FCPA Compliance Report

Tom Fox has practiced law in Houston for 30 years and now brings you the FCPA Compliance and Ethics Report. Learn the latest in anti-corruption and anti-bribery compliance and international transaction issues, as well as business solutions to compliance problems.


Jun 20, 2018

Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance related topic, literally going into the weeds to more fully explore a subject. In this episode, Matt Kelly and I take a deep dive back into the issue of the ZTE monitorship announced recently as a part of the settlement with the Department of Commerce on the death penalty sanctions levied on the company in April.  

That sanction was an export denial which barred American companies from selling components to ZTE and its subsidiary. American companies, such as the San Diego-based chipmaker Qualcomm, supplied critical parts for ZTE’s networking gear and smartphones. This sanction came on the heels of an $891 million fine and penalty the company agreed to in March 2017 for its first round of export control violations. The second sanction was for failing to live up to the terms of the DPA the company agreed to in 2017.

In 2017, the company agreed to a monitor, who was appointed by the District Court which accepted the company’s guilty plea. Under the May 2018 supplemental sanction, ZTE agreed to pay an additional $1 billion in penalties, put $400 million in escrow, and accept a U.S.-appointed compliance department. According to the Department of Commerce Press Release, the new agreement requires ZTE “to retain a team of special compliance coordinators selected by and answerable to” the Commerce Department for ten years. This new compliance function will essentially serve as the Department of Commerce’s monitor at ZTE; as the Press Release noted, “Their function will be to monitor on a real-time basis ZTE’s compliance with U.S. export control laws.”

Matt and I take a deep dive into the DOC resolution, the monitorship and how it might work, and the use of a sanctions regime by the administration as a tool to browbeat other countries. We discuss in detail this bizarro arrangement of U.S. regulators appointing an in-house compliance executive to act as a monitor to the Chinese telecom firm. The concept is intriguing, and the job could be the professional challenge of a lifetime — except for all those pesky details, including the ones this settlement still leaves unaddressed.

For more reading: see Matt’s pieces “FAQs on ZTE’s Compliance Settlement” and “Trade War! Trade War! Man the Barricades!”, both on Radical Compliance. See Tom’s piece, “The ZTE Department of Commerce Monitor: unchartered waters” in Compliance Week.

Jun 15, 2018

With both VW and ZTE having very bad weeks, Jay Rosen and myself are back in the saddle again to take a look at some of the top compliance stories from the past week.

  1. Having a bad week, Part 1: Volkswagen. First the head of its Audi unit is announced to be under investigation (here). Then Germany fines the company €1 bn for the emissions-testing fraud (here). Finally, German prosecutors reject the myth of “rogue engineers” in the scandal, saying the company is responsible as a whole (here). All reported in the New York Times.
  2. Having a bad week, Part 2: ZTE. After a settlement was reached between ZTE and the Department of Commerce, Congress moves to block the settlement. Michael C. Bender, Siobhan Hughes and Kate O’Keeffe report on the political perspective in the Wall Street Journal. From the compliance angle, many questions abound. Gerry Zack, writing in the FCPA Blog, says don't call the persons reporting to the DOC mandated compliance officers as they are monitors. Matt Kelly offers up informative FAQs on the monitorship in Radical Compliance. Tom considers the uncharted waters of the settlement in Compliance Week (sub req’d).
  3. The court eviscerates the DOJ’s argument against the AT&T purchase of Time Warner. Henry Cutter uses the merger go-ahead from Judge Leon to explore the compliance challenges in mega-mergers (and small ones too). In the WSJ Risk & Compliance Journal.
  4. Bill Steinmann says (yet again) that FCPA enforcement is not dead. It’s not that he’s tired of saying it, he just wishes the nay-sayers would unplug their ears and start to listen. On the FCPA Blog.
  5. Goldman Sachs made $600 peddling 1MDB bonds. The new Malaysian government wants some of that money back. Alexandra Stephenson and Hannah Beech report in the New York Times.
  6. CCOs behaving badly. The Standard Chartered CCO has left the bank for inappropriate behavior. Sam Rubenfeld reports in the WSJ Risk & Compliance Journal.
  7. Looking to do business with Trump’s newest buddy North Korea? Dick Cassin says be careful, be very careful in the FCPA Blog.
  8. Anti-piling on is a two-way street, as it requires responsible actions by companies as well. Michael Griffiths reports in GIR on remarks by Justice Department FCPA Unit Chief Dan Kahn.
  9. Need some CLE or Compliance know-how? Join Tom’s Compliance Master Class, which is next week in Houston on June 21 & 22. Just a couple of seats left. Information and registration is available here. Learn about compliance from the guy who wrote the book on compliance.
  10. Support your local book sellers! River Oaks Bookstore, 3270 Westheimer, in Houston is now stocking The Complete Compliance Handbook. Tom will be on hand for a book signing on Thursday, June 28 from 5:30 to 7.
  11. Tom’s new book The Complete Compliance Handbook remains a hot seller. It is available oncom. Purchase an autographed copy here. It is reviewed in the FCPA Blog, Radical Compliance and Corruption, Crime and Compliance.
  12. Serving up some Breakfast and Compliance. Join Tom in Boston on June 25 at the offices of Affiliated Monitors to learn about how the story of compliance is the story of innovation. For more information and registration, click here.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at www.affiliatedmonitors.com.

May 29, 2018

The call, e-mail or tip comes into your office; an employee reports suspicious activity somewhere across the globe. That activity might well turn into a FCPA issue for your company. As the CCO, it will be up to you to begin the process which will determine, in many instances, how the company will respond going forward. 

This scenario was driven home in a FCPA enforcement action brought by the SEC in July 2015 involving Mead Johnson Nutrition Company. In that case, the company performed two internal investigations into allegations that its Chinese business unit was engaged in conduct which violated the FCPA. Unfortunately, the first investigation, performed in 2011, did not turn up any evidence of FCPA violations. It was not until 2013, when the SEC made an inquiry to the company, that it performed an adequate internal investigation which uncovered FCPA violations.

Your company should have a detailed written procedure for handling any complaint or allegation of bribery or corruption, regardless of the means through which it is communicated. The mechanism could include the internal company hotline, anonymous tips, or a report directly from the business unit involved. You can make the decision on whether or not to investigate in consultation with other groups such as the Audit Committee of the Board of Directors or the Legal Department. The head of the business unit in which the claim arose may also be notified that an allegation has been made and that the Compliance Department will be handling the matter on a go-forward basis. Through the use of such a detailed written procedure, you can work to ensure there is complete transparency on the rights and obligations of all parties once an allegation is made. This gives the Compliance Department not only the flexibility but also the responsibility to deal with such matters, from which it can best assess and then decide how to manage the matter.

To purchase a copy of The Complete Compliance Handbook on Amazon.com click here.

To purchase an autographed copy of The Complete Compliance Handbook from the author click here.

 

Apr 27, 2018

After being joined by Jay’s girls to celebrate our 100th anniversary episode, Jay Rosen and myself take a look at some of the top compliance stories over the past week.

  1. Dun & Bradstreet settles FCPA with first declination under new DOJ FCPA Corporate Enforcement Policy. Dick Cassin reports in the FCPA Blog. Henry Cutter reports in the WSJ Risk and Compliance Journal.
  2. Will there ever be transparency in the corporate monitorship process with the DOJ? There will be if Dylan Tokar gets his way. Veronica Root reports in the NYU Compliance and Enforcement Blog.
  3. What is ISO 37001 certification worth? Not much in the eyes of SEC FCPA unit chief Charles Cain. Kelly Swanson reports in GIR Investigative (sub req’d).
  4. SEC fines Yahoo $35 million for failing to disclose data breach. Dick Cassin reports in the FCPA Blog.
  5. Former Justice Department FCPA unit chief Pat Stokes hits back on DOJ requests for statute of limitations tolling. Kelly Swanson reports in GIR Investigative (sub req’d).
  6. Starbucks took a huge black eye for its treatment of two African-American men waiting on a friend. Matt Kelly considers from the policy angle in Radical Compliance. Tom considers from the risk management perspective in the FCPA Compliance & Ethics Blog. They debate these and other topics in Episode 79 of Compliance into the Weeds.
  7. Was Facebook’s monitor(s) asleep on the job? Does FB’s repeat misconduct even matter? Tony Romm explores the former question in the Washington Post. Veronica Root explores the latter question in the NYU Compliance and Enforcement Blog.
  8. What is Brady laundering? Dan Portnov explores this question on Grand Jury Target.
  9. Tom announces presales of his next book, the Complete Compliance Handbook, which will be published by Compliance Week in May 2018. It is available for PreSale here.
  10. Tom has a busy May planned. Join him at Brazil’s largest compliance conference, the 6th International Compliance Congress, held by LEC – Legal, Ethics and Compliance, May 8 to 10, in São Paulo, Brazil. Registration and information here; hear him speak to the Houston chapter of ACAMS, from 11:30-2 PM on Thursday, May 17th in Houston on “Driving Compliance and Ethics through Data Analysis”. Information and registration here; and join in a session on Using Frameworks to Prove Compliance Competency at Compliance Week 2018 in Washington DC, May 20-23. Information and registration are here.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Apr 16, 2018

