In this week which starts the 4th of July holiday weekend, Jay and I return for a wide-ranging discussion on some of the week’s top compliance related stories, including:
Yesterday I considered an article by Ryan Hubbs, entitled “10 Factors Leading to Reporting Mechanism Distrust”, in which he detailed 10 factors leading to hotline distrust. Today I want to pick up on that article with Hobbs' tips for building a trusted hotline reporting program and culture, talk about the SEC whistle blowing program, and conclude with a few thoughts on why experienced, invested counsel is so critical in these.
Organizations implement and maintain hotlines, trusted programs, hotline programs differently depending on their sizes, cultures, geography, and many other factors if they must decide if they'll construct such programs. Many organizations find benefit to taking it outside from the experience and expertise, the appearance of independence which can increase employee trust. A smaller organization may not be able to do so. Nevertheless, there are many competent companies that put on hotline services for small individuals.
What can you do to help build trust for your reporting system?
1. Training and awareness. Increased awareness of the program will help build employee's confidence around it, and organization should continually strive to help employees know that the hotline reporting system program works, why the organization believes in it, who operates it, and why it's a critical part of the culture of the company and the compliance ethos of the company. Organizations should include hotline frequently asked questions and answers for all employee new hires and supervisory training.
Next, is an assessment on whether the ethics and hotline policies, procedures, and technology are meeting the needs of the organization and the employees. Here let me emphasize technologies, because I earlier about a situation where an employee does not have access to a computer. What if the employees are out on a drilling rig? Would they have access to a cell phone, or could they report in that manner? Maybe not. They may have to use a computer. You must have the appropriate technology for your diverse workforce.
What about after the report is made? Are your internal investigations and resulting disciplinary actions consistent with the organization's desired culture of compliance? Here you need to make sure that the actions you have taken really are consistent because employees understand this and they will watch and see what happens. Are independent reviews conducted by internal audit or external professionals with ongoing oversight by an audit committee of the hotline and results? Finally, are complaints and resolutions disclosed to or discussed with external auditors? Are you bringing in outside experts to help you?
All of this is important because of Dodd-Frank and its creation of a Whistleblower program for securities violations, such as the Foreign Corrupt Practices Act (FCPA) for issuers. As of April, of 2017, the Securities and Exchange Commission (SEC) has made 43 whistle blowers awards of over $153 million to whistle blowers under the Whistleblower program established under Dodd-Frank. This is a direct result of failure of corporate hotlines. Any regulator will tell you that 95% of all employees attempted to report internally first and they were either rebuffed, they were retaliated against, or in some other way rejected. The amount of money, fines and penalties, paid out for ignoring whistle blowers, people who report anonymously, is significant.
Finally, as I end this one-month series, I would just like to re-emphasize the need for experienced investigative counsel for serious matters. Recently had a declination issued in the Linde Gas case by the Department of Justice (DOJ), and it really was clear that the counsel used by Linde in in addition to the decision self-disclose, was a critical factor in Linde getting the superior decision it did, which was a declination to prosecute. The investigation was a very difficult set of facts, very convoluted, very muddled up over many countries with shell companies, direct companies, and others. You really must have experienced investigative counsel for things that are outside the routine. Having an experienced, season and competent FCPA bar-lawyer who could both investigate it and negotiate with the government is very critical going forward.
Three Key Takeaways
Today I want to consider some factors which can lead to employees’ distrust of an internal reporting system. Ryan Hubbs wrote an excellent article entitled “10 Factors Leading to Reporting Mechanism Distrust”.
The guidance and mandates for companies on reporting mechanism reporting are numerous, overlapping and sometimes very broad. There are the US Sentencing Guidelines; regulations under Sarbanes-Oxley (SOX), the Dodd-Frank Act and the 2012 FCPA Guidance. There are international guidelines from the EU, US and London based stock exchanges and even the United Nations deems reporting mechanism reporting a necessary good business practice. Dodd-Frank attempted to strengthen accountability by specifically providing protections for those who come forward as whistle blowers but also allows regulators to respond to misconduct through finding some legal action. While the goal of whistleblowers and reporting mechanisms might be to identify and correct wrongdoing, they do not guarantee success and they do not even guarantee effective and trusting programs.
Trust is a primary factor as to whether an employee will come forward with a concern. Management might try a quick-fix reaction to a messy investigation with more reporting mechanisms, posters or asking a CEO to use compliance training to generally get the word out. Nevertheless, employees view it as a trust issue, and you must have that trust. If an employee chooses not to report and an outside source later discovers misconduct, the organization will certainly be subject to potential financial losses and reputational damage that could have been avoided. If the employee does report, but the culture of trust is lacking or they faced retaliation, up to and including termination, then you have a disgruntled employee who is most likely going to go to the Securities and Exchange Commission.
What are Hubbs’ 10 factors leading to distrust of internal reporting mechanisms? Number one is that employees do not understand the reporting mechanism system. Some the questions include, “who answers the reporting mechanism number? Will they know that I filed a reporting mechanism complaint if I do so anonymously? Will they tell my boss that I've reported a concern? Where does my complaint go and who reviews it?” Employee doubt and uncertainty can impede an employee's decision to report a concern. Transparency is also noted to aid in trust and the more likely an employee is to come forward.
Number two is inadequate reporting mechanism resources and poor reporting program design. Companies can demonstrate their commitment to a reporting mechanism by spending money on well-designed reporting mechanism programs and professionally trained, efficient responders and investigate, fully integrated case management systems and all necessary supported tools. Anything less, will engender employee mistrust.
Number three is the lack of personalization of employee concerns. Utilizing an internal reporting mechanism can be a very personal experience for an employee as the whistleblower might be a victim, the employee could well have witnessed significant wrongdoing. He or she may view using the reporting mechanism as simply taking a personal chance by coming forward and doing the right thing. This means that if an employee only hears a recorded message or an automated response; they may view the entire program as machine-like and indifferent. Having qualified and experienced compliance or investigative professionals who should follow a predesigned investigative protocol, should immediately follow up on reported concerns. Moreover, concerned employees need support and reassurance they have done the right thing and the organization will address their concerns and that they will be protected from retaliation. There should also be a strong written statement against retaliation.
Number four is the improper handling of whistleblower complaints and lack of training of investigators. The mishandling of complaints and poor training of reporting mechanism calls and investigations can cause reporting errors in which the company conducts an inadequate investigation and/or comes to the wrong conclusion. As noted above an investigative protocol coupled with skilled investigators early in the reporting process. Employees who experience mishandled complaints will almost certainly communicate their dissatisfaction with colleagues, and that can certainly destroy reporting mechanism morale.
Number five is the always dicey question of whether management is involved in the reporting mechanism. If local management gets involved early when they may be the problem, or complicit in allowing concerns to go forward or unaddressed. Local HR professionals might also appear to employees to be closely aligned with management, they also might be inadequately trained and show bias or favoritism. To ensure transparency and objectivity, often when it's effective to use a third-party administrator for your reporting mechanism. At the point when concern becomes part of an investigation, the organization can involve management, including internal audit, compliance, legal and HR, depending on the type of complaint.
Number six is too many reporting mechanisms. Your corporate reporting mechanism should be the primary entry point for all concerns regardless of who reports or how companies identify them. Unfortunately, companies also have avenues such as emails, web portals, writing and of course, in person. These can require companies to struggle to determine who owns the proactive and reactive assessments of reporting and responses. Many companies offer reporting mechanisms just beyond the centralized reporting mechanism, but you should have a professionalized, centralized, clearly articulated program that help streamline reporting, increase communication and awareness, and decrease confusion to help build trust.
Number seven is there is too much emphasis placed on reports which must be based solely on “credible complaints. Employees who file fictitious or malicious complaints against companies and colleagues defend pending terminations or to get others into trouble or retaliate for some perceived personal slight.” While some companies attempt to reduce meritless complaints by communicating that employees should only report credible or good-faith complaints, others might go a step further by saying employees could be subject to disciplinary action for filing complaints that are not found to be credible. However, these tactics may well deter employees from reporting any concerns.
