Info

FCPA Compliance Report

Tom Fox has practiced law in Houston for 30 years and now brings you the FCPA Compliance and Ethics Report. Learn the latest in anti-corruption and anti-bribery compliance and international transaction issues, as well as business solutions to compliance problems.
RSS Feed Subscribe in Apple Podcasts
FCPA Compliance Report
2019
May


2018
November
October
September
August
July
June
May
April
March
February
January


2017
December
November
October
September
August
July
June
May
April
March
February
January


2016
December
November
October
September
August
March
February


2015
December


Categories

All Episodes
Archives
Categories
Now displaying: October, 2017
Oct 12, 2017

In this episode I visit with data and IT security expert Brad Davis, CEO of EverSolve, a company specializing in data security. We discuss the role of the Board of Director's in data and IT security in both oversight and going into the weeds. We consider how the corporate head of IT and security can educate their Board on their role in this burgeoning field. Finally, we consider how a Board should respond when the inevitable IT or security breach occurs.

Check out EverSolve by clicking here

Brad Davis can be reached at bdavis@goeversolve.com

Oct 12, 2017

Your company has just made its largest acquisition ever and your Chief Executive Officer (CEO) says that he wants you to have a compliance post-acquisition integration plan on his desk in one week. Where do you begin? Of course, you think about the 2012 FCPA Guidance but remember that it did not have the time lines established in the recent enforcement actions involving Johnson & Johnson (J&J), Pfizer and Data Systems & Solutions LLC.

While there are time frames listed in these Deferred Prosecution Agreements (DPAs) are a guide of timeframes; many compliance professionals struggle with is how to perform these post-acquisition compliance integrations. An article from the Harvard Business Review, entitled “Two Routes to Resilience”, Clark Gilbert, Matthew Eyring and Richard Foster wrote about business transformation which speak directly to the compliance practitioner to help create post-acquisition integration game plan.

The authors, reviewed the situation where an entity must transform itself, leading to a transformation the authors call “establishing a ‘capabilities exchange’- a new organizational process that allows the two efforts to share resources without interfering with each other’s operations.” That is what a compliance practitioner must accomplish through a post-acquisition integration in the compliance context.

Anyone who has gone through a large merger or acquisition knows how terrifying it can be for the individual employee. Many people, particularly at the acquired company will be fearful of losing their jobs. This fear, mis-placed or well-founded, can lead to many difficulties in the integration process. The creation of a Compliance Capabilities Exchange process which allows “the two organizations to live together and share strengths” and will coordinate “the two transformational efforts so that each gets what it needs and is protected from [unwanted] interference by the other.” There are five steps in this process.

  1. Establish Compliance Leadership. While this may be the “simplest step but also the one most open to abuse.” The process should be run by just a few top people, which I believe are the Chief Executive Officer, Chief Financial Officer and Chief Compliance Officer of the acquiring company and a similar counter-part from the acquired company.
  2. Identify the compliance resources the two organizations can or need to share. Hopefully the acquiring organization will have some idea of the state of the compliance program before the deal is closed. It may be that there is some or all of a minimum best practices compliance program in place. If so, attention needs to turn to what can continue and how will need to be integrated.
  3. Create Compliance Capability Exchange Teams. In many “synergy efforts, everyone is expected to think about ways resources might be shared.” In Compliance Capability Exchanges, the responsibility should be “carefully confined to a series of teams.” Senior leadership should create compliance teams by assigning a small number of people from both entities with the responsibility of allocating resources used in the integration project.
  4. Protect Boundaries. This one is tricky as employees from the former target may not want to move forward with the integration; for fear of losing their jobs or some other reason. There may be internal disputes as to which group may handle an issue going forward. This area is tricky because it is important not to alienate new employees who might have good ideas on the integration or how to move forward. Once again, the Leadership Team must step in and referee disputes decisively if required.
  5. Scale up and promote the new compliance program. It is important to celebrate and promote the new entity to both the acquiring company, others in the company and even external stakeholders. It is important that markets and others in the same or similar industry see this evolution and growth. Take the time to publicize the integrated compliance function with the internal customer; IE., company employees. This would include all other compliance stakeholders, including third party representatives, both on the sales and supply chain side of the house and even customers. Finally, be sure to inform your management, Board of Directors and regulators, such as the Department of Justice (DOJ), as appropriate.

Whatever compendium of steps you utilize for post-acquisition integration, they should be taken as soon as practicable.  The earlier you can deploy these steps the better off your company will be at the end of the day. In an Ernst & Young white paper, entitled “Increased Oversight of M&A: An Expanding Role for Audit Committees”, it stated “Failed M&A can destroy a company's market value, destabilize its financial position and credit ratings, impair its strategic position, weaken the organization and damage the company's reputation”. This is particularly true for failed M&A compliance. One need only consider the Latin Node FCPA enforcement actions where the acquiring company had to write off its entire investment.

Three Key Takeaways

  1. Planning is critical in the post-acquisition phase.
  2. Build upon what you learned in pre-acquisition due diligence.
  3. You literally need to be ready to hit the ground running when a transaction closes. 

This month’s podcast series is sponsored by Michael Volkov and The Volkov Law Group.  The Volkov Law Group is a premier law firm specializing in corporate ethics and compliance, internal investigations and white collar defense.  For more information and to discuss practical solutions to compliance and enforcement issues, email Michael Volkov at mvolkov@volkovlaw.com or check out www.volkovlaw.com.

Oct 11, 2017

In this episode Matt Kelly and I discuss the Treasury Department’s recently released A Financial System That Creates Economic Opportunities-Capital Markets report. The report has multiple proposals, including multiple ideas about rolling back Sarbanes-Oxley compliance, especially for smaller public companies. In this podcast, we discuss the three most significant ones for the compliance practitioner.

  1. Exempt more companies from audits of internal financial control. Companies with market cap below $75 million are currently exempt from the SOX 404(b) requirement that an annual outside audit of internal control over financial reporting. The Trump Administration proposes raising that exemption ceiling to $250 million in market cap.
  2. Doubling the lifespan of Emerging Growth Companies. Congress created a new class of public filers in 2012, “emerging growth companies,” that are exempt from numerous corporate governance and compliance rules for the first five years of their lives; to 10 years.
  3. Ending “social disclosure rules” required under the Dodd-Frank Act. The Dodd-Frank Act imposed several required disclosures such as the Conflict Minerals Rule, the CEO Pay Ratio Rule, and the Mine Safety Rule.

For more on this subject, see Matt’s blog post Treasury Report Eyes SOX Compliance

Oct 11, 2017

Previously many compliance practitioners had based decisions in the M&A context on DOJ Opinion Release 08-02 (08-02), which related to Halliburton’s proposed acquisition of the UK entity, Expro. In 2011, the Johnson & Johnson (J&J) DPA changed the perception of compliance practitioners regarding what is required of a company in the M&A setting related to FCPA due diligence, both pre-and post-acquisition. The 2012 Data Systems & Solutions LLC (DS&S) DPA which brought additional information to the compliance practitioner on what a company can do to protect itself in the context of M&A activity. 

The 2012 FCPA Guidance spoke about the post-acquisition phase of due diligence, noting that is a part of the compliance process for mergers and acquisitions. Both the “DOJ and SEC evaluate whether the acquiring company promptly incorporated the acquired company into all of its internal controls, including its compliance program. Companies should consider training new employees, reevaluating third parties under company standards, and, where appropriate, conducting audits on new business units.” While the 2012 FCPA Guidance discussed mergers and acquisitions in the context of a best practices compliance program it did not specify a time frame for post-acquisition integration. 