In March the SEC made its biggest-ever whistleblower award. It gave one person more than $33 million and in the same case split nearly $50 million between two others. The previous high for an SEC award to a single whistleblower was $30 million in 2014. All three whistleblowers were represented by the law firm of Labaton Sucharow and the awards were based upon SEC enforcement actions against Merrill Lynch. Today, I have with me Steve Durham, a partner at the firm, to talk about the awards and their implications in light of the recent Supreme Court decision in Digital Realty Trust v. Somers.

There are several key points to take away from the awards which we discuss. Initially the awards were divided into two separate awards; one to two individuals for $50 million and a second of $33 million to one individual. We discuss what is original information in the eyes of the SEC which can qualify for an award. In the award, the SEC noted the initial two whistleblowers could have received a higher amount if their information had been delivered to the SEC in a more timely manner, that is, as soon as they learned of the misconduct. This timing issue is critical not only to help set the amount of the award but also to establish that a whistleblower is qualified to receive an award, as there were other individuals who stepped forward later with the same or similar information.

We also explore where the SEC is in its overall whistleblower award program. Durham believes there are several large whistleblower awards in the SEC pipeline and that the SEC Whistleblower program has been an overall success. Even with the Congressional attacks on Dodd-Frank, there is no call to reform this part of the law.

Apr 5, 2018

The top compliance roundtable podcast is back with a wrap-up of some of the top compliance stories over the first quarter of 2018. Stay tuned to the end for rants in this edition.

  1. Matt Kelly considers the moves by the Congress to amend Dodd-Frank, considering the approaches by both the House and the Senate. He explores a couple of interesting side notes. First, the Senate bill requires the Department of Treasury to consider cybersecurity risks. Second, he notes the lack of movement against the Consumer Financial Protection Board. He also considers the Trump Administration’s claim of regulatory reduction, exploring my question: Is it real or is it Memorex? Matt rants on the manner of the firing of the Secretary of the Department of Veteran’s Affairs.
  2. Mike Volkov considers the recent pronouncements by the Justice Department that it may extend the reach of the declination program first laid out in the new FCPA Corporate Enforcement Policy. Would such an approach work for other laws? If so, which ones are likely candidates? Is this a sop to big business or is there something else going on? What might be the reaction of the Congress? Mike rants on the corruption and conflicts of interest present in the current Administration.
  3. Jonathan Armstrong considers the Facebook/Cambridge Analytica imbroglio from the UK/EU angle. He discusses where the EU and UK investigations currently lie, what the potential penalties might be, including criminal sanctions, and next steps for all involved. It turns out the EU has been investigating Cambridge Analytica for over one year. Armstrong gives a shout out to the SCCE European Compliance and Ethics Institute and rants on travelers who still don’t know to bag their liquids and take their shoes off at security in airports.
  4. Jay Rosen considers the current state of monitorships. He begins with a review of monitorships over the past few years to explore whether the Justice Department and SEC are cutting back on their use. If so, what are the implications for enforcement and compliance going forward? What are some of the tangible steps a company can take to make the case they do not need a monitor even after a FCPA violation? Jay explains remediation through a proactive monitorship can be a key step. Jay gives a shout out to the state Attorneys General who brought the Emolument Lawsuit against the President.

I take the opportunity to give a Happy Trails shout out to one of my boyhood heroes, Rusty Staub, who recently passed away, and rant on the New York Times for waiting almost a full week before running an obituary on Philip Kerr.

The members of the Everything Compliance panel include:

  • Jay Rosen – Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com
  • Mike Volkov – One of the top FCPA commentators and practitioners around and the Chief Executive Officer of The Volkov Law Group, LLC. Volkov can be reached at mvolkov@volkovlawgroup.com.
  • Matt Kelly – Founder and CEO of Radical Compliance, is the former Editor of Compliance Week. Kelly can be reached at mkelly@radicalcompliance.com
  • Jonathan Armstrong – Rounding out the panel is our UK colleague, who is an experienced lawyer with Cordery in London. Armstrong can be reached at armstrong@corderycompliance.com

Mar 17, 2018

March Madness is upon us, with the first ever #16 knocking off a Number 1 seed. In the midst of this true madness, Jay Rosen and myself take a look at some of the top compliance stories over the past week.

 

  1. March Madness is here. So is corruption in NCAA basketball. Tom considers both stories in Compliance Week.
  2. Former FCPA Unit Head Chuck Duross says that self-reporting is still “probably not worth it”. See article in GIR (sub req’d)
  3. Elizabeth Holmes and Theranos were engaged in massive, years-long fraud. She is fined, must return her Theranos stock and is banned from running public companies for 10 years. Sam Rubenfeld reports in the WSJ Risk and Compliance Journal. See SEC Complaint for full details.
  4. What are some of the compliance lessons to be learned from the Novartis journey? Jaclyn Jaeger considers them in Compliance Week. (Sub req’d)
  5. First DPA granted under new French anti-corruption law, Sapin II. See article in NYU Compliance and Enforcement Blog.
  6. SFO Director David Green pushed back on the myth that DPAs are sweetheart deals in the FCPA Blog.
  7. Are corporate monitorships on their way out? Adam Dobrik reports in GIR (Sub req’d)
  8. The Trace Global Enforcement Report is out.
  9. On Tuesday, March 20, Tom will premiere an exciting new podcast, Innovation in Compliance. It is available on the FCPA Compliance Report, iTunes, Libsyn, YouTube and JDSupra.
  10. Tom announces presales of his next book, the Complete Compliance Handbook, which will be published by Compliance Week in April 2018. It is available for PreSale here.
  11. Jonathan Armstrong will be in Houston on April 10 to put on a half-day GDPR workshop. You can find out more and register at the Greater Houston Business and Ethics Roundtable website, org.
Mar 1, 2018

In this episode I visit with Joel Solomon, author of “The Clean Money Revolution”. Solomon has worked in the investment community for many years, both in the United States and Canada. He heads Renewal Funds, which is Canada’s leading mission venture capital investment firm, with $98 million of assets under management in early growth stage Organics and EnviroTech companies in Canada and the USA. The Fund has over 150 individual, family, and foundation investors mostly split between Canada and the USA, with several in Europe and Asia. The goal is above market financial returns from a portfolio of companies offering positive societal advances. Renewal Funds’ dynamic team is led by Paul Richardson, President and CEO, and Joel Solomon, Chair, with crucial backing from Carol Newell. Renewal Funds has been named a "Best for the World Funds" by B the Change Media, for setting the measurement and management bar for impact investing. It has also been named a B Corp for "Best for the World Company."

We discuss what is mission venture capitalism and Solomon’s leadership in this field. We discuss his book, The Clean Money Revolution and explore how clean money investing is different than other types of investing. We explore the role of money managers in the clean money revolution and explore the broader role of money managers in environmental, social and governance investing and management. We consider the role of the Boards of Directors in public companies in contributing to the clean money revolution. We conclude with a fascinating exploration of the role of US government pull back in ESG and clean money investments; leaving a very large role for corporations to step in and fill going forward.

For more about Joel Solomon, check out his website, joelsolomon.org.

Feb 26, 2018

Last week the US Supreme Court issued its decision in Digital Realty Trust v. Somers (Somers). It was a closely watched case in the compliance community. Yesterday, I reviewed the Court’s decision. In this podcast, Roy Snell and I consider the impact of the Court’s decision on a variety of actors; including the SEC itself, Chief Compliance Officers (CCOs) and compliance practitioners, compliance programs and corporate America.

