five years since they were last updated, you should begin the process now. It is far better to review and update, if appropriate, than to wait for a massive FCPA investigation to go through the process.

Three Key Takeaways

  1. If you have not revised your compliance policies and procedures in the past five years, you should do so now.
  2. Set a timeline and budget and stick to it in the compliance policy and procedure revision process.
  3. Document your process of revision to demonstrate more complete operationalization of your compliance program as set out in the DOJ Evaluation of Corporate Compliance Programs.

This month’s sponsor is the Doing Compliance Master Class. In 2018 I am partnering with Jonathan Marks and Marcum LLC to put on training. Look for dates of one of the top compliance related training going forward.

Dec 13, 2017

In May 2014, the Financial Accounting Standards Board (FASB) issued Accounting Standards Update No. 2014-09, Revenue from Contracts with Customers (Topic 606) for public business entities, certain not-for-profit entities, and certain employee benefit plans. It becomes effective for public entities for annual reporting periods beginning after December 15, 2017. In addition to changing things dramatically in the accounting and financial realms, this new revenue recognition standard may significantly impact the compliance profession, compliance programs and compliance practitioners going forward. In this episode, we consider how the new revenue recognition standard could shake up the software industry.

Matt Kelly and I have put together a five-part podcast series where we explore implications of this new revenue recognition standard. Each podcast is short, 11-13 minutes and deals with one topic on the new revenue recognition standard. The schedule for this week is:

Part 1: Introduction

Part 2: What is the logic of your transaction price?

Part 3: Shaking up software revenue recognition.

Part 4: Auditors need to pay attention.

Part 5: What does it all mean for compliance (and everyone else)?

One of the industries which may greatly feel the impact of the new revenue recognition standard is the software industry. Kelly noted that the new revenue recognition rule will ultimately allow some portion of the software sector to recognize more of their long-term contract revenue immediately. He believes they initially may think something along the lines of “Hey, that sounds good, right. We can hit our quarterly numbers. However, that then brings about bigger strategic questions.” So the reality may be somewhat different, as a software company might need to think about how this might well drive much more volatile revenue patterns over a multi-year period.

Kelly provided an example of the volatility from one of the companies he has studied, Microsoft. He stated that “when Microsoft adopted the revenue recognition standard earlier this summer, it actually pushed its revenues up because all those liabilities that would have been deferred revenue on the balance sheet recognized them all at once. Microsoft's total revenue for 2017 went from $8.9bn to $26.5bn.” All that just because of a change in revenue recognition.

He then gave a more tangible example of a specific contract, where a company entered into a contract for five years, paying $500,000 and receiving 1000 seat licenses and four years of updates. Under the prior revenue recognition standards, the software company recognized $100,000 in that first year when they signed the deal and then they had $400,000 of deferred revenue, which they recognized in chunks of $100,000 per year. Now a software company under the same scenario could recognize the entire $500,000 in the first year. While this may look great, it has serious implications. First and foremost, it will impact the software company’s balance sheet for the final four years of the five-year contract. It will seem most bare, with no deferred revenue. Kelly concluded “that's the sort of thing that the software companies sector is going to go through a bit of a blender in early 2018 as people start to realize what all this means.”

Another obvious area of change will be in commission payments for sales persons and third parties. Previously they may have been paid when the revenue was recognized over the life of a contract. Now it may be all up front in the first year. This could cause a commission payment to be made in Year 1 of a 5-year contract. This would present the same cash flow issue for a sales person. Now consider this in an FCPA context. The five-year split of a commission payment has acted as an internal compliance control to keep such payments low enough so as not to create a fund for bribery. Now that type of internal control may not be available to the Chief Compliance Officer.

In a white paper for CalcBench, Kelly and Pranav Ghai found several themes emerging for software companies under the new revenue recognition standard.

First, software companies expect the new standard to accelerate revenue recognition for some long-term software contracts, where previously the revenue would have been recognized in increments across the life of the contract. This is because the new standard eliminates the need for “vendor-specific objective evidence” (VSOE). With the VSOE requirement gone, the new standard will allow firms to recognize more of the revenue from a long-term contract immediately.

Second, numerous firms said the new standard will change how they account for sales commissions, which qualify as costs of obtaining contracts. Under the new standard, sales commissions can be capitalized over the term of a contract, rather than expensed immediately. That means deferred commissions will increase as an asset on the balance sheet, and the amortization costs will be expensed over the term of the contract.