Opinion Release 08-02 began as a request from Halliburton to the DOJ from issues that arose in the pre-acquisition due diligence of the target company Expro. Halliburton had submitted a request to the DOJ specifically posing these three questions: (1) whether the proposed acquisition transaction itself would violate the FCPA; (2) whether, through the proposed acquisition of Target, Halliburton would “inherit” any FCPA liabilities of Target for pre-acquisition unlawful conduct; and (3) whether Halliburton would be held criminally liable for any post-acquisition unlawful conduct by Target prior to Halliburton's completion of its FCPA and anti-corruption due diligence, where such conduct is identified and disclosed to the Department within 180 days of closing.

Halliburton Opinion Release

Halliburton committed to the following conditions in 08-02, if it was the successful bidder in the acquisition:

Within ten business days of the closing. Halliburton would present to the DOJ a comprehensive, risk-based FCPA and anti-corruption due diligence work plan which would address, among other things, the use of agents and other third parties; commercial dealings with state-owned customers; any joint venture, teaming or consortium arrangements; customs and immigration matters; tax matters; and any government licenses and permits. The Halliburton work plan committed to organizing the due diligence effort into high risk, medium risk, and lowest risk 

Within 90 days of Closing. Halliburton would report to the DOJ the results of its high risk due diligence.

Within 120 days of Closing. Halliburton would report to the DOJ the results to date of its medium risk due diligence.

Within 180 days of Closing. Halliburton would report to the DOJ the results to date of its lowest risk due diligence.

Within One Year of Closing. Halliburton committed full remediation of any issues which it discovered within one year of the closing of the transaction. 

Many lawyers were heard to exclaim, “What an order, we cannot go through with it.” However, we advised our clients not to be discouraged because 08-02 laid out a clear road map for dealing with some of the difficulties inherent in conducting sufficient pre-acquisition due diligence in the FCPA context. Indeed, the DOJ concluded 08-02 by noting, “Assuming that Halliburton, in the judgment of the Department, satisfactorily implements the post-closing plan and remediation detailed above… the Department does not presently intend to take any enforcement action against Halliburton.” 

Johnson & Johnson (J&J) Deferred Prosecution Agreement

In Attachment D of the J&J DPA, entitled “Enhanced Compliance Obligations”, there is a list of compliance obligations in which J&J agreed to undertake certain enhanced compliance obligations for at least the duration of its DPA beyond the minimum best practices also set out in the J&J DPA. Regarding the M&A context, J&J agreed to the following: 

J&J will ensure that new business entities are only acquired after thorough FCPA and anti-corruption due diligence by legal, accounting, and compliance personnel. Where such anti-corruption due diligence is not practicable prior to acquisition of a new business for reasons beyond J&J’s control, or due to any applicable law, rule, or regulation, J&J will conduct FCPA and anti-corruption due diligence subsequent to the acquisition and report to the Department any corrupt payments, falsified books and records, or inadequate internal controls as required by … the Deferred Prosecution Agreement.

J&J will ensure that J&J’s policies and procedures regarding the anti-corruption laws and regulations apply as quickly as is practicable, but in any event no less than one year post-closing, to newly-acquired businesses, and will promptly, for those operating companies that are determined not to pose corruption risk, J&J will conduct periodic FCPA Audits, or will incorporate FCPA components into financial audits.

Train directors, officers, employees, agents, consultants, representatives, distributors, joint venture partners, and relevant employees thereof, who present corruption risk to J&J, on the anticorruption laws and regulations and J&J’s related policies and procedures; and

Conduct an FCPA-specific audit of all newly acquired businesses within 18 months of acquisition. 

These enhanced obligations agreed to by J&J in the M&A context were less time sensitive than those agreed to by Halliburton in 08-02. In the J&J DPA, the company agreed to the following time frames:

18 Month - conduct a full FCPA audit of the acquired company. 

12 Month - introduce full anti-corruption compliance policies and procedures into the acquired company and train those persons and business representatives which “present corruption risk to J&J.” 

Data Systems & Solutions LLC (DS&S) Deferred Prosecution Agreement 

In the DS&S DPA there were two new items listed in the Corporate Compliance Program, attached as Schedule C to the DPA, rather than the standard 13 items we have seen in every DPA since at least November 2010. The new additions were found on items 13 & 14 on page C-6 of Schedule C and deal with mergers and acquisitions. They read in full: 

DS&S will develop and implement policies and procedures for mergers and acquisitions requiring that DS&S conduct appropriate risk-based due diligence on potential new business entities, including appropriate FCPA and anti-corruption due diligence by legal, accounting, and compliance personnel. If DS&S discovers any corrupt payments or inadequate internal controls as part of its due diligence of newly acquired entities or entities merged with DS&S, it shall report such conduct to the Department as required in Appendix B of this Agreement.

DS&S will ensure that DS&S's policies and procedures regarding the anticorruption laws apply as quickly as is practicable to newly acquired businesses or entities merged with DS&S and will promptly:

Train directors, officers, employees, agents, consultants, representatives, distributors, joint venture partners, and relevant employees thereof, who present corruption risk to DS&S, on the anti-corruption laws and DS&S's policies and procedures regarding anticorruption laws.

Conduct an FCPA-specific audit of all newly acquired or merged businesses as quickly as practicable. 

This language draws from and builds upon the prior Opinion Release 08-02 regarding Halliburton’s request for guidance and the J&J “Enhanced Compliance Obligations” incorporated into its DPA. While the DS&S DPA does note that it is specifically tailored as a solution to DS&S’s FCPA compliance issues, I believe that this is the type of guidance that a compliance practitioner can rely upon when advising his or her clients on what the DOJ expects during M&A activities. 

FCPA M&A Box Score Summary

Time Frames

Halliburton 08-02

J&J

DS&S

FCPA Audit

1.     High Risk Agents - 90 days

2.     Medium Risk Agents - 120 Days

3.     Low Risk Agents - 180 days

18 months to conduct full FCPA audit

As soon “as practicable

Implement FCPA Compliance Program

Immediately upon closing

12 months

As soon “as practicable

Training on FCPA Compliance Program

60 days to complete training for high risk employees, 90 days for all others

12 months to complete training

As soon “as practicable

The Guidance, coupled with the 08-02 and the two enforcement actions, speak to the importance that the DOJ puts on M&A in the FCPA context. The time frames for post-acquisition integration are quite tight. This means that you should do as much work as you can in the pre-acquisition stage. The DOJ makes clear that rigor is needed throughout your entire compliance program, including M&A. This rigor should be viewed as something more than just complying with the FCPA; it should be viewed as just making good business sense. 

Three Key Takeaways

  1. The Halliburton Opinion Release put some very tight dates into the post-acquisition due diligence and evaluation process.
  2. J&J and DSS added some specific post-acquisition requirements.
  3. The time deadlines require you to hit the ground running post-closing. 

This month’s podcast series is sponsored by Michael Volkov and The Volkov Law Group.  The Volkov Law Group is a premier law firm specializing in corporate ethics and compliance, internal investigations and white collar defense.  For more information and to discuss practical solutions to compliance and enforcement issues, email Michael Volkov at mvolkov@volkovlaw.com or check out www.volkovlaw.com.

Oct 10, 2017

Welcome to Episode 3 of Compliance Man Goes Global podcast of FCPA Compliance Report - International Edition. As always, I am joined by Timur Khasanov-Batirov, a practitioner who focuses on embedding compliance programs at high-risk markets.

In this Episode, we will focus on organizational challenges, which сcompliance practitioner faces in the process of implementing corporate compliance program. To make the podcast handy and more appealing we attach respective illustration from Timur’s Compliance Man illustrated series which is posted with this podcast.