Number eight are the twin obstacles of negative incidences and retaliation. If I have had one key theme throughout this series on reporting, and indeed, throughout this month of investigations, it is an absolute prohibition against retaliation. Companies must prevent retaliation. When an employee is mistreated for following the organization's reporting policy, the reporting mechanism can sustain severe damage to its credibility and viability as a safe and secure mechanism. The damage from mismanagement and reprisals is memorialized on the internet and court records or public documents can create a devastating silent, do-not-report culture. Companies must communicate they have a zero tolerance for retaliation and deal with any retaliation swiftly and publicly.
Number nine is the problem of inconsistent outcomes. Companies must demonstrate that consistent and fair outcomes are routine, regardless of people, relationships or scenarios. Employees will learn through the grapevine if the organization delivers fair, consistent discipline, regardless of how confidentially an organization hides such outcomes. Of course, if employees view outcomes as fair, they will be more compelled to report concerns. Employees know that inconsistency equals personal risk.
Finally, number 10 is the time worn adage that actions speak louder than words. Employees critique, judge and evaluate what an organization says about its reporting mechanism reporting program by what it does, rather than what it says. Does it follow policies and procedures as assigned? Does it really have a zero-tolerance policy on retaliation? Are outcomes consistent, fair and appropriate? Does it truly allow employees to report concerns anonymously?
Three Key Takeaways
The top compliance roundtable podcast is back with a wealth of new topics. Stayed tuned to the end where there are some heartfelt and somber rants in this edition.
For Matt Kelly’s posts on Uber and the intersection of policies and procedures, see the following:
For Mike Volkov’s post on blockchain and compliance, see the following:
For reading on blockchain and compliance, see the following:
Will Blockchain Transform Compliance? by Tom Fox
Blockchain Explained, by Zach Church in MIT Sloan Management Review.
For the Cordery Compliance client alert see the following:
For Jay Rosen’s posts see the following:
The members of the Everything Compliance panel include:
In an article entitled “How to Launch and Operate a Legally-Compliant International Workplace Report Channel” or in compliance parlance, a hotline, author Donald Dowling of the law firm of White and Case, provided a useful guide to help navigate the challenges of setting up a multi-national whistleblower’s hotline, such as is required under the FCPA and UK Bribery Act. The majority of his article “analyzes the six categories of laws that can restrict whistleblower hotlines abroad, focusing on compliance.” You should obtain a copy of this article and keep it for reference in regards to your company’s hotlines. It is available on the White and Case website, by clicking here.
This group of laws “comprises mandates that require setting up whistleblower hotlines in the first place.” This includes the US Sarbanes-Oxley (SOX) as well as other jurisdiction laws which generally protect whistleblowers from retaliation but do specifically require any hotlines be set up on a company wide basis. Dowling also found a couple of countries, Norway and Liberia, which require general receiving and processing of “public interest disclosures.”
This category of laws generally related to legal requirements for the reporting of illegal acts to government authorities in two ways. First, these laws encourage whistleblowing to government which then compete with employer hotlines by enticing internal whistleblowers to divert denunciations from company compliance experts and over to outside law enforcers who indict white collar criminals. This first approach is found in Dodd-Frank, which offers bounties. Second, these “laws that require (as opposed merely to encourage) government denunciations rarely except corporate hotline sponsors. These laws therefore force hotline sponsors to divulge hotline allegations over to law enforcement.” This second approach is found in SOX which “requires an employer to offer internal hotline procedures”.
This category is exemplified by European data protection laws which act to restrict companies’ freedom to launch and operate reporting programs. Dowling believes that these laws are based upon the fact that Europeans “see hotlines as threatening privacy rights of denounced targets and witness”. Also this would seem to be in response to the totalitarian past from the World War II era. The author identifies what he termed “the four biggest hurdles” set up to frustrate hotlines in EU jurisdiction. They are “(1) restrictions against hotlines accepting anonymous denunciations; (2) limits on the universe of proportionate infractions on which a hotline accepts denunciations; (3) limits on who can use a hotline and be denounced by hotline; and (4) hotline registration requirements.
This category will be familiar to US compliance practitioners through the applications of US laws such as SOX, Dodd-Frank and numerous state whistleblower statutes. Additionally, the author lists numerous foreign jurisdictions which have such laws. But here he believes that the key is communication because in many countries and foreign jurisdictions, there is no tradition of protection of persons who make reports against superiors so that an “employer needs to overcome worker fear of reprisal for whistleblowing.”
Typically laws on internal investigation do not impact hotlines because a hotline is a “pre-investigation tool.” However, the author believes that No. 4 above, communication by the employer is critical to complying with laws that enact procedural safeguards for persons under investigation. Heavy-handed communications about a hotline could blow back against employers in claims by employees that “an employer rigged the investigation process.” So companies should ensure that communications about hotlines do not convey an “overzealous approach to complaint processing and investigations.”
Here the author recognizes that the title of this category “is necessarily vague and determining which laws fall into it is difficult.” Nevertheless, he writes that the most “likely candidates are data protection laws silent on hotlines and labor laws imposing negotiation duties and work rules.” Regarding the former, the author argues that hotlines are not databases but conduits for the transmittal of information. He acknowledges that EU data privacy laws reject this distinction and treat hotlines as if they were databases where information is stored. He does not identify other jurisdictions which yet take this aggressive approach but he believes this may become a trend. The labor law issue is also tricky and may turn on the interpretation of whether the institution of a hotline is viewed as substantive change in working conditions under a union-management labor agreement and therefore subject to collective bargaining.
There are several key inquiries you should make for your hotline. What jurisdiction are you in and what is the binding law or laws which will govern you going forward. Must you confine your hotline reporting to specific topics or is it open to all issues? Can anonymous allegations be brought forward in the jurisdiction in question. Do you have a hotline staffed in-house or do you use an external third party vendor? Finally, must you disclose hotline data to government regulators?
Three Key Takeaways
In this episode, Matt Kelly and I take a deep dive, literally into the weeds of the convergence of the compliance profession and the nascent cannabis industry. While several states have made pot for medical use legal and one state, Colorado has made it legal for personal consumption, it is still illegal under federal law. We consider such questions as:
For more from Matt Kelly:
See his blog post Compliance, Careers and Cannabis Industry;
Hear Matt Kelly’s interview with Amy McDougal (yes Matt has his own podcast as well-the Radical Compliance podcast) by clicking here.
Is your hotline working for you? In an article entitled, entitled “Promoting Effective Us of the Compliance Hotline” José Tabuena provided an excellent example of the power of a hotline. He provide a case study of a company which had not integrated its IT function into its regular compliance and ethics training programs. As such there were zero calls into the hotline by employees from the IT department. This dynamic was changed and IT was integrated into the company’s regular compliance and ethics training. Thereafter, the hotline received several calls from IT department employees indicating where there were two major areas of complaints. The first general area was that there were conflicts of interests between IT department managers, family members who were hired and perceptions of favoritism. The second generally revolved around allegations that certain company managers were manipulating data to maximize their bonuses.
The Favoritism Problem
The Human Resources (HR) department led an investigation that included questioning all IT managers about their direct reports and employees of their unit. The company determined that there was only one instance of a manger hiring a family member (a brother-in-law), but that person did not report to the manager and was in a different section of the IT organization. This finding made clear that there were misperceptions in the IT department, which affected the department morale. To remedy this all IT managers received training on appropriate employment practices, communications were also delivered to all IT employees explaining policies and practices regarding the hiring of family members. Most satisfyingly, during follow-up with callers to the helpline, the callers stated that the work environment in the IT department had noticeably improved. They also expressed gratitude that their questions were answered and that their issues were addressed. The callers felt their concerns were taken seriously when they saw the communications on hiring practices and upon having discussions with managers during staff meetings. Staff retention started improving in the department.
Manipulation of Data for Bonuses
The company used the hotline to obtain more information from the callers on “isolating the metrics and the managers in question. It was determined that the bonuses of a select few IT managers were indeed influenced by a questionable data source, which was controlled by a non-manager with minimal oversight and controls. Following interviews with key individuals and review of the data file (including forensic analysis), it was determined that one IT manager had misrepresented information provided to the staff person maintaining the data. Notably, this staff person also reported to this manager. As a result, the IT manager's bonus compensation was inflated. He was subsequently terminated.
Basic Tenets of an Effective Hotline
This case study provided three key tenets of an effective internal reporting system.
