Info

FCPA Compliance Report

Tom Fox has practiced law in Houston for 30 years and now brings you the FCPA Compliance and Ethics Report. Learn the latest in anti-corruption and anti-bribery compliance and international transaction issues, as well as business solutions to compliance problems.
RSS Feed Subscribe in Apple Podcasts
FCPA Compliance Report
2019
May


2018
November
October
September
August
July
June
May
April
March
February
January


2017
December
November
October
September
August
July
June
May
April
March
February
January


2016
December
November
October
September
August
March
February


2015
December


Categories

All Episodes
Archives
Categories
Now displaying: 2017
Oct 23, 2017

 

Do FCPA considerations come into play for customers? How should you think about your obligations under the FCPA for a group not traditionally associated with FCPA liability or even FCPA risk? These questions and perhaps others are raised by the FCPA investigation into certain transactions in Venezuela by Derwick Associates and a US company ProEnergy Services. ProEnergy Services supplied turbines that Derwick Associates resold to the Venezuelan government and then installed in that country. This investigation demonstrates why businesses need to be more concerned with not only who they do business with but how their customers might be doing business. In banking and financial services parlance, you now need to ramp up your Know Your Customer (KYC) information to continue throughout a seller-purchaser relationship, in the context of the FCPA. 

A good starting point is the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) rules on customer due diligence. While they deal specifically with banks, brokers-dealers, and mutual funds, they inform the broader number of US commercial enterprises doing business outside the United States. They emphasize that AML programs should have four elements: 

  1. Identify and verify the identity of customers;
  2. Identify and verify the identity of beneficial owners of legal entity customers;
  3. Understand the nature and purpose of customer relationships; and
  4. Conduct ongoing monitoring to maintain and update customer information and to identify and report suspicious transactions. 

Clearly any anti-corruption compliance based due diligence would focus on point 2. A definition of “beneficial owner” should have two prongs: 

  • Ownership Prong: any individual who, directly or indirectly, through any contract, arrangement, understanding, relationship or otherwise, owns 25% or more of a legal entity customer, and
  • Control Prong: An individual with significant responsibility to control, manage, or direct a customer, including an executive officer or senior manager; or (ii) any other individual who regularly performs similar functions. 

Under point 3, company needs to “Understand the nature and purpose of customer relationships”. The regulation further explained “to gain an understanding of a customer in order to assess the risk associated with that customer to help inform when the customer’s activity might be considered “suspicious.”” Such an inquiry could help a business to “understand the relationship for purposes of identifying transactions in which the customer would not normally be expected to engage. Identifying such transactions is a critical and necessary aspect of complying with the existing requirement to report suspicious activity and maintain an effective AML (or anti-corruption compliance) program.” 

The final point 4 relates to ongoing monitoring. Once again consider the position of the US Company, ProEnergy Services, in the Derwick Associates FCPA investigation. What can or should it have done in the way of ongoing monitoring of its customer. The regulation stated, “industry practice generally involves using activity data to inform what types of transactions might be considered “normal” or “suspicious.”” It may be that the Derwick Associates types of transactions were suspicious. 

FinCEN understands that information from monitoring could be relevant to the assessment of risk posed by a customer. The requirement to update a customer’s profile because of ongoing monitoring, including obtaining beneficial ownership information for existing customers on a risk basis, is different and distinct from a categorical requirement to update or refresh the information received from the customer at the outset of the account relationship at prescribed periods. Lastly “the obligation to understand the nature and purpose of customer relationships, monitoring is also a necessary element of detecting and reporting suspicious activities”. 

There does not have to be a direct bribe or other corrupt payment made by a US company to have liability under the FCPA. FCPA enforcement is littered with companies that have paid bribes through third parties. However, as the Fifth Circuit said in Kay v. US, “[W]e hold that Congress intended for the FCPA to apply broadly to payments intended to assist the payor, either directly or indirectly,” [emphasis mine]. While at first blush, ProEnergy Services may appear to be at the edge of potential FCPA liability; if it knew, had reason to know, or should have taken steps to know about some nefarious conduct by its customer, it does not take too many steps to get to some FCPA exposure. The FinCEN rules on customer due diligence for financial institutions are a good starting point for other commercial entities to base their compliance program for customers around. 

Three Key Takeaways

  1. Non-banking and non-financial service entities need to consider their KYC obligations in the context of FCPA risk.
  2. FinCEN rules on customer due diligence are a good starting point for the non-financial institution.
  3. Ongoing monitoring should be used and the information incorporated into your customer risk profile going forward. 

This month’s podcast series is sponsored by Michael Volkov and The Volkov Law Group.  The Volkov Law Group is a premier law firm specializing in corporate ethics and compliance, internal investigations and white collar defense.  For more information and to discuss practical solutions to compliance and enforcement issues, email Michael Volkov at mvolkov@volkovlaw.com or check out www.volkovlaw.com.

Oct 23, 2017

In this episode, I visit with Vin DiCianni, President and Founder of Affiliated Monitors, Inc. We discuss the recently announced strategic alliance between Affiliated Monitors, the US’s premier independent compliance monitoring/evaluation company and RS Legal Strategy Limited, a UK Q.C. led legal one stop shop white collar crime and fraud boutique.  We discuss the strengths that at party brings to this new business venture and what they hope to achieve. 

We use this new strategic alliance as a mechanism to discuss how companies can take a more pro-active approach to addressing their ethics and compliance deficiencies comprehensively, through the efforts of an independent advisor. When an independent monitor is utilized, there is a much greater likelihood that a successful outcome and improved practices will be achieved. 

Through the combination of RS Legal’s expertise in UK enforcement actions, taken with AMI’s pro-active global ethics and compliance approach, you begin to see how an independent review can facilitate the operationalization of compliance from the detect prong to the prevent prong into more of a prescriptive approach.  We explore how investigations and monitoring, when used pro-actively, can increase the likelihood of any of a corporate client securing a beneficial outcome resulting from ongoing investigations. 

This podcast continues the theme I have been following on the evolution of best practices compliance program, continually moving away from the simple paper program approach articulated by some. The Justice Department’s Evaluation of Corporate Compliance Programs is designed, in large part to get companies to think about and ask questions about their compliance program. The proactive use of a monitor is one of the key innovations in this path. 

For more information, Vin DiCianni can be reached at vdicianni@affiliatedmonitors.com.

Oct 20, 2017

In this episode, Jay and I return for a wide-ranging discussion on some of the top compliance and ethics related stories, including: 

  1. We discuss our highlights from the recently concluded SCCE 2017 Compliance and Ethics Institute. See Tom’s blogs, here, here, here and here. Click here for a report from Matt Kelly.
  2. Mike Volkov explores ISO 37001 in a week-long series. See the full week’s series on his site, Corruption Crime & Compliance. Henry Cutter reports on the standard’s slow acceptance in the WSJ Risk and Compliance Report.
  3. What is the status of your Board’s training for compliance? Ben DiPietro reports in the WSJ Risk and Compliance Report.
  4. Italian prosecutor charges Shell and former execs with overseas bribery. Dick Cassin reports in the FCPA Blog.
  5. Revenue recognition rules change in December. Auditors are under orders to ‘show no mercy’ to companies which have not prepared for the changeover. Tammy Whitehouse reports in Compliance Week.
  6. Continued chaos in the Trump Administration. Matt Kelly is back with addition ethical considerations from HHS Secretary Tom Price in Radical Compliance.
  7. Astros come home down 3-2 to the NY Yankees. Will they overcome?
  8. Join Tom’s monthly podcast series on One Month to a More Effective Compliance Program. In October, I consider compliance with business ventures such as in the M&A context, joint ventures, distributors, channel ops partners, teaming agreements and all other manner of business venture. The third week I continue to take a deep dive into JVs under the FCPA. This month’s sponsor is the Volkov Law Group. It is available on the FCPA Compliance Report, iTunes, Libsyn, YouTube and JDSupra.
  9. The Everything Compliance gang recorded a podcast at the 2017 Compliance and Ethics Institute, with special guest Roy Snell sitting in for Mike Volkov. The podcast will go up Thursday October 26th.
  10. Tom premiers an exciting new service offering the Doing Compliance Master Class.
  11. AMI SVP Eric Feldman is speaking in Houston on November 2, at 1:30. If you are in Houston, please plan to join us. For more information see the GHBER website for details and registration.
  12. Jay previews the Rosen Weekend Report.
Oct 20, 2017

As I conclude this section on joint ventures, I want to emphasize again the risk they pose under the FCPA. Mike Volkov has stated, “A joint venture requires the integration of disparate company cultures. It can be successful, and is usually one of the significant reason for the joint venture itself.” Both parties should assess each other and decide that the joint venture is a good fit, meaning that each side will benefit. Too much time is spent on looking at the joint venture partner’s compliance toolbox (e.g. policies, procedures, and controls), and not enough time is spent on identifying compliance strengths and weaknesses. You must bring it all together with one format.

While the 2012 FCPA Guidance only provided that “companies should undertake some form of ongoing monitoring of third-party relationships”. This means that you must have an experienced compliance and audit team, actively engaged in the corporate office and in the business units, to ensure that financial controls and compliance policies are followed and that remedial measures for violations or gaps are tracked, implemented and rechecked, as additional detection and prevention. Caldwell noted it is a more encompassing “sensitization” to anti-corruption compliance that is needed. There are several ways for you to do so in a joint venture relationship. 

The starting point for the both the compliance and business management of a joint venture, is a Relationship Manager for every joint venture with which your company does business. The Relationship Manager should be a business unit employee who is responsible for monitoring, maintaining and continuously evaluating the relationship between your company and the joint venture. Some of the duties of the Relationship Manager may include:

  • Point of contact with the joint venture for all compliance issues;
  • Maintaining periodic contact with the joint venture;
  • Meeting annually with the joint venture to review its satisfaction of all company compliance obligations;
  • Submitting annual reports to the company’s Compliance Oversight Committee summarizing services provided by the joint venture;
  • Assisting the company’s Compliance Oversight Committee with any issues with respect to the joint venture.

Just as a company needs a subject matter expert in compliance to be able to work with the business folks and answer the usual questions that come up in the day-to-day routine of doing business internationally, joint ventures also need such access to such a resource. A joint venture may not be large enough to have its own compliance staff so a company should provide such a dedicated resource to joint venture, if so required. I do not believe that this will create a conflict of interest or that there are other legal impediments to providing such services. The US partner can also include compliance training for the joint venture, either through onsite or remote mechanisms. The compliance professional should work closely with the Relationship Manager to provide advice, training and communications to the joint venture. 

A company should have a Compliance Oversight Committee review all documents relating to the full panoply of a joint venture’s compliance program. It can be a formal structure or some other type of group but the key is to have the senior management put a ‘second set of eyes’ on any joint ventures. In addition to the basic concept of process validation of your risk management of joint ventures, this is a manner to deliver additional management of that risk going forward.