Finally, the data does raise questions about how well-prepared some software firms are for the new standard. Numerous firms say they plan to implement the standard by Jan. 1, 2018, but still report that they are uncertain about its possible effect, or even what adoption method they will use.

Perhaps one of the most unintended consequences will be for software companies looking for some sort of a merger, exit or those looking for an investment round from private equity or venture capital. The difficulty for PE or VC will be to determine what a software company’s value might be over a period of time. This may end up being one of the most critical questions facing software companies and those who invest in them.

I hope you will continue to join us for our exploration this week. Tomorrow in Part IV, we will consider how and why auditors need to pay attention.

 

Dec 12, 2017

There are numerous reasons to put some serious work into your policies and procedures. They are certainly a first line of defense when the government comes knocking. The 2012 FCPA Guidance made clear that “Whether a company has policies and procedures that outline responsibilities for compliance within the company, detail proper internal controls, auditing practices, and documentation policies, and set forth disciplinary procedures will also be considered by DOJ and SEC.” And by using the word “considered”, it is clear that this means the regulators will take a strong view against a company that does not have well thought out and articulated policies and procedures, all of which are systematically reviewed and updated. Moreover, having policies written out and signed by employees provides what some consider the most vital layer of communication and acts as an internal control. Together with a signed acknowledgement, these documents can serve as evidentiary support if a future issue arises. In other words, the ‘Document, Document and Document’ mantra applies just as strongly to this area of anti-corruption compliance.

The specific written policies and procedures required for a best practices compliance program are well known and long established. The 2012 FCPA Guidance stated, “Among the risks that a company may need to address include the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments.” Policies help form the basis of expectation and conduct in your company. Procedures are the documents that implement these standards of conduct.

The role of compliance policies is to protect companies, their stakeholders, including employees, third-parties and others, despite an occasional lapse. A company’s compliance policies provide a basic set of guidelines for employees and others to follow. Compliance policies should give general prescriptions and should be supplemented by more specific procedures. By establishing what is and what is not acceptable ethical and compliant behavior, a company helps mitigate the risks posed by employees who might not always make the right ethical choices.

The Evaluation of Corporate Compliance Programs builds upon the requirements articulated in the 2012 FCPA Guidance. Under Prong 4, Policies and Procedures, it states, Applicable Policies and Procedures – Has the company had policies and procedures that prohibited the misconduct? How has the company assessed whether these policies and procedures have been effectively implemented? How have the functions that had ownership of these policies and procedures been held accountable for supervisory oversight? The Evaluation then goes on to ask about both accessibility and effectiveness of the compliance policies and procedures by stating, Accessibility – How has the company communicated the policies and procedures relevant to the misconduct to relevant employees and third parties? How has the company evaluated the usefulness of these policies and procedures?

Compliance policies do not guarantee employees will always make the right decision. However, the effective implementation and enforcement of compliance policies demonstrate to the government that a company is operating professionally and ethically for the benefit of its stakeholders, its employees and the community it serves.

There are five general elements to a compliance policy. It should stake out the following:

  • identify who the compliance policy applies to;
  • set out what is the objective of the compliance policy;
  • describe why the compliance policy is required;
  • outline examples of both acceptable and unacceptable behavior under the compliance policy; and
  • lay out the specific consequences for failure to comply with the compliance policy.

The Evaluation mandates there must be communication of your compliance policies and procedures throughout the workforce and relevant stakeholders such as third-parties and business venture partners. Compliance training is only one type of communication. I think that this is a key element for compliance practitioners because if you have a 30,000+ worldwide work force, simply the logistics of training can appear daunting. Small groups, where detailed questions about policies can be raised and discussed, can be a powerful teaching tool. Another technique can be the posting of FAQs in common areas and virtually. Also, having written compliance policies signed by employees provides what some consider the most vital layer of communication. A signed acknowledgement can serve as evidentiary support if a future issue arises. Finally, never forget the example of the Morgan Stanley declination where the recalcitrant employee annually signed such certifications. These signed certifications helped Morgan Stanley walk away with a full declination.

The 2012 FCPA Guidance ends its section on policies with the following, “Regardless of the specific policies and procedures implemented, these standards should apply to personnel at all levels of the company.” It is important that compliance policies and procedures are applied fairly and consistently across the organization. The Fair Process Doctrine demonstrates that if compliance policies and procedures are not applied consistently, there is a greater chance that an employee dismissed for breaching a policy could successfully claim he or she was unfairly terminated. This last point cannot be over-emphasized. If an employee is going to be terminated for fudging their expense accounts in Brazil, you had best make sure that same conduct lands your top producer in the US with the same quality of discipline.

