FCPA Compliance Report

Tom Fox has practiced law in Houston for 30 years and now brings you the FCPA Compliance and Ethics Report. Learn the latest in anti-corruption and anti-bribery compliance and international transaction issues, as well as business solutions to compliance problems.
RSS Feed Subscribe in Apple Podcasts
FCPA Compliance Report





All Episodes
Now displaying: Category: compliance know-how
May 21, 2018

Leadership’s Conduct at the Top 

Under the Evaluation of Corporate Compliance Programs, Prong 2, it states: 

Senior and Middle Management

Conduct at the Top – How have senior leaders, through their words and actions, encouraged or discouraged the type of misconduct in question? What concrete actions have they taken to demonstrate leadership in the company’s compliance and remediation efforts? How does the company monitor its senior leadership’s behavior? How has senior leadership modelled proper behavior to subordinates? 

Moving Compliance Tone Down Through an Organization 

  • Muddle in the middle
  • Tone at the bottom 

The Board and Operationalizing Compliance 

What is the role of a company’s Board of Director as laid out in the Evaluation of Corporate Compliance Programs?In an area of inquiry entitled, “Oversight” the DOJ asked three basic questions. Under Prong 2, Senior and Middle Management, the Evaluation posed three questions directed at the Board, OversightWhat compliance expertise has been available on the board of directors? Have the board of directors and/or external auditors held executive or private sessions with the compliance and control functions? What types of information have the board of directors and senior management examined in their exercise of oversight in the area in which the misconduct occurred?  

  • Compliance Committee on the Board
  • Compliance Expertise on the Board
  • Compliance Oversight by the Board

There are some specific areas of inquiry by a Board of Directors around the compliance. I have adapted 20 questions which reflect the oversight role of directors. These are questions which the Board should ask of both senior management and the Board itself. The questions are not intended to be an exact checklist, but rather a way to provide insight and stimulate discussion on the topic of compliance. The questions provide directors with a basis for critically assessing the answers they get and digging deeper as necessary.

To purchase a copy of The Complete Compliance Handbook on click here

To purchase an autographed copy of The Complete Compliance Handbook from the author click here.


May 21, 2018

The Code of Conduct 

What is the value of having a Code of Conduct? 

“First and foremost, the standards of conduct demonstrate the organization’s overarching ethical attitude and its “system-wide” emphasis on compliance and ethics with all applicable laws and regulations.” They go on to state, “The code is meant for all employees and all representatives of the organization, not just those most actively involved in known compliance and ethics issues. This includes management, vendors, suppliers, and independent contractors, which are frequently overlooked groups.” From the board of directors to volunteers, the authors believe that “everyone must receive, read, understand, and agree to abide by the standards of the Code of Conduct.” 

The substance of your Code of Conduct should be tailored to your company’s culture, and to its industry and corporate identity. It should provide a mechanism by which employees who are trying to do the right thing in the compliance and business ethics arena can do so. The Code of Conduct can be used as a basis for employee review and evaluation. It should certainly be invoked if there is a violation. Your company’s Code of Conduct should emphasize it will comply with all applicable laws and regulations, wherever it does business. The Code needs to be written in plain English and translated into other languages as necessary so that all applicable persons can understand it. 

Policies and Procedures

There are numerous reasons to put some serious work into your compliance policies and procedures. They are certainly a first line of defense when the government comes knocking. The 2012 FCPA Guidance made clear that “Whether a company has policies and procedures that outline responsibilities for compliance within the company, detail proper internal controls, auditing practices, and documentation policies, and set forth disciplinary procedures will also be considered by DOJ and SEC.” 

The Evaluation of Corporate Compliance Programs builds up on the requirements articulated in the 2012 FCPA Guidance. Under Prong 4, Policies and Procedures, there are two parts: Design and Accessibility and Operational Integration. This Part A has the following components. 

Designing Compliance Policies and ProceduresWhat has been the company’s process for designing and implementing new policies and procedures? Who has been involved in the design of policies and procedures? Have business units/divisions been consulted prior to rolling them out? 

 Applicable Policies and ProceduresHas the company had policies and procedures that prohibited the misconduct? How has the company assessed whether these policies and procedures have been effectively implemented? How have the functions that had ownership of these policies and procedures been held accountable for supervisory oversight? The Evaluation then goes on to ask about both accessibility and effectiveness of the compliance policies and procedures by stating, 

The specific written policies and procedures required for a best practicescompliance program are well known and long established. The 2012 FCPA Guidance stated, “Among the risks that a company may need to address include the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments.” Policies help form the basis of expectation for conduct in your company. Procedures are the documents that implement these standards of conduct. 

Internal Controls and Compliance

What specifically are internal controls in a compliance program? Internal controls are not only the foundation of a company but are also the foundation of any effective anti-corruption compliance program. 

The DOJ and SEC, in the 2012 FCPA Guidance, stated, “Internal controls over financial reporting are the processes used by compa­nies to provide reasonable assurances regarding the reliabil­ity of financial reporting and the preparation of financial statements. Moreover, “the design of a company’s internal controls must take into account the operational realities and risks attendant to the company’s business, such as: the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption.” 

This was supplemented in the Evaluation of Corporate Compliance Programs with the following:

ControlsWhat controls failed or were absent that would have detected or prevented the misconduct? Are they there now? 

The whole concept of internal controls is that companies need to focus on where the risks are, whether they be compliance risks or other, and they need to allocate their limited resources to putting controls in place that address those risks, and in the compliance world, of course, your two big risks are the assets or resources of a company. Not just cash but inventory, fixed assets etc., being used to pay a bribe, and then the second big element would be diversion of company assets, such as unauthorized sales discounts or receivables and write offs, which are used to pay a bribe. 

There are four significant controls that I would suggest the compliance practitioner implement initially. They are: (1) Delegation of Authority (DOA); (2) Maintenance of the vendor master file; (3) Contracts with third parties; and (4) Movement of cash / currency.

To purchase a copy of The Complete Compliance Handbook on click here.

To purchase an autographed copy of The Complete Compliance Handbook from the author click here.


May 21, 2018

CCO Authority and Independence 

The role of the Chief Compliance Officer (CCO) has steadily grown in stature and prestige over the years. In the 2012 FCPA Guidance, under Hallmark Three of the 10 Hallmarks of an Effective Compliance Program, the focus was articulated by the title of the Hallmark, Oversight, Autonomy, and Resources. 

The DOJ’s Evaluation of Corporate Compliance Programs, made the following query about the CCO position: Prong3. Autonomy and Resources  

Stature– How has the compliance function compared with other strategic functions in the company in terms of stature, compensation levels, rank/title, reporting line, resources, and access to key decision-makers? What has been the turnover rate for compliance and relevant control function personnel? What role has compliance played in the company’s strategic and operational decisions?  

Autonomy Have the compliance and relevant control functions had direct reporting lines to anyone on the board of directors? How often do they meet with the board of directors? Are members of the senior management present for these meetings? Who reviewed the performance of the compliance function and what was the review process? Who has determined compensation/bonuses/raises/hiring/termination of compliance officers? Do the compliance and relevant control personnel in the field have reporting lines to headquarters? If not, how has the company ensured their independence?  

In the Policy, the DOJ laid out additional factors around CCO authority:  

  1. The quality and experience of the personnel involved in compliance, such that they can understand and identify the transactions and activities that pose a potential risk;
  2. The authority and independence of the compliance function and the availability of compliance expertise to the board;
  3. The compensation and promotion of the personnel involved in compliance, in view of their role, responsibilities, performance, and other appropriate factors; and
  4. The reporting structure of any compliance personnel employed or contracted by the company.  

This new language would seem to signal the death knell for the dual GC/CCO role. 

Compliance Function in an Organization 

Autonomy and Resources 

Compliance Role – Was compliance involved in training and decisions relevant to the misconduct? Did the compliance or relevant control functions (e.g., Legal, Finance, or Audit) ever raise a concern in the area where the misconduct occurred?  

Empowerment – Have there been specific instances where compliance raised concerns or objections in the area in which the wrongdoing occurred? How has the company responded to such compliance concerns? Have there been specific transactions or deals that were stopped, modified, or more closely examined as a result of compliance concerns?  

Funding and Resources – How have decisions been made about the allocation of personnel and resources for the compliance and relevant control functions in light of the company’s risk profile? Have there been times when requests for resources by the compliance and relevant control functions have been denied? If so, how have those decisions been made?  