After the commercial relationship has begun the Compliance Oversight Committee should monitor the joint venture on no less than an annual basis. This annual audit should include a review of remedial due diligence investigations and evaluation of any new or supplemental risk associated with any negative information discovered from a review of financial audit reports on the joint venture. The Compliance Oversight Committee should review any reports of any material breach of contract including any breach of the requirements of the Company’s of joint venture’s Code of Ethics. In addition to the above remedial review, the Compliance Oversight Committee should review all compliance-impacted payments by the joint venture to assure such payment are within the company guidelines and are warranted by the contractual relationship with the joint venture. Lastly, the Compliance Oversight Committee should review any request to provide the joint venture any type of non-monetary compensation and, as appropriate, approve such requests.

A key tool in managing the affiliation with a joint venture post-contract execution is auditing. Audit rights are a key clause in any compliance terms and conditions and must be secured. Your compliance audit should be a systematic, independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which your compliance terms and conditions are followed. Noted fraud examiner expert Tracy Coenen described the process as (1) capture the data; (2) analyze the data; and (3) report on the data, which is also appropriate for a compliance audit. 

In addition to monitoring and oversight of your joint ventures, you should periodically review the health of your joint venture management program. The robustness of your joint venture management program will go a long way towards preventing, detecting and remediating any compliance issue before it becomes a full-blown FCPA violation. As with all the steps laid out, you need to fully document all steps you have taken so that any regulator can review and test your metrics. The Evaluation of Corporate Compliance programs lays out what the DOJ will be reviewing and evaluating going forward for your compliance program. You should also use these metrics to conduct a self-assessment on the state of your compliance program for your joint ventures. 

Three Key Takeaways

  1. It all starts with a Relationship Manager.
  2. Have company oversight of all joint ventures. Couple this with a Compliance Oversight Committee for a second set of eyes.
  3. Audit, monitor and remediate (as appropriate) your joint ventures on an ongoing basis.

What is your process for managing the compliance risk in international joint ventures.

This month’s podcast series is sponsored by Michael Volkov and The Volkov Law Group.  The Volkov Law Group is a premier law firm specializing in corporate ethics and compliance, internal investigations and white collar defense.  For more information and to discuss practical solutions to compliance and enforcement issues, email Michael Volkov at mvolkov@volkovlaw.com or check out www.volkovlaw.com.

Oct 19, 2017

Joint ventures provide many FCPA risks that other types of business relationships do not bring. For instance, the joint venture may interact with foreign government officials or employees of a state-owned enterprise; then leverage those relationships for an improper benefit either contracts, regulatory licenses, permits or customs approvals. It is difficult to regulate a joint venture’s interactions with foreign government officials when you partner is a state-owned enterprise, or where your company is relying on the local company for its local contacts and expertise for business development and/or regulatory knowledge and experience.

The risks are compounded when the US company does not exercise control of the joint venture. This is further compounded by the fact there is no minimum threshold for a FCPA enforcement action against a US company for the actions of a joint venture in which it holds an interest. If a company holds something less than majority rights, it must to urge, beg and plead for the majority partner to adhere to anti-corruption compliance standards and controls. Often, these requirements are established in the joint venture agreement but the success in securing such contract protections depends on the importance of the global company to the joint venture itself.

Another set of issues comes from the joint venture when it seeks to retain third party agents and/or distributors. Depending on the amount of control, the US company usually can impose its set of standards for conducting due diligence of third party agents and distributors. These risks become more difficult when the joint venture partner brings to the joint venture a proposed third party agent or distributor and vouches for the agent or distributor. If the joint venture partner is a state-owned enterprise, the issues become even more complicated as such referral creates an obvious red flag for a government-sponsored referral.

Now add on the fact that the foreign joint venture partner may not be proficient in English as a first language. The US company may not have financial personnel with requisite language skills in the foreign country. Some companies have a policy that English will be used throughout the world in its business dealings. However, even with such an English only policy in place, the risks represented by such lack of effective oversight by the multinational extend not only to potential FCPA violations, but to other corrupt acts, including kickbacks, fraud and theft.

At this point you have engaged in due diligence prior to the create of the joint venture agreement. The agreement itself has a robust set of compliance terms and conditions, including the right to audit. Mike Volkov has called the exercise of the right to audit one of the key elements in the risk management process around joint ventures. He advocates that any audit take a deep dive into the payments made by the joint venture to a wide range of persons and entities, including agents, suppliers, customers or any others. This would be particularly important for payments made to do business or otherwise operate legally in the joint venture’s locations. This means there should be an inspection of the joint ventures books and records to see if facilitation payments are properly recorded as facilitation payments.

Volkov noted that one interesting area which requires greater review is around payments to colleges or universities outside the US. If there are payments for research or other projects you need to audit the payments and services with an eye towards determining that the rate paid is not out of line with the local payment rate. The same holds true around gifts and entertainment as the local tradition of your foreign partner may be quite different than the expectations of an American company operating in a country such as China.

Another area for audit is if the foreign partner receives a management fee, which can be used for improper purposes. Several FCPA enforcement actions were based on this or similar payment schemes. Such fees may simply be based upon a percentage of joint venture revenue or profit, and often are not required to correspond to defined tasks, or specific efforts or hours. Most usually, there are no substantive billings associated with such fees, they simply become due. Under this type of arrangement, it is almost impossible to justify this fee if requested by the DOJ. If the foreign partner does receive such a fee, this will need to be closely scrutinized in the audit process.

Volkov advocates using a wide-range of investigation techniques in any audit of a foreign joint venture. He said that a trip to the joint venture headquarters is mandatory, as are onsite interviews with key joint venture personnel such as joint venture CEO, CFO, head of audit, head of HR and compliance. A key interview is always the head of sales for the joint venture and any head of sales who might deal with foreign governments or state-owned enterprises. Phone interviews can be used to supplement these in person interviews where appropriate.

Volkov stated that “what we were trying to put together was a product that can stand up to subsequent scrutiny, particularly by the Justice Department and the SEC.” Yet there are other key reasons for the audit; these include education, training and communication. Every time you meet with someone, you have the chance to not only listen to them but give them information on the compliance program and expectations thereunder. Equally important is the ease and (hopefully) comfort the participants in the joint venture will feel about your compliance efforts and their compliance obligations going forward.

As a baseline, I would suggest that any audit of a joint venture include, at a minimum, a review of the following:

  1. the effectiveness of existing compliance programs and codes of conduct;
  2. the origin and legitimacy of any funds paid to Company;
  3. books, records and accounts, or those of any of its subsidiaries, joint ventures or affiliates, related to work performed for, or services or equipment provided to, Company;
  4. all disbursements made for or on behalf of Company; and
  5. all funds received from Company in connection with work performed for, or services or equipment provided to, Company.

If you want to engage in a deeper dive you might consider evaluation of some of the following areas:

  • Review of contracts with joint ventures to confirm that the appropriate FCPA compliance terms and conditions are in place.
  • Determine that actual due diligence took place on the joint venture.
  • Review FCPA compliance training program; both the substance of the program and attendance records.
  • Does the joint venture have a hotline or any other reporting mechanism for allegations of compliance violations? If so how are such reports maintained? Review any reports of compliance violations or issues that arose through anonymous reporting, hotline or any other reporting mechanism.
  • Does the joint venture have written employee discipline procedures? If so have any employees been disciplined for any compliance violations? If yes review all relevant files relating to any such violations to determine the process used and the outcome reached.
  • Review employee expense reports for employees in high-risk positions or high-risk countries.
  • Testing for gifts, travel and entertainment that were provided to, or for, foreign governmental officials.
  • Review the overall structure of the joint venture’s compliance program. If the company has a designated compliance officer to whom, and how, does that compliance officer report?
  • How is the joint venture’s compliance program designed to identify risks and what has been the result of any so identified?
  • Review a sample of employee commission payments and determine if they follow the internal policy and procedure of the joint venture.
  • Regarding any petty cash activity in foreign locations, review a sample of activity and apply analytical procedures and testing. Analyze the general ledger for high-risk transactions and cash advances and apply analytical procedures and testing.

Finally, is your follow up after the audit. If there are any red flags which were not fully investigated during the audit process, that must be accomplished in this phase. Additionally, if there were action items for remediation they should be completed in a timely manner. There may be some issues which may bear greater scrutiny during the year, such as gift, travel and entertainment expenses which can be noted as well. 

Three Key Takeaways

  1. Joint Venture present unique risks FCPA risks and must be managed accordingly.
  2. Your final report needs to consider the final viewer of the document, potentially the DOJ or SEC.
  3. Be sure to follow up on any red flags raised but not cleared and action items for remediation or additional scrutiny.
Oct 19, 2017

In this episode, I visit with branding expert Linda Justice. We discuss the role of a Board of Directors in corporate branding. We discuss ‘what is branding?’ 

  • Perception of a company?
  • The customer experience?
  • The stakeholders’ experience?
  • Investors experience?
  • Employees experience?
  • Is it found in print, advertising, word of mouth?
  • Or is it LIVE—as in Twitter, Customers complaining or praising in real time? 

Linda explains how branding is all of these things. She explains why a Board should care about branding as it helps to grow the company and protects (or harms) the company’s reputation. She also explains how With a STRONG BOARD and a STRONG ETHICAL BACKBONE and CULTURE, this enhances branding for Customers, Employees and other stakeholders. Justice also relates that a company grows on the strength of its employees and on customers buying their products and services and concludes on the note that ethics must be part of the brand to sustain and grow both.

Oct 18, 2017

Numerous US companies have come to FCPA grief for their overseas joint ventures and the continue to be a bane for many companies under the Act. There are some basic compliance terms and conditions which should be considered for any foreign joint venture agreement to help US companies manage these compliance risks.

As a starting point, it is important to have compliance terms and conditions, these reasons can include some of the following: (1) to set expectations between the parties; (2) to demonstrate the seriousness of the issue to the non-US party; and (3) to provide a financial incentive to do business in compliant manner.

  1. Prohibition of all forms of bribery and corruption. Many foreign joint venture partners may not understand that the FCPA applies to them if they partner in a business relationship with a US company. Further, they do not understand that they may be governmental officials under the FCPA. This all must be spelled out for them so you should have language regarding the following:
  • Prohibition of all forms of bribery and corruption, but you should be careful to make note that FCPA is broader than simple bribery; it includes hospitality/gifts/entertainment/travel as well.
  • Affirmation of FCPA compliance, this should be in writing and it should also require that the non-US party understand or have familiarity with the FCPA, as well as that they will comply with the tenets of the FCPA.
  • Agreement to comply with local laws and customs regarding anti-bribery and anti-corruption in the jurisdiction where it is located and/or does business. 
  1. Right to Cancel and Recoupment rights. These should include the following:
  • Right to cancel the contract if there is a compliance violation or breach of contract because that allows you maximum flexibility.
  • Withhold any payments due.
  • Allow for disgorgement of any monies previously paid under the agreement.
  • Take any other action you think necessary or appropriate. 
  1. Duties
  • Spell out exact duties and deliverables of the Joint Venture.
  • Employees of the joint venture have continuing duty to adhere to training.
  • There will be updated due diligence performed on the JV partner.
  • There is an ongoing duty to report changes in ownership structure of any non-US partner. This includes changes in corporate structure and/or corporate leadership. There must be immediate notification to the US company and it is particularly important when government changes.
  • Require that the joint venture follow generally accepted accounting principles (GAAP), and conduct an annual audit by an agreed upon independent accounting firm.
  • Prohibit the creation of any funds without the approval of the joint venture’s governing body (supermajority approval in the case of minority interest by the multinational).
  • If the foreign joint venture partner has day-to-day management responsibilities, require dual signatures for checks or electronic funds transfers drawn on joint venture bank accounts.
  • Require that the joint venture conduct investigative due diligence on agents, consultants and other third parties retained by the joint venture.
  • Require the implementation of a code of business conduct by the joint venture and implement an anonymous reporting mechanism for joint venture employees. 
  1. Audit Rights – these are an important tool in your joint venture risk management process and must be included in any joint venture agreement. In addition to putting your JV partner on notice that you are not simply willing to look the other way once the agreement is signed, it is an active acknowledgement that there will be ongoing transactional review during the term of the joint venture agreement. If any illegal payments are made or discovered the US company should retain full access to the audit trail which it can then turn over to the proper authorities. Additionally, the joint venture should have the right to audit any agent(s) it may hire for its own use. 