While we both agreed the Supreme Court came to the correct legal decision, there are several areas in which this decision may well lead to negative impacts. The first is the message that it sends to potential whistleblowers: if you do not report to the Securities and Exchange Commission (SEC), you will not receive any legal protections against discrimination or retaliation.

Second is the impact on every Chief Compliance Officer (CCO) or compliance practitioner. This decision will negatively impact attempts to create a best practices compliance program. A key part of any best practices compliance program is an internal reporting mechanism (Hallmark 8 of an Effective Compliance Program).

Third, companies will be cut off from their best source of information, their own employees. Companies will now have less ability to detect and then remediate any problems before they become legal violations or to keep legal violations from expanding.

Finally, there is the impact the decision will have on the SEC itself. Now there is no incentive to report internally because you are not eligible for any financial incentive nor will you receive any protections from discrimination or retaliation. It is possible the SEC will be literally inundated with potential securities-laws violations.

Feb 8, 2018

In this episode, Matt Kelly and I take a deep dive into the events which led to the resignation of Steve Wynn as the CEO and Chairman of Wynn Casinos for sexual harassment and misconduct. We consider how quickly the scandal escalated after it was initially reported by the Wall Street Journal and the response (or lack thereof) by the Board of Directors to Wynn’s conduct which had been an open secret for almost 20 years. We review what structural inputs a company should have in place when it has a true charismatic leader. We consider the role of the Board of Directors in light of the recent Wells Fargo penalty levied by the Federal Reserve to limit growth and require the Wells Fargo Board to refocus its efforts on more robust corporate risk management.

For more on the Wynn scandal and corporate governance, see Matt’s blog post So Much Wynning You Can’t Stand It

For more on the Federal Reserve’s penalty on Wells Fargo and the Board of Directors’ need for a compliance professional on the Board, see Tom’s blog post, Wells Fargo, Put a Compliance Professional on Your Board

Jan 24, 2018

The role of the Chief Compliance Officer (CCO) has steadily grown in stature and prestige over the years. In the 2012 FCPA Guidance, under Hallmark Three of the 10 Hallmarks of an Effective Compliance Program, the focus was articulated by the title of the Hallmark, Oversight, Autonomy, and Resources. In it the 2012 FCPA Guidance focused on whether the CCO held senior management status and had a direct reporting line to the Board, stating: “In appraising a compliance program, DOJ and SEC also consider whether a company has assigned responsibility for the oversight and implementation of a company’s compliance program to one or more specific senior executives within an organization. Those individuals must have appropriate authority within the organization, adequate autonomy from management, and sufficient resources to ensure that the company’s compliance program is implemented effectively. Adequate autonomy generally includes direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors.”

This Hallmark was significantly expanded in both the Evaluation of Corporate Compliance Programs (Evaluation) and the new FCPA Corporate Enforcement Policy (Policy). Over the next two blog posts, I will be considering how the Department of Justice (DOJ) has increased the prestige, authority and role of both the CCO and corporate compliance function.

The DOJ’s Evaluation of Corporate Compliance Programs made the following query about the CCO position:

  1. Autonomy and Resources 

Stature – How has the compliance function compared with other strategic functions in the company in terms of stature, compensation levels, rank/title, reporting line, resources, and access to key decision-makers? What has been the turnover rate for compliance and relevant control function personnel? What role has compliance played in the company’s strategic and operational decisions? 

Autonomy – Have the compliance and relevant control functions had direct reporting lines to anyone on the board of directors? How often do they meet with the board of directors? Are members of the senior management present for these meetings? Who reviewed the performance of the compliance function and what was the review process? Who has determined compensation/bonuses/raises/hiring/termination of compliance officers? Do the compliance and relevant control personnel in the field have reporting lines to headquarters? If not, how has the company ensured their independence?

In the Policy, the DOJ laid out additional factors around CCO authority: 

  1. The quality and experience of the personnel involved in compliance, such that they can understand and identify the transactions and activities that pose a potential risk;
  2. The authority and independence of the compliance function and the availability of compliance expertise to the board;
  3. The compensation and promotion of the personnel involved in compliance, in view of their role, responsibilities, performance, and other appropriate factors; and
  4. The reporting structure of any compliance personnel employed or contracted by the company.

There is a new requirement for compliance “independence”. The DOJ has not taken a position on whether a General Counsel (GC) can also be the CCO. However, this new language would seem to signal the death knell for the dual GC/CCO role. It may also signal the larger issue that the CCO should have a separate reporting line to the Board, apart from through the GC. While the DOJ’s stated position is that it does not concern itself with whether the CCO reports to the GC or reports independently, it is more concerned about whether the CCO has the voice to go to the Chief Executive Officer (CEO) or Board of Directors directly, not via the GC. Even if the answer were yes, the DOJ would want to know if the CCO has ever exercised that right. Yet the Evaluation comes as close as at any time previously to articulating a DOJ policy that the CCO be independent of the GC’s office. Therefore, if your CCO still reports up through the GC, you must have demonstrable evidence of both CCO independence and actual line of sight authority to the Board.

The Evaluation and the Policy build upon the 10 Hallmarks of an Effective Compliance Program and demonstrate the continued evolution in the thinking of the DOJ around the CCO position and the compliance function. Their articulated inquiries can only strengthen the CCO position specifically and the compliance profession more generally. The more the DOJ talks about independence, coupled with resources being made available and authority concomitant with the CCO position, the more corporations will see it is directly in their interest to provide the resources, authority and gravitas to compliance positions in their organizations.

Three Key Takeaways

  1. How can you show compliance really has a seat at the senior executive table?
  2. What are the professional qualifications of your CCO?
  3. Does your CCO have true independence to report directly to the Board of Directors? 

This month’s podcast sponsor is Convercent. Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to Convercent.com.

Jan 12, 2018

In this episode, Jay Rosen and myself take a look at some of the top compliance stories over the past week.

  1. Does Free Speech exist at the office? Can you tell your boss what you think of them? Ben DiPietro looks at a new Department of Labor approach in WSJ Risk and Compliance Journal.
  2. Are fraudsters like the rich (as in different than the rest of us)? Jonathan Marks explores the mind of the fraudster in his Board and Fraud blog.
  3. What can you do to manage your third parties more effectively? Rick Chapman provides his experiences in the SCCE Blog.
  4. Is there a unified theory of corruption? Professor Joseph Pazsgai explores the question in a guest post on the FCPA Blog.
  5. Mike Volkov gives his five top compliance predictions for 2018 in the Crime, Corruption and Compliance Blog.
  6. Oh thank Heaven? Feds raid 7-11 looking for criminals (i.e., undocumented workers). See story by Alicia Caldwell in the WSJ.
  7. Is there a real (or perceived) bias in the monitorship process? Several experts are cited in GIR piece (sub req’d).
  8. Shearman & Sterling releases its annual report, the Recent Trends and Patterns in the Enforcement of the FCPA.
  9. Join Tom’s monthly podcast series on One Month to a More Effective Compliance Program. In January, I bring together the entire year of compliance program best practices with 31 days to a more effective compliance program. It is available on the FCPA Compliance Report, iTunes, Libsyn, YouTube and JDSupra.
  10. Tom announces his next Compliance Master Class, sponsored by Marcum LLP. It will be held on February 11 & 12 at Marcum’s offices in Miami, FL. More information or a copy of the agenda, or to register, will be available on my website, FCPA Compliance Report or at Marcum LLP.
  11. Jay Rosen previews the Jay Rosen weekend report.
  12. We preview this week’s NFL playoffs.

 

Jan 9, 2018

A 360-degree view of compliance is an effort to incorporate your compliance identity into a holistic approach so that compliance is in touch with and visible to your employees at all times. It is about creating a distinctive brand philosophy of compliance which is centered on your consumers. In other words, it helps a compliance practitioner to anticipate all the aspects of your employees needs around compliance your employees, who are the customers of your compliance program. This is especially true when compliance is either perceived as something that comes out of the home office or is perceived as the Land of No, largely inhabited by Dr. No. A 360-degree view of compliance gives you the opportunity to build a new brand image for your compliance program.

Previously, I had thought of communications really as a two-way street: upward and downward, inbound and outbound, and side-to-side communications. However you might choose to phrase it, a 360-degree approach to compliance communications is something different. You simply can no longer communicate as effectively in just two ways. You now communicate in a more holistic manner, and in multiple ways. If you are just thinking about communications in the classic form, you are missing something that is happening around you.