The Evaluation added one new set of queries based upon the evolution of corporate compliance programs since 2012. 

Funding and Resources 

You will now have to justify your corporate compliance spend. 

You now have to justify your compliance budget request denials. 

To purchase a copy of The Complete Compliance Handbook on click here

To purchase an autographed copy of The Complete Compliance Handbook from the author click here.



May 21, 2018

How to Perform a Risk Assessment 

One cannot really say enough about risk assessments in the context of an anti-corruption programs. Since at least 1999, in the Metcalf & Eddyenforcement action, the DOJ has said that risk assessment which measure the likelihood and severity of possible FCPA violations the manner in which you should direct your resources to manage these risks. The 2012 FCPA Guidance stated it succinctly when it said, “Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.” 

This language was supplemented in the 2017 in both the Evaluation and the new FCPA Corporate Enforcement Policy. Under Prong 4 of the Evaluation, Risk Assessments, the following issues were raised: Risk Management ProcessWhat methodology has the company used to identify, analyze, and address the particular risks it faced?Manifested RisksHow has the company’s risk assessment process accounted for manifested risks?In the FCPA Corporate Enforcement Policy it stated, “The effectiveness of the company’s risk assessment and the manner in which the company’s compliance program has been tailored based on that risk assessment”. 

What Should You Assess? 

  1. Geography-where does your Company do business.
  2. Interaction with types and levels of Governments.
  3. Industrial Sector of Operations.
  4. Involvement with Joint Ventures.
  5. Licenses and Permits in Operations.
  6. Degree of Government Oversight.
  7. Volume and Importance of Goods and Personnel Going Through Customs and Immigration. 

How Do You Evaluate a Risk Assessment? 


Likelihood Rating


Evaluation Criteria


Almost Certain

High likely, this event is expected to occur



Strong possibility that an event will occur and there is sufficient historical incidence to support it



Event may occur at some point, typically there is a history to support it



Not expected but there’s a slight possibility that it may occur



Highly unlikely, but may occur in unique circumstances

 ‘Likelihood’ factors to consider: The existence of controls, written policies and procedures designed to mitigate risk capable of leadership to recognize and prevent a compliance breakdown; Compliance failures or near misses; Training and awareness programs.


Priority Rating


 Evaluation Criteria



Immediate action is required to address the risk, in addition to inclusion in training and education and audit and monitoring plans



Should be proactively monitored and mitigated through inclusion in training and education and audit and monitoring plans









Risks at this level should be monitored but do not necessarily pose any serious threat to the organization at the present time.

Priority Rating: Product of ‘likelihood’ and significance ratings reflects the significance of particular risk universe. It is not a measure of compliance effectiveness or to compare efforts, controls or programs against peer groups. 

At Timken, the most significant risks with the greatest likelihood of occurring are deemed to be the priority risks. These “Severe” risks become the focus of the audit monitoring plan going forward. A variety of tools can be used to continuously monitoring risk going forward.  However, you should not forget the human factor. At Timken, one of the methods used by the compliance group to manage such risk is by providing employees with substantive training to guard against the most significant risks coming to pass and to keep the key messages fresh and top of mind. The company also produces a risk control summary that succinctly documents the nature of the risk and the actions taken to mitigate it.

To purchase a copy of The Complete Compliance Handbook on click here

To purchase an autographed copy of The Complete Compliance Handbook from the author click here.


May 21, 2018

360 Degrees of Compliance Communications 

A 360-degree view of compliance is an effort to incorporate your compliance identity into a holistic approach so that compliance is in touch with and visible to your employees at all times. It is about creating a distinctive brand philosophy of compliance which is centered on your consumers. In other words, it helps a compliance practitioner to anticipate all the aspects of your employees needs around compliance your employees, who are the customers of your compliance program. This is especially true when compliance is either perceived as something that comes out of the home office or is perceived as the Land of No, largely inhabited by Dr. No. A 360-degree view of compliance gives you the opportunity to build a new brand image for your compliance program. 

The Use of Social Media in Compliance 

What is the message of compliance inside of a corporation and how it is distributed? In a compliance program, the largest portion of your consumers/customers are your employees. Social media presents some excellent mechanisms to communicate the message of compliance going forward. Many of the applications that we use in our personal communication are free or available at very low cost. Why not take advantage of them and use those same communication tools in your internal compliance marketing efforts going forward? 

What is Effective Compliance Training? 

Also raised in the Evaluation was the focus of your training programs, where the DOJ inquired into whether your training was “tailored” for the audience. The Evaluation, In Prong 6, Training and Communication, asked, in part: Risk-Based TrainingWhat training have employees in relevant control functions received? Has the company provided tailored training for high-risk and control employees that addressed the risks in the area where the misconduct occurred? What analysis has the company undertaken to determine who should be trained and on what subjects?  

The key going forward is that you have thoughtfully created your compliance training program. Not only in the design but who receives it, all coupled with backend determination of effectiveness. Finally, all of this must be documented. In Prong 6, Training and Communication, of the Evaluation it read, in part: 

Form/Content/Effectiveness of Training– Has the training been offered in the form and language appropriate for the intended audience? How has the company measured the effectiveness of the training? 

  1. Figure out what you want to measure. Before you ever train an employee, you should have a goal in mind. What actions do you want employees to take? What risks do you want them to avoid? In compliance training, you want them to avoid non-ethical and non-compliant actions that would lead to potential violations. Your goal is to train employees to follow your Code of Conduct and your compliance program policies and procedures so you avoid liability related to actions.
  2. Were employees satisfied with the training? What is their engagement? The next step is to get a sense of whether employees feel that the training you provided is relevant and targeted to their job. If it’s not targeted, employees will likely not be committed to changing risky behavior. One way to obtain such data is through a post-training survey. This should give you insight into determining if employees thought the training was beneficial and effective in answering their questions and concerns.
  3. Did employees actually learn anything? A critical part of any employee training is the assessment. You must know whether they actually learned anything during training. You can collect this data in a number of ways, but for compliance training, the best way is to measure pre- and post-training understanding over time. Basically, each time you train an employee, measure comprehension both before and after training.
  4. Are employees applying your training? A survey should be used to determine employee application and their implementation of the training topics. To do so, you must conduct surveys to understand whether they ceased engaging in certain risky behaviors or better yet understand how to conduct themselves in certain risky situations. These surveys can provide a good sense of whether the training has been effective.

To purchase a copy of The Complete Compliance Handbook on click here

To purchase an autographed copy of The Complete Compliance Handbook from the author click here.

May 7, 2018

I continue my five-podcast exploration of working with monitors. I am joined by Don Stern, Managing Director, Corporate Monitors and Consulting Services at Affiliated Monitors, Inc. (the sponsor of this five-part series) on working with monitors. Today we consider how monitors work.

Stern explained that there are variety of tasks and roles a monitor uses when engaging in an independent monitorship. A monitor should understand type of approaches they will take to make an organization more compliant, starting with understanding the work plan. Many times, the monitor must push the organization along by getting buy-in and building consensus. Finally, there should be an awareness of helping the company being compliant in the future.

The starting point is understanding what is the mission of the monitorship. As Stern put it, “we really begin at the beginning.” We meet sometimes meet separately with the government agency to get an appreciation understanding as to why they think things have reached that point, what they see as the problems in the company, what they see as the problems in the industry. And then of course we do the same thing with the company.” Such meetings could also include “outside counsel who have been sort of living with the whatever the precipitating cause a problem which led to the settlement with the government or the investigation. They've lived with it for years. And in many cases, by the way, the company has already remediated significant portions of the problem.”

A monitor should have a particular focus on a particular goal, a particular set of tasks. Yet from there, Stern explained it is “very much a people exercise. The thing that is often obvious relatively early on, a one way or the other is whether the company has a paper program or real program.” Stern indicated that a monitor should spend time at both the higher levels of the company and at the middle and lower levels of the company. Some of the specific techniques can be one on one interviews, site visits to specific offices and with “focus groups where we get people at the same level so we don't get middle managers and upper managers together in one room.”

Stern emphasized it is critical that both company management and the regulators not be surprised by a finding. This means the monitor (and team) should literally “pour through the company” to come up an honest final assessment or report for the organization. It is important to give the company credit where it has remediated or shown improvement and this means emphasizing to the government the wins a company’s compliance program may have sustained.