Three Key Takeaways

  1. The Code of Conduct, together with written compliance policies and procedures form the backbone of your compliance program.
  2. The DOJ and SEC expect a well-thought-out and articulated set of compliance policies and procedures.
  3. The Fair Process Doctrine holds for the application of policies and procedures.


Dec 12, 2017

Welcome to Episode 7 of the Compliance Man Goes Global podcast of the FCPA Compliance Report International Edition. In this episode, we will focus on typical mistakes that compliance officers sometimes make. We will explore this matter in plain language, so to speak, and in a simple game form. Moreover, to make the podcast and text more appealing, we will also illustrate today’s episode with an illustration from the Compliance Man illustrated series, created by Timur Khasanov-Batirov.

For those of our listeners who are not aware of our format, in each podcast, we take two typical concepts, or more accurately misconceptions, from in-house compliance reality. We check whether these concepts work in emerging jurisdictions. For each podcast, we divide roles with Timur, a practitioner who focuses on embedding compliance programs in high-risk markets. One of us will advocate the concept, identifying pros. The second compliance man will provide arguments finding cons and trying to convince the audience that we face a pure myth. As a result, we hopefully will be able to come up with some practical solutions for in-house compliance practitioners.

Myth 1: There is no practical way to improve a compliance program. This is just a fancy and useless statement. In corporate practice, it is just unreal.

Myth 2: As compliance practitioners, we should draft and amend exclusively compliance policies. The list of such policies is well known and is exhaustive, such as the code of ethics, gifts policies and the like. There is no need to spare time for reviewing corporate policies beyond our Compliance Policies List.

Dec 12, 2017

In May 2014, the Financial Accounting Standards Board (FASB) issued Accounting Standards Update No. 2014-09, Revenue from Contracts with Customers (Topic 606) for public business entities, certain not-for-profit entities, and certain employee benefit plans. It becomes effective for public entities for annual reporting periods beginning after December 15, 2017. In addition to changing things dramatically in the accounting and financial realms, this new revenue recognition standard may significantly impact the compliance profession, compliance programs and compliance practitioners going forward. In this episode, we consider how you should set your transaction price.

Matt Kelly and I have put together a five-part podcast series where we explore implications of this new revenue recognition standard. Each podcast is short, 11-13 minutes and deals with one topic on the new revenue recognition standard. The schedule for this week is:

Part 1: Introduction

Part 2: What is the logic of your transaction price?

Part 3: Shaking up software revenue recognition.

Part 4: Auditors need to pay attention.

Part 5: What does it all mean for compliance (and everyone else)?

FASB states that Step 3, determine the transaction price, is the amount of consideration to which an entity expects to be entitled in exchange for transferring promised goods or services to a customer, excluding amounts collected on behalf of third parties. To determine the transaction price, an entity should consider the effects of:

  1. Variable consideration - If the amount of consideration in a contract is variable, you must determine the amount to include in the transaction price by estimating either the expected value or the most likely amount.
  2. Constraining estimates of variable consideration - An entity should include in the transaction price some, or all, of an estimate of variable consideration only to the extent it is probable that a significant reversal in the amount of cumulative revenue recognized will not occur.
  3. The existence of a significant financing component - An entity should adjust the promised amount of consideration for the effects of the time value of money if the timing of the payments agreed upon by the parties to the contract provides the customer or the entity with a significant benefit of financing for the transfer of goods or services to the customer.
  4. Noncash consideration - If a customer promises consideration in a form other than cash, an entity should measure the noncash consideration at fair market value.
  5. Consideration payable to the customer - If an entity pays, or expects to pay, consideration to a customer in the form of cash or items, such as a credit, a coupon, or a voucher, that the customer can apply against amounts owed to the entity, the entity should account for the payment as a reduction of the transaction price or as a payment for a distinct good or service, or both.

Kelly noted all of this means judgment will become more important under the new revenue recognition standard. He said “People should be thinking about what that judgment means, who will be able to defend, precisely how your organization is defining the transaction price. That is something that your audit firm will want to look at and you should understand that the audit firms have more pressure to be more skeptical about judgments their clients make.”