360-degrees of compliance communication is not just a classic form of communication but rather communication in the context of every interaction, whether planned or accidental. It is all a form of communication. This is particularly true if you are a compliance professional, a chief compliance officer or a compliance practitioner. The things you do, the way you act, and the way people see you are always communicating. It is not simply communicating to one another, as often you may well be communicating to a group across siloed boundaries, to constituencies with whom you had not even initially planned to communicate.

There are several concepts which should be included in your 360-degree view of compliance communications. Begin with an objective so you identify the purpose of your communication and the target with whom you are going to communicate. Identify as clearly as you can the purpose and reason to ensure your message is aligned with your objectives. For instance, are you implementing a 360-degree view of communication to educate, inform, change perceptions or build trust and commitment?

Next, who is your audience? To communicate effectively you need to understand your audience. In any corporation, there are multiple audiences who are the key stakeholders in the 360-degree process. How much do they know? Some of the stakeholders include the Board of Directors, senior management, middle management, employee teams, committees, coaches, facilitators, customers, business partners, vendors, sales agents and representatives, strategic alliances and business ventures. What are your distribution channels and how do you track your messaging? You should create a comprehensive spreadsheet to track the messages, the intended audience and the delivery mechanism. Another key ingredient of the 360-degree approach is feedback. This is a key component of the 360-degree experience, so educate each stakeholder on the benefits of feedback from the 360-degree approach.

Finally, you need to evaluate what you have done. You can monitor your communication activities by tracking attendance at the events, website statistics, open rate of emails, downloads of materials, video hits; in other words, the same techniques that your marketing folks would use to determine their messaging’s effectiveness. The objective is to build trust for the 360-degree process by determining if the goal was achieved. You can utilize surveys or focus groups to assess the impact on your target audience. Focusing on the customers of compliance, i.e., your employees, allows you to identify gaps and improve the communication process for your compliance program.

Using such a 360-degree approach to communication allows a CCO to “see around corners” and can be one of the greatest strengths of a best practices compliance program. The reason is listening. Listening is a key leadership component and there are certainly many ways to listen. You can sit in your office and wait for a call or report on the hotline or you can go out into the field and find out what challenges employees are facing. From this you can work with them to craft a solution that works for the company and holds to the company’s ethical and compliance values.

Three Key Takeaways

  1. Remember the definition of 360-degrees of compliance communications. It is an effort that incorporates the compliance identity into a holistic approach so compliance is in touch with and visible to your employees at all times.
  2. What is your objective? What are you trying to do with your 360-degrees of compliance communications and how are you using that mechanism to deliver the objectives of your compliance program?
  3. Evaluate. You need to evaluate three factors: (a) has the message been delivered; (b) has it been heard; and (c) is it being implemented.

 

This month’s podcast sponsor is Convercent. Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to Convercent.com.

Dec 31, 2017

Jay and I take things in a different direction this week. For our year-end wrap-up edition, we take the top five podcasts from 2017, and each of us gives a highlight from each episode to underscore some of the key compliance issues from 2017.

1. Episode 55-The Covfefe Edition, for the week ending June 2

 From Jay- Compliance is making its way into Boards of Directors. See article by Ben DiPietro in the WSJ Risk and Compliance Journal.

From Tom- Samuel Mebiame, sentenced to two years behind bars for paying bribes to help Och-Ziff with lucrative mining deals in Africa. See article by Sam Rubenfeld in WSJ Risk and Compliance Journal. Judge asks why no one else was criminally prosecuted. See article in Bloomberg.

2. Episode 53-The I Left My Heart in SF Edition, for the week ending May 19 

From Jay- Should compliance and ethics be wedded? New report by Institute of Business Ethics and the Ethics Institute considers the issues. See article in WSJ Risk and Compliance Journal.

From Tom- Astros lead the MLB with the best record in baseball. Will they regress to the mean?

3. Episode 52-The Firing the Investigators Edition, for the week ending May 12

 From Jay- ECI Report Finds Use of Corporate Monitors is on the Rise. For a copy of report, click here. For a webinar replay with Affiliated Monitors’ Eric Feldman and Nasdaq’s Michael Kallens click here.

From Tom- Why the judgment of CEOs and their actions really do matter. See James Stewart considers Barclays’ Jes Staley in his Common Sense column in the New York Times.   

4. Episode 54-The Rubber Match Edition, for the week ending May 26

From Jay- He recaps the SCCE San Francisco event he attended last week. See Jay’s recap in his article I Left My #SCCE Heart in San Francisco or I Love It When A Plan Comes Together!

From Tom-Was the individual enforcement against the MoneyGram CCO significant or much ado about nothing? See article by Dick Cassin in the FCPA Blog and by Sara Kropt in her Grand Jury Blog.

5. Episode 77-The Home for the Holidays Edition, for the week ending November 17

 From Jay-

1a) Wal-Mart reserves $283MM to settle its outstanding FCPA matter. See article by Dick Cassin in the FCPA Blog. Henry Cutter reports in the WSJ Risk and Compliance Journal.

1b) The Everything Compliance gang put together an eBook of their reflections from the recent SCCE 2017 Compliance and Ethics Institute. It is available for download free on JDSupra. It is also available on the Affiliated Monitors site by clicking here.

From Tom- Tom visited with Marc Havener and Bryan Belknap about using movie clips to expand your compliance training classroom. See Tom’s blog post here

Dec 31, 2017

This entry provides a wrap-up on written standards, with a discussion of policies on cybersecurity. Cybersecurity has become so critical for corporations that the CCO and many compliance practitioners are now required to deal with this issue.

Cybersecurity policies are the newest area to fall into the lap of the compliance professional. Fortunately, the state of New York's Department of Financial Services has issued the first state-level regulations on cybersecurity for financial institutions. They became effective March 1, 2017, and while they are designed to protect financial services industries and consumers, they have application to, and provide guidance for, a wider variety of non-financial services companies and commercial enterprises. They mandate that your overall cybersecurity policy be designed to meet the goals of preventing, detecting and remediating a cybersecurity event.

While the regulation is obviously geared towards financial services firms, there are several points that any non-financial services compliance practitioner should consider. The overall cybersecurity program should be designed to meet the three goals of any best practices compliance program: (a) prevent any cybersecurity breaches or failures; (b) detect cybersecurity events; and (c) remediate by responding to identified or detected cybersecurity events to mitigate any negative effects, recovering from them and restoring normal operations and services. An added requirement for cybersecurity will be notification of appropriate regulatory authorities.

Your written policy should be based on a risk assessment, taking the following factors into consideration: “(a) information security; (b) data governance and classification; (c) asset inventory and device management; (d) access controls and identity management; (e) business continuity and disaster recovery planning and resources; (f) systems operations and availability concerns; (g) systems and network security; (h) systems and network monitoring; (i) systems and application development and quality assurance; (j) physical security and environmental controls; (k) customer data privacy; (l) vendor and Third Party Service Provider management; (m) risk assessment; and (n) incident response.”

There should be a corporate officer position which reports to the Board of Directors on the following topics: (1) the confidentiality and the integrity and security of the information systems; (2) the cybersecurity policies and procedures; (3) material cybersecurity risks; (4) overall effectiveness of the cybersecurity program; and (5) any material cybersecurity events. The members of the cyber compliance team must all show proficiency in the discipline and keep abreast of cybersecurity developments.

For ongoing monitoring, there should be annual penetration testing and biennial vulnerability assessments. Finally, there must be annual risk assessments designed to test: (1) identified cybersecurity risks and threats; (2) criteria for the assessment of the confidentiality, integrity, security, availability and adequacy of existing controls in the context of identified risks; and (3) requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the cybersecurity program will address the risks.

If a company allows a third-party provider to have access to or hold its data, it must perform an evaluation of that third-party provider in the following areas: (1) identification and risk assessment of the third-party provider; (2) minimum cybersecurity practices required to be met by the third-party provider in order for it to do business; (3) due diligence processes used to evaluate the adequacy of the cybersecurity practices of the third-party provider; and (4) periodic assessment of the third-party provider based on the risk it presents and the continued adequacy of its cybersecurity practices. There should also be effective training and ongoing monitoring requirements for employees of impacted third-party providers.