This case study demonstrates the power of a hotline. The company’s Compliance Department “established the credibility of the helpline as a resource to raise issues and report misconduct. The concerns regarding nepotism and conflicts of interest were taken seriously, and although the violations were not as widespread as the calls indicated, the review went a long way to clear the air.” Equally important, the helpline proved to be a successful management tool as well. The company was able to manage potential compliance issues and improve employee morale.
Three Key Takeaways
In this episode, I visit with Steven Durham, a partner in the law firm of Labaton Sucharow. The firm is one of the leaders in the SEC Whistleblower practice. Durham describes his background and how he got to the firm. He relates the Whistleblower Practice at Labaton, what is your role and how Jordan Thomas worked to create the firm’s whistleblower practice after leaving the SEC. He then relates what the SEC Whistleblower program is and how has it worked to pay out over $150MM in bounties through this spring. Durham then discusses how the SEC Whistleblower office facilitates the SEC’s mission to protect investors, why whistleblowing benefits society and corporate America and how firms like Labaton assist the SEC in its practice. We conclude with a discussion of where Durham sees SEC Whistleblower program going under the Trump Administration.
For more information on Steven Durham, the law firm of Labaton Sucharow and its whistleblower practice, check out the firm’s website by clicking here.
Today I would like to review some best practices regarding a compliance hotline.
Like other risk management issues, hotlines must also be managed effectively after implementation and roll-out. Here are some practical tips which will help you make your hotline an effective and useful tool.
Get the word out. If employees do not know about the hotline, they will not use it. Allocate a portion of your time and budget to promoting the corporate hotline through multiple channels. Put up posters and distribute cards that employees can keep in their wallets or desk drawers. Deliver in-person presentations where possible. And do not think of the promotional initiative as a one-time effort. It is important to remind employees regularly, through in-person communications, via e-mail, or through intranets, newsletters, and so on, that this resource is available to them. Some hotlines offer promotional materials to help make the job easier; make sure you ask what type of promotional support may be available.
Train all your employees. Getting employees to use the system is one half of the challenge; ensuring they use it properly is the other half. This is where training becomes essential. Make sure people understand what types of activities or observations are appropriate for reporting and which are not. HR and compliance staff will need training too, to help them understand how the hotline impacts their day-to-day activities. Company leaders also need to understand the role the hotline plays in the organizational culture, and the importance of their visible support for this compliance initiative.
Take a look at the data. Use the data derived from or through the hotline to identify unexpected trends or issues. Examples might be what percentage of employees use the hotline and what issues are they submitting? A healthy hotline reporting system will yield reports from .5 to 2 percent of your employee base. If your reporting patterns are higher or lower, it may indicate mistrust of the hotline, misuse, or a widespread compliance issue. Isolate the data by location and department to identify micro-trends that could indicate problems within a subset of your corporate culture. Analyzing the data can help you stay a step ahead of emerging issues.
Response is critical to fairness in the system. Seeing a hotline system in action in this way can go a long way toward dispelling employee fears of being ostracized or experiencing retaliation because if they see that their concerns are heard clearly and addressed fairly, they will learn to view the hotline as a valuable conduit. If your compliance group responds promptly and appropriately to hotline complaints, you can ensure robust participation and ongoing success. Even when a complaint proves to be unfounded, it can still provide an opportunity to open a dialogue with employees and clear up any misunderstandings. Responding to reported issues also gives compliance officers a chance to prove that issues can be resolved or addressed while protecting the privacy and anonymity of the whistleblower.
Three Key Takeaways
In this episode, I visit with James Gellert, CEO of RapidRatings, a company which uses a financial dialogue to determine third party supplier health and viability. Gellert explains what supply chain resilience is and how can examining financial health of your suppliers can lead to a more financially efficient supply chain. We then discuss the company’s third party risk management tools. We consider how a company might evaluate a potential purchaser, partner or someone buying a part of a business. Finally we have a lengthy discussion of how a corporate compliance function use the health of a third party as a tool to determine third party compliance risk?
For more information on RapidRatings, check out their website by clicking here.
After last week’s guest announcers, Jay and I return for a wide-ranging discussion on some of the week’s top compliance related stories, including:
Who to suspend during any Foreign Corrupt Practices Act (FCPA) investigation is always a delicate question to answer. Unfortunately there is never an easy answer. As the Volkswagen (VW) emission-testing scandal continues to reverberate, it continues to bring up some very knotty questions, which have bedeviled the Chief Compliance Officer (CCO) or compliance practitioner in many areas. Today there is an example around internal investigations.
In an article in the Wall Street Journal (WSJ) entitled “Scope of VW Suspensions Grows”, William Boston reported on the ongoing internal investigation by the company’s outside counsel Jones Day. Boston noted that VW had “suspended a larger number of engineers than previously acknowledged, following a recommendation from the law firm conducting” the investigation. The article went on to state, “Jones Day urged suspension of anyone who could have been involved in the scam - from high level decision makers to ordinary engineers – to prevent possible perpetrators from tampering with the evidence”.
This final statement emphasizes a key consideration in a FCPA investigation, which is to tie down the evidence. Former Arnold & White partner Mara Senn has said that “probably from the government's perspective, the most important aspect of setting up an investigation in a way that makes them feel comfortable, is ensuring that all data is locked down.” However, if you are worried about evidence tampering you may have a bigger problem on your hands.
Pointing up the difficulties in making such a blanket sweep an un-named source, who provided this information to Boston, was quoted in the WSJ piece as saying “We had to suspend everyone in this area to get them out of the way of this process. This is necessary for the investigation, but it’s really hard for us because we are now missing their professional knowledge and experience.”
This issue brings up another point that Senn has discussed, around when to suspend or discipline an employee during an internal investigation. Senn related, “That is a very case-by-case difficult question to answer, but in general, I think it’s better to keep them around for as long as you may need them. Once they’ve been fired or otherwise disciplined, really, even if you keep them around, they’re going to be less cooperative with you and possibly, if you fire them, not cooperative at all. You can require them to be cooperative in the termination agreement, but obviously in practice, cooperation can mean a lot of different things.”
In view of the Schrems decision by the European Court of Justice (ECJ), I also wonder how the investigation will fair with the German based employees? Obviously there will be data that in the US would be deemed company-owned but in Europe it may well be private to the employee being investigated. This problem became even greater with the recent decision by Privacy Regulators from 28 EU nations that backed the ECJ’s Schrems decision that invalidated the Safe Harbor regime. As reported by Jo Sherman in the FCPA Blog, “that closed the legal pipeline by which data has flowed freely from the EU to the U.S. for the last 15 years. The rationale for the court decision and the subsequent backing of the EU Data Protection Authorities is that the surveillance powers of the U.S. government are considered to be too excessive and disproportionate, and can override the data protections for EU citizens under the Safe Harbor framework.”
Lanny Breuer, the former number two at the Department of Justice (DOJ) and now a partner at Covington and Burling LLP, raised an interesting concern in the context of the Justice Department’s FCPA Pilot Program. It is around what Breuer terms “de-confliction”. This involves the government asking a company to halt its own investigation for the government to be the first to interview witnesses. At the FCPA Blog Conference, Breuer said that if “de-confliction” is required as cooperation to gain the benefits of the pilot program, such a request from the DOJ would be “an extraordinary request, in my view” because it “could lead companies to be unable to disclose to other agencies or to shareholders, and it could keep a board in the dark about the alleged wrongdoing.” Breuer added, “In general, publicly traded companies can’t just stand down from doing an investigation when such an allegation comes in.” He also commented that “he’d been asked to do so a couple of times.”
Breuer raised four questions during his presentation which every investigator must consider in the area of de-confliction. (1) Would complying with the request be consistent with directors’ and corporate officers’ fiduciary duty of oversight?; (2) How can a company make decisions without speaking with its employees?; (3) How will a delay affect the company’s other regulatory obligations?; and (4) How can external counsel advise a company without knowing the facts? Companies hire external counsel to conduct thorough investigations, evaluate their clients’ conduct, and provide informed legal advice. These tasks can be difficult if not impossible to accomplish where external counsel have their hands tied behind their backs.