Interestingly, Stern emphasized that in monitorships as with compliance programs in general, one size does not fit all. A monitor should test whether there is sufficient training on the Code of Conduct, compliance policies and procedures and other issues such as Conflicts of Interest policy. There should also be inquiries into hotline overview and use. Yet there can also be recommendations which arise from the employee interviews, which the monitor may raise to senior management for implementation.

Here Stern presented a simple yet powerful example. It was around having a compliance moment once per week at company meetings. The organization was an engineering company and they took safety very seriously, opening each company meeting with a safety moment. This led to the suggestion of opening meetings with a compliance moment, which employees used not simply to state ethics and compliance issues but to describe situations they faced daily.

A situation arose where an employee was offered tickets to a baseball game by a vendor. The company policy on conflicts of interest prevented the employee from accepting the tickets and he felt conflicted because he wanted to go to the game. More importantly he did not know what to tell the vendor to make them understand he could not accept the tickets. Through discussing this issue after a compliance moment in a company meeting, there was a dialogue allowed the company employees to feel that they have an opportunity to be part of the process. It demonstrated that ethics and compliance is not something imposed on them, but something that is part and parcel of their job and part and parcel of their responsibility.

A monitor must literally work with groups as diverse as the Board of Directors to employees on the shop floor. It is incumbent to use a variety of tactics and techniques to fulfill the mission of a monitor. An independent and experienced monitor is required to use a variety of tools to help an organization move forward with a compliance regime. Stern noted, “a monitor should also have the experience to come in and not only look at how your company is doing, but also benchmark against what is happening not only in your industry but in other industries. And at the end of the day it's a little bit like the making of sausage. At the end of the day we're going to have some recommendations and the expectation is that your company is going to be top of the heap, that you will have a state of the art compliance and ethics program and you will have contributed to making it better.”

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at

May 7, 2018

Over the next five podcasts, I will visit with Don Stern, Managing Director, Corporate Monitors and Consulting Services at Affiliated Monitors, Inc. on working with monitors. Over this series we will consider, in Part I-Fears and Concerns in Working with Monitors; in Part II-the Impact Monitors Can Have for an Organization; in Part III-How Monitors Do Their Jobs; in Part IV-Regulators Using Monitors; and in Part V-Attorneys Using Monitors. At the end of this series you will have a much broader appreciation on the benefits of an independent monitor, how monitors work and how the different types of monitorships can benefit a wide variety of businesses, transactions and business relationships.

There can be a wide variety of concerns for those considering or being required to work with a monitor, both from the corporate perspective and individual employees. From the corporate perspective, the concerns can include the costs of a monitorship and that impact on the bottom line; opening up books the books to an outsider and interference with business operations. These are acerbated by a fear the monitor does not understand the business of the organization or even how business in done in the real world. Things that tend to bring more fear are that the monitor will engage in slow but sure mission creep and exceed the boundary of the charge. Many see monitors as an extension of the government and believe that monitors are  junior G-men and investigators, tasked by the by the government to investigations ongoing. Employees tend to be more afraid the monitor will come in dictatorial powers and exercise them. Employees are usually more concerned with the company’s reputation and business credibility with employees and subcontractors.

Stern believes some of the fears and concerns are understandable, particularly if a company, does not have experience with the positives of the use of an independent monitor and a monitor’s assisting a company in improving the compliance program. While some of it may have to do with the unknown, one area is simply the extra costs associated with a monitor. If the monitor is a part of a government settlement or resolution, there can be the fear, sometimes driven by war stories, that monitors will have mission creep and continue the investigation, even after a resolution. A company may fear that a monitor will come in and look under every nook and cranny. This feeds into both concerns of cost and mission creep.

Another concern is that many monitors are former prosecutors and still retain a prosecutorial mindset. This can lead many companies and their employees to fear a ‘got-cha’ mentality of a monitor who is looking for items to run back to the government or regulators with through their monitorship investigations.

Stern believes that all of these concerns can be handled if not fully alleviated, through thorough discussions with monitor candidates. . Stern noted that one of the areas a company needs to be asking during the monitor selection process is what is “the approach that the monitor is going to take? What's the approach in a meeting or an interview with a mid-level employee in a branch office. Is that person going to feel as if they're under attack or are they brought in a to explain all the good things and all the bad things that are going on so that the monitor can basically make some helpful recommendations.”

In addition to the monitor interview process, companies should understand that the terms of any monitorship are set in the resolution agreement. This is why it is important not only to address these issues during settlement discussions but also take care in the drafting of such agreements to try and remove as many ambiguities as possible. At times, the parties may not want to address what they believe are sensitive issues head on as part of the negotiation process, other times there is not a full understanding of how monitors works. Stern has been brought in as the parties have negotiating to simply educate people as to what monitors do and how they operate and, to demonstrate how the monitorship can be more successful for both sides, for the government side and the company. In drafting the resolution agreement, the key is to lay out the scope, properly and tightly designed. When there are ambiguities which come up in the process of the monitors work, the monitors should work with both sides, as a facilitator to have both parties basically come together and to resolve those issues.

The key is for companies to have a thorough understanding of the monitorship process, whether it is a post-resolution monitorship where the monitor is focused on the company’s compliance with its agreement in the resolution document, Deferred Prosecution Agreement, Non-Prosecution Agreement or other; or a pro-active monitorship. This understanding comes from discussions, reviewing and negotiating the scope of the agreement and hiring experienced monitors who understand their role and more importantly what is not their role going forward.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at

May 7, 2018

I conclude this five-podcast exploration of working with monitors, where I have been joined by Don Stern, Managing Director, Corporate Monitors and Consulting Services at Affiliated Monitors, Inc. (the sponsor of this five-part series) on working with monitors. In this final episode we consider lawyers using monitors, most typically where the clients are under investigation for some regulatory issue, such as a Foreign Corrupt Practices Act (FCPA) enforcement action.

Stern said the biggest mistake lawyers make is to wait too long before bringing in an independent monitor. His experience is that if  you wait until after the conclusion of a matter, you have lost valuable time and potentially cost yourself money, in the form or higher fines and penalties, by waiting. The government expects compliance shortcomings to be remediating during the pendency of an investigation. A monitorship can even begin before  self-reporting to the government. This is because a company should want to find the problem before it voluntarily reports the problem to the government. In this manner, the company could receive get the credit for having done so. It also allows the company to package the entire process “in a way to say not only we discovered the problem, not only are we reporting the problem, but we fixed the problem. We did with an independent third party and we may even want to keep that third party with us to independently assess how we do going forward. That's very persuasive to prosecutors and I've certainly seen situations where in some cases it's resulted in a declination or in a significantly diminished” fine and penalty.   

This is using an independent monitor in a pro-active manner which demonstrates how serious the company is about compliance. It can also be a way to demonstrate any illegal conduct may simply have been an outlier and does not reflect the values, culture and the way the company generally does business. This can provide quite a positive story to present to prosecutors, particularly under the new FCPA Corporate Enforcement Policy.

If your company is active in the remediation phase, particularly through an independent monitorship, it is looking at the problem in a holistic approach. It is more than assessing that problem, coming up with some solutions and then implementing the solutions. More importantly an organization is taking that information and looping it back in, in a literally a feedback loop so the companies can improve their compliance program. This is an approach which can be persuasive to regulators.

Stern noted this approach is even more critical for what he called ‘repeat customers’ or recidivist actors. He said government regulators are becoming much more sophisticated in understanding whether a compliance program is simply a paper program. The government wants to know if this a real program. One clear indicia is the feedback loop from an assessment by an independent monitor looping the information back to the company, making changes, testing to see whether the changes are real changes are working changes.

One final area that using an independent monitor is in the area of credibility. One thing I have consistently heard from white-collar practitioners perhaps the most important thing in any FCPA investigation or enforcement action is credibility with the prosecutors. By having a truly independent monitor who is even independent of the outside counsel, who may be heading up an investigation and assessing the compliance program; is one more way to bring that credibility to a, in front of the prosecutors. Stern noted that as the former US Attorney for Massachusetts, your reputation in representing clients before the government is absolutely critical. Having that independence as a monitor can aid a company by giving credibility to their compliance program efforts and this can pay off with real benefits in terms of lesser penalties all the way to a declination.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at

May 7, 2018

I continue my five-podcast exploration of working with monitors. I am joined by Don Stern, Managing Director, Corporate Monitors and Consulting Services at Affiliated Monitors, Inc. (the sponsor of this five-part series) on working with monitors. Today we consider the various manners in which regulators at all levels, from the federal, to state and local levels, use monitors. We also consider how monitors can be used outside the regulatory context in areas as diverse as mergers and acquisitions, business ventures, IP and licensing.  