In each podcast, we take two typical concepts or probably misconceptions (conventional wisdom n Texan parlance) from in-house compliance perspective. We check out if these concepts work in emerging markets and jurisdictions. For each podcast, we divide the roles. One of us advocates the particular concept identifying pros. The second will provide arguments finding cons and trying to convince audience that that we face a pure myth. As a result, we hopefully will be able to come up with some practical solutions for in-house compliance practitioners can use in their company going forward. We tackle the following myths:

Corporate Concept #1. On practice compliance program is something, which is needed solely to compliance folks. Nobody else in corporation really cares

Corporate Concept #2- “In-house compliance team never possess sufficient resources

Oct 10, 2017

Today I want to look at what you should do with the information that you obtain in your pre-acquisition compliance due diligence. Jay Martin, Chief Compliance Officer (CCO) at BakerHughes, a GE company. suggests an approach that reviews key risk factors to move forward. Martin has laid out 15 key risk factors of targets under a FCPA analysis, which he believes should prompt a purchaser to conduct extra careful, heightened due diligence or even reconsider moving forward with an acquisition under extreme circumstances.

  1. A presence in a high risk country, for example, a country with a Transparency International CPI rating of 5 or less;
  2. Participation in an industry that has been the subject of recent anti-bribery or FCPA investigations, for example, in the oil and energy, telecommunications, or pharmaceuticals sectors;
  3. Significant use of third-party agents, for example, sales representatives, consultants, distributors, subcontractors, or logistics personnel (customs, visas, freight forwarders, etc.)
  4. Significant contracts with a foreign government, state-owned or state-controlled entities;
  5. Substantial revenue from a foreign government, state-owned or state-controlled entity;
  6. Substantial projected revenue growth in the foreign country;
  7. High amount or frequency of claimed discounts, rebates, or refunds in the foreign country;
  8. A substantial system of regulatory approval, for example, for licenses and permits, in the country;
  9. A history of prior government corruption investigations or prosecutions;
  10. Poor or no anti-bribery or FCPA training;
  11. A weak corporate compliance program and culture, from legal, sales and finance perspectives at the parent level or in foreign country operations;
  12. Significant issues in past compliance audits, for example, excessive undocumented entertainment of government officials;
  13. The degree of competition in the foreign country;
  14. Weak internal controls at the parent or in foreign country operations; and
  15. In-country managers who appear indifferent or uncommitted to U.S. laws, the FCPA, and/or anti-bribery laws. 

In evaluating answers to the above inquiries or those you might develop on your own, you may also wish to consider some type of risk rating for the responses, to better determine is the amount of risk that your company is willing to accept to do so you will need to both assess risk and subsequently evaluate that risk. Risks should initially be identified and then plotted on a heat map to determine their priority. The most significant risks with the greatest likelihood of occurring are deemed the priority risks, which become the focus of the post-acquisition remediation plan going forward. A risk-rating guide similar to the following can be used.

LIKELIHOOD

Likelihood Rating

Assessment

Evaluation Criteria

1

Almost Certain

High likely, this event is expected to occur

2

Likely

Strong possibility that an event will occur and there is sufficient historical incidence to support it

3

Possible

Event may occur at some point, typically there is a history to support it

4

Unlikely

Not expected but there’s a slight possibility that it may occur

5

Rare

Highly unlikely, but may occur in unique circumstances

‘Likelihood’ factors to consider: The existence of compliance internal controls, written policies and procedures designed to mitigate risk, leadership capable to recognize and prevent a compliance breakdown; Compliance failures or near misses; and/or Training and awareness programs. Product of ‘likelihood’ and significance ratings reflects the significance of a particular risk universe. It is not a measure of compliance effectiveness or to compare efforts, controls or programs against peer groups.

The key to such an approach is the action steps prescribed by their analysis. This is another way of saying that the pre-acquisition risk assessment informs the post-acquisition remedial actions to the target’s compliance program. This is the method set forth in the 2012 FCPA Guidance. I believe that the DOJ wants to see a reasoned approach with regards to the actions a company takes in the mergers and acquisitions arena. The model is a reasoned approach and can provide the articulation needed to explain which steps were taken.

It is also important that after the due diligence is completed, and if the transaction moves forward, the acquiring company should attempt to protect itself through the most robust contract provisions that it can obtain, these would include indemnification against possible FCPA violations, including both payment of all investigative costs and any assessed penalties. An acquiring company should also include repsentations and warranties in the final sales agreement for the entire target company that its participation in transactions is permitted under the local law where the transaction took place; that there is an absence of government owners in company; and that the target company has made no corrupt payments to foreign officials. Lastly, there must be a representation that all the books and records presented to the acquiring company for review were complete and accurate.

To emphasize all of the above, the DOJ stated in the Pfizer Deferred Prosecution Agreement (DPA), in the mergers and acquisition context, that a company is to ensure that, when practicable and appropriate on the basis of a FCPA risk assessment, new business entities are only acquired after thorough risk-based FCPA and anti-corruption due diligence is conducted by a suitable combination of legal, accounting, and compliance personnel. When such anti-corruption due diligence is appropriate but not practicable prior to acquisition for reasons beyond a company’s control, or due to any applicable law, rule, or regulation, an acquiring company should continue to conduct anti-corruption due diligence subsequent to the acquisition and report to the DOJ any corrupt payments or falsified books and records.

Three Key Takeaways

  1. Create a list of key risk factors in your protocol.
  2. Create a forced risk ranking, but remember it is simply that, a forced risk ranking.
  3. Your pre-acquisition team should include a suitable combination of legal, accounting, and compliance personnel.

 

This month’s podcast series is sponsored by Michael Volkov and The Volkov Law Group.  The Volkov Law Group is a premier law firm specializing in corporate ethics and compliance, internal investigations and white collar defense.  For more information and to discuss practical solutions to compliance and enforcement issues, email Michael Volkov at mvolkov@volkovlaw.com or check out www.volkovlaw.com.

Oct 9, 2017

In this episode, I have back James Koukios, a partner in the law firm of Morrison and Foerster. We review some of the top FCPA and international anti-corruption cases and issues which have occurred over the summer of 2017. The topics are based on the firm’s most excellent monthly newsletter Top Ten International Developments for Anti-Corruption, which is available at no charge on the firm’s website. In this podcast, we discuss topics from the following newsletters: 

From the June newsletter 

  1. The Supreme Court decision in Kokesh-what does it mean for prosecutors, what does it mean for compliance practitioners and does it change the calculus around self-disclosure?
  2. DOJ Continues to Pursue “Declinations with Disgorgement.” What does this mean for companies going forward? Should it encourage or discourage self-disclosure?
  3. DOJ Files Forfeiture Complaint in connection with Alleged Malaysia Bribery Scheme. How does this tool relate to anti-corruption enforcement? Why is it such a powerful tool for prosecutors?

From the July newsletter

  1. The Halliburton FCPA enforcement action. What does it mean for the compliance practitioner?
  2. Three Long-Standing Corporate FCPA Investigations End without Charges. What can be learned from these cases about enforcement going forward?
  3. Dimitri Harder was sentenced to Five Years’ Imprisonment for FCPA Violations. What was the basis of the sentence? Do you see anything in this sentencing unusual?
  4. Was the Second Circuit decision in the FOREX trading case a setback for International Law Enforcement Cooperation? What is compelled testimony? What are the implications for international cooperation going forward? 

From the August newsletter

  1. Following Undercover Investigation, DOJ Charges Retired U.S. Army Colonel with Conspiring to Bribe Haitian Officials. How do undercover operations work in the FCPA and what they might mean going forward?
  2. UK Financial Reporting Council Announces Plans to Require Increased Anti-Corruption and Bribery Disclosures. What does this mean for US companies doing business in the UK?

Check out the firm’s newsletter or better yet subscribe to it.