Clearly the DOJ could have a broader remit or be involved with other ongoing investigations where they might make such requests. However, such ‘de-confliction’ could stop a company from engaging in a root cause analysis or even robust investigation. At the same conference, an earlier panelist, Gerald Kral, the Chief Ethics and & Compliance Officer (CECO) of Brown-Forman, said on his panel that his company did an extensive root cause analysis of every claim or incident so it can not only understand what happened but put sufficient risk management protections in place to try and make sure it does not happen again.
Three Key Takeaways
Prior to the Schrems decision by the European Court of Justice, US based law firms could rely on Safe Harbor to use and analyze information from investigations conducted in Europe. However the Schrems decision and subsequent EU privacy rulings and regulations have brought the entire issue around internal investigations into question.
In a podcast interview with UK solicitor and data privacy expert Jonathan Armstrong about the decision, Armstrong noted that the decision puts real roadblocks in the path of a US company that could be investigating potential anti-corruption allegations in the UK or EU member country. The biggest issue would be around personal privacy and information. Unlike the US, work emails are covered by the privacy rights afforded to individuals and are not the property of the company. The same is true of other information. Under the Schrems decision, the ability of a US corporation to access that information and then take it back to the US under the safe harbor provision is no longer available.
I asked Armstrong how a company might be able to move forward and internally investigate potential FCPA violations. Armstrong suggested that that the only way at this point was to obtain the consent of the person being investigated. However the obtaining of such consent raises a host of other problems. He said, “Can I really get consent in an internal investigation? Can I go along, speak to my Austrian agent and say, “Peter, I just need you to sign this form to transfer your data to the US”? Now, for consent to be valid the European legislation it has to be fully explained, it has to be honest, it can't be deceptive. I’ve got to say to him, “I want you to sign this form because I want to investigate you. I want to run a full FCPA investigation; you’re the prime suspect. I want to take a look at your emails and I have to inform you that by the way, you have the right not to consent and if you don’t consent there’s no way I can investigate you. Could you sign the form, please?”” As Armstrong went on to note, “What answer is he likely to give in an internal investigation and how would the US authorities feel if I go and tip off the main suspect that he’s under investigation?”
With these two key components of any best practices compliance program, hotlines and internal investigations, seemingly now unavailable to CCOs or compliance practitioners for EU sourced information; I believe there will be additional pressure put on the compliance function. Obviously any US company with EU based operations will have to take steps immediately to ring fence such data originating in Europe. It may also mean that any inquiries will need to be headed by locally based compliance practitioners.
Moreover, if you couple this ruling in the Schrems decision with the Yates Memo, you immediately see the issue involved for any company which is seeking cooperation credit because such company is required to turn over any and all information to the Department of Justice (DOJ) as soon as possible. But now, even if companies can still develop facts and data through internal investigations, in the manner suggested by Pirrotta in using local law firms, you might not be able to get the information back to the US to use.
Worse yet, is the option laid out by Armstrong to obtain consent from an investigation target? Not only do I find it very improbable that anyone, European or otherwise, would give such a consent but in the unlikely event such consent is given, you have told the target, they are the target and other data sources might well begin to disappear. Armstrong put it starkly when he said, “you’re going to get no sympathy from the bribery prosecutors, bribery regulators if you mess this up. The SFO [Serious Fraud Office] have already lost the case, allegedly, on the way in which the US firm involved conducted the investigation. They will have, rightly I think, no sympathy at all for people whose investigations are themselves conducted unlawfully. It’s going to need a lot of careful thought to structure data transfers, even to structure interviews. How do you move those interview notes about, how do you look at emails, all of this stuff is going to be absolutely critical not only so that you don’t break data privacy data protection laws, but also tipping off witness, you know, interfering with the scene of an investigation, et cetera, et cetera. All of these things are critical.”
How does the Schrems decision contribute to compliance at the tipping point? If you can use two of the key components in a best practices compliance program; based upon the DOJ/Securities and Exchange Commission (SEC) Ten Hallmarks of an Effective Compliance Program or another standard; it will put significant pressure on other parts of the program. A compliance program will have to be structured more rigorously to prevent FCPA violations through the use of internal controls and transaction monitoring tools. CCOs and compliance practitioners will also have to be more involved and have more visibility into the entire lifecycle of transactions so they can determine how to begin to move from even prevention to proscription of any FCPA violations.
Just as the compliance world changed with the announcement of the Yates Memo, the DOJ Compliance Counsel and the VW emissions-testing scandal; the Schrems decision will change the need for a more robust compliance program going forward to help protect a company.
Three Key Takeaways
On June 16, 2017, the Department of Justice (DOJ) issued a Declination to Linde North American Inc. and Linde Gas North America LLC (collectively “Linde”). This is the first Declination issued by the DOJ in the era of the Trump Administration. For that reason alone, it was instructive and should be studied by the compliance profession. However, the case presented several interesting factors which merit consideration so we are discussing in depth to present lessons to be learned for the Chief Compliance Officer (CCO) or compliance practitioner.
The Bribery Scheme
Linde acquired Spectra Gases, Inc. (Spectra Gases) in October 2006. In November 2006, it purchased certain assets from the National High Technology Center (NHTC) of the Republic of Georgia. One of the keys to this purchase was a piece of equipment called the ““boron column,” which were used to produce boron gas.” Sales of boron gas after the acquisition helped fund the purchase price and payout to Spectra executives who stayed on after Linde purchased Spectra Gases.
Unfortunately, the three Spectra executives who stayed on were in cahoots with corrupt offices from the NHTC who made the sales agreement with Linde. Part of the Earn-Out by the former Spectra (now Linde) officials was paid to these corrupt government officials, both directly and through certain third parties. But the funding scheme to pay the bribes was quite creative and demonstrates once again to the compliance practitioner the myriad ways in which funds can be generated to pay bribes.
For reasons not made clear, Linde did not purchase the boron column outright but allowed the former Spectra executives and the corrupt NHTC officials to form two new entities to own and operate the boron column, Spectra Investors LLC (Spectra Investors) and Spectra Gases Georgia, which was wholly owned by Spectra Investors. Spectra Investors was owned 51% by the corrupt NHT officials and 49% by the Spectra Gases executives who now worked for Linde. Spectra Gases Georgia was formed as a separate management company, by the NHTC officials, which was claimed to provide services to Spectra Investors for which it would receive recompense. Of course, there was no evidence of services being delivered under this arrangement as it was simply a mechanism to funnel monies to the corrupt officials.
As a result of the ownership structure of Spectra Investors, with 51% being owned by corrupt NHTC officials and the management services contract, the corrupt NHTC officials received “approximately 75% of the profits generated by the boron column” while Spectra Gases received 25% of the profits. Clearly even with bribery and corruption, it was a bad business deal. In January 2010, Linde dissolved Spectra Gases and became its successor-in-interest and at some point later discovered the illegal conduct. Prior to the time of the dissolution, Spectra Gases had “received approximately $6,390,000”. After Linde became the direct owner, it “received approximately $1,430,000 as a result of the corrupt” actions.
While there is a dearth of fact about how the matter came to the attention of Linde and when it disclosed the matter to the DOJ, the decision to decline to prosecute was based on the following factors: (1) Linde’s timely self-disclosure; (2) a “thorough, comprehensive and proactive investigation” [emphasis supplied]; (3) Linde’s full cooperation and meeting the Yates Memo requirement for disclosing all known relevant facts about the “individuals involved in or responsible for the misconduct”; (4) full profit disgorgement; (5) Linde’s enhancement of its compliance program and internal controls; and (6) Linde’s full remediation, including termination or discipline of the three Spectra executives and lower-level employees involved in the misconduct; termination of the fraudulent management contract between the corrupt NHTC officials and Spectra Investors and termination of the Earn-Out payment due to the former Spectra executives who became Linde employees. The company also made the following payments.
This was yet another Foreign Corrupt Practices Act (FCPA) action where a company performed insufficient due diligence in the acquisition phase. The timing of the Linde purchase of Spectra Gases and Spectra Gases’ purchase of the income producing assets is too close in time to be a coincidence. It would certainly appear that Linde purchased Spectra Gases to facilitate its acquisition of the boron column and other assets. If your company is going to make such a multi-step acquisition, you must perform due diligence on all the actors and the assets involved.