If you have audit rights you must exercise them. The same calculus is true for termination rights. If you have a good faith belief that your JV-US partner has violated the FCPA, you better exercise your right to terminate. If you do not do so, your US company will probably be in more hot water with the DOJ. 

  1. Prohibited Parties - the Joint Venture will not deal with US designated Prohibited Countries, Prohibited Parties or any other persons or entities on any such OFAC prohibited list.
  2. Certifications-you should specify that the foreign partners will annually, personally, certificate that they have not violated the FCPA on any matters relating to the joint venture, are aware of no FCPA violations by the joint venture which they have not previously reported and have received and understood annual FCPA training.

Lastly one area which is continuing to be problematic is that of how to make payments. Some of the tools to manage this risk are the following:

  • Always try to make payments via wire transfer.
  • No large upfront payments unless designated for legitimate start-up expenses.
  • Pay only to the named company, not unknown third parties.
  • Payment in local currency, however you can pay in USD. The key is consistency in how you are paying and your documentation.
  • Pay where the agent’s country of residence or where the work is done.

All the above steps should be taken only after extensive due diligence has been completed. After the contract is signed your company will have to work just as hard to keep the compliance program for any joint venture robust and meaningful. However, with these terms and conditions in place, you will have a chance to maintain your FCPA obligations and to manage the risk that is involved when working jointly with non-US companies.

Three Key Takeaways

  1. Failure to secure appropriate compliance terms and conditions in a JV agreement can cause great FCPA risk for a US company.
  2. Certifications are important requirements to obtain.
  3. Audit rights must be secured and equally importantly, exercised.

This month’s podcast series is sponsored by Michael Volkov and The Volkov Law Group.  The Volkov Law Group is a premier law firm specializing in corporate ethics and compliance, internal investigations and white collar defense.  For more information and to discuss practical solutions to compliance and enforcement issues, email Michael Volkov at mvolkov@volkovlaw.com or check out www.volkovlaw.com.

Oct 18, 2017

In this episode, I visit with Dan Norris, Director of Training for Holt Development Services. Dan Norris is a lively, energetic and effective presenter who specializes in the science of ethical influence. He is one of only a few individuals worldwide who currently hold the CMCT designation, a specialization in the psychology of persuasion–earned directly from Dr. Robert Cialdini, the leading authority on the subject. Dan helps organizations take the latest scientific research out of the laboratory and apply it in their own day-to-day sales, leadership, and customer service applications.  

Dan has a philosophy that focuses on employee development—investing only in tools, training, coaching, and outcome assessments that have been shown to positively change behavior. When not speaking and training, Dan is responsible for furthering Holt’s highly successful Values Based Leadership© programs. These programs evolved from over a decade of effective application within Holt companies and other client organizations, and Dan continues to play an integral role in its design and growth. 

We discuss the work of the Holt Development company and how it interacts with other organizations. He explains what makes the method work for such a disparate group of organizations: from non-profits to commercial businesses to sports franchises, including his work with the San Antonio Spurs. Dan discusses the work on influence by Bob Cialdini informs the work of Holt Development. 

Click here for more information on Holt Development Services and here for more information on Dan Norris.

Oct 17, 2017

When you bring two entities together to operate jointly, there are several difficult issues to analyze. For the US company operating under the FCPA, there must be an adequate business justification for a joint venture with a specific partner, all in writing and approved by an appropriate level of the organization. At this point, the US company must engage in a due diligence review of the proposed JV partner.

Mike Volkov has noted this is where the due diligence process comes into play. The due diligence process should be built on principles like those involving third parties. The procedure should be robust, documented and address all potential risks involved. A company should use its due diligence review of the JV partner to proper assess and uncover any corruption risk. Using this due diligence and its evaluation, you can then move to contractual clauses, certifications, representations and warranties from a JV partner or insist on other remedial measures to minimize its risk exposure.

Dennis Haist, the General Counsel and Chief Compliance Officer at Steele Compliance Solutions, Inc. in an article entitled, “Guilt by Association: Transnational Joint Ventures and the FCPA laid out some of the specifics that you should ask for in a due diligence review of prospective JV partners.

  1. Entity information
  • Entity name, DBA, previous names, physical address and contact information, website address.
  • Legal structure, jurisdiction of organization, date organized and whether the entity is publicly traded.
  • Entity registration number(s), and dates and places of registration; number of years in business.
  • Entity tax licenses, business licenses, or certificates or commercial registrations.
  • Description of business, customers, industry sectors.
  • Names, addresses and jurisdictions of formation for all companies or other affiliated entities, and ownership interest in each.
  • Names and contact information for main point of contact.
  • Names and contact information for entity’s outside accountants/auditors and primary legal counsel.
  1. Ownership information
  • Name, address, nationality, percentage of ownership and date of acquisition for each parent company up to ultimate parent.
  • Name, nationality, ID type/number, percent ownership and date of acquisition for all shareholders and owners.
  • Identity of any other persons having a direct or indirect interest in the entity’s equity, revenues or profits.
  • Identity of any other person able to exercise control over the entity through any arrangement or relationship.
  • Information on any direct or indirect ownership interest by any government, government employee or official; or political party, party official or candidate, and employee of any state-owned enterprise.
  1. Management information
  • Name, address, nationality, ID type/number and title for each member of the entity’s governing board.
  • Name, address, nationality, ID type/number and title for each officer of the entity.
  • Information on any other business affiliations of principals, owners, partners, directors, officers or key employees who will manage the business relationship.
  • Information on whether any principals, owners, partners, directors, officers or employees, currently or in the past, have been officials or candidates of a political party or been elected to any political office.
  1. Government relationships
  • Information on whether any principals, owners, partners, directors, officers or employees hold any official office or have any duties for any government agency or public international organization.
  • Information on whether any owners, directors, officers or key employees have an immediate family member who is an employee, contractor or official of the foreign government, or a public international organization.
  • Information on whether any employee of, or contractor or consultant to, any government entity or public international organization will benefit from the joint venture.
  • Approximate percentage of entity’s overall annual sales revenue derived from government sales.
  1. Business conduct
  • Information on whether the entity has ever been barred or suspended from doing business with a government entity. Information on whether any principals, owners, partners, directors, officers or employees are identified on any government designated nationals, blocked persons, sanction, embargo or denied persons lists.
  • Information on whether the entity, its principals, owners, partners, directors, officers or employees have ever been charged with, convicted of, or alleged to have been engaged in fraud, bribery, misrepresentation and/or any other criminal act.
  • Information on whether the entity, its principals, owners, partners, directors, officers or employees have been investigated for violating the FCPA or any other anti-corruption law.
  • Information on whether the entity has a compliance program which includes the prevention of bribery and information on the training of employees.
  1. References
  • Three or more unrelated business references, including a bank and existing client.
  1. Certification/authorization/declaration
  • Certification of accuracy.
  • Authorization to conduct due diligence, authorization for third parties to release data and consent to collection of data.
  • Anti-corruption compliance declaration.

In addition to asking for all this information, you must take care to document the entire process that your company goes through in the investigation and creating a foreign joint venture. (Dcoucment Document Document) It is equally important to remember that obtaining this information is only one step. A company must evaluate the information and follow up if responses to such inquiries warrant such action. A paper program is simply not good enough and can lead to serious consequences if Red Flags are not reviewed and cleared. This evaluation should also be documented so that if a regulator ever comes knocking you can demonstrate what you asked for, why, the response, your follow up and the details of your evaluation.

Finally, never forget the human factor. It is important to perform an in-person interview of your proposed joint venture partner. It is important that you meet them, see their facilities and assess them up close and personal. A US business looking to engage a joint venture partner must consider the people who make up its joint venture partner. As Mike Volkov has noted, “These people, in turn, act together or can be influences together, as part of the joint venture’s culture. This is what I mean by the human factor. A global company cannot ignore the human factor of its joint venture partner. It has to assess the culture, and more importantly, the key personnel who are part of the joint venture partner – the leaders, the go-to-people who get the job done, and the overall environment in which they operate.” As you will have to mesh what may be two very different cultures and understandings of compliance, it is important to assess how your potential joint venture partner will take these obligations before, rather than after you ink the JV agreement.

Three Key Takeaways

  1. Joint Venture due diligence must focus on the unique risks.
  2. Ask for a detailed list of information from your potential JV partner.
  3. Be sure to do onsite investigation of your potential joint venture partner.

 

This month’s podcast series is sponsored by Michael Volkov and The Volkov Law Group.  The Volkov Law Group is a premier law firm specializing in corporate ethics and compliance, internal investigations and white collar defense.  For more information and to discuss practical solutions to compliance and enforcement issues, email Michael Volkov at mvolkov@volkovlaw.com or check out www.volkovlaw.com.

Oct 16, 2017

In this episode, Jay and I are joined by Louis Sapirman, CCO at Dun & Bradstreet for a look the the 2017 SCCE Compliance and Ethics Institute. We discuss the pro-conference events, what we hope to achieve at this year's event and why it is important to give back to the compliance community. We end with a discussion on why the Harvey Weinstein affair may well change the face of compliance going forward. 

Oct 16, 2017

Just as the FCPA enforcement field is covered with actions centering around mergers and acquisitions, there are multiple actions involving joint ventures (JVs). JVs continue to plague many US companies up to this day. In many ways, JVs present more difficult issues for the compliance practitioner than mergers and acquisitions because of the control issues present in JVs with foreign governments or state owned enterprises ownership. 

In an article in the Virginia Law & Business Review, entitled “Traversing the Minefield: Joint Ventures and the Foreign Corrupt Practices Act Daniel Grimm explained that JVs can provide a variety of benefits to a company desiring to enter an international market. Some of the benefits can include; satisfying a local content or partner requirement, a method of international expansion under “which outside investors benefit from the knowledge of local firms while retaining “some operational and strategic control” over the enterprise”; all with a lower overall cost for both resources and integration than required through a traditional corporate merger. Yet these same benefits can also bring greater FCPA risks. 

