FCPA Compliance Report

Tom Fox has practiced law in Houston for 30 years and now brings you the FCPA Compliance and Ethics Report. Learn the latest in anti-corruption and anti-bribery compliance and international transaction issues, as well as business solutions to compliance problems.
Dec 31, 2017

Jay and I take things in a different direction this week. We take the top five podcasts from 2017 and each of us gives a highlight from that episode to point out some of the key compliance issues from 2017, for our year-end wrap-up edition.

1. Episode 55-The Covfefe Edition, for the week ending June 2

From Jay- Compliance is making its way into Boards of Directors. See article by Ben DiPietro in the WSJ Risk and Compliance Journal.

From Tom- Samuel Mebiame, sentenced to two years behind bars for paying bribes to help Och-Ziff with lucrative mining deals in Africa. See article by Sam Rubenfeld in WSJ Risk and Compliance Journal. Judge asks why no one else was criminally prosecuted. See article in Bloomberg.

2. Episode 53-The I Left My Heart in SF Edition, for the week ending May 19

From Jay- Should compliance and ethics be wedded? New report by Institute of Business Ethics and the Ethics Institute considers the issues. See article in WSJ Risk and Compliance Journal.

From Tom- Astros lead the MLB with the best record in baseball. Will they regress to the mean?

3. Episode 52-The Firing the Investigators Edition, for the week ending May 12

From Jay- ECI Report Finds Use of Corporate Monitors is on the Rise. For a copy of the report, click here. For a webinar replay with Affiliated Monitors’ Eric Feldman and Nasdaq’s Michael Kallens, click here.

From Tom- Why the judgment of CEOs and their actions really do matter. See James Stewart’s consideration of Barclays’ Jes Staley in his Common Sense column in the New York Times.

4. Episode 54-The Rubber Match Edition, for the week ending May 26

From Jay- He recaps the SCCE San Francisco event he attended last week. See Jay’s recap in his article I Left My #SCCE Heart in San Francisco or I Love It When A Plan Comes Together!

From Tom- Was the individual enforcement against the MoneyGram CCO significant or much ado about nothing? See article by Dick Cassin in the FCPA Blog and by Sara Kropf in her Grand Jury Blog.

5. Episode 77-The Home for the Holidays Edition, for the week ending November 17

From Jay-

1a) Wal-Mart reserves $283MM to settle its outstanding FCPA matter. See article by Dick Cassin in the FCPA Blog. Henry Cutter reports in the WSJ Risk and Compliance Journal.

1b) The Everything Compliance gang put together an eBook of their reflections from the recent SCCE 2017 Compliance and Ethics Institute. It is available for download free on JDSupra. It is also available on the Affiliated Monitors site by clicking here.

From Tom- Tom visited with Marc Havener and Bryan Belknap about using movie clips to expand your compliance training classroom. See Tom’s blog post here.

Dec 31, 2017

2017 was a very significant year for every compliance practitioner and compliance program. The year brought two important documents on compliance programs. It began with the Evaluation of Corporate Compliance Programs (Evaluation) released in February 2017 and ended with the Department of Justice (DOJ) announcing a new Policy regarding Foreign Corrupt Practices Act (FCPA) enforcement in November 2017. Building upon the Ten Hallmarks of an Effective Compliance Program, as first articulated in the 2012 FCPA Guidance, there are now specific points, issues and questions a compliance professional can use to more fully operationalize a compliance program.

In November 2017, Deputy Attorney General Rod Rosenstein announced the new FCPA Corporate Enforcement Policy. This new Policy incorporated the Ten Hallmarks of an Effective Compliance Program through reference to the 2012 FCPA Resource Guide as continued best practices and added new information on the DOJ’s expectations for more fully operationalizing compliance. The DOJ further incorporated language and concepts from a variety of sources, including the 2016 FCPA Pilot Program and the 2017 Evaluation.

Three Key Takeaways 

  1. 2017 brought two key DOJ documents forward for use by the compliance practitioner: the Evaluation and the new FCPA Corporate Enforcement Policy.
  2. You must work to more fully operationalize your compliance program.
  3. Always remember the three most important things in any compliance program are: Document, Document, and Document.