All of the above should sound quite familiar to any anti-corruption compliance professional. Yet this DFS regulation should also be studied as a roadmap for the inevitable cybersecurity and InfoSec compliance which is just down the road for non-financial services industries. The third-party providers are particularly critical, as many major data breaches have occurred through connected third parties. One need only think of the Target data breach or the looting of the Central Bank of Bangladesh through the New York Federal Reserve Bank.

Three Key Takeaways

  1. CCOs and compliance professionals need to be ready to take on cybersecurity policies and procedures.
  2. Cybersecurity policies and procedures should strive to prevent, detect and remediate cybersecurity events and failures.
  3. Do not forget the lesson from the Target data breach; you are only as secure as your weakest third-party link.

This month’s sponsor is the Doing Compliance Master Class. In 2018, I am partnering with Jonathan Marks and Marcum LLC to put on training. Look for dates for one of the top compliance-related trainings going forward.

Dec 30, 2017

The next area for policies is extortion payments, which are completely exempted from the FCPA. Extortion payments are made for any action which threatens or demands payment for life, liberty, or health. These should be exempted from your facilitation payments and your compliance program through specific language. You need to do this for a variety of reasons. First and foremost, your employees must understand that the company will support them if they are in any way threatened with harm, arrest or physical detention, or if their health or safety is threatened. As a compliance professional, you need to make sure employees understand they need to do whatever they must to get themselves out of such a situation.

Some of the situations your employees might face are along the lines of the following:

  • Employees are stopped by police, military or paramilitary personnel, or militia (uniformed or not) at designated or other checkpoints or other places and a payment is demanded as a condition of passage of persons or property;
  • Employees are threatened with arrest or detainment; or
  • Employees are asked by persons claiming to be security personnel, immigration control, or health inspectors to pay for an allegedly required inoculation or other similar procedure.

I once had a situation where an employee was threatened with receiving a vaccination for yellow fever when they were departing a West African country. The employee paid some $85 to get out of that situation. I instructed him to submit it as a travel expense, writing out the event in a four-sentence paragraph attached to his expense report. The documentation proved that the payment was not a facilitation payment. It was clearly an extortion payment.

The key, though, is that it be properly documented. Beyond simply documenting the event, you must specifically list extortion payments in your books and records so you will be in compliance with the books and records requirement of the FCPA to accurately record your expenses. You need to train your employees specifically on the actions to take both when they are put in the situation and when they return to their office. In your policy, state that if there is a threat to health, safety or liberty, the payment is not a facilitation payment but an extortion payment. Make sure that employees understand what their rights are and what their obligations are to report it when they come back to the corporate office or their office. Always remember, an extortion payment is not a FCPA violation.

Three Key Takeaways

  1. Extortion payments are not illegal under the FCPA.
  2. Was the action an extortion or some other type of situation?
  3. Document, document, document your extortion payments: both the financial component and a description of the underlying events.

Nov 15, 2017

Welcome to Episode 5 of the Compliance Man Goes Global podcast of the FCPA Compliance Report International Edition. In this episode, we focus on typical concepts (or probably myths) of ways a Compliance professional might become a more valuable member of the management team rather than becoming the most hated person in the organization.

Tom: To start with, Tim, probably we should explain to our listeners why we called today’s episode ‘You Really Like Me’?

Tim Khasanov-Batirov: We call today’s episode “You Really Like Me!” remembering Sally Field’s gushing acceptance speech at the Oscar ceremony. The funny thing is that sometimes even in-house Compliance people have a strong wish to exclaim after her something like: “I haven't had an orthodox career, and I've wanted more than anything to have your respect. The first time I didn't feel it, but this time I feel it—and I can't deny the fact that you like me, right now, you like me!”

Tom: OK, Tim, let’s see if this is possible in reality or would remain just a dream of Compliance officers globally.

Myth #1 There is a chance that Compliance officer could avoid being named the most hated person in the organization.  Tim, do you agree with this statement?

Tim Khasanov-Batirov: Let’s try. I think we have some pros here:  

Argument #1.

A Compliance professional can avoid being the most hated person if personnel along with top management understand the role of Compliance function in the organization. Unless a Compliance professional delivers a clear message about risks he or she manages and value they bring, they are dependent on subjective views of other team members. We have depicted this situation in the attached release of Compliance Man illustrated series.    

Argument #2.

You might think about setting KPIs based on respective regulatory requirements referring for instance to 10 Hallmarks of the Effective Compliance Program or the Evaluation of Corporate Compliance Programs. This will allow you to set criteria, which could be used for unbiased and verifiable evaluation of your efforts.

Tom:  I think, Tim that there are some cons here as well:

Argument #1

As we know, there is no way people will like a Compliance officer all the time. Subject to particular situation or position, the Compliance professional’s managers might change their minds. So we should not have illusion of being most loved person constantly.

  

Argument #2

There is a big risk if Compliance person becomes too friendly with the employees and becomes co-opted by the business folks. This could lead to losing impartiality. Therefore, there is a very thin line between being business-oriented ethics professional and attempts just to ‘get likes’ from management.   

Tim: Tom, I agree with you.

Tom: Let’s go, Tim. We can formulate the next concept or maybe misconception in the following way:

Myth #2. In real life, Compliance officer de-facto is not able to become a member of managerial team (or just “team” so to say) being isolated from it by virtue of his “business prevention” mission. Tim, will you agree with this concept?

Tim: I strongly disagree with this concept.

Argument #1.

In my view, Compliance department in many cases is called a “Business prevention unit” not because of being very strict and picky. It is because of not fully understanding the business processes involved. As soon as compliance officer starts to hear other team members, he will be able to suggest solutions, which are compliant, and business oriented at the same time.

Argument #2.

It is about priorities. Management team should clearly see that Compliance officer is focusing on real regulatory risks and priorities rather than creating a useless bureaucracy regarding minor issues, which in many cases could be easily resolved.    

What are your views, Tom?

Tom: I have some pros to support the concept that in reality Compliance officer is not just another member of the business team.

Argument #1.

We have a special mission to assess business from external, in majority of cases regulatory perspective. Thus, many things, which at first glance might look as being good for business, could pose regulatory risk in the future. Thus, Compliance person is in charge of demonstrating a high-level or strategic view rather than solely looking at momentary business advantages.

Argument #2.

Compliance is a relatively new job in comparison to well established corporate functions such as a Legal Department or even Internal Audit. So even just by mere fact of being a “newcomer” the Compliance Officer differs from almost all members of the management team which represent “traditional” occupations.

Tim: Agreed, Tom. As key takeaways from today’s discussion, I think we can mention the following:

  • Compliance officer should be a business-oriented person with good understanding of business processes along with clear views on how to structure them in line with regulatory expectations.

Nov 1, 2017

Welcome to Day One of 360-degrees of communication in compliance. This month you will learn about techniques that the CCO can use not only to build a well-rounded role as a CCO but also to facilitate a much more holistic approach to compliance in your organization. Best of all, the techniques discussed are largely available to you at little to no cost. There are things that you can do both in your method of running the CCO position and in innovations that you can bring to the compliance function in your organization.

A 360-degree view of compliance is an effort to incorporate your compliance identity into a holistic approach so that compliance is in touch with and visible to your employees at all times. It is about creating a distinctive brand philosophy of compliance which is centered on your consumers. In other words, it helps you anticipate all aspects of the compliance needs of the customers of your compliance program, i.e., your employees, especially when compliance is perceived as new, as something that comes out of the home office, or as the Land of No. It gives you the opportunity to build a new brand image for your compliance program.

Social media is a big part of a 360-degree view, so there will be a focus on the use of social media in compliance and how it can facilitate your compliance program through your compliance messaging. I will discuss some specific social media tactics that have been successfully used by companies. We will consider the culture of compliance and the clash of different cultures that an organization may have, particularly through mergers and acquisitions but also internally, through organic growth, and how a 360-degree view can help overcome this. Storytelling and compliance is another mechanism which is facilitated through a 360-degree view.

Other issues to be considered include how can a 360-degree view of communication facilitate your role as a leader in your company and in your compliance program? What are the techniques which can provide a holistic approach to your compliance function? What is the two-way street approach wedded to the benefit of 360-degrees of compliance and communication? Communication is much more powerful when it is a two-way street. Such a view also allows you to bring information from your customer base, once again your employees, back up to your compliance program and incorporate that feedback loop directly into your compliance program going forward.