Mike Volkov in an article entitled, “Digging Down on Joint Ventures and FCPA Compliance” noted that when you create a JV, there are a number of difficult issues to analyze. Initially, is the requirement of adequate due diligence. This is more difficult than in a traditional merger. Next is the set of governance issues surrounding control of the JV. If your JV partner is a state-owned enterprise, the issues become even more complex.  The interactions between the company and the state-owned enterprise within the joint venture itself should be regulated so that they are not perceived as intended to improperly influence the state owned enterprise, “either directly or in other areas of interaction.” Even if JV involves a private, as opposed to state-owned partner, the compliance issue then becomes the controlling the actions of the JV sales people, JV staff responsible for regulatory interactions, and JV-retained third party agents and distributors. 

A new JV creates a new set of risks for the company subject to the FCPA. In the JV context, the company has, by definition, less control.  As a result, these issues need to be addressed in the formation of the JV. The issue becomes even more difficult when the company entering the JV has less than 50 percent control.  Grimm noted that “An issuer with a minority stake in another entity is required to “proceed in good faith to use its influence, to the extent reasonable under the issuer’s circumstances,” to cause the entity to comply with the books and records and internal controls provisions of the FCPA. Relevant circumstances include “the relative degree of the issuer’s ownership” and “the laws and practices governing the business operations of the country” in which the entity is located.”

As early as 2002, in the SEC FCPA enforcement action involving BellSouth, which owned only 49% of a JV in in Telefonia Celular de Nicaragua, S.A. (“Telefonia”), a Nicaraguan corporation that relinquished operational control to an indirect, wholly-owned BellSouth subsidiary. Relying on the FCPA’s good faith influence requirement for an issuer holding a minority stake in another entity, the SEC alleged that BellSouth “held less than 50 percent of the voting power of Telefonia, but through its operational control, had the ability to cause Telefonia to comply with the FCPA’s books and records and internal controls provisions.” 

There are multiple types of FCPA liability to a parent for the actions of a JV in which it is a partner. These can include directly liability such as with Halliburton and its former subsidiary KBR in the TSJK JV involved in bribery and corruption in Nigeria. Halliburton paid a total FCPA penalty of $579MM to the US and $25MM to the Nigerian government of the actions of its subsidiary, KBR. 

In addition to the traditional direct liability, JVs can be a source of vicarious liability. Grimm noted that “A business entity may, depending on the circumstances, be held vicariously liable for FCPA violations committed by a joint venture, a joint venture partner, or an agent acting on behalf of a joint venture. Vicarious liability traditionally applies in situations where a business entity authorized, directed, or controlled acts that violate the FCPA’s anti-bribery provisions.” It could also violate the accounting provisions around keeping accurate books and records and effective internal controls. This was the situation involving 2016 enforcement action involving Anheuser-Busch InBev, in India, where the company paid $6 million to settle charges that it violated the FCPA and impeded a whistleblower who reported the misconduct. 

Mike Volkov identified other risks that a company must seek to avoid. These include the transfer of things of value to a state-owned enterprise for benefits of someone outside the joint venture. A company must avoid payments for which there is no legitimate business purpose to the state-owned enterprise in the joint venture itself; as they will be deemed to be illegal benefits to the state-owned enterprise outside the joint venture. In this case, the joint venture becomes a vehicle by which to disguise bribery payments for benefits to those outside the joint venture. 

Any company which operates a JV with foreign governments or state-owned enterprises holds the same FCPA risk as the JV partner itself; the risks become apparent relating to the operation of the joint venture itself. This means that if the joint venture interacts with foreign government officials or employee of a state-owned enterprise and leverages its state-owned enterprise relationships for an improper benefit either contracts and/or regulatory licenses, permits or customs approvals; it could well be subject to FCPA scrutiny. Unfortunately, it is often difficult to regulate a JVs interactions with foreign government officials, particularly when your partner is a state-owned enterprise, or where your company is relying on the local company for its local contacts and expertise for business development and/or regulatory knowledge and experience in the country where the JV operates. 

The bottom line is JVs present a unique set of FCPA risks for the compliance practitioner. You will need to incorporate risk manage techniques in all phases of the JV relations; pre-formation, the JV agreement and in operations after the JV has begun operation. The compliance obligations and compliance process are ongoing. 

Three Key Takeaways

  1. Joint Ventures present unique FCPA risks.
  2. Control is only one issue a compliance practitioner must consider in evaluating joint venture risks.
  3. Companies continue to have significant FCPA risks from joint ventures. 

This month’s podcast series is sponsored by Michael Volkov and The Volkov Law Group.  The Volkov Law Group is a premier law firm specializing in corporate ethics and compliance, internal investigations and white collar defense.  For more information and to discuss practical solutions to compliance and enforcement issues, email Michael Volkov at mvolkov@volkovlaw.com or check out www.volkovlaw.com.

Oct 16, 2017

In this episode, I visit with Doreen Edelman, a partner at Baker Donaldson on the top FCPA enforcement action of 2017, the Telia Company matter. We discuss the background facts of the case; we explore the amount of the fines and penalties, were they too high or were they too low; we consider the involvement of senior management right up to the CEO and the Board’s role; we explore the multiple lessons for the compliance professional, the CCO, senior management and the Board of Directors. We conclude with what the enforcement action means going forward and the increase in international enforcement, cooperation and investigation in anti-corruption. 

Doreen Edelman can be reached at dedelman@bakerdonelson.com.

 Doreen blogs at Export Control Matters.

Oct 13, 2017

One of my favorite words in the context of Foreign Corrupt Practices Act (FCPA) enforcement is dis-link. It a useful adjective in explaining how certain conduct by a company must be separated from the winning of business and more broadly it works on many different levels when discussing the FCPA. This concept of dis-linking was most prominently laid out in Opinion Release 14-02 (14-02). It provided one of the most concrete statements from the DOJ on the unidimensional nature of compliance in the mergers and acquisition context; both in the pre-acquisition and post-acquisition phases.

In this Opinion Release the Requestor was a multinational company headquartered in the United States. The Requestor desired to acquire a foreign consumer products company and its wholly owned subsidiary (collectively, the “Target”), both of which were incorporated and operated in an un-named foreign country. It never issued securities in the United States and had negligible business contacts in the US, including no direct sale or distribution of their products. During its pre-acquisition, due diligence of the Target, Requestor identified several likely improper payments by the Target to government officials of Foreign Country, as well as substantial weaknesses in accounting and recordkeeping. Considering the bribery and other concerns identified in the due diligence process, Requestor also detailed a plan for remedial pre-acquisition measures and post-acquisition integration steps. Requestor sought from the DOJ an Opinion as to whether the Department would then bring an FCPA enforcement action against Requestor for the Target’s pre-acquisition conduct. It was specifically noted that the Requestor did not seek an Opinion from the Department as to Requestor’s criminal liability for any post-acquisition conduct by the Target. 

Pre-Acquisition Due Diligence

In preparing for the acquisition, Requestor undertook extensive due diligence aimed at identifying, among other things, potential legal and compliance concerns at the Target. Requestor retained an experienced forensic accounting firm (“the Accounting Firm”) to carry out the due diligence review. This review brought to light evidence of apparent improper payments, as well as substantial accounting weaknesses and poor recordkeeping. The Accounting Firm reviewed approximately 1,300 transactions with a total value of approximately $12.9 million with over $100,000 in transactions that raised compliance issues. The clear majority of these transactions involved payments to government officials related to obtaining permits and licenses. Other transactions involved gifts and cash donations to government officials, charitable contributions and sponsorships, and payments to members of the state-controlled media to minimize negative publicity. None of the payments, gifts, donations, contributions, or sponsorships occurred in the US, none were made by or through a US entity and none went through a US bank.

The due diligence showed that the Target had significant recordkeeping deficiencies. Further, the records which did exist did not support the clear majority of the cash payments and gifts to government officials and the charitable contributions. There were expenses that were improperly and inaccurately classified. The accounting records were so disorganized that the Accounting Firm was unable to physically locate or identify many of the underlying records for the transactions. Finally, the Target had not developed or implemented a written code of conduct or other compliance policies and procedures, nor did the Target’s employees show an adequate understanding or awareness of anti-bribery laws and regulations.

Post-Acquisition Remediation

The Requestor presented several pre-closing steps to begin to remediate the Target’s weaknesses prior to the planned closing in 2015. Requestor aimed to complete the full integration of the Target into Requestor’s compliance and reporting structure within one year of the closing. Requestor presented an integration schedule of the Target into the acquirer which included various risk mitigation steps, communications and training on compliance procedures and policies, standardization of business relationships with third parties, and formalization of the Target’s accounting and recordkeeping in accordance with Requestor’s policies and applicable law.

DOJ Analysis

The DOJ noted black-letter letter when it stated, ““It is a basic principle of corporate law that a company assumes certain liabilities when merging with or acquiring another company. In a situation such as this, where a purchaser acquires the stock of a seller and integrates the target into its operations, successor liability may be conferred upon the purchaser for the acquired entity’s pre-existing criminal and civil liabilities, including, for example, for FCPA violations of the target. However, this is tempered by the following from the 2012 FCPA Guidance, “Successor liability does not, however, create liability where none existed before. For example, if an issuer were to acquire a foreign company that was not previously subject to the FCPA’s jurisdiction, the mere acquisition of that foreign company would not retroactively create FCPA liability for the acquiring issuer.””

As none of the payments were made in the US, none went through the US banking system and none involved a US person or entity that this would not lead to a creation of liability for the acquiring company. Moreover, there would be no continuing or ongoing illegal conduct going forward because “no contracts or other assets were determined to have been acquired through bribery that would remain in operation and from which Requestor would derive financial benefit following the acquisition.” Therefore, there would be no jurisdiction under the FCPA to prosecute any person or entity involved after the acquisition.

The DOJ also provided this additional information, “the Department encourages companies engaging in mergers and acquisitions to (1) conduct thorough risk-based FCPA and anti-corruption due diligence; (2) implement the acquiring company’s code of conduct and anti-corruption policies as quickly as practicable; (3) conduct FCPA and other relevant training for the acquired entity’s directors and employees, as well as third-party agents and partners; (4) conduct an FCPA-specific audit of the acquired entity as quickly as practicable; and (5) disclose to the Department any corrupt payments discovered during the due diligence process. See FCPA Guide at 29. Adherence to these elements by Requestor may, among several other factors, determine whether and how the Department would seek to impose post-acquisition successor liability in case of a putative violation.”

Discussion

The DOJ communicated several important messages through 14-02. First it demolished the myths of springing liability to an acquiring company in the FCPA context and buying a FCPA violation, simply through an acquisition; there must be continuing illegal conduct for FCPA liability to arise. Most clearly beginning with the 2012 FCPA Guidance, the DOJ and SEC have communicated what companies need to do in any M&A environment. While many compliance practitioners had only focused on the post-acquisition integration and remediation; the clear import of 14-02 is to re-emphasize the importance of the pre-acquisition phase.