Dec 31, 2017

This entry provides a wrap-up on written standards, with a discussion of policies on cybersecurity. Cybersecurity has become so critical for corporations that the CCO and many compliance practitioners are now required to deal with this issue.

Cybersecurity policies are the newest area to fall into the lap of the compliance professional. Fortunately, the state of New York’s Department of Financial Services has issued the first state-level regulations on cybersecurity for financial institutions. They became effective March 1, 2017 and, while they are designed to protect financial services industries and consumers, they have application to, and provide guidance for, a wider variety of non-financial services companies and commercial enterprises. The regulation mandates that your overall cybersecurity policy be designed to meet the goals of preventing, detecting and remediating a cybersecurity event.

While the regulation is obviously geared towards financial services firms, there are several points that any non-financial services compliance practitioner should consider. The overall cybersecurity program should be designed to meet the three goals of any best practices compliance program: (a) prevent any cybersecurity breaches or failures; (b) detect cybersecurity events; and (c) remediate by responding to identified or detected cybersecurity events to mitigate any negative effects, recovering from them and restoring normal operations and services. An added requirement for cybersecurity is notification of the appropriate regulatory authorities.

Your written policy should be based on a risk assessment, taking the following factors into consideration: “(a) information security; (b) data governance and classification; (c) asset inventory and device management; (d) access controls and identity management; (e) business continuity and disaster recovery planning and resources; (f) systems operations and availability concerns; (g) systems and network security; (h) systems and network monitoring; (i) systems and application development and quality assurance; (j) physical security and environmental controls; (k) customer data privacy; (l) vendor and Third Party Service Provider management; (m) risk assessment; and (n) incident response.”

There should be a corporate officer position that reports to the Board of Directors on the following topics: (1) the confidentiality, integrity and security of the information systems; (2) the cybersecurity policies and procedures; (3) material cybersecurity risks; (4) the overall effectiveness of the cybersecurity program; and (5) any material cybersecurity events. The cyber compliance team must all show proficiency in the discipline and keep abreast of cybersecurity developments.

For ongoing monitoring, there should be annual penetration testing and biennial vulnerability assessments. Finally, there must be annual risk assessments designed to test: (1) identified cybersecurity risks and threats; (2) criteria for the assessment of the confidentiality, integrity, security, availability and adequacy of existing controls in the context of identified risks; and (3) requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the cybersecurity program will address the risks.

If a company allows a third-party provider to have access to or hold its data, it must perform an evaluation of that third-party provider in the following areas: (1) identification and risk assessment of the third-party provider; (2) minimum cybersecurity practices the third-party provider must meet in order to do business; (3) due diligence processes used to evaluate the adequacy of the third-party provider’s cybersecurity practices; and (4) periodic assessment of the third-party provider based on the risk it presents and the continued adequacy of its cybersecurity practices. There should also be effective training and ongoing monitoring requirements for employees of impacted third-party providers.

All of the above should sound quite familiar to any anti-corruption compliance professional. Yet this DFS regulation should also be studied as a roadmap for the inevitable cybersecurity and InfoSec compliance that is just down the road for non-financial services industries. Third-party providers are particularly critical, as many major data breaches have occurred through connected third parties. One need only think of examples ranging from the Target data breach to the looting of the Central Bank of Bangladesh through the New York Federal Reserve Bank.

Three Key Takeaways

  1. CCOs and compliance professionals need to be ready to take on cybersecurity policies and procedures.
  2. Cybersecurity policies and procedures should strive to prevent, detect and remediate cybersecurity events and failures.
  3. Do not forget the lesson from the Target data breach; you are only as secure as your weakest third-party link.

This month’s sponsor is the Doing Compliance Master Class. In 2018, I am partnering with Jonathan Marks and Marcum LLC to put on training. Look for dates for one of the top compliance-related trainings going forward.