Oct 9, 2017

The compliance component of your mergers and acquisition regime should begin with a preliminary pre-acquisition assessment of risk. Such an early assessment will inform the transaction research and evaluation phases. This could include an objective view of the risks faced and the level of risk exposure, such as best/worst case scenarios. A pre-acquisition risk assessment could also be used as a “lens through which to view the feasibility of the business strategy” and help to value the potential target.

The next step is to develop the risk assessment as a base document. From this document, you should be able to prepare a focused series of queries and requests to be obtained from the target company. Thereafter, company management can use this pre-acquisition risk assessment to attain what might be required in the way of integration, post-acquisition. It would also help to inform how the corporate and business functions may be affected. It should also assist in planning for timing and anticipation of the overall expenses involved in post-acquisition integration. These costs are not insignificant and they should be thoroughly evaluated in the decision-making calculus.

Next is a five-step process on how to plan and execute a strategy to perform pre-acquisition due diligence in the M&A context.

  1. Establish a point of contact. Here you need to determine one point of contact that you can liaise with throughout the process. Typically, this would be the target’s Chief Compliance Officer (CCO) if the company is large enough to have full time position.
  2. Collect relevant documents. Obtain a detailed list of sales going back 3-5 years, broken out by country and, if possible, obtain a further breakdown by product and/or services; all Joint Venture (JV) contracts, due diligence on JVs and other third party business partners; the travel and entertainment records of the acquisition target company’s top sales personnel in high risk countries; internal audit reports and other relevant documents. You do not need to investigate de minimis sales amounts but focus your compliance due diligence inquiry on high sales volumes in high-risk countries. If the acquisition target company uses a sales model of third parties, obtain a complete list. It should be broken out by country and amount of commission paid. Review all underlying due diligence on these foreign business representatives, their contracts and how they were managed after the contract was executed; your focus should be on large commissions in high risk countries.
  3. Review the compliance and ethics mission and goals. Here you need to review the Code of Conduct or other foundational documents a target has to gain some insight into what they publicly espouse.
  4. Review the seven elements of an effective compliance program as listed below: 
  1. Oversight and operational structure of the compliance program. Here you should assess the role of board, CCO and if there is one, the compliance committee. Regarding the CCO, you need to look at their reporting and access - is it independent within the overall structure of the company? Also, what are the resources dedicated to the compliance program including a review of personnel, the budget and overall resources? Review high-risk geographic areas where your company and the acquisition target company do business. If there is overlap, seek out your own sales and operational people and ask them what compliance issues are prevalent in those geographic areas. If there are compliance issues that your company faces, then the target probably faces them as well.
  2. Policies/Procedures, Code of Conduct. In this analysis you should identify industry practices and legal standards that may exist for the target company. You need to review how the compliance policies and procedures were developed and determine the review cycles, if any. Lastly, you need to know how everything is distributed and what the enforcement mechanisms for compliance policies are. Additionally you need to validate, with Human Resources (HR), if there have been terminations or disciplines relating to compliance.
  3. Education, training and communication. Here you need to review the compliance training process, as it exists in the company, both the formal and the informal. You should ask questions, such as “What are the plans and schedules for compliance training?” Next determine if the training material itself is fit for its intended purpose, including both internal and external training for third parties. You should also evaluate the training delivery channels, for example is the compliance training delivered live, online, or through video? Finally, assess whether the company has updated their training based on changing of laws. You will need to interview the acquisition target company personnel responsible for its compliance program to garner a full understanding of how they view their program. Some of the discussions that you may wish to engage in include visiting with the target company’s General Counsel (GC), its Vice President (VP) of sales and head of internal audit regarding all corruption risks. You should also delve into the target’s compliance efforts, and any other corruption-related issues that may have surfaced.
  4. Monitoring and auditing. Under this section you need to review both the internal audit plan and methodology used regarding any compliance audits. A couple of key points are (1) is it consistent over a period of time and (2) what is the audit frequency? You should also try and judge whether the audit is truly independent or if there was manipulation by the business unit(s). You will need to review the travel and entertainment records of the acquisition target company’s top sales personnel in high-risk countries. You should retain a forensic auditing firm to assist you with this effort. Use the resources of your own company personnel to find out what is reasonable for travel and entertainment in the same high-risk countries which your company does business.
  5. Reporting. What is the company’s system for reporting violations or allegations of violations? Is the reporting system anonymous? From there you need to  turn to who does the investigations to determine how are they conducted? A key here, as well as something to keep in mind throughout the process, is the adequacy of record keeping by the target.
  6. Response to detected violations. This review is to determine management’s response to detected violations. What is the remediation that has occurred and what corrective action has been taken to prevent future, similar violations? Has there been any internal enforcement and discipline of compliance policies if there were violations? Lastly, what are the disclosure procedures to let the relevant regulatory or other authorities know about any violations and the responses thereto? Further, you may be required to self-disclose any FCPA violations that you discover. There may be other reporting issues in the M&A context such as any statutory obligations to disclose violations of any anti-bribery or anti-corruption laws in the jurisdiction(s) in question; what effect will disclosure have on the target’s value or the purchase price that your company is willing to offer?
  7. Enforcement Practices/Disciplinary Actions. Under this analysis, you need to see if there was any discipline delivered up to and including termination. If remedial measures were put in place, how were they distributed throughout the company and were they understood by employees?

5. Periodically evaluate the M&A review procedures’ effectiveness benchmarked against any legal proceedings, anti-corruption enforcement actions, Opinion Releases or other relevant information. 

Mike Volkov has noted there are multiple red flags which could be raised in this process, which would warrant further investigation. They include if the target has ineffective compliance program elements in their compliance program or if there were frequent breach of policies and procedures. Obviously, a target which is in financial difficulty would bear closer scrutiny. Structurally, if the company did not have a formal ethics and compliance committee at the senior management or Board of Directors level, this could present issues. From the CCO perspective, if the position did not have Board access, CEO access or if there were not regular reports to the Board, it could present an issue for compliance. Conversely if there were frequent requests to waive policies, management over-ride of compliance controls or no consistent consequence management for violations; it could present clear red flags for further investigation.

Three Key Takeaways

  1. The results of your pre-acquisition due diligence will inform your post-acquisition integration and remediation going forward.
  2. Periodically review your M&A due diligence protocol.
  3. If red flags appear in pre-acquisition due diligence, they should be cleared. 

This month’s podcast series is sponsored by Michael Volkov and The Volkov Law Group.  The Volkov Law Group is a premier law firm specializing in corporate ethics and compliance, internal investigations and white collar defense.  For more information and to discuss practical solutions to compliance and enforcement issues, email Michael Volkov at mvolkov@volkovlaw.com or check out www.volkovlaw.com.

Oct 6, 2017

Jay and I return for a wide-ranging discussion on some of the top compliance and ethics related stories, including: 

  1. Roy Shell considers whether compliance officers should be liked or respected. See his article on the SCCE Compliance and Ethics Blog.
  2. What is the intersection of sports, corruption and compliance? Jaclyn Jaeger explores in Compliance Week.
  3. The Alere FCPA enforcement action emphasized the convergence of rev rec and corruption. Richard Bistrong considers in the FCPA Blog.
  4. Bill Coffin asks who will be the next compliance hero, see his article in Compliance Week.
  5. Ireland requested a review by the European Court of Justice of the legality of contracts governing data transfers between Europe and the U.S. Ben DiPietro reports in the WSJ Risk and Compliance Report. Jonathan Armstrong reports from the UK perspective on the Cordery Compliance website.
  6. More chaos from the Trump Administration as Secretary of HHS Tom Price resigns. Matt Kelly reports on the ethical considerations in Radical Compliance.
  7. Proving once again that he is not a mere mortal, Jose Altuve hits 3 home runs in the first division playoff game, which the Astros win 8-2. He becomes only the 9th player in MLB history to do so. Stephanie Apstein reports in SI.com.
  8. Join Tom’s monthly podcast series on One Month to a More Effective Compliance Program. In October, I consider compliance with business ventures such as in the M&A context, joint ventures, distributors, channel ops partners, teaming agreements and all other manner of business venture. The second week I continue to take a deep dive in M&A and begin JVs under the FCPA. This month’s sponsor is the Volkov Law Group. It is available on the FCPA Compliance Report, iTunes, Libsyn, YouTube and JDSupra.
  9. Jay and I will be podcasting a live episode of This Week in FCPA from the SCCE 2017 Compliance and Ethics Institute, stay tuned for details on time.
  10. The Everything Compliance gang is back with Episode 19. Check in with the top roundtable podcast in compliance by clicking on Everything Compliance.
  11. Tom premiers an exciting new services offering the Doing Compliance Master Class.
Oct 6, 2017