Due diligence must begin in the pre-acquisition phase. The steps taken by the Requestor in this Opinion Release demonstrate some of the techniques you can use in the pre-acquisition phase include (1) having your internal or external legal, accounting, and compliance departments review a target’s sales and financial data, its customer contracts, and its third-party and distributor agreements; (2) performing a risk-based analysis of a target’s customer base; (3) performing an audit of selected transactions engaged in by the target; and (4) engaging in discussions with the target’s general counsel, vice president of sales, and head of internal audit regarding all corruption risks, compliance efforts, and any other major corruption-related issues that have surfaced at the target over the past ten years.

Whether you can make these inquiries or not, you will also need to engage in post-acquisition integration and remediation. 14-02, taken together with the steps laid out in the 2012 Guidance, has provided the post-acquisition actions a compliance professions needs to take after the transaction is closed. If you cannot perform any or even an adequate pre-acquisition due diligence, the time frames you put in place after the acquisition closes will need to be compressed to make sure that you are not continuing any nefarious FCPA conduct going forward.

But it all goes back to dis-linking. If a target is engaging in conduct that violates the FCPA but the target itself is not subject to the jurisdiction of the FCPA, you simply cannot afford to allow that conduct to continue. If you do allow such conduct to continue your company will be actively engaging and participating in an ongoing FCPA violation. That is the final takeaway from this Opinion Release; it is allowing corruption and bribery to continue which brings companies into FCPA grief. Opinion Release 14-02 provided you a roadmap of the steps you can take to prevent such exposure.

Three Key Takeaways

  1. In the M&A context, the key is to dis-link any illegal conduct going forward.
  2. Opinion Release 14-02 provides the clearest roadmap for pre-and post-acquisition compliance actions in the M&A context.
  3. Never forget the Opinion Release procedure. It has been used successfully in two important M&A matters (08-02 and 14-02).

This month’s podcast series is sponsored by Michael Volkov and The Volkov Law Group.  The Volkov Law Group is a premier law firm specializing in corporate ethics and compliance, internal investigations and white collar defense.  For more information and to discuss practical solutions to compliance and enforcement issues, email Michael Volkov at mvolkov@volkovlaw.com or check out www.volkovlaw.com.

Oct 12, 2017

In this episode I visit with data and IT security expert Brad Davis, CEO of EverSolve, a company specializing in data security. We discuss the role of the Board of Director's in data and IT security in both oversight and going into the weeds. We consider how the corporate head of IT and security can educate their Board on their role in this burgeoning field. Finally, we consider how a Board should respond when the inevitable IT or security breach occurs.

Check out EverSolve by clicking here

Brad Davis can be reached at bdavis@goeversolve.com

Oct 12, 2017

Your company has just made its largest acquisition ever and your Chief Executive Officer (CEO) says that he wants you to have a compliance post-acquisition integration plan on his desk in one week. Where do you begin? Of course, you think about the 2012 FCPA Guidance but remember that it did not have the time lines established in the recent enforcement actions involving Johnson & Johnson (J&J), Pfizer and Data Systems & Solutions LLC.

While there are time frames listed in these Deferred Prosecution Agreements (DPAs) are a guide of timeframes; many compliance professionals struggle with is how to perform these post-acquisition compliance integrations. An article from the Harvard Business Review, entitled “Two Routes to Resilience”, Clark Gilbert, Matthew Eyring and Richard Foster wrote about business transformation which speak directly to the compliance practitioner to help create post-acquisition integration game plan.

The authors, reviewed the situation where an entity must transform itself, leading to a transformation the authors call “establishing a ‘capabilities exchange’- a new organizational process that allows the two efforts to share resources without interfering with each other’s operations.” That is what a compliance practitioner must accomplish through a post-acquisition integration in the compliance context.

Anyone who has gone through a large merger or acquisition knows how terrifying it can be for the individual employee. Many people, particularly at the acquired company will be fearful of losing their jobs. This fear, mis-placed or well-founded, can lead to many difficulties in the integration process. The creation of a Compliance Capabilities Exchange process which allows “the two organizations to live together and share strengths” and will coordinate “the two transformational efforts so that each gets what it needs and is protected from [unwanted] interference by the other.” There are five steps in this process.

  1. Establish Compliance Leadership. While this may be the “simplest step but also the one most open to abuse.” The process should be run by just a few top people, which I believe are the Chief Executive Officer, Chief Financial Officer and Chief Compliance Officer of the acquiring company and a similar counter-part from the acquired company.
  2. Identify the compliance resources the two organizations can or need to share. Hopefully the acquiring organization will have some idea of the state of the compliance program before the deal is closed. It may be that there is some or all of a minimum best practices compliance program in place. If so, attention needs to turn to what can continue and how will need to be integrated.
  3. Create Compliance Capability Exchange Teams. In many “synergy efforts, everyone is expected to think about ways resources might be shared.” In Compliance Capability Exchanges, the responsibility should be “carefully confined to a series of teams.” Senior leadership should create compliance teams by assigning a small number of people from both entities with the responsibility of allocating resources used in the integration project.
  4. Protect Boundaries. This one is tricky as employees from the former target may not want to move forward with the integration; for fear of losing their jobs or some other reason. There may be internal disputes as to which group may handle an issue going forward. This area is tricky because it is important not to alienate new employees who might have good ideas on the integration or how to move forward. Once again, the Leadership Team must step in and referee disputes decisively if required.
  5. Scale up and promote the new compliance program. It is important to celebrate and promote the new entity to both the acquiring company, others in the company and even external stakeholders. It is important that markets and others in the same or similar industry see this evolution and growth. Take the time to publicize the integrated compliance function with the internal customer; IE., company employees. This would include all other compliance stakeholders, including third party representatives, both on the sales and supply chain side of the house and even customers. Finally, be sure to inform your management, Board of Directors and regulators, such as the Department of Justice (DOJ), as appropriate.

Whatever compendium of steps you utilize for post-acquisition integration, they should be taken as soon as practicable.  The earlier you can deploy these steps the better off your company will be at the end of the day. In an Ernst & Young white paper, entitled “Increased Oversight of M&A: An Expanding Role for Audit Committees”, it stated “Failed M&A can destroy a company's market value, destabilize its financial position and credit ratings, impair its strategic position, weaken the organization and damage the company's reputation”. This is particularly true for failed M&A compliance. One need only consider the Latin Node FCPA enforcement actions where the acquiring company had to write off its entire investment.

Three Key Takeaways

  1. Planning is critical in the post-acquisition phase.
  2. Build upon what you learned in pre-acquisition due diligence.
  3. You literally need to be ready to hit the ground running when a transaction closes. 

This month’s podcast series is sponsored by Michael Volkov and The Volkov Law Group.  The Volkov Law Group is a premier law firm specializing in corporate ethics and compliance, internal investigations and white collar defense.  For more information and to discuss practical solutions to compliance and enforcement issues, email Michael Volkov at mvolkov@volkovlaw.com or check out www.volkovlaw.com.

Oct 11, 2017

Previously many compliance practitioners had based decisions in the M&A context on DOJ Opinion Release 08-02 (08-02), which related to Halliburton’s proposed acquisition of the UK entity, Expro. In 2011, the Johnson & Johnson (J&J) DPA changed the perception of compliance practitioners regarding what is required of a company in the M&A setting related to FCPA due diligence, both pre-and post-acquisition. The 2012 Data Systems & Solutions LLC (DS&S) DPA which brought additional information to the compliance practitioner on what a company can do to protect itself in the context of M&A activity. 

The 2012 FCPA Guidance spoke about the post-acquisition phase of due diligence, noting that is a part of the compliance process for mergers and acquisitions. Both the “DOJ and SEC evaluate whether the acquiring company promptly incorporated the acquired company into all of its internal controls, including its compliance program. Companies should consider training new employees, reevaluating third parties under company standards, and, where appropriate, conducting audits on new business units.” While the 2012 FCPA Guidance discussed mergers and acquisitions in the context of a best practices compliance program it did not specify a time frame for post-acquisition integration. 

Opinion Release 08-02 began as a request from Halliburton to the DOJ from issues that arose in the pre-acquisition due diligence of the target company Expro. Halliburton had submitted a request to the DOJ specifically posing these three questions: (1) whether the proposed acquisition transaction itself would violate the FCPA; (2) whether, through the proposed acquisition of Target, Halliburton would “inherit” any FCPA liabilities of Target for pre-acquisition unlawful conduct; and (3) whether Halliburton would be held criminally liable for any post-acquisition unlawful conduct by Target prior to Halliburton's completion of its FCPA and anti-corruption due diligence, where such conduct is identified and disclosed to the Department within 180 days of closing.

Halliburton Opinion Release

Halliburton committed to the following conditions in 08-02, if it was the successful bidder in the acquisition:

Within ten business days of the closing. Halliburton would present to the DOJ a comprehensive, risk-based FCPA and anti-corruption due diligence work plan which would address, among other things, the use of agents and other third parties; commercial dealings with state-owned customers; any joint venture, teaming or consortium arrangements; customs and immigration matters; tax matters; and any government licenses and permits. The Halliburton work plan committed to organizing the due diligence effort into high risk, medium risk, and lowest risk 

Within 90 days of Closing. Halliburton would report to the DOJ the results of its high risk due diligence.

Within 120 days of Closing. Halliburton would report to the DOJ the results to date of its medium risk due diligence.

Within 180 days of Closing. Halliburton would report to the DOJ the results to date of its lowest risk due diligence.

Within One Year of Closing. Halliburton committed full remediation of any issues which it discovered within one year of the closing of the transaction. 

Many lawyers were heard to exclaim, “What an order, we cannot go through with it.” However, we advised our clients not to be discouraged because 08-02 laid out a clear road map for dealing with some of the difficulties inherent in conducting sufficient pre-acquisition due diligence in the FCPA context. Indeed, the DOJ concluded 08-02 by noting, “Assuming that Halliburton, in the judgment of the Department, satisfactorily implements the post-closing plan and remediation detailed above… the Department does not presently intend to take any enforcement action against Halliburton.” 

Johnson & Johnson (J&J) Deferred Prosecution Agreement

In Attachment D of the J&J DPA, entitled “Enhanced Compliance Obligations”, there is a list of compliance obligations in which J&J agreed to undertake certain enhanced compliance obligations for at least the duration of its DPA beyond the minimum best practices also set out in the J&J DPA. Regarding the M&A context, J&J agreed to the following: 

J&J will ensure that new business entities are only acquired after thorough FCPA and anti-corruption due diligence by legal, accounting, and compliance personnel. Where such anti-corruption due diligence is not practicable prior to acquisition of a new business for reasons beyond J&J’s control, or due to any applicable law, rule, or regulation, J&J will conduct FCPA and anti-corruption due diligence subsequent to the acquisition and report to the Department any corrupt payments, falsified books and records, or inadequate internal controls as required by … the Deferred Prosecution Agreement.

J&J will ensure that J&J’s policies and procedures regarding the anti-corruption laws and regulations apply as quickly as is practicable, but in any event no less than one year post-closing, to newly-acquired businesses, and will promptly, for those operating companies that are determined not to pose corruption risk, J&J will conduct periodic FCPA Audits, or will incorporate FCPA components into financial audits.