The Byzantine corporate structure created for the ownership of the boron column, its operation and management contract are clear red flags that any CCO should sniff out immediately. While I am sure the internal corporate excuse for this clear ruse was the ubiquitous ‘tax considerations’; every such transaction should be reviewed by compliance as well. Anytime there is more than one entity to accomplish one task, there is the possibility of fraud present. Further, it is not clear how Linde could not have been aware of the ownership interests of a company which it ultimately controlled. It would seem that the company did not even make any inquiry.
Even in 2006, the Republic of Georgia’s reputation for bribery and corruption was quite high. The 2006 Transparency International-Corrupt Perceptions Index (TI-CPI) listed Georgia at 99 out of 176 countries listed so that alone warranted red flag scrutiny. If you are purchasing an entity in a country with such well known affinity for corruption, extra care is warranted. Perhaps back in 2006, Linde did not view the FCPA as something which it would deal with in such a situation.
Yet even with all the apparent miss-steps and non-steps of compliance, the company was able to secure a declination from the DOJ. While there may be some additional penalties or sanctions by the Securities and Exchange Commission (SEC) for the failures of internal controls, the result obtained by Linde was certainly a superior result. The company would seem to have met the four pillars under the FCPA Pilot Program through (a) self-disclosure, (b) extraordinary cooperation, (3) full remediation, and (d) profit disgorgement. Interestingly, the profit disgorgement in this case would appear to have been beyond the five year of limitations for profit disgorgement under the recent Supreme Court decision in Kokesh. If there is a FCPA enforcement action brought by the SEC perhaps additional facts will be recited in any resolution documents.
Nevertheless, kudos are due to Linde and its counsel for obtaining this declination. Every CCO should study it for both the superior result received and underlying facts to see if you face anything similar in the Republic of Georgia or elsewhere.
For a full copy of the Linde Declination, click here.
The concept of privilege in an internal investigation is critical. Two important privileges are the attorney/client privilege and the work product privilege. Unfortunately both are often miss-understood, miss-applied and consequently lost.
One such recent example of the miss-application of the attorney/client privilege was in the trial of former PetroTiger co-Chief Executive Officer (co-CEO) Joel Sigelman has brought the issue of the parameters of the attorney/client privilege yet again. As part of its undercover operation the FBI wired up the then PetroTiger General Counsel (GC), Gregory Weisman, and instructed him to go meet with Sigelman to discuss the payments by the company to the wife of an official of the Columbian state owned energy company Ecopetrol.
Sigelman’s counsel sought to have the video and audio recordings of this meeting suppressed based upon the attorney-client privilege that generally protects open communications between lawyer’s and their clients, where legal advice is sought by the client. To determine whether Sigelman has a valid claim, it is encumbent to understand the parameters of the attorney/client privilege. In an article, entitled “The Evolving Attorney-Client Privilege: Business Entities”, David E. Keltner wrote that under US federal law, the attorney/client applies when the following are present:
The significance of meeting each of these five prongs is critical. If they are met, “Absent privilege, once the attorney-client privilege is properly invoked – the privilege is absolute.” However the failure to meet Prong 1 is what doomed former co-CEO Sigelman’s efforts; as he was not seeking legal advice. It was former GC Weisman who flew to Sigelman’s home to confront him over the fact that the FBI had come to his house asking questions about the payments made in Columbia. Finally, it is important to note that the attorney/client privilege belongs to the corporation and not to any one individual.
The attorney/client privilege can be waived. While there is a general recognition that “only an authorized agent of a corporation may waive the privilege of the corporation” Keltner advises that the “most frequently encountered instances of losing the privilege through selective disclosure” are in responding to a government investigation; supplying information to a government agency; information disclosed in certain Securities and Exchange Commission (SEC) filings or other required financial disclosures; in certain circumstances disclosures to external corporate auditors or accounting responses; any disclosure made to a third party not affiliated with a lawyer; and insurance disclosures.
How should we apply the above to the situation faced by former co-CEO Sigelman? Was he simply meeting with his lawyer or was he seeking legal advice? As reported by Joel Schectman in the Wall Street Journal (WSJ), in an article entitled “Secret Informant Recordings to be Allowed in PetroTiger Case”, the trial court distinguished between having an attorney/client relationship from the attorney/client privilege. Schectman reported, “a judge in U.S. District Court in Camden said last week that merely having an attorney-client relationship isn’t enough to make all conversations privileged–a client needs to be actively seeking legal advice. “I cannot find a shred of indication that Weisman is there with the intention of giving legal advice to Sigelman,” Judge Joseph Irenas said, “or the converse, that Sigelman was seeking legal advice from Weisman.””
Interestingly the trial court did not opine on the question on who was the client in this situation. My experience is that most CEO-types think of a GC as their personal lawyer. That view is also misplaced as a GC works for a company and the client is the corporation. While he did not have to reach the question of who was the client in the Sigelman/Weisman meeting, the trial court might well have allowed the current corporate owners of PetroTiger to waive any privilege asserted by a former co-CEO. Schectman quoted G. Derek Andreson, a lawyer specializing in the Foreign Corrupt Practices Act, that “Attorney client privilege is often misinterpreted as broader than it is.”
Did the FBI take advantage of some special type of relationship between Sigelman and Weisman? As reported in the article, in his brief attempting to suppress the evidence, Sigelman’s counsel said, ““Messrs. Sigelman and Weisman had a “long standing attorney-client relationship, one that fostered candor and trust between them–as any good attorney-client relationship should. The government took advantage of this trust.”” Such would seem to be the nature of wiring up cooperating witnesses; if they cannot engender trust with those they are speaking to and surreptitiously taping; it would seem they are of little use to authorities.
For the attorney/client privilege to be of use to you, certain hard work must be done to establish the attorney/client privilege in the corporate context. The five prongs listed by Keltner must be fulfilled for the privilege to apply. Simply having a chat with your lawyer or even the company’s lawyer will not invoke the privilege or protect you.
In addition to the attorney/client privilege there is another privilege which can come into play around internal investigations. It is the attorney/work product privilege. Keltner noted, “The attorney-client privilege and the attorney work-product doctrine are often asserted interchangeably. While there is some overlap between the two, the attorney-client privilege is significantly different than the attorney work-product doctrine.” Moreover as “codified in Fed R.Civ. P. 26(b)(3), [the attorney/work product] provides a qualified protection to materials prepared by party’s counsel or other representative in the anticipation of litigation.” The doctrine exists “because it permits lawyers to “work with a certain degree of privacy, free from unnecessary intrusion by opposing parties . . .”
The key is that it be prepared in anticipation of litigation Unlike the attorney-client privilege which belongs to a client, work-product immunity may be asserted either by the lawyer or the client. While the attorney-client privilege is included in the Rules of Evidence, the work-product doctrine is included in the Rules of Civil Procedure in the series relating to discovery. This makes it problematic to assert in the context of a criminal investigation.
For in-house lawyers in the UK or EU countries however, there is no such work product privilege. Two recent examples brought up this key difference in US and UK and EU legal systems. First was the raid by German prosecutors of Volkswagen’s outside counsel, Jones Day’s offices for information surrounding the law firm’s investigation relating to the company’s emissions-testing scandal. The raid was based on a court issued subpoena.
The second is the recent judicial decision out of the UK, involving Eurasian Natural Resources Corp. (ENRC). The UK’s highest court held the company must produce to the UK's Serious Fraud Office (SFO) documents the company claimed were privileged, including attorneys' notes of employee interviews conducted during the company's internal investigation. The SFO sought the documents as part of its criminal investigation into allegations of fraud, bribery, and corruption. The court largely rejected ENRC's claims of the work product privilege, holding that it does not apply when a document is not prepared for the sole or dominant purpose of conducting adversarial litigation. ENRC was required to produce the bulk of the contested documents because the investigation was a fact-finding exercise.
Three Key Takeaways
In this episode, James Koukios, a partner at Morrison & Foerster returns to discuss the firm's newsletter Top Ten International Anti-Corruption Developments for April 2017. In this episode we highlight the three following matters for discussion and what lessons can be garnered from them.
World Bank Veteran to Change Positions.The World Bank announced that Pascale Helene Dubois would become the new head of the World Bank Group’s Integrity Vice Presidency, known as INT. The INT is an independent unit within the World Bank Group that investigates and pursues sanctions related to allegations of fraud and corruption in World Bank Group‑financed projects. Dubois is well known in the anti-corruption community and has long been a thought leader in this space. In her current post, she has worked to increase transparency and due process at the World Bank generally and in the Office of Suspension and Debarment specifically. Koukios relates how Dubois’s work and that of INT has helped foster greater cooperation between the World Bank and law enforcement agencies around the world.