One of the clearest themes from the 2012 FCPA Guidance was around the importance of your pre-acquisition work in any merger or acquisition on a target company. In the section on Declinations, the 2012 FCPA Guidance provided an example of a company which had received a declination in large part because of its pre-acquisition work, which then served as a basis of its post-acquisition remediation. I find it appropriate to think of the process as a straight line, directly from the pre-acquisition phase through to closing and then to remediation, integration and self-reporting in the post-acquisition phase.

It should all begin with a preliminary pre-acquisition assessment of risk. Such an early assessment will inform the transaction research and evaluation phases. This could include an objective view of the risks faced and the level of risk exposure, such as best/worst case scenarios. A pre-acquisition risk assessment could also be used as a mechanism through which to view the feasibility of the business strategy and help to value the potential target.

The first step is to develop the risk assessment as a base document. From this document, you should be able to prepare a focused series of queries and requests to be obtained from the target company. Thereafter, company management can use this pre-acquisition risk assessment to attain what might be required in the way of integration, post-acquisition. It would also help to inform how the corporate and business functions may be affected. It should also assist in planning for timing and anticipation of the overall expenses involved in post-acquisition integration. These costs are not insignificant and they should be thoroughly evaluated in the decision-making calculus.

One of the difficulties in the pre-acquisition phase is that there is never enough time or resources to do all the assessment and analysis that you might desire. This means that if you do not have the time, resources or support to conduct a worldwide risk assessment, you must take a different approach. You might try assessing other areas through a more limited focused risk assessment. 

Some of the areas that such a pre-acquisition risk assessment could begin with an inquiry into the following areas: 

  • Are the target’s resources adequate to sustain a culture of compliance?
  • How are the compliance risks being addressed in the C-Suite and the Boardroom?
  • What are the compliance risks related to the supply chain?
  • How is risk being examined and due diligence performed at the vendor/agent level? How is such risk being managed?
  • Is the documentation adequate to support the compliance program for regulatory purposes?
  • Is culture, attitude (tone from the top), and knowledge measured?
  • Disciplinary guidelines – Do they exist, have they been publicized at the target and has anyone been terminated or disciplined for a violating policy?
  • Are escalation protocols appropriate? 

There are a variety of materials that you can review from or at a company that can facilitate such a Pre-acquisition Risk Assessment. You can review the target’s policies and written guidelines by reviewing anti-corruption compliance policies, guidelines, and procedures to ensure that compliance programs are tailored to address specific risks such as gifts, hospitality and entertainment, travel, political and charitable donations, and promotional activities. 

You could assess the target’s senior management support for the target’s compliance efforts through interviews of high-level personnel such as the CCO, CFO, General Counsel, Head of Sales, CEO and Board Audit or Compliance Committee members to assess “tone from the top”. You can examine resources dedicated to compliance and also seek to understand the compliance expectations that top management is communicating to its employee base. Finally, you can gauge operational responsibilities for compliance.           

Such a review would lead to the next level of assessment, which is how well does that target communicate about compliance within its organization and to key third-parties such as sales agents. You can do this by assessing compliance policy communication to company personnel but even more so by reviewing such materials as compliance training and certifications of employees and third-parties. You should also take consider statements by senior management of the target regarding compliance, such as actions relating to terminating employees who do business in compliance but do not make their quarterly, semi-annual or annual numbers set in budget projections. 

A key element of any best practices compliance program is internal and anonymous reporting. This means that you need to review mechanisms on reporting suspected compliance violations and then actions taken on any internal reports, including follow-ups to the reporting employees of the target. You should also assess whether those employees who are seeking guidance on compliance for their day-to-day business dealings are receiving not only adequate but timely responses. 

As there is no dispute that third parties represent the highest risk to most companies under the FCPA, as assessment of the target’s third party due diligence program is certainly something that should be a part of any pre-acquisition risk assessment. But more than simply a review of procedures for due diligence on third party intermediaries; there should be an assessment if there has been management of the third-party after the contract is signed. 

Another area for review in any pre-acquisition risk assessment is to consider the target’s employee commitment to its compliance regime. But just as you look at the carrots to achieve compliance, you should also look at the stick, in the form of disciplinary procedures for violations. This means you should see if there have been any disciplinary actions for employee compliance violations and then determine if such discipline has been applied uniformly.   

The pre-acquisition risk assessment can be a critical element in any M&A work for compliance. Use this opportunity to see where the target might stand on compliance. Your risk assessment can evolve as you obtain greater information. Finally use this pre-acquisition risk assessment as a base document to plan, resource and budget for your post-acquisition remediation, integration and reporting. 

Three Key Takeaways

  1. One never has enough time to engage in all the pre-acquisition review you might want to do, so optimize your time and resources.
  2. Consider what you can review to put together a preliminary risk assessment on the target.
  3. As with most compliance initiatives, you are only limited by your imagination so if you are limited in time and scope try something new and different.

 

 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Oct 5, 2017

As a general legal matter, when a company acquires another company, the successor company cannot be liable for the acquired company’s activities prior to acquisition. In FCPA jurisprudence, there is no case law precedent directly on point. However, the DOJ and SEC have commented extensively on “successor liability.” Opinion Release 03-01, from the DOJ first suggested that an acquiring company could be liable for pre-acquisition FCPA violations. In that case, an acquiring company determined a target had engaged in conduct which potentially violated the FCPA. The DOJ opined that if the acquirer halted the illegal conduct, extensively remediated, disciplined the offending officers and employees of the target and continued to provide information and cooperate with the government, the DOJ would not prosecute under the FCPA. 

In addition to 03-01, there are a few FCPA enforcement actions which suggest that if a company makes good faith efforts to conduct due diligence, integrate compliance programs and take extensive remedial actions by and if all that is done on a quick basis, the DOJ will give the acquiring entity strong credit. One of the best examples of this approach was the 2009 purchase by Pfizer of Wyeth. Pfizer could do limited due diligence before the acquisition but because both were massive organizations it was not possible to do complete due diligence prior to acquisition. After the acquisition, but within 180 days, Pfizer had identified much of the wrongdoing at Wyeth and halted it. Pfizer was not held criminally liable for any of the conduct at Wyeth. 

Most of what Pfizer was held responsible for in its DPA was because of a previous acquisition of Pharmacia, which they acquired in 2002 and 2003. At the time of the Pharmacia acquisition, purchasers did not typically conduct pre-acquisition due diligence on acquisition targets. And during the investigation most of the violations of FCPA for which Pfizer was held criminally liable; began prior to the acquisition of Pharmacia. Pfizer was held responsible for the misconduct at Pharmacia both before and afterwards. The Pfizer case is interesting because it shows both the sides of the equation.

In 2008, DOJ Opinion Release No. 08-02 provided additional information for a safe harbor for successor liability based upon a very specific fact scenario. The Opinion Release is known as the “the Halliburton Opinion Release.” In the Halliburton Opinion Release, the DOJ indicated that it would not take enforcement action based on specific circumstances that allowed for limited pre-acquisitions due diligence and aggressive post-acquisition schedule for a risk audit and disclosures to the government. Thereafter in the Johnson and Johnson and DSS DPAs, the DOJ further refined the requirements and time frames to obtain this safe harbor. 