Dec 30, 2017

The next area for policies is extortion payments, which are completely exempted out of the FCPA. Extortion payments are payments demanded under a threat to life, liberty, or health. These should be exempted out from your facilitation payments and your compliance program through specific language. You need to do this for a variety of reasons. First and foremost, your employees must understand that the company will support them if they are in any way threatened with harm, arrest or physical detention, or if their health or safety is threatened. As a compliance professional, you need to make sure employees understand they need to do whatever they must to get themselves out of such a situation.

Some of the situations your employees might face are along the lines of the following:

  • Employees are stopped by police, military or paramilitary personnel, or militia (uniformed or not) at designated or other checkpoints or other places and a payment is demanded as a condition of passage of persons or property;
  • Employees are threatened with arrest or detainment; or
  • Employees are asked by persons claiming to be security personnel, immigration control, or health inspectors to pay for an allegedly required inoculation or other similar procedure.

I once had a situation where an employee was threatened with receiving a vaccination for yellow fever when they were departing a west African country. The employee paid some $85 to get out of that situation. I instructed him to submit it as a travel expense, writing out the event in a four-sentence paragraph attached to his expense report. The documentation proved that the payment was not a facilitation payment. It was clearly an extortion payment.

The key, though, is that it be properly documented. But beyond simple documentation, you must specifically list extortion payments in your books and records so you will be in compliance with the books and records requirement of the FCPA to accurately record your expenses. You need to train your employees specifically on the actions to take both when they are put in the situation and when they return to their office. In your policy, state that if there is a threat to health, safety or liberty, it is not a facilitation payment but an extortion payment. Make sure that employees understand what their rights are and what their obligations are to report it when they come back to the corporate office or their office. Always remember, an extortion payment is not an FCPA violation.

Three Key Takeaways

  1. Extortion payments are not illegal under the FCPA.
  2. Was the action an extortion or some other type of situation?
  3. Document, Document, and Document your extortion payments, both the financial component and a description of the underlying events.


Dec 29, 2017

As every compliance practitioner is well aware, third parties still present the highest risk under the Foreign Corrupt Practices Act. The Department of Justice Evaluation of Corporate Compliance Programs devotes an entire prong to third party management. It begins with the following:

Risk-Based and Integrated Processes: How has the company’s third-party management process corresponded to the nature and level of the enterprise risk identified by the company? How has this process been integrated into the relevant procurement and vendor management processes?

This first set of queries clearly specifies that the DOJ expects an integrated approach that is operationalized throughout the company. This means your compliance program must have a process for the full life cycle of third-party risk management. There are five steps in the life cycle of third-party management.

  1. Business Justification and Business Sponsor;
  2. Questionnaire to Third Party;
  3. Due Diligence on Third Party;
  4. Compliance Terms and Conditions, including payment terms; and
  5. Management and Oversight of Third Parties After Contract Signing.

Step 1 - Business Justification

The purpose of the Business Justification is to document the adequacy of the business case to retain a third party. The Business Justification should be included in the compliance review file assembled on every third party at the time of initial certification and again if the third-party relationship is renewed. The Business Justification should be completed by the Business Sponsor, who will be the company’s primary business contact with the third party going forward.

Step 2 - Questionnaire

The term ‘questionnaire’ is mentioned several times in the 2012 FCPA Guidance. It is generally recognized as one of the tools that a company should use in its investigation to better understand with whom it is doing business. I believe that this requirement is not only a key step but also a mandatory step for any third party that desires to do work with your company. I tell clients that if a third party does not want to fill out the questionnaire, or will not fill it out completely, you should not walk but run away from doing business with such a party.

One thing that you should keep in mind is that you will likely have pushback from your business team in making many of the inquiries listed above. However, my experience is that most proposed agents that have done business with US or UK companies have already gone through this process. Indeed, they understand that by providing this information on a timely basis, they can set themselves apart as more attractive to US businesses.

Step 3 - Due Diligence

Most compliance practitioners understand the need for a robust due diligence program to investigate third parties, but have struggled with how to create an inventory to define the basis of risk of each foreign business partner and thereby perform the due diligence required under the FCPA. Getting your arms around due diligence can sometimes seem bewildering for the compliance practitioner.