Train directors, officers, employees, agents, consultants, representatives, distributors, joint venture partners, and relevant employees thereof, who present corruption risk to J&J, on the anticorruption laws and regulations and J&J’s related policies and procedures; and

Conduct an FCPA-specific audit of all newly acquired businesses within 18 months of acquisition. 

These enhanced obligations agreed to by J&J in the M&A context were less time sensitive than those agreed to by Halliburton in 08-02. In the J&J DPA, the company agreed to the following time frames:

18 Month - conduct a full FCPA audit of the acquired company. 

12 Month - introduce full anti-corruption compliance policies and procedures into the acquired company and train those persons and business representatives which “present corruption risk to J&J.” 

Data Systems & Solutions LLC (DS&S) Deferred Prosecution Agreement 

In the DS&S DPA there were two new items listed in the Corporate Compliance Program, attached as Schedule C to the DPA, rather than the standard 13 items we have seen in every DPA since at least November 2010. The new additions were found on items 13 & 14 on page C-6 of Schedule C and deal with mergers and acquisitions. They read in full: 

DS&S will develop and implement policies and procedures for mergers and acquisitions requiring that DS&S conduct appropriate risk-based due diligence on potential new business entities, including appropriate FCPA and anti-corruption due diligence by legal, accounting, and compliance personnel. If DS&S discovers any corrupt payments or inadequate internal controls as part of its due diligence of newly acquired entities or entities merged with DS&S, it shall report such conduct to the Department as required in Appendix B of this Agreement.

DS&S will ensure that DS&S's policies and procedures regarding the anticorruption laws apply as quickly as is practicable to newly acquired businesses or entities merged with DS&S and will promptly:

Train directors, officers, employees, agents, consultants, representatives, distributors, joint venture partners, and relevant employees thereof, who present corruption risk to DS&S, on the anti-corruption laws and DS&S's policies and procedures regarding anticorruption laws.

Conduct an FCPA-specific audit of all newly acquired or merged businesses as quickly as practicable. 

This language draws from and builds upon the prior Opinion Release 08-02 regarding Halliburton’s request for guidance and the J&J “Enhanced Compliance Obligations” incorporated into its DPA. While the DS&S DPA does note that it is specifically tailored as a solution to DS&S’s FCPA compliance issues, I believe that this is the type of guidance that a compliance practitioner can rely upon when advising his or her clients on what the DOJ expects during M&A activities. 

FCPA M&A Box Score Summary

Time Frames

Halliburton 08-02

J&J

DS&S

FCPA Audit

1.     High Risk Agents - 90 days

2.     Medium Risk Agents - 120 Days

3.     Low Risk Agents - 180 days

18 months to conduct full FCPA audit

As soon “as practicable

Implement FCPA Compliance Program

Immediately upon closing

12 months

As soon “as practicable

Training on FCPA Compliance Program

60 days to complete training for high risk employees, 90 days for all others

12 months to complete training

As soon “as practicable

The Guidance, coupled with the 08-02 and the two enforcement actions, speak to the importance that the DOJ puts on M&A in the FCPA context. The time frames for post-acquisition integration are quite tight. This means that you should do as much work as you can in the pre-acquisition stage. The DOJ makes clear that rigor is needed throughout your entire compliance program, including M&A. This rigor should be viewed as something more than just complying with the FCPA; it should be viewed as just making good business sense. 

Three Key Takeaways

  1. The Halliburton Opinion Release put some very tight dates into the post-acquisition due diligence and evaluation process.
  2. J&J and DSS added some specific post-acquisition requirements.
  3. The time deadlines require you to hit the ground running post-closing. 

This month’s podcast series is sponsored by Michael Volkov and The Volkov Law Group.  The Volkov Law Group is a premier law firm specializing in corporate ethics and compliance, internal investigations and white collar defense.  For more information and to discuss practical solutions to compliance and enforcement issues, email Michael Volkov at mvolkov@volkovlaw.com or check out www.volkovlaw.com.

Oct 11, 2017

In this episode Matt Kelly and I discuss the Treasury Department’s recently released A Financial System That Creates Economic Opportunities-Capital Markets report. The report has multiple proposals, including multiple ideas about rolling back Sarbanes-Oxley compliance, especially for smaller public companies. In this podcast, we discuss the three most significant ones for the compliance practitioner.

  1. Exempt more companies from audits of internal financial control. Companies with market cap below $75 million are currently exempt from the SOX 404(b) requirement that an annual outside audit of internal control over financial reporting. The Trump Administration proposes raising that exemption ceiling to $250 million in market cap.
  2. Doubling the lifespan of Emerging Growth Companies. Congress created a new class of public filers in 2012, “emerging growth companies,” that are exempt from numerous corporate governance and compliance rules for the first five years of their lives; to 10 years.
  3. Ending “social disclosure rules” required under the Dodd-Frank Act. The Dodd-Frank Act imposed several required disclosures such as the Conflict Minerals Rule, the CEO Pay Ratio Rule, and the Mine Safety Rule.

For more on this subject, see Matt’s blog post Treasury Report Eyes SOX Compliance

Oct 10, 2017

Today I want to look at what you should do with the information that you obtain in your pre-acquisition compliance due diligence. Jay Martin, Chief Compliance Officer (CCO) at BakerHughes, a GE company. suggests an approach that reviews key risk factors to move forward. Martin has laid out 15 key risk factors of targets under a FCPA analysis, which he believes should prompt a purchaser to conduct extra careful, heightened due diligence or even reconsider moving forward with an acquisition under extreme circumstances.

  1. A presence in a high risk country, for example, a country with a Transparency International CPI rating of 5 or less;
  2. Participation in an industry that has been the subject of recent anti-bribery or FCPA investigations, for example, in the oil and energy, telecommunications, or pharmaceuticals sectors;
  3. Significant use of third-party agents, for example, sales representatives, consultants, distributors, subcontractors, or logistics personnel (customs, visas, freight forwarders, etc.)
  4. Significant contracts with a foreign government, state-owned or state-controlled entities;
  5. Substantial revenue from a foreign government, state-owned or state-controlled entity;
  6. Substantial projected revenue growth in the foreign country;
  7. High amount or frequency of claimed discounts, rebates, or refunds in the foreign country;
  8. A substantial system of regulatory approval, for example, for licenses and permits, in the country;
  9. A history of prior government corruption investigations or prosecutions;
  10. Poor or no anti-bribery or FCPA training;
  11. A weak corporate compliance program and culture, from legal, sales and finance perspectives at the parent level or in foreign country operations;
  12. Significant issues in past compliance audits, for example, excessive undocumented entertainment of government officials;
  13. The degree of competition in the foreign country;
  14. Weak internal controls at the parent or in foreign country operations; and
  15. In-country managers who appear indifferent or uncommitted to U.S. laws, the FCPA, and/or anti-bribery laws. 

In evaluating answers to the above inquiries or those you might develop on your own, you may also wish to consider some type of risk rating for the responses, to better determine is the amount of risk that your company is willing to accept to do so you will need to both assess risk and subsequently evaluate that risk. Risks should initially be identified and then plotted on a heat map to determine their priority. The most significant risks with the greatest likelihood of occurring are deemed the priority risks, which become the focus of the post-acquisition remediation plan going forward. A risk-rating guide similar to the following can be used.

LIKELIHOOD

Likelihood Rating

Assessment

Evaluation Criteria

1

Almost Certain

High likely, this event is expected to occur

2

Likely

Strong possibility that an event will occur and there is sufficient historical incidence to support it

3

Possible

Event may occur at some point, typically there is a history to support it

4

Unlikely

Not expected but there’s a slight possibility that it may occur

5

Rare

Highly unlikely, but may occur in unique circumstances

‘Likelihood’ factors to consider: The existence of compliance internal controls, written policies and procedures designed to mitigate risk, leadership capable to recognize and prevent a compliance breakdown; Compliance failures or near misses; and/or Training and awareness programs. Product of ‘likelihood’ and significance ratings reflects the significance of a particular risk universe. It is not a measure of compliance effectiveness or to compare efforts, controls or programs against peer groups.

The key to such an approach is the action steps prescribed by their analysis. This is another way of saying that the pre-acquisition risk assessment informs the post-acquisition remedial actions to the target’s compliance program. This is the method set forth in the 2012 FCPA Guidance. I believe that the DOJ wants to see a reasoned approach with regards to the actions a company takes in the mergers and acquisitions arena. The model is a reasoned approach and can provide the articulation needed to explain which steps were taken.

It is also important that after the due diligence is completed, and if the transaction moves forward, the acquiring company should attempt to protect itself through the most robust contract provisions that it can obtain, these would include indemnification against possible FCPA violations, including both payment of all investigative costs and any assessed penalties. An acquiring company should also include repsentations and warranties in the final sales agreement for the entire target company that its participation in transactions is permitted under the local law where the transaction took place; that there is an absence of government owners in company; and that the target company has made no corrupt payments to foreign officials. Lastly, there must be a representation that all the books and records presented to the acquiring company for review were complete and accurate.

To emphasize all of the above, the DOJ stated in the Pfizer Deferred Prosecution Agreement (DPA), in the mergers and acquisition context, that a company is to ensure that, when practicable and appropriate on the basis of a FCPA risk assessment, new business entities are only acquired after thorough risk-based FCPA and anti-corruption due diligence is conducted by a suitable combination of legal, accounting, and compliance personnel. When such anti-corruption due diligence is appropriate but not practicable prior to acquisition for reasons beyond a company’s control, or due to any applicable law, rule, or regulation, an acquiring company should continue to conduct anti-corruption due diligence subsequent to the acquisition and report to the DOJ any corrupt payments or falsified books and records.

Three Key Takeaways

  1. Create a list of key risk factors in your protocol.
  2. Create a forced risk ranking, but remember it is simply that, a forced risk ranking.
  3. Your pre-acquisition team should include a suitable combination of legal, accounting, and compliance personnel.

 

This month’s podcast series is sponsored by Michael Volkov and The Volkov Law Group.  The Volkov Law Group is a premier law firm specializing in corporate ethics and compliance, internal investigations and white collar defense.  For more information and to discuss practical solutions to compliance and enforcement issues, email Michael Volkov at mvolkov@volkovlaw.com or check out www.volkovlaw.com.

Oct 10, 2017

Welcome to Episode 3 of Compliance Man Goes Global podcast of FCPA Compliance Report - International Edition. As always, I am joined by Timur Khasanov-Batirov, a practitioner who focuses on embedding compliance programs at high-risk markets.

In this Episode, we will focus on organizational challenges, which сcompliance practitioner faces in the process of implementing corporate compliance program. To make the podcast handy and more appealing we attach respective illustration from Timur’s Compliance Man illustrated series which is posted with this podcast.