One particular problem could be non-cash transactions or even consideration. He advised thinking “about the difference between cash and non-cash compensation for a deal. What if some of your payment for a transaction was in Bitcoin, the value of which is literally changing by the day right now. You could have a transaction that you agree to payment on the first of the month and some part of it might be conveyed in Bitcoin at the end of the month. However, the value of Bitcoin could change dramatically before the end of the month or the quarter.” Further, compensation can come in many forms, such as receipt of a patent from a joint venture partner, a travel voucher or really anything of value. It will create a requirement to accurately value them and implement that valuation.

An ancillary result will be that many non-accountants are going to find that they get pulled into conversations over revenue recognition that they probably have not had much experience with before. Lawyers and compliance practitioners, for instance, may well be a part of these conversations going forward. They typically have not been a part of the discussion to determine the transaction price in the past. That is really going to be the tricky part of defining what a transaction is under this new revenue recognition standard.

For the compliance practitioner, it is not simply being able to read a spreadsheet anymore. It is understanding the underlying basis of that spreadsheet and whether those underlying bases are defensible. Consider that in the FCPA and greater compliance realm, you may be required to justify the values assigned to either discounts, rebates or some other form of payment variance. In the overall context of an FCPA investigation, under the books and records provisions, a compliance professional may well have to take a much more detailed view of this to determine the transaction price when sitting down across the table from somebody at the DOJ.

Kelly concluded, “in the grand scheme what FASB wanted to achieve with this new revenue recognition standard was to bring more transparency to the logic of the economic action.” You will need to be able to justify where these numbers came from in relation to the business transactions companies are engaged in going forward. It is certainly going to be a very different world for some people.

I hope you will continue to join us for our exploration this week. Tomorrow in Part III, we will explore how this new revenue recognition standard will shake up the software industry.

Dec 11, 2017

How can you work to operationalize the Code of Conduct as articulated in the Department of Justice (DOJ) Evaluation of Corporate Compliance Programs? The Evaluation focuses not on whether a company has a paper compliance program but whether a company is actually doing compliance. A company does compliance by moving it into the functional business units as a part of an overall business process. That is what makes a compliance program effective at the business level. There are several different parts of the Evaluation that touch upon your Code of Conduct.

Prong 2, Senior Leadership and Middle Management, states the following:

Shared Commitment – What specific actions have senior leaders and other stakeholders (e.g., business and operational managers, Finance, Procurement, Legal, Human Resources) taken to demonstrate their commitment to compliance, including their remediation efforts? How is information shared among different components of the company?

The Code of Conduct process should involve these corporate disciplines. Your Code of Conduct should enshrine your company’s values. Those are set by senior management and their input and support for any Code of Conduct project, whether initial draft or update, is critical.

Prong 4, Policies and Procedures, states the following:

Designing Compliance Policies and Procedures – What has been the company’s process for designing and implementing new policies and procedures? Who has been involved in the design of policies and procedures? Have business units/divisions been consulted prior to rolling them out?

This question gets to the heart of operationalization and demonstrates how a Code of Conduct can work to meet the DOJ requirements. As an early part of your design and drafting process, you should assemble a cross-functional team. This is important for several reasons. First, diversity in your team will help produce a more well-rounded final product. Such team diversity will also assist in your benchmarking effort, since these are the people who will help you look at designs and perhaps help forge the design of the Code. Finally, you can use the group to help in the drafting, redrafting and editing process. This diversity will help you to answer all three of the DOJ questions from the Evaluation in a manner that supports operationalization.

This project team diversity will also help to operationalize your Code of Conduct after implementation. You will have various business unit members invested in your new or revised Code of Conduct. This ownership will help not only in your internal marketing but also demonstrate to your entire workforce the commitment to doing business ethically and in compliance.

Prong 6, Training and Communication, states:

Form/Content/Effectiveness of Training – Has the training been offered in the form and language appropriate for the intended audience? How has the company measured the effectiveness of the training?

There are several different types of training, including live, interactive and online training. But in addition to training, your Code of Conduct can form the basis of ongoing communications throughout the organization. Through a Code of Conduct, a company has acknowledged certain risks and it can communicate those risks through effective use of a Code of Conduct. It can also serve as a jumping off point for training and communications about more focused topics and discussions led by employees outside the compliance department.

You can measure the effectiveness of your training through a variety of mechanisms including knowledge assessments, culture surveys, focus groups, tracking your internal intranet training, reporting of trends and even hotline calls. These techniques can help to drive compliance into the very fabric of your company by operationalizing compliance. Another important consideration around effectiveness for training, and the text of the Code of Conduct, is translations, or as the DOJ stated, “Has the training been offered in the form and language appropriate for the intended audience?”