Engineering Firm and Its Executive Debarred by World Bank for Bribery in Southeast Asia.
In April the World Bank Group announced the debarment of Denmark-based Consia Consultants ApS and its managing director. According to the World Bank, INT’s investigation revealed evidence that the company made payments to officials to influence contract awards in connection with the World Bank-financed Strategic Road Infrastructure Project in Indonesia. The World Bank stated that the company further failed to disclose its agreement and commissions paid to its agent in connection with the project and misrepresented the availability of key staff it has claimed would be assisting with the execution of its technical assistance contract under the project. The World Bank also said it found evidence that the company made corrupt payments in Vietnam in connection with the Hanoi Urban Transport Development Project, in addition to fraudulent misconduct relating to the Second Northern Mountain Poverty Reduction Project. The World Bank debarred the company for 14 years and its managing director for 3.5 years.
Former Diplomat Pleads Guilty to FCPA Charges in United Nations Bribery Case, While Judge Denies Motion to Dismiss FCPA Charges against Another Defendant.
On April 28, 2017, Francis Lorenzo, a former deputy ambassador from the Dominican Republic, pleaded guilty in the Southern District of New York to conspiring to violate the FCPA and to pay and receive bribes and gratuities in a bribery scheme allegedly involving Ng Lap Seng, a Chinese national and real estate developer accused of bribing former U.N. General Assembly President John Ashe. Lorenzo pleaded guilty to related charges in 2016 and is expected to testify against Seng at trial, currently set to begin May 30, 2017. Two days before Lorenzo’s guilty plea, on April 26, 2017, Southern District of New York Judge Vernon S. Broderick denied Seng’s motion to dismiss FCPA and related charges against him, finding that the superseding indictment sufficiently presented the essential facts underlying the charges and that the prosecution had made sufficient disclosures concerning the nature of the charged offenses by other means, including through the various complaints filed in the case, extensive discovery, agent affidavits, and a written response to Seng’s letter request for a bill of particulars.
To read a full copy of the firm's newsletter, click here.
In this episode, I visit with Roy Snell about his recent announcement that he is stepping down as head of the SCCE. We review the current state of the SCCE and how the Roy has seen the compliance evolve from its start after the 1992 US Sentencing Guidelines. We discuss where Roy sees compliance going in the next several years and where the SCCE may go to support the profession.
This announcement comes when the SCCE has grown to 50 staff members and one of the has one of the strongest boards in the professional association world. the SCCE has a strong footprint in the US and is a material player internationally with 17,500 members in 95 countries. It has a great reputation and its success to date has been quite remarkable.
The call for applications will close on August 20th 2017. A detailed job description and position summary are available at http://www.corporatecompliance.org/CEO. SCCE plans to complete the interview and selection process in the Fall of 2017 and onboard a Deputy CEO in early 2018. The Deputy CEO will likely assume the role of the CEO sometime in 2019. Roy will stay on with the organization for roughly one year to work on special projects. To be considered for the CEO of SCCE and HCCA, please fill out the questionnaire with return instructions available at: http://www.corporatecompliance.org/CEO.
Day 14-Miranda and Internal Investigations: What Rights Does an
Must an investigator warn an employee that concealing information from company lawyers conducting an internal FCPA investigation could be a federal crime? Even if the company attorneys handling the investigation provided the now standard corporate attorney Upjohn warnings, does a company attorney asking questions morph into a de facto federal agent during an internal company investigation regarding alleged FCPA violations and is the attorney thereby required to provide a Miranda warning to employees during a FCPA investigation?
In a recently released paper entitled “Navigating Potential Pitfalls in Conducting Internal Investigations: Upjohn Warnings, “Corporate Miranda,” and Beyond” Craig Margolis and Lindsey Vaala, of the law firm Vinson & Elkins, explored the pitfalls faced by counsel, both in-house and outside investigative, and corporations when an employee admits to wrong doing during an internal investigation, where such conduct is reported to the US Government and the employee is thereafter prosecuted criminally under a law such as the FCPA. Margolis and Vaala also reviewed the case law regarding the Upjohn warnings which should be given to employees during an internal FCPA investigation.
Employees who are subject to being interviewed or otherwise required to cooperate in an internal investigation may find themselves on the sharp horns of a dilemma requiring either (1) cooperating with the internal investigation or (2) losing their jobs for failure to cooperate by providing documents, testimony or other evidence. Many US businesses mandate full employee cooperation with internal investigations or those handled by outside counsel on behalf of a corporation. These requirements can exert a coercive force, “often inducing employees to act contrary to their personal legal interests in favor of candidly disclosing wrongdoing to corporate counsel.” Moreover, such a corporate policy may permit a company to claim to the US government a spirit of cooperation in the hopes of avoiding prosecution in “addition to increasing the chances of earning meaningful credit under the US Sentencing Guidelines or the FCPA Pilot Program.
Where the US Government compels such testimony, through the mechanism of inducing a corporation to coerce its employees into cooperating with an internal investigation, by threatening job loss or other economic penalty, the in-house counsel’s actions may raise Fifth Amendment due process and voluntariness concerns because the underlying compulsion was brought on by a state actor, namely the US Government. Margolis and Vaala note that by utilizing corporate counsel and pressuring corporations to cooperate, the US Government is sometimes able to achieve indirectly what it would not be able to achieve on its own – inducing employees to waive their Fifth Amendment right against self-incrimination and minimizing the effectiveness of defense counsel’s assistance.
So what are the pitfalls if private counsel compels such testimony and it is used against an employee in a criminal proceeding under the FCPA? Margolis and Vaala point out that the investigative counsel, whether corporate or outside counsel, could face state bar disciplinary proceedings. A corporation could face disqualification of its counsel and the disqualified counsel’s investigative results. For all of these reasons, we feel that the FCPA Blog summed it up best when it noted, “the moment a company launches an internal investigation, its key employees -- whether they're scheduled for an interview or not -- should be warned about the "federal" consequences of destroying or hiding evidence. With up to 20 years in jail at stake, that seems like a small thing to do for the people in the company.”
Let’s keep on skipping down the lane and see where we go. What if the company gets its investigation wrong and wrongfully identifies an employee? At least in a few states, a wronged employee can sue for defamation. Yet not in Texas and a recent Texas civil case demonstrates why companies and internal investigators need to be aware of local laws, regulations and requirements.
The Texas Supreme Court in Shell Oil Co. v. Writt, held that an internal investigation report Shell provided to the U.S. Department of Justice about potential FCPA violations is “absolutely privileged” in a defamation proceeding and cannot be used to form the basis of a defamation claim.
Writt had alleged that Shell defamed his character when the company "voluntarily” reported to the DOJ on the findings of an internal investigation the company conducted into its relationship with Panalpina -- an investigation that culminated in the company’s 2010 FCPA settlement with U.S. enforcement authorities. Writt claimed that Shell’s internal investigation report falsely implicated him in the payment of bribes and accused him of providing inconsistent statements during multiple interviews conducted in the course of the investigation.
The trial court initially granted summary judgment in favor of Shell, dismissing Writt’s suit on the basis that Shell enjoyed an "absolute privilege" to make statements to the DOJ regarding its internal investigation. The Texas Court of Appeals overturned this decision, refusing to characterize a “voluntary” pre-prosecution internal FCPA investigation as a judicial proceeding. Instead, the Court of Appeals held that Shell was only entitled to qualified privilege, under which a speaker can still be liable for defamation if the speaker "knows the matter to be false or does not act for the purpose of protecting the interest for which the privilege exists."
The Texas Supreme Court held “at all relevant times” Shell had been the target of a DOJ FCPA investigation and asserted that this investigation, which eventually resulted in a criminal settlement with Shell, satisfied the standard that “the possibility of a proceeding must have been a serious consideration at the time the communication was made.”