In each podcast, we take two typical concepts or probably misconceptions (conventional wisdom n Texan parlance) from in-house compliance perspective. We check out if these concepts work in emerging markets and jurisdictions. For each podcast, we divide the roles. One of us advocates the particular concept identifying pros. The second will provide arguments finding cons and trying to convince audience that that we face a pure myth. As a result, we hopefully will be able to come up with some practical solutions for in-house compliance practitioners can use in their company going forward. We tackle the following myths:

Corporate Concept #1. On practice compliance program is something, which is needed solely to compliance folks. Nobody else in corporation really cares

Corporate Concept #2- “In-house compliance team never possess sufficient resources

Oct 9, 2017

The compliance component of your mergers and acquisition regime should begin with a preliminary pre-acquisition assessment of risk. Such an early assessment will inform the transaction research and evaluation phases. This could include an objective view of the risks faced and the level of risk exposure, such as best/worst case scenarios. A pre-acquisition risk assessment could also be used as a “lens through which to view the feasibility of the business strategy” and help to value the potential target.

The next step is to develop the risk assessment as a base document. From this document, you should be able to prepare a focused series of queries and requests to be obtained from the target company. Thereafter, company management can use this pre-acquisition risk assessment to attain what might be required in the way of integration, post-acquisition. It would also help to inform how the corporate and business functions may be affected. It should also assist in planning for timing and anticipation of the overall expenses involved in post-acquisition integration. These costs are not insignificant and they should be thoroughly evaluated in the decision-making calculus.

Next is a five-step process on how to plan and execute a strategy to perform pre-acquisition due diligence in the M&A context.

  1. Establish a point of contact. Here you need to determine one point of contact that you can liaise with throughout the process. Typically, this would be the target’s Chief Compliance Officer (CCO) if the company is large enough to have full time position.
  2. Collect relevant documents. Obtain a detailed list of sales going back 3-5 years, broken out by country and, if possible, obtain a further breakdown by product and/or services; all Joint Venture (JV) contracts, due diligence on JVs and other third party business partners; the travel and entertainment records of the acquisition target company’s top sales personnel in high risk countries; internal audit reports and other relevant documents. You do not need to investigate de minimis sales amounts but focus your compliance due diligence inquiry on high sales volumes in high-risk countries. If the acquisition target company uses a sales model of third parties, obtain a complete list. It should be broken out by country and amount of commission paid. Review all underlying due diligence on these foreign business representatives, their contracts and how they were managed after the contract was executed; your focus should be on large commissions in high risk countries.
  3. Review the compliance and ethics mission and goals. Here you need to review the Code of Conduct or other foundational documents a target has to gain some insight into what they publicly espouse.
  4. Review the seven elements of an effective compliance program as listed below: 
  1. Oversight and operational structure of the compliance program. Here you should assess the role of board, CCO and if there is one, the compliance committee. Regarding the CCO, you need to look at their reporting and access - is it independent within the overall structure of the company? Also, what are the resources dedicated to the compliance program including a review of personnel, the budget and overall resources? Review high-risk geographic areas where your company and the acquisition target company do business. If there is overlap, seek out your own sales and operational people and ask them what compliance issues are prevalent in those geographic areas. If there are compliance issues that your company faces, then the target probably faces them as well.
  2. Policies/Procedures, Code of Conduct. In this analysis you should identify industry practices and legal standards that may exist for the target company. You need to review how the compliance policies and procedures were developed and determine the review cycles, if any. Lastly, you need to know how everything is distributed and what the enforcement mechanisms for compliance policies are. Additionally you need to validate, with Human Resources (HR), if there have been terminations or disciplines relating to compliance.
  3. Education, training and communication. Here you need to review the compliance training process, as it exists in the company, both the formal and the informal. You should ask questions, such as “What are the plans and schedules for compliance training?” Next determine if the training material itself is fit for its intended purpose, including both internal and external training for third parties. You should also evaluate the training delivery channels, for example is the compliance training delivered live, online, or through video? Finally, assess whether the company has updated their training based on changing of laws. You will need to interview the acquisition target company personnel responsible for its compliance program to garner a full understanding of how they view their program. Some of the discussions that you may wish to engage in include visiting with the target company’s General Counsel (GC), its Vice President (VP) of sales and head of internal audit regarding all corruption risks. You should also delve into the target’s compliance efforts, and any other corruption-related issues that may have surfaced.
  4. Monitoring and auditing. Under this section you need to review both the internal audit plan and methodology used regarding any compliance audits. A couple of key points are (1) is it consistent over a period of time and (2) what is the audit frequency? You should also try and judge whether the audit is truly independent or if there was manipulation by the business unit(s). You will need to review the travel and entertainment records of the acquisition target company’s top sales personnel in high-risk countries. You should retain a forensic auditing firm to assist you with this effort. Use the resources of your own company personnel to find out what is reasonable for travel and entertainment in the same high-risk countries which your company does business.
  5. Reporting. What is the company’s system for reporting violations or allegations of violations? Is the reporting system anonymous? From there you need to  turn to who does the investigations to determine how are they conducted? A key here, as well as something to keep in mind throughout the process, is the adequacy of record keeping by the target.
  6. Response to detected violations. This review is to determine management’s response to detected violations. What is the remediation that has occurred and what corrective action has been taken to prevent future, similar violations? Has there been any internal enforcement and discipline of compliance policies if there were violations? Lastly, what are the disclosure procedures to let the relevant regulatory or other authorities know about any violations and the responses thereto? Further, you may be required to self-disclose any FCPA violations that you discover. There may be other reporting issues in the M&A context such as any statutory obligations to disclose violations of any anti-bribery or anti-corruption laws in the jurisdiction(s) in question; what effect will disclosure have on the target’s value or the purchase price that your company is willing to offer?
  7. Enforcement Practices/Disciplinary Actions. Under this analysis, you need to see if there was any discipline delivered up to and including termination. If remedial measures were put in place, how were they distributed throughout the company and were they understood by employees?

5. Periodically evaluate the M&A review procedures’ effectiveness benchmarked against any legal proceedings, anti-corruption enforcement actions, Opinion Releases or other relevant information. 

Mike Volkov has noted there are multiple red flags which could be raised in this process, which would warrant further investigation. They include if the target has ineffective compliance program elements in their compliance program or if there were frequent breach of policies and procedures. Obviously, a target which is in financial difficulty would bear closer scrutiny. Structurally, if the company did not have a formal ethics and compliance committee at the senior management or Board of Directors level, this could present issues. From the CCO perspective, if the position did not have Board access, CEO access or if there were not regular reports to the Board, it could present an issue for compliance. Conversely if there were frequent requests to waive policies, management over-ride of compliance controls or no consistent consequence management for violations; it could present clear red flags for further investigation.

Three Key Takeaways

  1. The results of your pre-acquisition due diligence will inform your post-acquisition integration and remediation going forward.
  2. Periodically review your M&A due diligence protocol.
  3. If red flags appear in pre-acquisition due diligence, they should be cleared. 

This month’s podcast series is sponsored by Michael Volkov and The Volkov Law Group.  The Volkov Law Group is a premier law firm specializing in corporate ethics and compliance, internal investigations and white collar defense.  For more information and to discuss practical solutions to compliance and enforcement issues, email Michael Volkov at mvolkov@volkovlaw.com or check out www.volkovlaw.com.

Oct 9, 2017

In this episode, I have back James Koukios, a partner in the law firm of Morrison and Foerster. We review some of the top FCPA and international anti-corruption cases and issues which have occurred over the summer of 2017. The topics are based on the firm’s most excellent monthly newsletter Top Ten International Developments for Anti-Corruption, which is available at no charge on the firm’s website. In this podcast, we discuss topics from the following newsletters: 

From the June newsletter 

  1. The Supreme Court decision in Kokesh-what does it mean for prosecutors, what does it mean for compliance practitioners and does it change the calculus around self-disclosure?
  2. DOJ Continues to Pursue “Declinations with Disgorgement.” What does this mean for companies going forward? Should it encourage or discourage self-disclosure?
  3. DOJ Files Forfeiture Complaint in connection with Alleged Malaysia Bribery Scheme. How does this tool relate to anti-corruption enforcement? Why is it such a powerful tool for prosecutors?

From the July newsletter

  1. The Halliburton FCPA enforcement action. What does it mean for the compliance practitioner?
  2. Three Long-Standing Corporate FCPA Investigations End without Charges. What can be learned from these cases about enforcement going forward?
  3. Dimitri Harder was sentenced to Five Years’ Imprisonment for FCPA Violations. What was the basis of the sentence? Do you see anything in this sentencing unusual?
  4. Was the Second Circuit decision in the FOREX trading case a setback for International Law Enforcement Cooperation? What is compelled testimony? What are the implications for international cooperation going forward? 

From the August newsletter

  1. Following Undercover Investigation, DOJ Charges Retired U.S. Army Colonel with Conspiring to Bribe Haitian Officials. How do undercover operations work in the FCPA and what they might mean going forward?
  2. UK Financial Reporting Council Announces Plans to Require Increased Anti-Corruption and Bribery Disclosures. What does this mean for US companies doing business in the UK?

Check out the firm’s newsletter or better yet subscribe to it.

Oct 6, 2017

Jay and I return for a wide-ranging discussion on some of the top compliance and ethics related stories, including: 

  1. Roy Shell considers whether compliance officers should be liked or respected. See his article on the SCCE Compliance and Ethics Blog.
  2. What is the intersection of sports, corruption and compliance? Jaclyn Jaeger explores in Compliance Week.
  3. The Alere FCPA enforcement action emphasized the convergence of rev rec and corruption. Richard Bistrong considers in the FCPA Blog.
  4. Bill Coffin asks who will be the next compliance hero, see his article in Compliance Week.
  5. Ireland requested a review by the European Court of Justice of the legality of contracts governing data transfers between Europe and the U.S. Ben DiPietro reports in the WSJ Risk and Compliance Report. Jonathan Armstrong reports from the UK perspective on the Cordery Compliance website.
  6. More chaos from the Trump Administration as Secretary of HHS Tom Price resigns. Matt Kelly reports on the ethical considerations in Radical Compliance.
  7. Proving once again that he is not a mere mortal, Jose Altuve hits 3 home runs in the first division playoff game, which the Astros win 8-2. He becomes only the 9th player in MLB history to do so. Stephanie Apstein reports in SI.com.
  8. Join Tom’s monthly podcast series on One Month to a More Effective Compliance Program. In October, I consider compliance with business ventures such as in the M&A context, joint ventures, distributors, channel ops partners, teaming agreements and all other manner of business venture. The second week I continue to take a deep dive in M&A and begin JVs under the FCPA. This month’s sponsor is the Volkov Law Group. It is available on the FCPA Compliance Report, iTunes, Libsyn, YouTube and JDSupra.
  9. Jay and I will be podcasting a live episode of This Week in FCPA from the SCCE 2017 Compliance and Ethics Institute, stay tuned for details on time.
  10. The Everything Compliance gang is back with Episode 19. Check in with the top roundtable podcast in compliance by clicking on Everything Compliance.
  11. Tom premiers an exciting new services offering the Doing Compliance Master Class.
Oct 6, 2017

One of the clearest themes from the 2012 FCPA Guidance was around the importance of your pre-acquisition work in any merger or acquisition on a target company. In the section on Declinations, the 2012 FCPA Guidance provided an example of a company which had received a declination in large part because of its pre-acquisition work, which then served as a basis of its post-acquisition remediation. I find it appropriate to think of the process as a straight line, directly from the pre-acquisition phase through to closing and then to remediation, integration and self-reporting in the post-acquisition phase.