There are several concepts which should be included in your 360-degree view of communications in compliance. Begin with an objective so you identify the purpose of your communication and the target with whom you are going to communicate. Identify as clearly as you can the purpose and reason to ensure your message is aligned with your objectives. For instance, are you implementing a 360-degree view of communication to educate, inform, change perceptions or build trust and commitment?

Next, who is your audience? To communicate effectively you need to understand your audience. In any corporation, there are multiple audiences who are the key stakeholders in the 360-degree process. How much do they know? Some of the stakeholders include the Board of Directors, senior management, middle management, employee teams, committees, coaches, facilitators, customers, business partners, vendors, sales agents and representatives, strategic alliances and business ventures. What are your distribution channels and how do you track your messaging? You should create a comprehensive spreadsheet to track the messages, the intended audience and the delivery mechanism. Another key ingredient of the 360-degree approach is feedback. This is a key component of the 360-degree experience, so educate each stakeholder on the benefits of feedback from the 360-degree approach.

Finally, you need to evaluate what you have done. You can monitor your communication activities by tracking attendance at the events, website statistics, open rate of emails, downloads of materials, video hits; in other words, the same techniques that your marketing folks would use to determine their messaging’s effectiveness. The objective is to build trust for the 360-degree process by determining if the goal was achieved. You can utilize surveys or focus groups to assess the impact on your target audience. Focusing on the customers of compliance, i.e., your employees, allows you to identify gaps and improve the communication process for your compliance program.

Three Key Takeaways 

  1. Remember the definition of 360-degrees of compliance communications. It is an effort that incorporates the compliance identity into a holistic approach so compliance is in touch with and visible to your employees at all times.
  2. What is your objective? What are you trying to do with your 360-degrees view of compliance communications and how are you using that mechanism to deliver the objective your compliance program desires?
  3. Evaluate. You need to evaluate whether the message has been delivered, has been heard and is being implemented.

This month’s podcast series is sponsored by Dun & Bradstreet.  Dun & Bradstreet’s compliance solutions provide comprehensive due diligence reporting and analysis to reduce your risk of working with fraudulent companies by accessing a company’s beneficial ownership, reputation risk and more.  For more information, go to dnb.com/compliance.

Oct 12, 2017

Your company has just made its largest acquisition ever and your Chief Executive Officer (CEO) says that he wants you to have a compliance post-acquisition integration plan on his desk in one week. Where do you begin? Of course, you think about the 2012 FCPA Guidance but remember that it did not have the time lines established in the recent enforcement actions involving Johnson & Johnson (J&J), Pfizer and Data Systems & Solutions LLC.

While the time frames listed in these Deferred Prosecution Agreements (DPAs) are a guide, what many compliance professionals struggle with is how to perform these post-acquisition compliance integrations. In an article from the Harvard Business Review, entitled “Two Routes to Resilience”, Clark Gilbert, Matthew Eyring and Richard Foster wrote about business transformation in terms which speak directly to the compliance practitioner and can help create a post-acquisition integration game plan.

The authors reviewed the situation where an entity must transform itself, leading to a transformation the authors call “establishing a ‘capabilities exchange’- a new organizational process that allows the two efforts to share resources without interfering with each other’s operations.” That is what a compliance practitioner must accomplish through a post-acquisition integration in the compliance context.

Anyone who has gone through a large merger or acquisition knows how terrifying it can be for the individual employee. Many people, particularly at the acquired company, will be fearful of losing their jobs. This fear, misplaced or well-founded, can lead to many difficulties in the integration process. The creation of a Compliance Capabilities Exchange process allows “the two organizations to live together and share strengths” and will coordinate “the two transformational efforts so that each gets what it needs and is protected from [unwanted] interference by the other.” There are five steps in this process.

  1. Establish Compliance Leadership. This may be the “simplest step but also the one most open to abuse.” The process should be run by just a few top people, which I believe are the Chief Executive Officer, Chief Financial Officer and Chief Compliance Officer of the acquiring company and a similar counterpart from the acquired company.
  2. Identify the compliance resources the two organizations can or need to share. Hopefully the acquiring organization will have some idea of the state of the compliance program before the deal is closed. It may be that there is some or all of a minimum best practices compliance program in place. If so, attention needs to turn to what can continue and how it will need to be integrated.
  3. Create Compliance Capability Exchange Teams. In many “synergy efforts, everyone is expected to think about ways resources might be shared.” In Compliance Capability Exchanges, the responsibility should be “carefully confined to a series of teams.” Senior leadership should create compliance teams by assigning a small number of people from both entities with the responsibility of allocating resources used in the integration project.
  4. Protect Boundaries. This one is tricky as employees from the former target may not want to move forward with the integration, for fear of losing their jobs or some other reason. There may be internal disputes as to which group may handle an issue going forward. This area is tricky because it is important not to alienate new employees who might have good ideas on the integration or how to move forward. Once again, the Leadership Team must step in and referee disputes decisively if required.
  5. Scale up and promote the new compliance program. It is important to celebrate and promote the new entity to both the acquiring company, others in the company and even external stakeholders. It is important that markets and others in the same or similar industry see this evolution and growth. Take the time to publicize the integrated compliance function with the internal customer, i.e., company employees. This would include all other compliance stakeholders, including third party representatives, both on the sales and supply chain side of the house and even customers. Finally, be sure to inform your management, Board of Directors and regulators, such as the Department of Justice (DOJ), as appropriate.

Whatever compendium of steps you utilize for post-acquisition integration, they should be taken as soon as practicable.  The earlier you can deploy these steps the better off your company will be at the end of the day. In an Ernst & Young white paper, entitled “Increased Oversight of M&A: An Expanding Role for Audit Committees”, it stated “Failed M&A can destroy a company's market value, destabilize its financial position and credit ratings, impair its strategic position, weaken the organization and damage the company's reputation”. This is particularly true for failed M&A compliance. One need only consider the Latin Node FCPA enforcement actions where the acquiring company had to write off its entire investment.

Three Key Takeaways

  1. Planning is critical in the post-acquisition phase.
  2. Build upon what you learned in pre-acquisition due diligence.
  3. You literally need to be ready to hit the ground running when a transaction closes. 

This month’s podcast series is sponsored by Michael Volkov and The Volkov Law Group.  The Volkov Law Group is a premier law firm specializing in corporate ethics and compliance, internal investigations and white collar defense.  For more information and to discuss practical solutions to compliance and enforcement issues, email Michael Volkov at mvolkov@volkovlaw.com or check out www.volkovlaw.com.

Oct 10, 2017

Today I want to look at what you should do with the information that you obtain in your pre-acquisition compliance due diligence. Jay Martin, Chief Compliance Officer (CCO) at BakerHughes, a GE company, suggests an approach that reviews key risk factors to move forward. Martin has laid out 15 key risk factors of targets under a FCPA analysis, which he believes should prompt a purchaser to conduct extra careful, heightened due diligence or even reconsider moving forward with an acquisition under extreme circumstances.

  1. A presence in a high risk country, for example, a country with a Transparency International CPI rating of 5 or less;
  2. Participation in an industry that has been the subject of recent anti-bribery or FCPA investigations, for example, in the oil and energy, telecommunications, or pharmaceuticals sectors;
  3. Significant use of third-party agents, for example, sales representatives, consultants, distributors, subcontractors, or logistics personnel (customs, visas, freight forwarders, etc.);
  4. Significant contracts with a foreign government, state-owned or state-controlled entities;
  5. Substantial revenue from a foreign government, state-owned or state-controlled entity;
  6. Substantial projected revenue growth in the foreign country;
  7. High amount or frequency of claimed discounts, rebates, or refunds in the foreign country;
  8. A substantial system of regulatory approval, for example, for licenses and permits, in the country;
  9. A history of prior government corruption investigations or prosecutions;
  10. Poor or no anti-bribery or FCPA training;
  11. A weak corporate compliance program and culture, from legal, sales and finance perspectives at the parent level or in foreign country operations;
  12. Significant issues in past compliance audits, for example, excessive undocumented entertainment of government officials;
  13. The degree of competition in the foreign country;
  14. Weak internal controls at the parent or in foreign country operations; and
  15. In-country managers who appear indifferent or uncommitted to U.S. laws, the FCPA, and/or anti-bribery laws. 