Most compliance practitioners are aware of the role monitors play in the Foreign Corrupt Practices Act (FCPA) enforcement arena. However, the use of independent monitors is much broader than simply in criminal or civil enforcement actions involving a Deferred Prosecution Agreement, Non-Prosecution Agreement, Corporate Integrity Agreement or other form of resolution. Federal agencies use monitors for a wide variety of roles to ensure compliance with agreements.

At its most basic level, an independent monitor is a way for the government to extend its reach. Both in terms of lengthening out the time that you have true government oversight and in terms through many of the techniques we discussed earlier:  focus group meetings, review documents, talking senior and middle management. It is a very cost-effective way for federal, state and even local governments to extend out their reach. This cost-effectiveness is driven home by that fact that the cost is not borne by the governmental entity or the regulators. The cost is borne by the entity involved.

Stern pointed to the use of an independent monitor by the Federal Communications Commission (FCC) to ensure that the conditions around anti-competitive and other issues, the FCC approved for the merger between AT&T and Direct TV, were fulfilled. He went on to provide an example where “one of the conditions was  they had to offer a discounted broadband service to certain low-income households. The FCC  wanted access to broadband for low income families, particularly for school kids. The monitor assessed the marketing program on this issue, looking at their efforts to provide discounted broadband, low income households.”

Stern provided another example of regulator use of an independent monitors, this time by a state regulator, the Attorney General of Rhode Island in the area of hospital conversions. This is the situation where a non-profit hospital is purchased by a for profit chain. In such situations, the state attorney general in most states will have to approve that transfer of assets from charitable assets to for-profit assets, applying certain conditions. It could be in the area of recruiting  physicians or requiring the acquiring institutions to keep the mental health services open. You don't have to spend x millions of dollars on new equipment. It is generally around very specific metrics  and it is “increasingly being used by government agencies as a way of not only having confidence that the regulatory decisions are being followed but provides some comfort and confidence to the public knowing that who is looking over the shoulder of the organizations in the public’s interest.”

Yet an independent monitor can be used in non-regulatory areas. One that certainly comes up is pre-acquisition due diligence in the FCPA realm. An independent monitor can be used to assess whether a target or takeover candidate has a robust compliance program. These same concepts also work in the licensing area in pre-acquisition work and even for company which want to test the audit compliance of customers.

The bottom line is independent monitors can come in and look at the system of controls in a wide variety of regulatory and legal areas. This is true because there is no substitute for having somebody independent of the company with some expertise and common sense and practical reality coming in and asking, how are you doing? Stern concluded, “You don't have to do this all the time. It isn't something you need to do even every year, but every once in a while, have somebody come in and take a hard look at how you're doing and then reporting back internally to the company. It is money well spent because you have established that the organization being reviewed has a good program and if you need to fine tune your program in certain ways. Here again, I think that's all to the good.”

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at

May 7, 2018

I continue my five-podcast exploration of working with monitors. I am joined by Don Stern, Managing Director, Corporate Monitors and Consulting Services at Affiliated Monitors, Inc. (the sponsor of this five-part series) on working with monitors. Today we take up the impact using a monitor can have on an organization.

Interestingly many of the benefits of a company in working with a monitor come from answering the employees fears and concerns. Many employees are intimidated by attorneys and some even fell guilty about themselves and their work even though they have done nothing wrong. Often employees do not feel like them can trust the company, particularly if the company does not employ the Fair Process Doctrine or institutional justice as a core value of the organization. Other employees feel validated and when they can open up to outsiders it can be a cathartic experience for employees. For the larger organization, the monitor can tell the company what it does not know and provide a much needed “Big Picture” impact; delivering insight on how the company can be run more efficiently and profitably. The bottom line is that the benefits in using an independent monitor can be as behavioral and psychological as compliance and legal.

Stern described the impact of working with a monitor is present at several different levels. The first is a very personal, at the employee level. He said, “I've seen this time and time again when we will sit with either an individual employee at different levels, it could be at a lower level, it could be at the CEO level. The employee will feel validated and in some ways innocent. It sounds odd to say that because you would think that if the company was working properly that each employee would have an opportunity to sort of say their piece, describe observations and things that they were experienced. Unfortunately, that is not the way the real world works when people have concerns and fears of retaliation and the like.”

Stern has found after doing an interview or a focus group, they will sometimes say, “ I have been wanting to say these things to somebody and I hope that, this is not attributed this to me. I'm not looking for you to go back ono anybody and say that I said this, but I hope that you will take what I have said and what others have said and make some suggestions to the company.” The bottom line is that a key impact from working with a monitor is that the monitor listens and “I do think that employees feel better kind of explaining their perspective on what's happening internally in the company.”

Another important reason all of this works is if an organization uses a truly independent monitor. This means one which is not the lawyer for the firm or with the company’s regular outside counsel. This is something most employees more fully appreciate talking to “outsiders who were being were coming in, who they do not interact with on a day to day basis.” Even if the monitorship is required under an enforcement action and in the in the context of a government settlement, Stern has found that if the monitor makes it clear they are independent from the government, employees are more likely to not only open up but also appreciate the experience.  

These concepts tie directly into the Fair Process Doctrine, which most generally holds that if the process is fair, people are more likely to accept undesired outcomes. An independent monitor, who does not perform ongoing work with the company, will certainly be perceived as more fair. As Stern noted, “it’s just human nature.”

This independent nature also gives the monitor the ability to impact the company by helping it turn the page on any conduct which may have gotten it into trouble in the first place. This is particularly true where a company has gone through an enforcement action and resolved the matter with the government and is now ready to move on in a positive way. Stern said that employees typically want to feel good about the organization they work for, they want to be proud of who they work for. Stern said, “time and time again, people aspire to work for a company that they feel good about. They want to tell their spouse that wants to tell their children. They want to feel good. When the neighbors asked them, who do they work for and when companies get into trouble, um, they liked the fact that the pages being turned in that once again, that can be very proud of where they work.”

This independence from the government also works to positively impact the work of a monitor. Stern noted that although an independent monitor has “an obligation to report to the government faithfully as to what we are seeing; the good, bad and the ugly; an independent monitor is not beholding to the government.” Stern’s experience has been “at the end of the day respect us and they recognize that it's in their interest for us to be independent. If we're in the company's pocket and we do whatever the company wants it at the end of the day, the government will see right through that and it's not going to be a good outcome.”

The bottom line is that the positive impacts of working with a monitor can happen on many levels. Obviously for a company which has recently concluded an enforcement action, a monitor can yield many benefits to improve a compliance program. Yet some of the greatest benefits may be more behavioral and psychological to the company’s employees. Not only can talking to a truly independent outsider be cathartic for employees but the entire process can help to reinstill a sense of pride in who they are, who they work for and what the organization means.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at

Apr 25, 2018

In this episode, Matt Kelly and I go into the weeds to consider the recent racial incident at Starbucks store in Philadelphia where two African-American males were arrested for criminal trespass while waiting for a third colleague to join them for a business meeting. They had not purchased any products but were not engaging any type of disruptive behavior. They were released with no charges filed.

We consider several points around this incident from the compliance perspective, including the lessons for compliance officers are really about the challenges of policy and procedure at large organizations. The gap between those two requirements is filled by employee judgment — and that is where things went awry. We consider if a single solution, such as  all seats and bathrooms are reserved for patrons who have already purchased a product, create more problems than they solve. We also review the underlying premise of ‘what is Starbucks’ to see if a more robust risk assessment process might have helped identify these gaps.

This week’s discussion is literally torn from recent headlines. It provides an excellent example of the many compliance challenges every business and CCO face.