It should all begin with a preliminary pre-acquisition assessment of risk. Such an early assessment will inform the transaction research and evaluation phases. This could include an objective view of the risks faced and the level of risk exposure, such as best/worst case scenarios. A pre-acquisition risk assessment could also be used as a mechanism through which to view the feasibility of the business strategy and help to value the potential target.

The first step is to develop the risk assessment as a base document. From this document, you should be able to prepare a focused series of queries and requests to be obtained from the target company. Thereafter, company management can use this pre-acquisition risk assessment to attain what might be required in the way of integration, post-acquisition. It would also help to inform how the corporate and business functions may be affected. It should also assist in planning for timing and anticipation of the overall expenses involved in post-acquisition integration. These costs are not insignificant and they should be thoroughly evaluated in the decision-making calculus.

One of the difficulties in the pre-acquisition phase is that there is never enough time or resources to do all the assessment and analysis that you might desire. This means that if you do not have the time, resources or support to conduct a worldwide risk assessment, you must take a different approach. You might try assessing other areas through a more limited focused risk assessment. 

Some of the areas that such a pre-acquisition risk assessment could begin with an inquiry into the following areas: 

  • Are the target’s resources adequate to sustain a culture of compliance?
  • How are the compliance risks being addressed in the C-Suite and the Boardroom?
  • What are the compliance risks related to the supply chain?
  • How is risk being examined and due diligence performed at the vendor/agent level? How is such risk being managed?
  • Is the documentation adequate to support the compliance program for regulatory purposes?
  • Is culture, attitude (tone from the top), and knowledge measured?
  • Disciplinary guidelines – Do they exist, have they been publicized at the target and has anyone been terminated or disciplined for a violating policy?
  • Are escalation protocols appropriate? 

There are a variety of materials that you can review from or at a company that can facilitate such a Pre-acquisition Risk Assessment. You can review the target’s policies and written guidelines by reviewing anti-corruption compliance policies, guidelines, and procedures to ensure that compliance programs are tailored to address specific risks such as gifts, hospitality and entertainment, travel, political and charitable donations, and promotional activities. 

You could assess the target’s senior management support for the target’s compliance efforts through interviews of high-level personnel such as the CCO, CFO, General Counsel, Head of Sales, CEO and Board Audit or Compliance Committee members to assess “tone from the top”. You can examine resources dedicated to compliance and also seek to understand the compliance expectations that top management is communicating to its employee base. Finally, you can gauge operational responsibilities for compliance.           

Such a review would lead to the next level of assessment, which is how well does that target communicate about compliance within its organization and to key third-parties such as sales agents. You can do this by assessing compliance policy communication to company personnel but even more so by reviewing such materials as compliance training and certifications of employees and third-parties. You should also take consider statements by senior management of the target regarding compliance, such as actions relating to terminating employees who do business in compliance but do not make their quarterly, semi-annual or annual numbers set in budget projections. 

A key element of any best practices compliance program is internal and anonymous reporting. This means that you need to review mechanisms on reporting suspected compliance violations and then actions taken on any internal reports, including follow-ups to the reporting employees of the target. You should also assess whether those employees who are seeking guidance on compliance for their day-to-day business dealings are receiving not only adequate but timely responses. 

As there is no dispute that third parties represent the highest risk to most companies under the FCPA, as assessment of the target’s third party due diligence program is certainly something that should be a part of any pre-acquisition risk assessment. But more than simply a review of procedures for due diligence on third party intermediaries; there should be an assessment if there has been management of the third-party after the contract is signed. 

Another area for review in any pre-acquisition risk assessment is to consider the target’s employee commitment to its compliance regime. But just as you look at the carrots to achieve compliance, you should also look at the stick, in the form of disciplinary procedures for violations. This means you should see if there have been any disciplinary actions for employee compliance violations and then determine if such discipline has been applied uniformly.   

The pre-acquisition risk assessment can be a critical element in any M&A work for compliance. Use this opportunity to see where the target might stand on compliance. Your risk assessment can evolve as you obtain greater information. Finally use this pre-acquisition risk assessment as a base document to plan, resource and budget for your post-acquisition remediation, integration and reporting. 

Three Key Takeaways

  1. One never has enough time to engage in all the pre-acquisition review you might want to do, so optimize your time and resources.
  2. Consider what you can review to put together a preliminary risk assessment on the target.
  3. As with most compliance initiatives, you are only limited by your imagination so if you are limited in time and scope try something new and different.

 

 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Oct 5, 2017

As a general legal matter, when a company acquires another company, the successor company cannot be liable for the acquired company’s activities prior to acquisition. In FCPA jurisprudence, there is no case law precedent directly on point. However, the DOJ and SEC have commented extensively on “successor liability.” Opinion Release 03-01, from the DOJ first suggested that an acquiring company could be liable for pre-acquisition FCPA violations. In that case, an acquiring company determined a target had engaged in conduct which potentially violated the FCPA. The DOJ opined that if the acquirer halted the illegal conduct, extensively remediated, disciplined the offending officers and employees of the target and continued to provide information and cooperate with the government, the DOJ would not prosecute under the FCPA. 

In addition to 03-01, there are a few FCPA enforcement actions which suggest that if a company makes good faith efforts to conduct due diligence, integrate compliance programs and take extensive remedial actions by and if all that is done on a quick basis, the DOJ will give the acquiring entity strong credit. One of the best examples of this approach was the 2009 purchase by Pfizer of Wyeth. Pfizer could do limited due diligence before the acquisition but because both were massive organizations it was not possible to do complete due diligence prior to acquisition. After the acquisition, but within 180 days, Pfizer had identified much of the wrongdoing at Wyeth and halted it. Pfizer was not held criminally liable for any of the conduct at Wyeth. 

Most of what Pfizer was held responsible for in its DPA was because of a previous acquisition of Pharmacia, which they acquired in 2002 and 2003. At the time of the Pharmacia acquisition, purchasers did not typically conduct pre-acquisition due diligence on acquisition targets. And during the investigation most of the violations of FCPA for which Pfizer was held criminally liable; began prior to the acquisition of Pharmacia. Pfizer was held responsible for the misconduct at Pharmacia both before and afterwards. The Pfizer case is interesting because it shows both the sides of the equation.

In 2008, DOJ Opinion Release No. 08-02 provided additional information for a safe harbor for successor liability based upon a very specific fact scenario. The Opinion Release is known as the “the Halliburton Opinion Release.” In the Halliburton Opinion Release, the DOJ indicated that it would not take enforcement action based on specific circumstances that allowed for limited pre-acquisitions due diligence and aggressive post-acquisition schedule for a risk audit and disclosures to the government. Thereafter in the Johnson and Johnson and DSS DPAs, the DOJ further refined the requirements and time frames to obtain this safe harbor. 

The 2012 FCPA Guidance advanced the information for the compliance professional. It provided the clearest argument for a safe harbor to companies if companies invest reasonable effort in due diligence and post-acquisition compliance; they may well be able to avoid major liability. The DOJ and SEC noted, “in a significant number of instances, DOJ and SEC have declined to take action against companies that voluntarily disclosed and remediated conduct and cooperated with DOJ and SEC in the merger and acquisitions context.” Furthermore, DOJ and SEC provided that “a successor company’s voluntary disclosure, appropriate due diligence, and implementation of an effective compliance program may also decrease the likelihood of an enforcement action regarding an acquired company’s post-acquisition conduct when pre-acquisition due diligence is not possible.” 

The 2012 FCPA Guidance provided literally a roadmap for a Buyer to limit compliance risk in the mergers and acquisition context. It emphasized the importance of pre-acquisition due diligence and post-acquisition integration of compliance programs and internal controls. This type of integrated approach would reduce risk of future bribes and allow the purchaser and target to address potential violation(s) through negotiation of costs and responsibilities for investigation/remediation. Finally, and as with all effective compliance, it will assist the purchaser to accurately value the target company. 

In 2014, the DOJ issued Opinion Procedure Release 14-02 which provided further guidance on successor liability. This release reiterated the DOJ’s willingness to recognize a safe harbor where the acquiring company makes sufficient efforts to conduct due diligence and post-acquisition integration and concluded that acquisition of a company does not create FCPA liability where it did not exist before, such as for jurisdictional reasons. In the Release, the requesting company had acquired a company with significant anti-corruption compliance program deficiencies, including: lack of documentary records to support gifts to government officials or charitable donation, incomplete and inaccurate records for expenses, and lack of written compliance policies and procedures. 

Three Key Takeaways

  1. Opinion Release 03-01 was the first to provide a safe harbor concept in the M&A context.
  2. The Halliburton Opinion Release expanded the safe harbor concept to the situation where a company could not engage in substantive pre-acquisition due diligence.
  3. The 2012 FCPA Guidance brought together the various strands of a safe harbor position.

 

This month’s podcast series is sponsored by Michael Volkov and The Volkov Law Group.  The Volkov Law Group is a premier law firm specializing in corporate ethics and compliance, internal investigations and white collar defense.  For more information and to discuss practical solutions to compliance and enforcement issues, email Michael Volkov at mvolkov@volkovlaw.com or check out www.volkovlaw.com.

Oct 5, 2017

The top compliance roundtable podcast is back with a wealth of new topics.

  1. Matt Kelly opens with a discussion of the Equifax data breach and its implications for the compliance profession.

For Matt Kelly’s posts on the Equifax data breach and cybersecurity, see the following:

Vendor, Cybersecurity Risk, Ugh

Clayton, Congress Talk Cybersecurity

  1. Jonathan Armstrong considers the Uber situation in London where it recently lost it license to do business from the regulator Transportation for London (TfL). He discusses a prior case that he handled which had similar issues.
  2. Jay Rosen considers the massive FBI undercover operation resulting in 10 arrests in college basketball for corruption regarding high school recruits.
  3. Tom Fox sits in for Mike Volkov, who is on assignment this week. He discusses the top FCPA enforcement action of all-time, the recently announced Telia enforcement action.

For Tom Fox’s posts on the Telia enforcement action, see the following:

The Telia FCPA Resolution, Part I - Introduction

The Telia FCPA Enforcement Action: Part II - The Bribery Schemes

The Telia FCPA Enforcement Action: Part III - The Individuals

Telia FCPA Enforcement Action: Part IV - Getting Some Monies Back

Telia FCPA Enforcement Action: Part V-Lessons Learned 

The gang is back with rants which follow the discussions.

The members of the Everything Compliance panel include:

  • Jay Rosen– Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com
  • Mike Volkov – One of the top FCPA commentators and practitioners around and the Chief Executive Officer of The Volkov Law Group, LLC. Volkov can be reached at mvolkov@volkovlawgroup.com.
  • Matt Kelly – Founder and CEO of Radical Compliance, is the former Editor of Compliance Week. Kelly can be reached at mkelly@radicalcompliance.com
  • Jonathan Armstrong – Rounding out the panel is our UK colleague, who is an experienced lawyer with Cordery in London. Armstrong can be reached at armstrong@corderycompliance.com
1 « Previous 2 3 4 5 6 7 8 Next » 20