In evaluating answers to the above inquiries or those you might develop on your own, you may also wish to consider some type of risk rating for the responses, to better determine the amount of risk that your company is willing to accept. To do so, you will need to both assess risk and subsequently evaluate that risk. Risks should initially be identified and then plotted on a heat map to determine their priority. The most significant risks with the greatest likelihood of occurring are deemed the priority risks, which become the focus of the post-acquisition remediation plan going forward. A risk-rating guide similar to the following can be used.

LIKELIHOOD

| Likelihood Rating | Assessment | Evaluation Criteria |
|---|---|---|
| 1 | Almost Certain | Highly likely, this event is expected to occur |
| 2 | Likely | Strong possibility that an event will occur and there is sufficient historical incidence to support it |
| 3 | Possible | Event may occur at some point, typically there is a history to support it |
| 4 | Unlikely | Not expected but there’s a slight possibility that it may occur |
| 5 | Rare | Highly unlikely, but may occur in unique circumstances |

‘Likelihood’ factors to consider: the existence of compliance internal controls, written policies and procedures designed to mitigate risk, and leadership capable of recognizing and preventing a compliance breakdown; compliance failures or near misses; and/or training and awareness programs. The product of the ‘likelihood’ and significance ratings reflects the significance of a particular risk universe. It is not a measure of compliance effectiveness, nor is it meant to compare efforts, controls or programs against peer groups.

The key to such an approach is the action steps prescribed by their analysis. This is another way of saying that the pre-acquisition risk assessment informs the post-acquisition remedial actions to the target’s compliance program. This is the method set forth in the 2012 FCPA Guidance. I believe that the DOJ wants to see a reasoned approach with regards to the actions a company takes in the mergers and acquisitions arena. The model is a reasoned approach and can provide the articulation needed to explain which steps were taken.

It is also important that after the due diligence is completed, and if the transaction moves forward, the acquiring company should attempt to protect itself through the most robust contract provisions that it can obtain. These would include indemnification against possible FCPA violations, including both payment of all investigative costs and any assessed penalties. An acquiring company should also include representations and warranties in the final sales agreement for the entire target company that its participation in transactions is permitted under the local law where the transaction took place; that there is an absence of government owners in the company; and that the target company has made no corrupt payments to foreign officials. Lastly, there must be a representation that all the books and records presented to the acquiring company for review were complete and accurate.

To emphasize all of the above, the DOJ stated in the Pfizer Deferred Prosecution Agreement (DPA), in the mergers and acquisition context, that a company is to ensure that, when practicable and appropriate on the basis of a FCPA risk assessment, new business entities are only acquired after thorough risk-based FCPA and anti-corruption due diligence is conducted by a suitable combination of legal, accounting, and compliance personnel. When such anti-corruption due diligence is appropriate but not practicable prior to acquisition for reasons beyond a company’s control, or due to any applicable law, rule, or regulation, an acquiring company should continue to conduct anti-corruption due diligence subsequent to the acquisition and report to the DOJ any corrupt payments or falsified books and records.

Three Key Takeaways

  1. Create a list of key risk factors in your protocol.
  2. Create a forced risk ranking, but remember it is simply that, a forced risk ranking.
  3. Your pre-acquisition team should include a suitable combination of legal, accounting, and compliance personnel.

 

This month’s podcast series is sponsored by Michael Volkov and The Volkov Law Group.  The Volkov Law Group is a premier law firm specializing in corporate ethics and compliance, internal investigations and white collar defense.  For more information and to discuss practical solutions to compliance and enforcement issues, email Michael Volkov at mvolkov@volkovlaw.com or check out www.volkovlaw.com.

Sep 29, 2017

As I end this section on innovation, I want to conclude by laying out a road map which allows a CCO or compliance practitioner to make a corporate compliance program more effective and better operationalized. With the emphasis in the DOJ’s Evaluation of Corporate Compliance Programs on operationalizing your compliance regime, innovation is an important tool for you to use in this journey, yet one that I believe is too often overlooked. One of the best recent roadmaps I have seen was suggested by LRN Corporation’s 2016 Ethics and Compliance Program Effectiveness Report.

The Report detailed four key findings which are symptomatic of an operationalized compliance program. Susan Divers, Senior Advisor at LRN Corporation, noted that the overarching theme is that ethics and compliance “programs centered on values are more effective than ones that aren’t. A values-based approach toward shaping culture emphasizes and sets expectations, not just about what can and cannot be done according to rules, but rather what should and should not be done in alignment with core beliefs. In rules-based environments, that is, everyone’s job is to do the next thing right—to act correctly. In values based environments, in contrast, everyone’s job is to do the next right thing—to act morally.”

It is this drive to burn compliance into the DNA of an organization that fully operationalizes compliance. Think of any recent scandal, Volkswagen (VW), Wells Fargo, Valeant, Uber or you name the scandal, and consider how much better off the company would have been if an employee had simply done the right thing instead of the illegal action. The four findings were:

The most effective E&C programs are embedded in business operations. Divers pointed out it is critical that a company think “about ethics and compliance and values as part of your brand.” By doing so, each level in a company will understand its role going forward, from the Board of Directors, senior management, middle management and the employee base. Moreover, the company will train, develop and promote an ethics and compliance program through each of these levels.

Susan Divers provided an insightful example, “I think if I were to use one word to characterize all of them together, it would be holistic. The first one of embedding your ethics and compliance programs in your business operations, one big piece of that is your brand. For example, Volkswagen used to have a fantastic brand. You thought of Volkswagen and you thought of basically a green car, and one that was well engineered. Now it’s a massive fraud. One headline I saw called it Hoaxwagen.”

The most successful ethics and compliance programs use a variety of channels to convert guidance into practice. An effective compliance program will communicate the corporate ethics and compliance values through multiple channels throughout the company, on an ongoing basis. This speaks not only to upward and downward communications within an organization but also to communications inbound to and outbound from the company. But more than simply saying there should be communication, the Report also assesses how communications occur by inquiring into the clearness and conciseness of messages and whether an organization uses more effective communication techniques, such as shorter, more frequent training models or facilitated workshops, as opposed to rote one-hour lectures from lawyers.

Communications can be made in other, more subtle manners. Consider what actual behaviors the conduct demonstrates. Divers said that at LRN, “We’re not so fond here of tone at the top. We’re more fond of actions at the top, because tone can be one thing and actions are another. Looking at whether managers’ ethical behavior counts in terms of promotion and bonuses, that’s really where the rubber meets the road in a lot of places, and that makes a huge difference. Another aspect of that is making middle managers accountable for ethics and compliance in their business, and the good programs coach people in that aspect. That’s really some of the key aspects we looked at for how you embed in business ops.”

High-performing programs proactively convert regulatory guidance into practice. I found this to be one not often enough discussed as many compliance practitioners struggle to convert DOJ pronouncements, comments or lessons learned from FCPA enforcement actions into practical guidance. The most effective compliance programs internalize such guidance from prosecutors and regulators and continuously improve. Here one might consider an example torn from the headlines: when the Wal-Mart corruption scandal in Mexico broke, I called one CCO the next day who told me he had already put a PowerPoint presentation in front of his senior management about the perils of finding your corporate name splashed across the front page of the New York Times accusing your organization of bribery and corruption.

Divers considered this finding from another perspective. She stated, “You have to look for the actual challenge the people view in the company, whether that’s sales force, or other disciplines. There in lots of different ways and in positive ways, not just negative ways. One of the things we did, which we didn’t just tell people that serious actions meant this, we looked at actual business cases where people had done the right thing and made the right choices to comply with regulations, and that’s very powerful for modeling. Another aspect of that is how you embed your Code of Conduct. Do you just put it out on the website and say, “Great, here it is. Read it,” or you have discussion? Obviously, those are more effective.”

High-performing programs spread their impact broadly, recognizing that it is the whole organization that needs to be engaged in ethics. This finding considers whether an organization has moved away from a “silo-based approach to ethics and compliance.” It did so by reviewing how the different corporate functions work as catalysts for imbuing your organization’s values in their specific corporate discipline. Here Divers related that “high performing programs aren’t sitting in a closet somewhere, only visited when there’s an ethics issue. High-performing programs are out there. They work across the corporation with human resources, with internal audit, with legal, and even with sales and marketing, and finance and accounting, to make sure that ethics are a part and parcel of business operations.”

This month I have reviewed a variety of innovations in compliance; from innovations in structure, use of social media tools and concepts, to new and different ways to consider your internal resources as ways to innovate in your compliance regime. The DOJ has consistently said that a compliance program must evolve. It must evolve to meet new or updated risks, new opportunities or different regulations. Innovation is one of the best ways to evolve. Finally and perhaps most importantly as a compliance practitioner, always remember that you are only limited by your imagination.