The Supreme Court also highlighted “the DOJ’s leverage over Shell vis-à-vis the FCPA and its somewhat draconian penalties…,” which “compelled [Shell] to undertake its internal investigation and report its findings to the DOJ.” The court specifically pointed to the dramatic increase of FCPA enforcement actions before mid-2007 when the DOJ notified Shell of its investigation, noting that “businesses that chose not to cooperate were subject to substantially greater punishments….”
At a time when the DOJ and SEC have become increasingly vocal in calling for companies under investigation to secure and provide evidence of individual culpability, a decision that did not provide Shell with absolute privilege could have had a far-reaching impact on how companies conduct internal investigations and cooperate with enforcement authorities.
As it stands, the Texas Supreme Court’s decision in Shell Oil Co. v. Writt may incentivize cooperation by companies in the early stages of the enforcement process by providing certainty to potential corporate defendants, particularly those located in Texas, that good faith efforts to disclose the results of internal investigations and expose individual culpability will not leave them open to defamation claims.
Three Key Takeaways
In this episode, Mike Volkov and I discuss how blockchain has the potential to transformation compliance and may facilitate some truly revolutionary modifications in key businesses processes. I see some great value propositions for the compliance function.
For further reading, see:
Blockchain and the Future of Compliance, by Mike Volkov.
Will Blockchain Transform Compliance? by Tom Fox
Blockchain Explained, by Zach Church in MIT Sloan Management Review.
When then Assistant Attorney General Sally Yates, announced the Memo that bears her name, she said the following, “we have revised our policy guidance to require that if a company wants any credit for cooperation, any credit at all, it must identify all individuals involved in the wrongdoing, regardless of their position, status or seniority in the company and provide all relevant facts about their misconduct. It’s all or nothing. No more picking and choosing what gets disclosed. No more partial credit for cooperation that doesn’t include information about individuals.” This statement ties directly into the first point of the Yates Memo, which stated, “To be eligible for any cooperation credit, corporations must provide to the Department all relevant facts about the individuals involved in corporate misconduct.”
The Yates Memo and Yates’ remarks indicated a transition to a new era of FCPA enforcement. The Yates Memo required that the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) to investigate individuals immediately at the start of investigations. She stated, “the department instructed its attorneys that, going forward, they are to focus on individuals from the start of an investigation, regardless of whether the investigation begins civilly or criminally. Moreover, once a case is underway, the inquiry into individual misconduct can and should proceed in tandem with the broader corporate investigation. Delays in the corporate case will no longer suffice as a reason to delay pursuit of the individuals involved.” Even though these remarks were directed at government lawyers, corporations are now required to initially change the focus of their investigations from attempting to perform any type of root cause analysis to obtaining evidence against individuals and turning it over to the government as soon as possible.
For the Chief Compliance Officer (CCO) or compliance practitioner, this means the entire focus of your investigative protocol has changed. Previously an investigation was to determine how conduct that might have violated the FCPA had occurred, then focus on how to remedy it. The first step a CCO or compliance practitioner would take when sufficient evidence was developed was to fix the problem so that it did not re-occur going forward. If there were compliance program or internal control weaknesses, they would be immediately fixed so that neither the original perpetrators could continue the conduct but also so others could not take advantage of any such structural weakness.
After the Yates Memo, that is no longer the case. The DOJ now expects you to bring them information about potentially culpable individuals who can be prosecuted going forward. This means employees are going to immediately stop talking to you if they were inclined to do so in the first place. It will require performing an essential root cause analysis more difficult and the attendant remedy that is a part of any best practices compliance program.
But Yates went further than simply saying the DOJ expects you to turn over your own employees. She made clear that both she and the DOJ want companies to give up senior executives involved in illegal conduct. She said “We’re not going to be accepting a company’s cooperation when they just offer up the vice president in charge of going to jail.” Here the difficulty is around the FCPA requirement for a criminal prosecution or intent. How do you determine intent in a manner where senior executives may never have been involved directly in a transaction? Does this mean insufficient tone at the top will somehow morph into intent for a FCPA prosecution? Whatever it may mean going forward, at the very least I think it means that high heads in an organization could very well start to roll.
The Yates Memo, when read in conjunction with the Frederic Bourke conviction, make clear that senior management, as well as other individuals, are now directly in the DOJ’s sights to prosecute for FCPA violations. This means that even if lower level employees are engaging in conduct which senior management did not know about or even told them not to engage in; senior management may be deemed by the DOJ to have engaged in conscious indifference by not engaging in ongoing monitoring as a part of an overall best practices compliance program. Simply expecting that employees will not violate the FCPA is no longer enough. Companies must monitor transaction to detect and prevent violations. With the Yates Memo now the effective policy of the DOJ, senior management who do not actively monitor their organizations may subject themselves to personal FCPA criminal liability.
Given the scrutiny of the Standard Bank Deferred Prosecution Agreement (DPA) in the UK, I think it may well be the time where enforcement authorities begin to look at those responsible for an activity where a violation of anti-bribery/anti-corruption laws take place in addition to those committing the legal violation. Bourke was found guilty for conscious avoidance. How much of a stretch will it be for those senior managers who allow such behavior to be seen as either the norm or indeed expected? John Kay, writing in the Financial Times (FT) in an article entitled “Ignorance is no defence for financial misconduct”, wrote in the context of financial institution misconduct “If it is a criminal offence to be in charge of a den of thieves, the prosecution need only establish that you were in charge of it, not that you were yourself a thief. It is no defence that you thought the organisation was a monastery, which is broadly the argument employed by those made ‘physically ill’ by the discovery of what their subordinates had been doing.” After the Yates Memo, the same may hold true for senior management in companies which violate the FCPA.
The impact of the Yates Memo was magnified by Attorney General Jeff Sessions through his remarks at the Ethics and Compliance Initiative (ECI) in April 2017. He reiterated that the DOJ would focus on individual criminal misconduct in the context of enforcing the FCPA. This continued emphasis will mean that there is even more pressure on corporate compliance programs to get it right and get it right sooner rather than later.
Three Key Takeaways
This week, as their tribute to their Dad, we are guest hosted by Jay’s daughters, Millie and Michela. They lead us through a wide-ranging discussion on some of the week’s top compliance related stories, including:
What are the characteristics of a good interview in the context of an internal investigation? Is there one technique you can use which will provide you the results you want to achieve? How should you think through your questions and document review prior to the investigation? In this episode, I explore these and other questions, in an interview with noted internal investigation expert Jonathan Marks, a partner at Marcum LLP for this piece.
Marks began by making it clear there is no one right way to prepare for and conduct an interview. What is important is that you have a plan and execute on that plan. He said he begins by obtaining an understanding of what the various stakeholders want answers to. This could include the Board of Directors, C-Suite executives, the General Counsel and legal department, the Chief Compliance Officer and compliance function or up to government regulators such as the SEC or Justice Department.
Marks feels it is important to interview witnesses as soon as you can reasonably do so to prevent multiple witnesses from getting together and coordinating their stories. You should recognize you are never going to have perfect information so you should try and tie down the story. If the witness is not an English speaker, you should have a translator present. Marks suggests having a second person with you to take notes so you can watch the witness’s facial expressions and body language, noting, “There have been a lot of situations where I have found that being an effective listener is much more critical than being an effective note taker. Listening to what the interviewee is saying when you ask them the question is critical because it sets everything up. Having somebody there to take notes gives me the opportunity to really focus in on a couple of different things. It allows me to focus in on their verbal cues. It allows me to focus in on their body language. It allows me to focus in and listen to what they're saying, or a lot of times what they're not saying.” He cautioned that the note taker should be free from bias and subjectivity, simply taking down a detailed recitation of the witness’ testimony.
Interestingly Marks does not view his interviews as putting the witness “in the box”. He attempts to establish a rapport with the witness so they will be more forthcoming in their responses. Marks said, “I don't view this as a contentious exercise. I never have and I never will. I view this, like I said before, as building rapport. If somebody feels like you're cross-examining them, or it's a very structured and not free-flowing conversation, allowing them to answer the questions in a comfortable and a secure environment.” It is all an effort to garner an understanding of what facts the witness has, what the witness may not be aware of and determining others, both inside the organization and outside, who might be potentially involved.