Our British compliance cousins of course are subject to the UK Bribery Act. In its Six Principles of an Adequate Procedures compliance program, the UK MOJ stated, “The commercial organisation applies due diligence procedures, taking a proportionate and risk based approach, in respect of persons who perform or will perform services for or on behalf of the organisation, in order to mitigate identified bribery risks.” The purpose of this principle is to encourage businesses to put in place due diligence procedures that adequately inform the application of proportionate measures designed to prevent persons associated with a company from bribing on their behalf. The MOJ recognized that due diligence procedures act both as a procedure for anti-bribery risk assessment and as a risk mitigation technique.

After you have completed Steps 1-3 and then evaluated and documented your evaluation, you are ready to move on to Step 4 - the contract. In the area of compliance terms and conditions, the 2012 FCPA Guidance intones, “Additional considerations include payment terms and how those payment terms compare to typical terms in that industry and country, as well as the timing of the third party’s introduction to the business.” This means that you need to understand what the rate of commission is and whether it is reasonable for the services delivered. If the rate is too high, this could be indicia of corruption, as high commission rates can create a pool of money to be used to pay bribes. If your company uses a distributor model, then it needs to review the discount rates it provides to its distributors to ascertain that the discount rate is warranted.

Step 4 - The Contract

You must evaluate the information and show that you have used it in your process. If it is incomplete, it must be completed. If Red Flags have appeared, these Red Flags must be cleared or you must demonstrate how you will manage the risks identified. In other words, you must Document, Document and Document that you have read, synthesized and evaluated the information garnered in Steps 1-3. As the DOJ and SEC continually remind us, a compliance program must be a living, evolving system and not simply a ‘Check-the-Box’ exercise.

Step 5 - Management of the Relationship

I often say that after you complete Steps 1-4 in the life cycle management of a third party, the real work begins, and that work is found in Step 5 - the Management of the Relationship. While the work done in Steps 1-4 is absolutely critical, if you do not manage the relationship it can all go downhill very quickly and you might find yourself with a potential FCPA or UK Bribery Act violation. There are several different ways that you should manage your post-contract relationship.

I continually give my Mantra of compliance, which is Document, Document, and Document. Each of the steps you take in the management of your third parties must be documented. Not only must they be documented but they must be stored and managed in a manner that you can retrieve them with relative ease. The management of third parties is absolutely critical in any best practices compliance program.

Three Key Takeaways 

  1. Use the full 5-step process for third-party management.
  2. Make sure you have BD involvement and buy-in.
  3. Operationalize all steps going forward by including business unit representatives.


Dec 28, 2017

In Part II of a two-part series, the top compliance roundtable podcast is back with a review of the new Justice Department’s FCPA Corporate Enforcement Policy. 

  1. Jay Rosen considers the compliance program additions found in the “Timely and Appropriate Remediation in FCPA Matters” section. He highlights the new parts from the Evaluation of Corporate Compliance Programs, root cause analysis and parts from the 2016 FCPA Pilot Program, Part III on remediation. What does this new information mean for the compliance practitioner? From an assessment perspective, what would a monitor look at more closely or even differently than under the 10 Hallmarks?
  2. Jonathan Armstrong looks at the new Policy from a UK/EU angle. He explores the following issues from the Policy: (1) where national blocking statutes prevent disclosure of information, what does the Policy require? (2) does the requirement for “Appropriate retention of business records, and prohibiting the improper destruction or deletion of business records” conflict with the “right to be forgotten”? He also considers the difficulties a UK or EU company might face when dealing with the US authorities and other relevant UK or EU authorities if they agreed to self-disclose. For instance, can they meet the extensive cooperation requirement in turning over information on persons and making them available for interview? Finally, and in a fascinating extrapolation, he explores whether the imposition of this law could actually negatively impact international anti-corruption enforcement.