Three Key Takeaways

  1. Innovation is one of the most overlooked and under-utilized tools in compliance.
  2. Operationalizing your compliance program will require innovation in your compliance program going forward.
  3. As with most CCO initiatives, you are only limited by your imagination.

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Sep 15, 2017

Jay and I return for a wide-ranging discussion on some of the week’s top compliance and ethics related stories, including: 

  1. Equifax continues to be in the news. Ben DiPietro reports from the compliance perspective in two articles from the WSJ Risk & Compliance Journal, see here and here.
  2. Julie DiMauro interviews Philip Urofsky on the US commitment to enforcing the FCPA. See her article in the FCPA Blog.
  3. A new scorecard is out on the amounts of money paid as bribes by the Brazilian construction company, Odebrecht. See article by Dick Cassin in the FCPA Blog.
  4. On the intersection of Uber and Hell. See article by Tom Fox in Compliance Week (sub req’d).
  5. Sushi and money-laundering. The increasing intersection of AML and anti-corruption compliance. Sam Rubenfeld reports in the WSJ Risk & Compliance Journal.
  6. Matt Kelly joins us for an emergency rant and to announce the birth of the latest addition to the Kelly Clan.
  7. Want to be a Kleptocrat? The Mintz Group has developed an app “Kleptocrat” available in the Apple app store. Sam Rubenfeld reports in the WSJ Risk & Compliance Journal.
  8. Cleveland Indians set the AL mark for consecutive wins, now go for the MLB record.
  9. Is Thursday night football dead? It might be after the Texans deliver one of the ugliest wins ever on the Thursday night national stage.
  10. This month’s podcast series on One Month to a More Effective Compliance Program is in full production. In September, I am reviewing innovations for your compliance program. This week’s topics include embracing agile in your compliance program, design thinking in compliance, how Kaizen can improve your compliance program, disruption in compliance and superforecasting to better risk management. Oversight Systems is this month’s sponsor. It is available on the FCPA Compliance Report, iTunes, Libsyn, YouTube and JDSupra.
  11. The Jay Rosen weekend report preview: storytelling in compliance.

Sep 8, 2017

One of the most constant things that I have observed in my 10+ years of practice in the compliance space is its constant evolution. Compliance techniques and practices, which were considered cutting edge when I began, have moved to standard fare and are now largely minimum practices. The Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have mirrored this evolution in not only how they view compliance programs but also in their own enforcement regimes and protocols. Today I want to consider agile innovation methods for your compliance program.

According to a Harvard Business Review (HBR) article, “Embracing Agile”, by Darrell K. Rigby, Jeff Sutherland and Hirotaka Takeuchi, agile methodologies “involve new values, principles, practices and benefits and are a radical alternative to command-and-control-style management.” It is accomplished by taking employees “out of their functional silos and putting them in customer-focused multidisciplinary teams”. As the customers of the compliance function are the company’s employees, I think the transition can be made.

One of the most basic problems is that business executives basically understand only enough about agile to be dangerous but they do not understand the comprehensive approach that needs to be taken. This means that senior management will continue the same management practices that in fact work to undermine the agile process. The authors suggest the solution is that executives learn the basics of the agile process and understand the conditions in which it does or does not work. They should begin with a small team and project and let the operation spread organically.

Some of the right conditions for the success of an agile initiative in the compliance arena are as follows. You should have the right market environment for the project. This means you need to have your internal customers involved and allow feedback to change any proposed solution. You must be willing to innovate, particularly if there are complex compliance problems involved. You will need to break down the solutions into digestible chunks, which may actually change the scope but through cross-functional employee collaboration, you can have appropriate creative breakthroughs.

Digestible chunks will allow you to have incremental developments, which can be tested and then rolled out for use by your employee base. As your internal customers use the innovations, the work cycles can be broken down further so both testing and innovation can continue unabated. This allows a continual feedback loop so that late changes in the innovation can be managed and incorporated going forward. Finally, if there are interim mistakes, they can be a valuable source of lessons learned going forward.

An example might be around compliance training, a topic oft-times commented upon as rote and something employees simply have to get through. Some commentators have characterized such training as a basic ‘tick the box’ exercise simply to get government credit. While such commentary fails to understand the benefits of communication through training, it does point up the issue of the stiltedness of compliance training.

An approach to this might be to put together an agile team to look at training so that compliance could create topical training, in a few days to respond to market or other conditions, separated out by the challenges met in various product lines or geographic areas. This innovation can include budgets as well, making your compliance function more cost effective through innovation. 

Another concept is to start small and let the word spread. This is antithetical to many large companies that “launch change programs as massive efforts” largely because the project sponsors feel that if they do not do so, the rest of the company will divine that the effort is not really supported by senior management and respond accordingly. However, the authors suggest “agile might spread to another function, with the original practitioners acting as coaches. Each success seems to create a group of passionate evangelists who can hardly wait to tell others in the organization how well agile works.” 

The C-Suite has a role as well by practicing agile at the top of the organization so not only could senior management provide new techniques through an agile exercise, they could learn how to support more fully the compliance function which might engage in an agile review. “Senior executives who come together as an agile team and learn to apply the discipline to these activities achieve far-reaching benefits. Their own productivity and morale improve. They speak the language of the teams they are empowering. They experience common challenges and learn how to overcome them. They recognize and stop behaviors that impede agile teams. They learn to simplify and focus work. Results improve, increasing confidence and engagement throughout the organization.”

There are three succinct benefits. First, by having senior management involved in an agile exercise, it would allow them to “catch up with the troops” and to reprioritize their efforts going forward to be better aligned with the real-time nature of agile. Second, it allows a speedier corporate transition as it can allow the employees to know if management is in tune with what the employees care about going forward. Finally, it can present clear alignment of departments and functions on a common vision. I can think of no greater strength for the compliance function to rely upon. This can be used to expose senior managers to break out of their “silos in today’s overspecialized organizations-for general management roles.”

The authors conclude by noting the need to destroy barriers to agile. They list five pointers. First “get everyone on the same page” which they believe is the key responsibility of management. Second is not to change structures but to change roles so that internal company disciplines “can learn to work together simultaneously, rather than separately and sequentially.” Next is to name only one boss for each decision as in the agile operating model it must be “crystal clear” who can make the final decision. Penultimately, your agile exercise should focus on teams not individuals because it is the team’s collective intelligence that brings the power to an agile exercise. Finally, lead with questions not orders. Here the authors cite to General George S. Patton, who “famously advised leaders never to tell people how to do things: “Tell them what to do, and they will surprise you with their ingenuity.”” 

The agile exercise will probably not work in a compliance function under the thumb of the corporate legal department, as innovation is typically not in the remit of legal. However, for a compliance function that desires to bring new and unexpected ways of doing compliance to your organization, going through an agile exercise might be just the thing to move compliance into the very DNA of your organization.

Three Key Takeaways

  1. Agile compliance involves new practices and benefits and is a radical alternative to command-and-control-style management.
  2. Agile compliance allows you to take small, digestible steps.
  3. Agile compliance works at the top. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Aug 16, 2017

In this very topical episode Matt Kelly and I take a deep dive into the administration’s response to the events over the weekend in Charlottesville and what it means for business leaders, compliance practitioners and others going forward. With the resignation of Ken Frazier, CEO of Merck, and others from the administration’s voluntary business council, due to the administration’s embrace of the alt-right and white supremacy, many CEOs are asking the question “Where’s the upside” to publicly embracing the administration. From the compliance perspective, we explore the question in the context of a corporation’s ethical values, its business mission and statement for its employees and customers. Finally, we consider the documented ‘Trump Risk’ and how it is negatively impacting US businesses across the globe.

For more, see Matt’s blog post, Trump Tests Corporate America’s Commitment to Values, on RadicalCompliance.com.

Aug 15, 2017

If you have not seen it, I would suggest you go to see what I believe is the summer’s top movie, Dunkirk. It is great cinema, good history and presents the view of the soldier on the ground from the English perspective. It unfolds on land, sea and air; in decreasing time frames of one week, one day and one hour. I was lucky enough to see it in glorious 70MM wide screen so the resolution was outstanding. There are several leadership lessons which I believe can be learned from the British (and German) experiences at Dunkirk.