For more reading, see Matt’s blog post Starbucks and Policy Management Perilsand Tom’s blog post Starbucks and Lessons for the Compliance Practitioner in Risk Management

Apr 23, 2018

In this episode of the FCPA Compliance Report, I visit with Laura Perkins, a partner at Hughes Hubbard & Reed. Perkins formerly worked with the Department of Justice, FCPA Unit, departing in September 2017. We discuss the decision to self-disclose a potential FCPA violation to the Justice Department. Some of the highlights include:

  • What should a company expect after it makes a decision to self-disclose the to DOJ? What information should be in the initial self-disclosure?
  • What should be in the initial investigation plan they present to the DOJ?
  • When should remediation begin and how much information does the government want to know about in this area?
  • What should a company do to satisfy the government it has secured all documents and communications?

We next turned to the resolution phase and discussed several topics including:

  • When is a company ready to present information to the DOJ that it believes the matter should be closed?
  • Whether through declination or charging document?
  • How is the final penalty decided? and
  • Is it through negotiation or simply presented to the company?

For more information on Laura Perkins and Hughes Hubbard & Reed, check out the firm’s website, here.

Apr 23, 2018

In this episode of the FCPA Compliance Report, I visit with Laura Perkins, a partner at Hughes Hubbard & Reed. Perkins formerly worked with the Department of Justice, FCPA Unit, departing in September 2017. We discuss the decision to self-disclose a potential FCPA violation to the Justice Department. Some of the highlights include:

  • What should a company expect after it makes a decision to self-disclose the to DOJ? What information should be in the initial self-disclosure?
  • What should be in the initial investigation plan they present to the DOJ?
  • When should remediation begin and how much information does the government want to know about in this area?
  • What should a company do to satisfy the government it has secured all documents and communications?

We next turned to the resolution phase and discussed several topics including:

  • When is a company ready to present information to the DOJ that it believes the matter should be closed?
  • Whether through declination or charging document?
  • How is the final penalty decided? and
  • Is it through negotiation or simply presented to the company?

For more information on Laura Perkins and Hughes Hubbard & Reed, check out the firm’s website, here.

Apr 9, 2018

In this episode of the FCPA Compliance Report, I visit Hogan Lovells partner Stephanie Yonekura on the always difficult decision on whether a company should self-disclose a potential FCPA violation or even allegations of a potential FCPA violation to the Justice Department. We consider such questions as:

  • What should a company do to prepare for a multi-national multi-jurisdictional anti-corruption enforcement action?
  • What should a company do to prepare when an internal investigation determines there may be instances of ABC violations in multiple countries, all of which have ABC laws.
  • How should a company prepare for self-disclosure? To US authorities only or to multi-jurisdictions at once?
  • Do evidentiary standards differ across the globe and how should a company prepare or respond?
  • How should a company prepare for multiple fines and penalties from multiple jurisdictions?
  • How can a company negotiate one pie in the context of an international anti-corruption enforcement action?

Yonekura is the Former Acting US Attorney for the Central District of California so she brings a wealth of knowledge to the topic. We consider all of these questions and more in light of the new FCPA Corporate Enforcement Policy and whether it has changed the calculus for self-disclosure or not. We also visit on whether the recent lack of monitors required under DOJ/SEC FCPA enforcement actions is an omen of things to come or not.

She ends with one of the great pieces of advice you can receive, “You don’t want to poke the bear, whether there is no bear to be poked.”

Apr 2, 2018

This week, in a five-part podcast series, I have been exploring the role of corporate monitorships in compliance and some of the key issues which companies and compliance professionals may face in dealing with monitors. I have been joined in this exploration by Vincent DiCianni, founder and President of AMI and Eric Feldman, Senior Vice President and Managing Director of Corporate Ethics and Compliance Programs for Affiliated Monitors, Inc. (AMI), who is the sponsor for this series. Today, for our final episode in this series, we consider the always controversial topic of monitorship costs and expenses.

DiCianni noted that in any post-resolution monitorship, the monitor is coming in at the end of a long process. If it was a Foreign Corrupt Practices Act (FCPA) enforcement action, it could have been a years-long process with a lengthy investigation, coupled with an extensive remediation and then long negotiation with the government over the final penalty. Yet there is an approach that a company can use to help the final leg of this process more palpable.

DiCianni breaks the process down into three key areas. The first is the scope of the monitorship. You must understand the settlement documents so that you can fully appreciate the scope of the monitor’s remit and what the government expects from the monitor. DiCianni noted that some resolutions can have a narrow focus, with a finite number of records or other documents to review. With such information, you can work to scope out a range of what your costs might be. Conversely the settlement documents can literally be wide-open, which obviously will have a dramatic impact on potential costs and even estimating.

DiCianni related the next factor to consider is frequency. By this he meant how often is the monitor actually engaging in monitorship activities for the company. Is it daily? Is it weekly? Is it quarterly? The frequency of monitoring will have a significant role on your overall monitorship costs. The final factor to consider is duration. Tied to this question of frequency is the length of the monitorship. How long will the monitorship last, one-year, two-years, three-years or even five years; is a critical element.

The final factor is the experience of the monitor. As we explored in Episode 4 of this series, you really need to have a very direct conversation with monitor candidates to determine if they have the experience to work with other individuals or teams of individuals. Does the monitor understand their role, as prescribed by the four corners of the settlement document(s). Are they going to reinvent the wheel for each new part of the monitorship? DiCianni said, “as they are going along which is going to add to the cost of the monetization so that's a factor that I think companies should consider”. This brings up another important factor on costs is the not only the scope of the monitorship but also the efficiency of the monitor.

DiCianni noted a key document for cost control can be the monitor’s workplan, which lays out the monitor’s anticipated services. This gives the monitor, the company and the government a set of expectations for the tasks to be accomplished. Even though it may turn out to be a preliminary document, it does help to provide a level of certainty. Equally important is for the monitor to understand they do not have to look at everything during the monitorship. You can randomly sample and drill down to test if you need to do so. A monitor does not have to interview all persons in a high-risk location but can select certain employees for a focus group and then perform a round of interviews if required. The workplan and its execution can be a powerful tool to help not only estimate the total cost but also keep them down.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at

Apr 2, 2018

This week, in a five-part podcast series, I am exploring the role of corporate monitorships in compliance and some of the key issues which companies and compliance professionals may face in dealing with monitors. I am joined in this exploration by Vincent DiCianni, founder and President of AMI and Eric Feldman, Senior Vice President and Managing Director of Corporate Ethics and Compliance Programs for Affiliated Monitors, Inc. (AMI), who is the sponsor for this series. Today, we consider what is a post-resolution monitorship.  

Feldman explained that most generally, a “post resolution monitor ship is essentially a situation where a government agency and a private organization, it could be a corporation it could be a nonprofit organization, as a requirement of settling some kind of a dispute or a matter between those two entities the company; the regulator agrees they are going to use a monitor to ensure that any specific conditions of the agreement to settle the matter are met.” He went on to note it is usually an independent third-party who is brought in for this purpose.

Post-resolution monitorships are well-known to the compliance community through the Foreign Corrupt Practices Act (FCPA) enforcement. Yet Feldman stressed they are use in a much wider area of practice than simply FCPA. He said, “Other kinds of enforcement scenarios would involve state Attorneys Generals that perhaps are investigating and settling cases with companies involving consumer protection or even civil rights cases. State regulatory boards medical boards and other types of licensing institutions and various states they could sign agreements that require a monitor to monitor the conditions of those agreements.” Of course, there are situations where there is court ordered enforcement as a result of a court ordered settlement and “a monitor is required to report to the court and both parties’ compliance with that particular agreement.”

Yet monitorships have been employed in anti-trust scenarios to ensure compliance not with Consent Decrees but with Federal Trade Commission or Federal Communications Commission-approved merger conditions. Here Feldman pointed to the example of the merger conditions between DirecTV and AT&T. In that case, the monitor was charged with reviewing and assessing compliance with certain merger conditions. Feldman noted there was no enforcement action and no wrongdoing but a recognition by all parties involved for the need of a truly independent third party to assess compliance with the acquisition conditions.

One thing about the post-resolution monitorship is that if viewed as a tool for compliance, a wider variety of uses can be envisioned. In the FCPA world, we have seen shareholder actions brought against Boards of Directors and companies for failing in their duties to put compliance programs in place. Occasionally, these actions are resolved before the conclusion of a FCPA investigation or enforcement action. If you had a post-settlement monitorship for the shareholder action, both the findings of the monitor and the monitor’s report could potentially help the recalcitrant company under the new FCPA Corporate Enforcement Policy. In such a scenario a post-resolution monitorship could have the impact of a pre-settlement monitorship.