The 2012 FCPA Guidance advanced the information for the compliance professional. It provided the clearest argument for a safe harbor to companies if companies invest reasonable effort in due diligence and post-acquisition compliance; they may well be able to avoid major liability. The DOJ and SEC noted, “in a significant number of instances, DOJ and SEC have declined to take action against companies that voluntarily disclosed and remediated conduct and cooperated with DOJ and SEC in the merger and acquisitions context.” Furthermore, DOJ and SEC provided that “a successor company’s voluntary disclosure, appropriate due diligence, and implementation of an effective compliance program may also decrease the likelihood of an enforcement action regarding an acquired company’s post-acquisition conduct when pre-acquisition due diligence is not possible.” 

The 2012 FCPA Guidance provided literally a roadmap for a Buyer to limit compliance risk in the mergers and acquisition context. It emphasized the importance of pre-acquisition due diligence and post-acquisition integration of compliance programs and internal controls. This type of integrated approach would reduce risk of future bribes and allow the purchaser and target to address potential violation(s) through negotiation of costs and responsibilities for investigation/remediation. Finally, and as with all effective compliance, it will assist the purchaser to accurately value the target company. 

In 2014, the DOJ issued Opinion Procedure Release 14-02 which provided further guidance on successor liability. This release reiterated the DOJ’s willingness to recognize a safe harbor where the acquiring company makes sufficient efforts to conduct due diligence and post-acquisition integration and concluded that acquisition of a company does not create FCPA liability where it did not exist before, such as for jurisdictional reasons. In the Release, the requesting company had acquired a company with significant anti-corruption compliance program deficiencies, including: lack of documentary records to support gifts to government officials or charitable donation, incomplete and inaccurate records for expenses, and lack of written compliance policies and procedures. 

Three Key Takeaways

  1. Opinion Release 03-01 was the first to provide a safe harbor concept in the M&A context.
  2. The Halliburton Opinion Release expanded the safe harbor concept to the situation where a company could not engage in substantive pre-acquisition due diligence.
  3. The 2012 FCPA Guidance brought together the various strands of a safe harbor position.

 

This month’s podcast series is sponsored by Michael Volkov and The Volkov Law Group.  The Volkov Law Group is a premier law firm specializing in corporate ethics and compliance, internal investigations and white collar defense.  For more information and to discuss practical solutions to compliance and enforcement issues, email Michael Volkov at mvolkov@volkovlaw.com or check out www.volkovlaw.com.

Oct 5, 2017

The top compliance roundtable podcast is back with a wealth of new topics.

  1. Matt Kelly opens with a discussion of the Equifax data breach and its implications for the compliance profession.

For Matt Kelly’s posts on the Equifax data breach and cybersecurity, see the following:

Vendor, Cybersecurity Risk, Ugh

Clayton, Congress Talk Cybersecurity

  1. Jonathan Armstrong considers the Uber situation in London where it recently lost it license to do business from the regulator Transportation for London (TfL). He discusses a prior case that he handled which had similar issues.
  2. Jay Rosen considers the massive FBI undercover operation resulting in 10 arrests in college basketball for corruption regarding high school recruits.
  3. Tom Fox sits in for Mike Volkov, who is on assignment this week. He discusses the top FCPA enforcement action of all-time, the recently announced Telia enforcement action.

For Tom Fox’s posts on the Telia enforcement action, see the following:

The Telia FCPA Resolution, Part I - Introduction

The Telia FCPA Enforcement Action: Part II - The Bribery Schemes

The Telia FCPA Enforcement Action: Part III - The Individuals

Telia FCPA Enforcement Action: Part IV - Getting Some Monies Back

Telia FCPA Enforcement Action: Part V-Lessons Learned 

The gang is back with rants which follow the discussions.

The members of the Everything Compliance panel include:

  • Jay Rosen– Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com
  • Mike Volkov – One of the top FCPA commentators and practitioners around and the Chief Executive Officer of The Volkov Law Group, LLC. Volkov can be reached at mvolkov@volkovlawgroup.com.
  • Matt Kelly – Founder and CEO of Radical Compliance, is the former Editor of Compliance Week. Kelly can be reached at mkelly@radicalcompliance.com
  • Jonathan Armstrong – Rounding out the panel is our UK colleague, who is an experienced lawyer with Cordery in London. Armstrong can be reached at armstrong@corderycompliance.com
Oct 4, 2017

Count Dracula is one of the four classic Universal Pictures movie monsters from the 1930s; including the Wolfman, the Mummy and Frankenstein’s Monster. What sets him apart from these other three? In particular what is the Dracula brand? Is it fanged teeth and a black cape? Is it the signature Bela Lugosi voice? Is it a bat? In this episode, Richard Lummis and I explore branding for business leaders and discuss the lessons a 21st century business leader can learn from a 1930s movie character.

Oct 4, 2017

Why should a company engage in pre-acquisition due diligence in the mergers and acquisition context? Certainly compliance with anti-corruption laws such as the FCPA or UK Bribery Act is a good starting point. However there are other reasons that were laid by Transparency International (TI) in, a White Paper entitled “Anti-Bribery Guidance for Transactions.” The TI White Paper suggests that there are greater forces driving compliance than simply compliance with anti-corruption and anti-bribery laws such as the Foreign Corrupt Practices Act (FCPA) and UK Bribery Act. A company engaging in an international acquisition should also strive to avoid the potential financial and reputational damage that may arise from investing in or purchasing a company associated with bribery or corruption.

Some of the specific consequences where investments are made in a company which has a history of bribery or corruption include.

  • Both the target company and the acquiring company may place themselves (and their respective Boards of Directors) at risk of criminal or civil fines and penalties.
  • The market value of the target company may be overstated and hence damage the overall financial position of an acquiring company. Conversely, such conduct may diminish the asset value and returns for a target company.
  • The business instability brought by such conduct. This can include aborted business deals where both sides work long and hard only to have the transaction fall apart near the end of the process.
  • The acquired business may not simply be dysfunctional but acquiring such a business may also introduce a culture into the acquiring company which will negatively impact it and bring about employee de-motivation.
  • Even if there are no individual criminal actions brought against target or acquiring company employees, there can be a long period of disruption due to lengthy and costly investigations and the attendant reputational damage.

There are several positive benefits from appropriate due diligence, including:

  • Management quality indicator which will assess the positive qualities of the target company, including the quality of the target’s management and its overall systems, including books and records. The evidence from due diligence of anti-corruption and anti-bribery programs is an indicator of overall management quality.
  • The mitigation benefits available if a bribery incident is discovered. Under the UK Bribery Act, if a company has “Adequate Procedures” it may have a defense to a claim of violation of the Act. Under the FCPA, evidence of a best practices compliance program can be used in mitigation of any alleged violation of the FCPA.
  • The reputational gain which an acquiring company may be able to gain with regulators or investors if it can show integrity and responsibility during the due diligence process.
  • Lastly an acquiring company can go a long way in meeting investor expectations in Environmental, Social and Governance (ESG) risks, which can include corruption and bribery, during M&A transactions.

To begin the process, the following should be actively explored:

  • Has bribery taken place historically?
  • Is it possible or likely that bribery is currently taking place?
  • If so, how widespread is it likely to be?
  • Does the target have in place an adequate anti-bribery program to prevent bribery?
  • What would the likely impact be if bribery, historical or current, were discovered after the transaction had completed?

Financial, legal or reputational risk can have a significant impact the valuation or a transaction or its desirability. The following potential impacts for a purchaser or investor of anti-corruption or anti-bribery risks during due diligence can be laid out visually in chart format, which is a useful way to think through and present your analysis.