Marks emphasized that an investigation should not be viewed as an interrogation. He avoids what he termed “loaded questions” such as “Why did you bribe the inspector?" Instead, he designs his questions to circle around such a point. He also notes the age old maxim to avoid compound questions. He concluded by noting you should try and develop facts during the interview, get to exactly what occurred, when did it happen, where did it happen, who, if anyone else, was present with you. He also added you can use other lines of inquiry such as “Who else may know well of an information? How did this happen, or do you know how it happened? Why did happen? Are there notes, documents, phone messages, emails or other evidence that you could provide to me that support what you're saying? A lot of times in an interview if somebody is willing to talk they usually have something that they could provide.” He concluded by intoning, “A lot of times if you don't ask you don't get.”
Marks believes it is a best practice is you get everything down immediately so “as soon as the interview is over I spend time with my partner in the interview with me going over all our notes, making sure that we both understood exactly what was said and how it was said. If there's any observations they I had during a question that may have not been in the write-up, we add those things.” He believes this is important because “the longer you wait, the more inaccurate your account of what happened becomes. I've always made it a practice that after the interview we get right to it, we write up our notes. We agree what was said, how it was said and add any other observations that we had during the interview process.”
Marks concluded by recalling another analogy he consistently refers to in any discussion of internal investigations, that it is a “chess match”. An interview is also a chess match as “When you're playing chess you have to think a couple of moves ahead if not three, four or five. We talked about in and out, out and in methods of conducting interviews when there's more than one individual or several people that might have information related to the allegations.”
Marks also discussed some strategies around the interview process. The first is what he termed the “inside-out” strategy which he would advocated using if allegations extend beyond the enterprise. In this technique, you interview people inside the organization first, and then maybe go out to third parties. The converse is an “outside-in” strategy and you can do a combination of both. He also noted one other technique which is conducting concurrent interviews. Marks advocates using this strategy “If you think people are going to talk or you think there's potential collusion. Conducting simultaneous interviews sometimes prevents those individuals from coordinating and collaborating on their story and what they're going to tell you.”
Three Key Takeaways
Today, I want to consider some of the challenges you may well face during an investigation. Beyond the basics, a company must consider the intake process as a starting point, however Marks noted one of the biggest challenges is in the intake process. Rather surprisingly, he noted there are still companies without a hotline or anonymous reporting system, stating “we still see organizations whereby there is no formal ethics hotline except for the fact that they might send an email to some member of management or some member of the board.”
The lack of an intake process immediately presents a challenge in beginning to work through an allegation of wrongdoing due to the inability to track when the allegation or information was received, who sent it, who received it, what did the company do when they received it? If a company has a formal ethics reporting system, with recordation of information “there’s some workflow, it’s a lot easier to kind of work through some of those things”, so there is an appropriate level of documentation to follow.
Yet Marks has seen failures in even these basic steps “many times people do not read their emails on a timely basis, and getting to the root of the issue quickly could be the difference between somebody allowing the company to investigate this the right way, or incentivizing an individual to go outside the organization such as to SEC whistleblower program.” This makes the intake process critical because it assures that things are not only received, “but they’re looked at on a regular and timely basis and there is a process.”
One area that still causes challenges is retaliation against whistleblowers. You might think that corporate America got the message that not only is retaliation incredibly idiotic and divisive but also illegal under both Sarbanes-Oxley (SOX) and Dodd-Frank but sadly that is not the case. Marks believes that avoiding retaliation is critical not only for an organization but also to foment a successful investigation. He stated, “Avoiding retaliation is very critical. I think there’s a real opportunity where human resources, if properly trained, can work with the rest of the team members and advise them on things that they should not be doing and things that they should be doing in order to avoid either the appearance of retaliation or the actual retaliation against the individual or individuals who reported or brought forth the potential of the alleged misconduct.”
Equally important is that a company wants to encourage a stand-up culture. When individuals are trying to do the right thing, you certainly want to inspire other to do so as well. Marks related, “When somebody reports an ethical lapse, it generally means to me that they’re doing their job. And so, the indirect impact, or sometimes the direct impact of that is sometimes people are looked at as snitches or not towing the company line or they’re just generally out of bounds can negatively impact the organization.”
An area where Marks has seen companies have difficulties in is what he termed threatened or pending litigation. Any investigation can morph into a much more serious situation and you must be ready to answer such questions as “(1) Does this gravitate itself into a class action lawsuit? Or (2) Does this gravitate to a regulatory review and subject to some punishment there?” The key is that as the investigation begins to uncover things and certain facts come to light, pending or threatened litigation is something that should always be discussed, but discussed very carefully and it should be discussed once those facts come to play. Sometimes you don’t have all those facts but sometimes it does make sense to kind of prognosticate and consider situations such as “This is what could happen. These are the issues that potentially could be uncovered.” Marks concluded, “I really do think that it’s important to think a couple of steps ahead and look at this as a chess match and never underestimate the fact that there could be pending or threatened litigation.”
Not surprisingly, another area of challenge is when the regulators will not accept the investigation or are not satisfied with the results. While I would submit that if you follow the strictures laid out by Marks, that will satisfy regulators, he noted that there must be an appropriate level of skepticism brought by the investigation. He said there can be regulator issues when “there was not proper skepticism, there was not proper independence or simply things were not looked at under the right lens.” But once again the answer is to go through the steps that Marks laid out, or any other well defined protocol and have an independent team handling the investigation.
Interestingly,a similar situation can arise if a company’s own auditors refuse to accept the results of an investigation. Marks said this is usually related to some type of unexpected development arises in an investigation. Marks noted, “when auditors are involved the element of surprise is never good.” He believes it is important to keep internal audit aware of developments as “they might want to do a shadow investigation, they might want to understand the scope of your expanded investigation and most certainly they want to understand the financial impact.” The reason is that if the company auditors do not accept your investigative results, “they may send you back to the drawing board. When that happens, all types of problems could manifest themselves or come out.”
Marks noted that at times the most difficult challenge is when the company itself is reluctant to accept the results of the investigation. This comes when a company is in denial, believing it has a robust compliance program and internal controls or, worse yet, it simply believes that it is an ethical company. One or more of these indicia usually manifest themselves as a company with paper compliance program, a Chief Compliance Officer (CCO) with a title but no authority and a weak compliance culture. Marks said, “When I say the company does not respect the investigation, it’s almost like they’re fighting with you because they believe that nothing could ever go wrong. That really does send a very, very clear message, not only internally, but should it get out externally as well. It’s an indication to us that there’s a problem with the culture, there’s a problem with the compliance program, there’s generally a problem with governance overall. There are probably bigger issues there other than the matter that’s generally on the table.”
Planning your investigation, having the right team members involved and meeting the challenges which inevitably arise during an investigation can be difficult. However, beginning with the Department of Justice’s (DOJ’s) Yates Memo and the Foreign Corrupt Practices Act (FCPA) Pilot Program and the release of the DOJ’s Evaluation of Corporate Compliance Programs (Evaluation), the pressure on every CCO and company to get an investigation done quickly, efficiently and, most importantly, done right is even greater now. Jonathan Marks has laid out a concrete way for you to think through how to plan an investigation, staff it properly and meet the inevitable challenges.
Three Key Takeaway
In this episode, I visit with Lauren Briggerman, a member at the firm of Miller & Chevalier. She discusses the latest edition of the firm newsletter, Executives at Risk: Navigating Individual Exposure in Government Investigations-Spring 2017. We discuss several recent developments in significant government investigations which highlight the tactics prosecutors are deploying and the risks faced by corporate executives:
In this episode I visit with Luciana Silveira, a PhD candidate who is studying the FCPA and how it is has affected international trade flows. Some of the questions she is considering include the following: Was US business abroad affected? Did US companies decide to change their foreign business strategy because of the FCPA? After so many years of the law, what is the private sector overall opinion about the FCPA?
Silveira believes the answers to these questions are neither straightforward nor simple. To that end, the PhD research she is developing will hopefully provide us with some new and updated answers, as well shed more light to the impacts of the FCPA to US international trade. Equally importantly, she is using the FCPA as reference to my studies on potential impacts of the Clean Company Act, a similar anticorruption legislation that came into force in Brazil in January 2014. To complement a quantitative analysis regarding merchandise trade flows, she is using a 15-questions survey (available at https://ldosilveira.typeform.com/to/uhtKYZ). It is confidential, and there is no question that requires strategic corporate information. She hopes that you will participate as all input is welcome and encouraged.