Feldman concluded by noting, there are a number of applications and uses of an independent, credible third-party to facilitate the resolution of disputes. There are different ways having a third party come in and help to resolve issues; the number of ways is almost infinite or at the very least, limited to your imagination.  Often a monitor could come in collect information on what one or both of the parties are doing to help facilitate a settlement. Feldman discussed matters such as consumer protection issues. He noted that AMI has done monitorships where state agencies have done investigations of consumer protection and AMI would come in as a “secret shopper” to determine whether an organization is in fact doing what it is supposed to be doing.

The bottom line is that there is certainly no finite number of categories for the post-resolution monitorship. They can be utilized in a wide variety of ways to help facilitate not only resolution of enforcement actions but to satisfy compliance with a wider variety of cares, concerns and issues.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at

Apr 2, 2018

What is the role of a corporate monitorship? Is a corporate monitorship to be feared if your company is in the middle of a Foreign Corrupt Practices Act (FCPA)? Can a monitor be used in a manner other than post-settlement, such as in a pro-active manner to help forestall a government enforcement action, fine or penalty? If your company is in the market for a monitor what are some of the indicia you should consider? Finally there are lots of rumors about the alleged exorbitant costs of monitorship? Is this an urban myth or is it based on facts? If the former, what can a company do to protect itself. I will explore these and many other questions in a new podcast series I am putting on sponsored by Affiliated Monitors, Inc. (AMI).

In this five-part podcast series, I am exploring the role of corporate monitorships in compliance and some of the key issues which companies and compliance professionals may face in dealing with monitors. I am joined in this exploration by Vincent DiCianni, founder and President of AMI and Eric Feldman, Senior Vice President and Managing Director of Corporate Ethics and Compliance Programs for AMI. Today, we consider what is a corporate monitorship?

DiCianni explained that most generally, a corporate monitorship is “an individual or team of individuals that are independent of an entity that is subject to the monitoring group bring a level of expertise perhaps in that subject matter that has to be overseen.” The person or group would have the ability bring a level of expertise, training and learning to any task where a true independent is needed to assess the validity of the required criteria, as that criteria is defined in the four corners of the relevant document. In the FCPA world that could be a Deferred Prosecution Agreement (DPA), Non-Prosecution Agreement (NPA) or other document.

Monitors generally report to an oversight agency or regulator but work with a company or individual. The cost of the monitorship is borne by the company being overseen. It is a unique model that has been created where an unrelated, independent private person or entity who is still being overseen by a government agency or regulator monitoring a company but with specific terms for that third party. It is spelled out in the settlement documents which for the basis of the monitorship.

Another key for a successful corporate monitorship is in the area of subject matter expertise. Obviously first-rate knowledge of compliance and ethics is critical but as monitoring is used across multiple industries and businesses, a wider variety of technical experience is required. Monitors have been used in health care, financial services, police department just to name a few. A wide variety of subject matter experts may be needed to be a part of the monitorship team to successfully complete the assignment.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at

Apr 2, 2018

This week, in a five-part podcast series, I am exploring the role of corporate monitorships in compliance and some of the key issues which companies and compliance professionals may face in dealing with monitors. I am joined in this exploration by Vincent DiCianni, founder and President of AMI and Eric Feldman, Senior Vice President and Managing Director of Corporate Ethics and Compliance Programs for Affiliated Monitors, Inc. (AMI), who is the sponsor for this series. Today, we consider what issues a company should consider when hiring or retaining a corporate monitor. 

It is important to note right of the bat, that the selection of an appropriate monitor can either make or break the entire monitorship program for an organization. Feldman advises that the forestall such a problem a company needs to have a clear understanding of what it is trying to get out a monitorship. If you are at the end of a Foreign Corrupt Practices Act (FCPA) enforcement action, your goals may be different than attempting to engage in a pre-settlement monitorship. You also need to understand what might be required by the government in any post-resolution settlement.

After this initial self-assessment of the company’s goals, you can move to considering the monitor. Here you need to assess the what Feldman called the philosophy of potential candidates. Is the monitor coming in to simply investigate the company or help to prevent or resolve issues? This means staying away from the prosecutorial ‘gotch-ya’ mindset and move towards a monitor who is focused on remediation “to help you be a better company”.

The next line of inquiry is can the company obtain the maximum value it can get from the expertise, the independence and the viewpoints the monitor can provide. In other words, what is the value the monitor will deliver to your organization? Feldman suggests asking a question such as: “Can the Monitor help my business?”

Third is the expertise of the monitor. But this is more than being a subject matter expert in the area of law being applied such as the FCPA; it is being an expert in monitorships. It is also more than simple cost-effectiveness. It is also how the monitor will work without disrupting your organization or working to keep such disruptions to a minimum. Such expertise would include how to conduct an evaluation, how to create a work plan which is rigorous yet cost-effective, and to “socialize the work plan with the company and with the government.” This means the monitors should have experience in balancing the interests of the government and the company. Other skills necessary include interview skills, ability to conduct focus groups, together with data gathering and analytics are also critical. Finally is the writing of the report and communication of information, for as Feldman stated, “There's no value added if there's not a clearly written factually based monitoring report, at the end of the process, that makes recommendations that logically flow from the information gathered and are culturally appropriate for that particular company. There is no one size fits all for the reporting or for the recommendations.”

Feldman spoke about the different types of value a monitor can bring. Obviously, the situation where there is a Deferred Prosecution Agreement (DPA) or other enforcement action resolution document in place would suggest one type of value. Yet there are other more business-process focused values a monitor can add. In the area of internal controls, a monitor’s assessment can lead to more effective internal controls, often through a reduced number of overall internal controls.

Feldman spoke to another ‘soft’ factor when he noted, “There's also another interesting factor involving value in a company. That is that the actual methods that we use to do the monitoring to go in and talk to employees, to do employee surveys to do interviews. That alone can have something of a cathartic effect on the company's employees and on the mood and the morale in the company. And we've seen that over and over again, when employees see that the company cares enough to bring in a firm that asks their opinions on what works and what doesn't work and ask their opinions about whether their managers are creating and an open environment to communicate issues and to report issues. It helps improve the company and as we know better morale in the company improves the bottom line.”

Finally a company needs to consider whether monitor who is “independent and conflict free”. Feldman says this is important “Because if not, then the value of the findings the value of the entire effort can be at risk. And we've seen this over time in organizations that bring in monitors that you know may within their broader organizational structure have some kind of a conflict within the industry or within that company.”

Any company faced with the selection of a monitor should take care in the process. Use a deliberative process which allows you to understand not only your goals, but also your requirements back from a monitor.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at

Apr 2, 2018

This week, in a five-part podcast series, I am exploring the role of corporate monitorships in compliance and some of the key issues which companies and compliance professionals may face in dealing with monitors. I am joined in this exploration by Vincent DiCianni, founder and President of AMI and Eric Feldman, Senior Vice President and Managing Director of Corporate Ethics and Compliance Programs for Affiliated Monitors, Inc. (AMI), who is the sponsor for this series. Today, we consider what is a pre-settlement monitorship and how it can be such a powerful tool for the compliance professional.  

Feldman explained that most generally, a “pre-settlement monitorship is an organization using an independent body to conduct any kind of a third-party review or assessment.” It can also be considered as a proactive monitorship. It involves a company desiring to assess its implementation of a compliance and ethics program on a proactive basis. Such a monitorship does more than simply focus on whether there is a compliance program in place but more fully assesses its effectiveness. This assessment can be used by a wide variety of parties, such as the corporation itself, with its stakeholders, with regulators or even with the public to demonstrate compliance with a wide variety of issues.

Feldman explained that a key piece of the pre-settlement monitorship is to assess the company’s culture of compliance. Using such a proactive monitorship can help an organization to assess not only where they might be at this point in time but also work to create a road map to improve and strengthen their culture of compliance and ethics. Finally, as Feldman noted, “Another reason for doing a pre-settlement monitorship might be when a company wants to explicitly demonstrate its due diligence to law enforcement or regulators should something occur in the future that would result in action against the company.”