 

Legal Risk

Financial Risk

Reputational Risk

Current bribery and/or corruption in target company discovered during transaction

High

High

Medium

Current bribery and/or corruption in acquired company discovered in post-transaction

High

High

High

Historical bribery and/or corruption discovered during transaction

High to low depending on jurisdiction

High to low depending on jurisdiction

Low to medium

Historical bribery and/or corruption in acquired company discovered post-transaction

High to medium depending on jurisdiction

High to medium depending on jurisdiction

High to medium

These factors provide the compliance practitioner strong ammunition when confronted with a management which fails to understand the need for a robust due diligence in a mergers and acquisition transaction. By not focusing on the regulatory aspects of M&A transactions but more on the market reasons for engaging in the appropriate due diligence, you can emphasize the business reasons for compliance.

Three Key Takeaways

  1. There are numerous legal and business reason to engage in anti-corruption due diligence in the M&A space.
  2. ESG can present significant corruption risks in emerging markets.
  3. Present your analysis in high, medium and low risk formats.

 

This month’s podcast series is sponsored by Michael Volkov and The Volkov Law Group.  The Volkov Law Group is a premier law firm specializing in corporate ethics and compliance, internal investigations and white collar defense.  For more information and to discuss practical solutions to compliance and enforcement issues, email Michael Volkov at mvolkov@volkovlaw.com or check out www.volkovlaw.com.

Oct 3, 2017

Today, I want to consider some of the key FCPA enforcement actions involving mergers and acquisition. These cases and the 2012 Guidance have made clear that Justice Department and SEC will vigorously prosecute companies which allow bribery and corruption to continue after a merger or purchase occurs. The key point to remember is that if a company was engaging in bribery and corruption before it was acquired and continues to do so after the transaction is completed, it is now you which is engaging in bribery and corruption, not them. 

Syncor International Corporation (2002)

Allegations- Cardinal Health, Inc. acquired Syncor International Corporation, a radiopharmaceutical company based in California. Between 1997 and 2002, Syncor’s Taiwanese subsidiary made improper commissions payments totaling $344,000, to physicians who were employed by state-owned hospitals to influence the doctors’ decision to buy Syncor products and services. Another $600,000 in corrupt payments were made through Syncor’s foreign subsidiaries in Mexico, Belgium, Luxembourg, and France. All payments were authorized by and with the knowledge and approval of Syncor’s Founder and Chairman.

Penalties-Syncor Taiwan Inc., a wholly owned subsidiary of Syncor International Corporation, pled guilty to substantive violations of the FCPA’s anti-bribery and books and records provisions, was sentenced to 3 years of supervised probation and ordered to pay a US $2 million fine. The company also agreed to pay a $500,000 civil penalty and to cease and desist in future violations and was required to retain an independent consultant to review and make recommendations concerning the company’s compliance policies and procedures. At the time, it was the largest penalty ever obtained by the SEC in an FCPA case.

Key Lessons Learned- This was the first time the DOJ charged a foreign company under the 1998 amendments, for taking acts place in the US (i.e., Chairman’s approval). Parent liability was established through the foreign subsidiary’s books and records and employees of a state-owned entity are instrumentalities of the government. This case also demonstrated how a government investigation can slow the closing of an acquisition as the acquisition by Cardinal Health was delayed until the investigation was concluded and agreements were struck with the DOJ and SEC. The acquirer brought Syncor for a lower price than originally negotiated. 

Titan Corporation (2005)

Allegations- This case involved the acquisition of Titan Corporation, by Lockheed Martin Corporation but perhaps most importantly, the acquisition ultimately failed. Titan employed a consultant and paid $3.5 million to a known business advisor of the President of Benin. Of the $3.5 million paid to the advisor, approximately $2 million were indirect contributions to the President’s re-election campaign. At the direction of a Titan senior officer, at least two payments of $500,000 each were wired from Titan’s bank account in San Diego, California, to the agent’s account in Monaco. The remaining payments were made to the agent in cash. Payments were characterized on Titan’s books and records as “social program payments” that were required by its contract with the government, the company also falsified documents to enable its agents to under-report local commission payments in Nepal, Bangladesh, and Sri Lanka. Finally, Titan falsely reported to the US government commission payments on equipment exported to Sri Lanka, France, and Japan.

Penalties- Titan pled guilty to substantive violations of the FCPA’s anti-bribery and books and records provisions, as well as a tax violation, was sentenced to 3 years of supervised probation and ordered to pay a $13 million fine. SEC alleged violations of the FCPA’s anti-bribery and books and records provisions. Titan agreed to pay the SEC and additional $15.5 million in disgorgement and prejudgment interest penalties and a $13 million penalty, which was satisfied by payment of the criminal fines. Titan was required to retain an independent consultant to review its compliance procedures and to adopt its recommendations. Finally, the SEC issued a 21(a) Report criticizing Titan’s proxy statement for incorporating what it deemed false FCPA representations and warranties. Most importantly for Titan, its acquisition by Lockheed-Martin ultimately failed.

Key Lessons Learned-some of the basic tenets of a compliance program were laid out in this enforcement action. They included: a company must conduct meaningful due diligence with respect to foreign agents and consultants and must ensure that the services alleged to be performed are provided. Internal controls must be designed to detect “red flags,” such as offshore payments and inconsistent invoices. From the M&A perspective, representations and warranties in a merger agreement must be accurate (or qualified) when included in a proxy statement. There can be a risk of additional prosecution under the International Traffic in Arms Regulations (ITAR) and possible suspension of export privileges, potential US and foreign tax exposure and possible contractor debarment issues by the Department of Defense. Ultimately and most importantly from the business perspective, the merger failed when Titan was unable to meet contractual agreement to settle with the US government by a certain time. 

Latin Node (2009)

Allegations-In June 2007, eLandia acquired Latin Node, which provided wholesale telecommunications services to several developing countries by leasing lines from local phone companies, in Latin America for $20 million. In August 2007, during a post-acquisition financial integration review, eLandia discovered evidence that Latin Node had paid approximately $2.25 million in bribes to Honduran and Yemeni government officials between March 2004 and June 2007. Subsequently, eLandia voluntarily reported the payments to DOJ, eventually paying a $2 million fine and placing Latin Node into bankruptcy and thereby losing its entire investment.

Penalties-Latin Node pled guilty to a one-count criminal information as part of a plea agreement with the government. Under the agreement, Latin Node agreed to pay a $2 million criminal fine, a $400 special assessment and agreed to continue its cooperation with the government. Four Latin Node executives were charged with criminal conduct for their actions. They were Jorge Granados, 54, the company's former CEO; Manuel Caceres, 64, a former vice president; and Juan Pablo Vasquez, the chief commercial officer; and Manual Salvoch, the company’s former CFO. All four pled guilty.

Key Lessons Learned-This was the first FCPA enforcement action based entirely on pre-acquisition conduct that was unknown to the buyer when the transaction closed. The purchaser’s entire $22+ million investment in Latin Node was wiped out due to inflated acquisition price of corrupt company and investigation costs. All of this demonstrated the need for rigorous pre-acquisition due diligence in addition to the post-acquisition integration. It also exposed individuals to the real possibility of jail time for their actions. 

There have been several M&A cases since these three but they set the model for the DOJ’s prosecution going forward. Every compliance practitioner should be aware of these cases and communicate to management that one of the most well settled areas of FCPA enforcement is around M&A. Simply put if you do not engage in appropriate pre-acquisition due diligence and there continues to be ongoing bribery and corruption after you acquire an entity, your company will bear the brunt of any prosecution.