Three Key Takeaways

  1. What has been the role of senior management in the creation or update of your Code of Conduct?
  2. How have you worked with employees outside the compliance function to lay the groundwork for fully operationalizing your compliance program?
  3. How have you measured the effectiveness of your Code of Conduct training?


Dec 11, 2017

In May 2014, the Financial Accounting Standards Board (FASB) issued Accounting Standards Update No. 2014-09, Revenue from Contracts with Customers (Topic 606) for public business entities, certain not-for-profit entities, and certain employee benefit plans. It becomes effective for public entities for annual reporting periods beginning after December 15, 2017. In addition to changing things dramatically in the accounting and financial realms, this new revenue recognition standard may significantly impact the compliance profession, compliance programs and compliance practitioners going forward. In this episode, we provide an introduction to the new revenue recognition standard.

Matt Kelly and I have put together a five-part podcast series where we explore implications of this new revenue recognition standard. Each podcast is short, 11-13 minutes and deals with one topic on the new revenue recognition standard. The schedule for this week is:

Part 1: Introduction

Part 2: What is the logic of your transaction price?

Part 3: Shaking up software revenue recognition.

Part 4: Auditors need to pay attention.

Part 5: What does it all mean for compliance (and everyone else)?

This standard has been a long time in coming but the go-live date is here; it becomes effective on December 15, 2017. This means the financial reports your company will submit, which will come out sometime in February or March, will be under the new revenue recognition standard. Kelly noted that “upwards of 80 percent of filers in the United States have a year end of December 31 as their fiscal year end. For most companies, this new revenue recognition standard is here; you are going to have to start worrying about it now. You are going to have to start reporting under the new standard early in the spring.” While some companies, such as Google, General Motors and Microsoft, adopted the standard early, most will be doing so on the fly in Q1 2018.

The prior revenue recognition standard was rules-based, while this new revenue recognition standard is principles-based. This was done deliberately, as FASB is coordinating this rollout with how revenue is recognized in other parts of the world, specifically under International Financial Reporting Standards (IFRS), which are put forth by the International Accounting Standards Board. This was a joint effort to have one global approach to how companies recognize revenue, and the process involves a lot more judgment. Kelly noted, “The good news is that you can exercise a lot more judgment and if you have good judgment you can finesse things to be much more reflective of what's the economics of the deal.”

The new revenue recognition standard is really about a series of performance obligations: what a company is committing to do in delivering a good, delivering a service, or both. Next, has a company fulfilled those performance obligations? Finally, do these actions give that obligation to a company beyond the contract language? Kelly said, “It's a sweeping standard. The philosophy of when you have a transaction and when you do not, has changed. Different types of industries will be hit quite a bit by this new revenue recognition standard but others will not.”

Kelly said this use of more judgment than rules cuts both ways. “If your judgment is not sound or if your judgment could be called into question because you have not properly documented your logic and your chain of thought, your organization has opened itself to questioning your judgment much more than might have happened under the old standard. This means a key will be the logic in determining the transaction price.” In addition to the process aspect, there is the document, document, document process which should warm the heart of every compliance practitioner. As the prior revenue recognition standard was rules-based, “you went through all the contortions, you come to a number, that's the number.” Now, as Kelly noted, “it's down to this is our judgment and if our judgment is good and we can document it.”

Kelly also noted the Securities and Exchange Commission (SEC) has gone to great lengths over the past two years at least about this new revenue recognition standard, giving what he termed “gentle nudges and sometimes not gentle nudges to companies that you've got to get on board with this new revenue recognition standard.” The good thing is that while the SEC may well provide a few comment letters, as companies are reporting under the new revenue recognition standards, they will probably not sanction companies for reporting errors for some period of time. Kelly believes, “as long as you are actually trying to embrace the spirit of the new revenue recognition standard” the SEC will not sanction your organization. However, if an organization is “committing accounting fraud you are still going to get nailed.”

Kelly concluded by raising the very interesting question of whether the investor community is ready for this new revenue recognition standard. This may be truer for private equity companies investing in the tech space, as the rules around revenue recognition for software companies could be more greatly impacted than those for other organizations. (We will take up the new revenue recognition standards for software companies in Part 3.) The bottom line is that a wide variety of interests, in a multitude of organizations, will be impacted by this new revenue recognition standard, including the compliance profession.

I hope you will join us for our exploration this week. Tomorrow we will ask, and hopefully answer, the question: What is the logic of your transaction price?