He noted German enforcement authorities are now assessing if companies engage in sufficient investigations of not only whom they are doing business; which is traditional third-party due diligence, but these same authorities are inquiring if a company is putting the same effort into assessing itself. The pre-settlement monitorship is an excellent mechanism to do so. He stated, “in Germany there have there has been a move on the part of the governments to take into account all due diligence activities that a company has taken in the past which would include a pre-settlement kind of monitorship when there is any fine or penalty or action on any issue against the company in the United States.”

Another way to consider it might be as a “preemptive strike against more punitive action on the part of government agencies”. Feldman related that his company, Affiliated Monitors has had instances where companies subject to an action with one level of government, such as a US Attorney’s Office in one area of the country, will use the pre-settlement monitorship to avoid being suspended or barred by the federal government and from federal government contracts. The pre-settlement monitorship performed a complete review, then made recommendations for remediations. This led to positive resolution with the government in the form of no suspension or debarment.

When viewed in the light of the three prongs of any best practices compliance program, prevent, detect and remediate, the power of a pre-settlement monitorship comes more clearly into focus. A monitorship was traditionally viewed as an after-the-fact piece of an enforcement action. However through the pre-settlement monitorship, the tool becomes not only proactive but prescriptive as you are using as an ongoing monitoring solution. It is even more powerful because of the independent nature of the monitor, in bringing an unbiased eye to a compliance program.

Another use of the pre-settlement monitorship is in the mergers and acquisition arena. Feldman noted, “We have had situations where companies will, as part of the merger and acquisition pre-acquisition due diligence process, will hire an independent third-party monitor to review the target company to ensure that they in fact have the right kind of ethics and compliance posture and corporate ethical culture to be able to fully integrate into their organization if closing occurs.” Once again, this scenario speaks to the breadth and scope of the pre-settlement monitorship as a tool.   

Feldman concluded that it is critical that the monitor bring real value through the monitorship. He said the monitorship should provide insight through using a variety of investigative techniques, including interviews, document reviews and forensic auditing. All of this can provide solid information to not only a Chief Compliance Officer (CCO) but also the leadership of an organization.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at

Mar 19, 2018

In this episode, I welcome back Steve Durham, a partner with Labaton and Sucharow to discuss the continued reverberations from the recent Supreme Court decision narrow the definition of whistleblowers in Digital Realty Trust v. Somers. Durham discussed the impact the decision may portend for the SEC Office of the Whistleblower and both the quality and quantum of tips and information brought forward to the SEC after the decision.

Mar 5, 2018

In this podcast I welcome back John Hanson, founder and President of the International Association of Independent Compliance Monitors (IAICM) the only professional group for independent corporate monitors. The IAICM was announced one year ago in conjunction with the ABA White Collar Conference. At it's one-year anniversary, Hanson returns to the podcast to reflect on the growth the IAICM, assess the first year of IAICM, discuss of the highlights of the first year for you as President of the IAICM and then goes into some of the goals or initiatives for the IAICM in year 2.

With the announcement of the Justice Department’s Evaluation of Corporate Compliance Programs in February and new FCPA Corporate Enforcement Policy in November, the landscape for monitors will likely continue to evolve in 2018. Hanson and I consider what these and other DOJ announcements may portend, including the following questions:

  • How will the Trump administration impact corporate criminal liability and the Monitorships that accompany 30-40% of those matters?  
  • What will be the effect on the use of Monitors by DOJ's new position with regard to FCPA matters?  
  • How will the use of Monitors be impacted by new leaders at the SEC?  
  • Will Federal Judges continue to intervene in plea and deferred prosecution agreements?  
  • How much more will the use of Monitors continue to grow in the wake of changes internationally, including especially Canada, Brazil, Australia, the UK, and the EU?

As with all visits with Hanson, they are thoughtful, well-informed and very insightful. If you practice in the FCPA world or in the broader international anti-bribery/anti-corruption sphere, you will not want to miss this interview.

For more information on the IAICM, including membership, resources, its Code of Conduct and services, check out the website  

Feb 21, 2018

In this episode Matt Kelly and I go meta as we podcast about another podcast that Matt posted this week on his site, Radical Compliance, where he interviewed Paul Sobel, the incoming Chairman of COSO. We discuss how Sobel sees his new role at COSO, some of the initiatives that he has in mind for the organization and how companies can use the various COSO frameworks, including the Internal Controls and ERM frameworks to better manage risk some the strategic perspective. 

We use the Sobel interview as a starting point to consider how Boards of Directors can think about risk management for a wide variety of issues, from climate change to cybersecurity to sustainability. We also discuss how the COSO frameworks can be used in conjunction with more tactical forms to create a more robust overall risk management program. Join Matt and myself as we go meta this week and take going into the weeds to a new level. 

For Matt Kelly's interview with Paul Sobol click here.

For Matt Kelly's blog post on the COSO ERM Framework see, "COSO Debuts Final ERM Framework

For Tom Fox's blog post on the COSO ERM Framework see, "The COSO ERM Framework


Feb 14, 2018

In this episode, Matt Kelly and I go into the weeds on the fascinating subject relating to the intersection of compliance and technology: AI and hotlines. Matt blogged on and podcasted with Scott LaVictor, CEO of Neighborhood Watch for Corporations. His firm has been developing an app to help employees report harassment in a way that is secure and anonymous for them, but useful for compliance officers. We explore how this phone app can assist the compliance practitioner by using technology to overcome the inherent tension in an anonymous reporting system where the reporter may desire anonymity while the CCO wants and needs as much information as possible. 

The hotline app example would seem to incorporate several of these concepts starting with an incredible ease of use as a phone app. But the AI features allow it to inquire directly from the reporter additional information which will be important to the compliance professional. We discussed the following example from Matt’s blog post; “an employee might call a telephone hotline and leave a recorded message, “I saw my boss bribing some guy $500 the other day!” An app could be programmed to ask: 

  • What is your boss’s title?
  • Had he met with the other person before?
  • What time of day did the meeting happen? 

We also discuss why if there was one technology tool for compliance to be bullish about it is AI. There is an obvious cost savings but more importantly there is the opportunity for more effective compliance risk management simultaneously with greater business efficiencies. All of this will lead to more profitability that the compliance function can point to going forward. This can include overseeing routine transactions, answering routine questions and extracting data from documents can be moved to a more efficient and useful platform. 

For additional reading and listening, see 

Matt’s blog post and podcast

Better Whistleblower Reporting


Tom’s blog posts

Using AI in Compliance-Introduction

Using AI in Compliance-Design Challenges

Using AI in Compliance-Implementation Challenges

Using AI in Compliance-AI Projects for Compliance

Jan 31, 2018

I hope you have enjoyed this 31-day series on how to design, create and implement a best practices compliance program. These blog posts and podcasts over the past 13 months will form the basis of my next book The Complete Compliance Handbook which will be published by Compliance Week in April, 2018. It will be the most up-to-date handbook for every compliance practitioner, including the most recent Department of Justice pronouncements on what constitutes a best practices compliance program, in the FCPA Corporate Enforcement Policy and the Evaluation of Corporate Compliance Programs. I know you will find it useful.

I next want to take a deep dive and exploration of the levels of due diligence. Due diligence is generally recognized in three levels: Level I, Level II and Level III. Each level is appropriate for a different level of corruption risk. The key is for you to develop a mechanism to determine the appropriate level of due diligence and then implement that going forward.

Under the Evaluation of Corporate Compliance Programs (Evaluation) it states in Prong 10. Third Party Management: Risk-Based and Integrated ProcessesHow has the company’s third-party management process corresponded to the nature and level of the enterprise risk identified by the company? How has this process been integrated into the relevant procurement and vendor management processes? 

The question becomes how do you use the information you obtained in the business justification and the questionnaire to determine an appropriate level of due diligence for the next step in the five-step process of third-party management. A three-step approach of varying levels of due diligence is the appropriate analysis to take going forward.

A three-step approach was discussed favorably in Opinion Release 10-02. In this Opinion Release, the Department of Justice (DOJ) discussed the due diligence that the requesting entity performed. This Opinion Release sets out a clear break which every compliance practitioner should use in considering an appropriate level of due diligence to engage with your third-party risk management process or when considering the level of due diligence required on a potential business venture partner. I break due diligence down into three stages: Level I, Level II and Level III. A very good description of the three levels of due diligence was presented by Candice Tal in an article entitled “Deep Level Due Diligence: What You Need to Know”.