Three Key Takeaways

  1. FCPA enforcement in the M&A space is one of the most well settled areas of enforcement.
  2. Failure to perform pre-acquisition due diligence can significantly devalue a purchased asset.
  3. Always remember that if bribery continues after an acquisition it is no longer them engaging in bribery and corruption but you who are engaging in bribery and corruption.

This month’s podcast series is sponsored by Michael Volkov and The Volkov Law Group.  The Volkov Law Group is a premier law firm specializing in corporate ethics and compliance, internal investigations and white collar defense.  For more information and to discuss practical solutions to compliance and enforcement issues, email Michael Volkov at mvolkov@volkovlaw.com or check out www.volkovlaw.com.

Oct 3, 2017

In this episode, Matt Kelly and I take a deep dive into an article by Todd Haugh, in the most recent issue of the MIT Sloan Management Review entitled, “The Trouble With Corporate Compliance Programs that even best practices compliance program fail to take into account behavioral best practices and one important but too often overlooked key to strengthening both individual and overall corporate behavior is eliminating rationalizations. 

Haugh points to the Wells Fargo scandal which occurred in large part because of multiple rationalizations at multiple levels. At the employee level, they were pressured to violate both company policy and the law by their managers. At the senior management level the balance sheet rationalization came into play. Both of these led employees to “rationalize their conduct by denying responsibility and claiming relative normality.” 

We consider the steps Haugh recommends. The first was one of the most intriguing and it was for a company to employee a behavioral specialist to take current research and theory into practice in an organization. The second was to “use behavioral best practices to eliminate rationalizations.” The final suggestion is that companies should “use incentives to influence behavior in the right direction” by understanding how rationalizations come into play. Most interestingly Haugh believes that employee “praise and expressions of gratitude motivate more than money”. Think of the cost of a good word now and then or a pat on the back. 

The topic is a fascinating look at new insights for the compliance practitioner into how to motivate employees and make compliance more effective in an organization.

For more see Tom's blog post, The Fraud Triangle, Rationalizations and Compliance Programs. 

Oct 2, 2017

Today, I begin a one month series on how to have a more effective compliance program involving business ventures. This will include the role of compliance in mergers and acquisitions, the role of compliance in joint venture agreement, distributorship, franchises as well as other forms of business relationships.

The 2012 FCPA Guidance makes clear that one of the ten hallmarks of an effective compliance program is around mergers and acquisitions (M&A), in both the pre-and post-acquisition context. A company that does not perform adequate due diligence prior to a merger or acquisition may face both legal and business risks. Perhaps, most commonly, inadequate due diligence can allow a course of bribery to continue - with all the attendant harms to a business’s profitability and reputation, as well as potential civil and criminal liability. In contrast, companies that conduct effective due diligence on their acquisition targets are able to evaluate more accurately each target’s value and negotiate for the costs of the bribery to be borne by the target. But, equally important is that if a company engages in the suggested actions, they will go a long way towards insulating, or at least lessening, the risk of FCPA liability going forward.

Nat Edmonds, in an interview in the Wall Street Journal (WSJ) entitled, “Former Justice Official: How to Buy Corrupt Companies” said “I think most companies and their outside counsel believe any potential corruption problem should stop a deal from occurring. Companies would be surprised to learn that neither the Securities and Exchanges Commission nor the DOJ takes that position. In many ways the SEC and DOJ encourage good companies with strong compliance programs to buy the companies engaged in improper conduct in order to help implement strong compliance in companies that have engaged in wrongful conduct. What companies must do and what outside counsel should advise them to do is to have a realistic perspective of what effect that corruption or potential improper payment has on the value of the deal itself. Because of the concern that any corruption would stop the deal or implicate the buyers, many times companies don’t look as thoroughly as they should at potential corruption. There is often concern that if you start to look for something you may find a problem and it could slow down or stop the whole deal.”

The 2012 FCPA Guidance was the first time that many compliance practitioners focused on the pre-acquisition phase of a transaction as part of a compliance regime. The DOJ and the SEC made clear the importance of this step. In addition to the above language, they cited to another example in the section on Declinations where the “DOJ and SEC declined to take enforcement action against a U.S. publicly held consumer products company in connection with its acquisition of a foreign company.” This action was based upon the following, “The company identified the potential improper payments to local government officials as part of its pre-acquisition due diligence and the company promptly developed a comprehensive plan to investigate, correct, and remediate any FCPA issues after acquisition.”

In a hypothetical, the 2012 FCPA Guidance provided some specific steps a company had taken in the pre-acquisition phase. These steps included, “(1) having its legal, accounting, and compliance departments review Foreign Company’s sales and financial data, its customer contracts, and its third-party and distributor agreements; (2) performing a risk-based analysis of Foreign Company’s customer base; (3) performing an audit of selected transactions engaged in by Foreign Company; and (4) engaging in discussions with Foreign Company’s general counsel, vice president of sales, and head of internal audit regarding all corruption risks, compliance efforts, and any other corruption-related issues that have surfaced at Foreign Company over the past ten years.”

The DOJ Evaluation of Corporate Compliance Programs also had some specific questions around M&A. Under Prong 11. Mergers and Acquisitions (M&A), the following topics were listed, including some specific questions. Under Due Diligence Process, the following questions were posed, Was the misconduct or the risk of misconduct identified during due diligence? Who conducted the risk review for the acquired/merged entities and how was it done? What has been the M&A due diligence process generally? Under the topic, Integration in the M&A Process, the following query was posed, How has the compliance function been integrated into the merger, acquisition, and integration process? Finally, under the line area of interesting, Process Connecting Due Diligence to Implementation, the following queries were posed, What has been the company’s process for tracking and remediating misconduct or misconduct risks identified during the due diligence process? What has been the company’s process for implementing compliance policies and procedures at new entities? 

One of the key themes this month will be the integrated nature of compliance and business ventures. Whether the compliance work is seen in the mergers and acquisition context, joint venture context or one of the myriad of other business relationships of the current business world, there is an approach that a Chief Compliance Officer (CCO) or compliance professional should take to assess the risk, monitor the risk and then manage the risk with continued monitoring with a feedback of data and information into your risk management strategy.

Three Key Takeaways

  1. We will consider the role of compliance in a wide variety of business relationships, including mergers and acquisitions, joint venture agreements, distributorships, franchises as well as other forms of business relationships.
  2. Compliance for mergers and acquisitions should be seen as a unidimensional continuum.
  3. The Evaluation focuses on what data did your risk monitoring system turn up and how did you utilize it going forward.

 

This month’s podcast series is sponsored by Michael Volkov and The Volkov Law Group.  The Volkov Law Group is a premier law firm specializing in corporate ethics and compliance, internal investigations and white collar defense.  For more information and to discuss practical solutions to compliance and enforcement issues, email Michael Volkov at mvolkov@volkovlaw.com or check out www.volkovlaw.com.

Oct 2, 2017

In this episode, I have a fascinating interview with David McLaughlin, founder and CEO of QuantaVerse, which has artificial intelligence and data analytics tools to help companies manage risk more effectively. We discuss the use of such tools and techniques for risk reduction solutions to provide insight into the details of your customer’s customers, which allows a company to not only identify bad actors but also aggressively fight financial crime, including fraud, bribery and corruption. We explore how this downstream approach would allow you to more effectively manage subcontractors to your company’s prime contractors. We consider how artificial Intelligence is transforming Internal audit investigations with technology; how it is enhancing compliance programs with predictive data analytics and how artificial intelligence can Help companies reduce FCPA risk. 

We conclude with a discussion how the use of AI can bring a more holistic approach to compliance as a business process rather than simply policies and procedures so that the end of the day a company is more profitable. The implications for the compliance profession are profound and these concepts will lead improvements on compliance efficiencies. 

For more information on QuantaVerse, check out their website, quantaverse.net

« Previous 1 2