Level I

First level due diligence typically consists of checking individual names and company names through several hundred Global Watch lists comprised of anti-money laundering (AML), anti-bribery, sanctions lists, coupled with other financial corruption and criminal databases. These global lists create a useful first-level screening tool to detect potential red flags for corrupt activities. It is also a very inexpensive first step in compliance from an investigative viewpoint. Tal believes that this basic Level I due diligence is extremely important for companies to complement their compliance policies and procedures; demonstrating a broad intent to actively comply with international regulatory requirements.

Level II

Level II due diligence encompasses supplementing these Global Watch lists with a deeper screening of international media, typically the major newspapers and periodicals from all countries plus detailed internet searches. Such inquiries will often reveal other forms of corruption-related information and may expose undisclosed or hidden information about the company; the third party’s key executives and associated parties. I believe that Level II should also include an in-country database search regarding the third party. Some of the other types of information that you should consider obtaining are country of domicile and international government records; use of in-country sources to provide assessments of the third party; a check for international derogatory electronic and physical media searches, you should perform both English and foreign-language repositories searches on the third party, in its country of domicile, if you are in a specific industry, using technical specialists you should also obtain information from sector specific sources.

Level III

This level is the deep dive. It will require an in-country ‘boots-on-the-ground’ investigation. I agree with Tal that a Level III due diligence investigation is designed to supply your company “with a comprehensive analysis of all available public records data supplemented with detailed field intelligence to identify known and more importantly unknown conditions. Seasoned investigators who know the local language and are familiar with local politics bring an extra layer of depth assessment to an in-country investigation.” Further, the “Direction of the work and analyzing the resulting data is often critical to a successful outcome; and key to understanding the results both from a technical perspective and understanding what the results mean in plain English.  Investigative reports should include actionable recommendations based on clearly defined assumptions or preferably well-developed factual data points.”

But more than simply an investigation of the company, critically including a site visit and coupled with onsite interviews, Tal says that some other things you investigate include “an in-depth background check of key executives or principal players. These are not routine employment-type background checks, which are simply designed to confirm existing information; but rather executive due diligence checks designed to investigate hidden, secret or undisclosed information about that individual.” Tal believes that such “Reputational information, involvement in other businesses, direct or indirect involvement in other law suits, history of litigious and other lifestyle behaviors which can adversely affect your business, and public perceptions of impropriety, should they be disclosed publically.” 

Further, you may need to engage a foreign law firm, to investigate the third party in its home country to determine their compliance with its home country’s laws, licensing requirements and regulations. Lastly, and perhaps most importantly, you should use a Level III to look the proposed third party in the eye and get a firm idea of his or her cooperation and attitude towards compliance as one of the most important inquiries is not legal but based upon the response and cooperation of the third party. More than simply trying to determine if the third party objected to any portion of the due diligence process or did they object to the scope, coverage or purpose of the Foreign Corrupt Practices Act (FCPA); you can use a Level III to determine if the third party is willing to stand up with you under the FCPA and are you willing to partner with the third party?

There are many different approaches to the specifics of due diligence. By laying out some of the approaches, you can craft the relevant portions into your program. The Level I, II & III trichotomy appears to have the greatest favor and one that you should be able to implement in a straightforward manner. But the key is that you must assess your company’s risk and then manage that risk. If you need to perform additional due diligence to answer questions or clear red flags you should do so. And do not forget to Document Document Document all your due diligence. 

Three Key Takeaways

  1. A Level I due diligence should be only used where there is a low risk of corruption.
  2. A Level II due diligence is sufficient in a high-risk jurisdiction if there are no red flags to clear.
  3. Level III due diligence is deep dive, boots on the ground investigation.

As the leading provider of ethics and compliance cloud software, Convercent connects ethics to business performance by weaving ethics and values into everyday operations in more than 600 of the world’s largest companies. Its Ethics Cloud Platform, provides a suite of applications: Convercent Insights, Convercent Helpline, Convercent Campaigns, Convercent Disclosures and Convercent Third Party. For more information go to

Jan 30, 2018

Welcome to Episode 9 of Compliance Man Goes Global podcast of FCPA Compliance Report International Edition. In this episode, we will focus on things, which actually could kill compliance in the organization. We will explore this matter in a plain language so to say and in the simple game form. Moreover, to make the podcast handy and more appealing we attach respective illustration from the Compliance Man illustrated series, created by Timur Khasanov-Batirov. 

For those of our listeners who are not aware about our format, in each podcast, we take two typical concepts or more accurately misconceptions from in-house compliance perspective. We check out if these concepts work at emerging jurisdictions. For each podcast, we divide roles with Timur, a practitioner who focuses on embedding compliance programs at high-risk markets. One of us will advocate the concept identifying pros. The second compliance man will provide arguments finding cons and trying to convince audience that that we face a pure myth. As a result, we hopefully will be able to come up with some practical solutions for in-house compliance practitioners.

Myth #1 Absence of support from top management could kill compliance as a concept in the organization. Tim, would you agree with this statement? 

Tim Khasanov-Batirov: I think we should define whom we consider a top management and what we mean by support. If we start with a question of top management, I would think that there is no need to expect appreciation or kind attitude to compliance from everyone among senior management. It will never happen. You obviously want to have an understanding of what you have been doing among your company’s decision-makers. Still it does not lead to full support in everything a compliance officer is proposing. I believe it is about values. If key stakeholders appreciate integrity and compliance that something which really matters for compliance officer.   


The second question is about support. Based on my practice there is no way to have daily support from everyone in the organization. If compliance person maintains good working relations with employees from different levels of corporate hierarchy, that makes operationalization of compliance program more effective. What is your opinion, Tom? 

Tom:  A couple of things come to my mind, Tim: First and foremost, There are several key issues why top management support is more than simply critical, it is mandatory. It is senior management that sets the priority of a company and if they are not committed to compliance and ethics, everyone in the organization will understand it. I often provide the example of Regional VP who said the following: If I violate the Code of Conduct, I may or may not be caught; If I violate the Code of Conduct and am caught, I may or may not be disciplined; If I miss my numbers for two quarters I will be fired. If senior manage focuses only on numbers, that will be communicated throughout the organization. 

Yet another key issue I would like to touch upon is the question of trust. When a compliance officer is promoting a compliance initiative across the organization, they could be successful if employees embrace it. He has to demonstrate that they have being doing right thing rather than just executing corporate compliance requirements. You can achieve this result if people trust you. If there is no trust neither senior management, nor employees will support compliance. What must a compliance officer should do to get trust? Just be risk oriented, try to suggest ethical solutions to achieve business tasks, be open-minded, and feel interested in corporate processes. In other words, you must operationalize compliance to make it a part of the very DNA of your organization. You have to become a trustworthy partner in order to get the level of support required for effective execution of the corporate compliance program.   

Myth #2. Bad corporate culture can kill Compliance in the organization. Tim, will you agree with this concept?

Tim: I agree that culture of non-compliance could kill the compliance idea in the organization. I believe that no matter if it is a big corporation or a small firm the culture starts from the CEO. There is always someone in the organization who is not a fan of compliance. It is fine, unless CEO himself does not support ethics. In this case, you have no chance to survive. In our attached issue of the Compliance Man illustrated series, we have depicted challenges, which compliance professionals face. However, in my view issues like decrease of the department’s headcount or budget are something, which cannot stop compliance officer.       

Tom: I believe that strong ethical culture is a key factor for building a solid compliance program. From practical perspective, I think surveying personnel about their attitude towards integrity could give you a real picture about state of culture in your organization. Another point to mention is the necessity to understand views of managers who due to their job responsibilities pose compliance risks, those in high-risk positions. This may be heads of construction or procurement teams as they interact with governmental officials. In ideal scenario, they share your values or at least strictly follow respective compliance procedures. In the worst case your efforts in embedding compliance program could be diminished by ignorance from actors which play critical role in its effectiveness.   

Thus, as key takeaways from today discussion, which is inspired by famous Unstoppable video of Sia, I think we can mention the following:

  • A compliance officer should be ready to overcome difficulties at all stages of compliance program execution. The best way to do it is to obtain trust from key stakeholders, win minds and hearts for compliance and never give up. Just be unstoppable.

Tom Fox and Tim Khasanov-Batirov are here for you. Join us for the next episode of Compliance Man Go Global episode of FCPA Compliance Report International Edition. Let’s bust more corporate compliance myths with us.

1 2 3 4 5 6 7 Next » 15