For Jonathan Armstrong’s posts touching on these issues, see the following:

For some of Cordery Compliance’s writings on these topics, please see:

Rolls-Royce case sends a strong signal

Cease Processing Data Judgment

Mike, Jay and Jonathan are back with rants which follow the discussions. 

The members of the Everything Compliance panel include:

  • Jay Rosen– Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at
  • Mike Volkov – One of the top FCPA commentators and practitioners around and the Chief Executive Officer of The Volkov Law Group, LLC. Volkov can be reached at
  • Matt Kelly – Founder and CEO of Radical Compliance, is the former Editor of Compliance Week. Kelly can be reached at
  • Jonathan Armstrong – Rounding out the panel is our UK colleague, who is an experienced lawyer with Cordery in London. Armstrong can be reached at

In Part II, the top compliance roundtable podcast reviews the new DOJ FCPA Corporate Enforcement Policy. 

Dec 28, 2017

From the information provided by the Justice Department in Opinion Releases and in enforcement actions, there are several different insights which may be drawn on what should go into your policy on facilitation payments:

  1. Size of payment - Is there an outer limit? No, there is no outer limit but there is some line where the perception shifts. If a facilitating payment is over $100 you are arguing from a point of weakness. The presumption of good faith is against you. You might be able to persuade the government at an amount under $100. But anything over this amount and the government may well make further inquiries. So, for instance, the DOJ might say that all facilitation payments should be accumulated together and this would be a pattern and practice of bribery.
  2. What is a routine governmental action? Is the company entitled to this action, has it met all of the requirements to obtain the requested permit, license or action, or is it asking the government official to look the other way on some requirement? Is the company asking the government official to give it a break? The key question here is whether you are otherwise entitled to the action.
  3. Does the seniority of the governmental official matter? This is significant because it changes the presumption of whether something is truly discretionary. The higher the level of the governmental official involved, the greater chance his decision is discretionary.
  4. Does the action have to be non-discretionary? Yes, because if it is discretionary, then a payment made will appear to be obtaining some advantage that is not available to others.
  5. What approvals should be required? A facilitation payment is something that must be done with an appropriate process. The process should be thought through and the decision made by people who are the experts within the company on such matters.
  6. Risk of facilitation payments and third parties? Whatever policy you have, it must be carried over to third parties acting on your behalf or at your direction. If a third party cannot control this issue, the better compliance practice would be to end the business relationship.
  7. How should facilitation payments be recorded? Facilitation payments must be recorded accurately. You should have a category entitled “Facilitation Payments” in your company’s internal accounting system. The labeling should be quite clear; these records are critical to any audit trail, so recording them is quite significant.
  8. Monitoring programs? There must always be ongoing monitoring programs to review your company’s internal controls, policies and procedures regarding facilitation payments.

Also remember that the defense of facilitation payments is an exception to the FCPA prohibition against bribery. Any defendant which wishes to avail itself of this exception at trial would have to proffer credible evidence to support its position, but at the end of the day, it would be the trier of fact which would decide. So much like any compliance defense, the exception is only available if you use it at trial and it would be difficult to imagine that any company would want this matter to ever see the light of a courtroom.

After answering the above questions, if your organization decides it desires to allow facilitation payments, you should draft a policy that permits the company to make Facilitating Payments with (1) prior approval of the Compliance Department, (2) prior approval from Company management, and (3) proper financial recording. It may be difficult to distinguish a legal facilitation payment from a request that could be viewed as an illegal bribe or kickback; therefore, Facilitating Payments should be strictly controlled, and every effort should be made to eliminate or minimize such facilitating payments.

Do not forget that facilitation payments must be accurately shown on the books and records of your company. In all cases the employee who requested permission to make the facilitation payment must be responsible for obtaining all required approvals and forwarding a copy of the approvals and any other relevant supporting documentation as required, so that it is recorded as a facilitation expense in the books and records maintained in a central file. Facilitation payments should not be recorded as consulting fees, entertainment expenses, or other types of expenses that may misrepresent the true nature of the payments.

There may be emergency situations when it will be difficult or impossible for employees to obtain approvals immediately before having to decide whether or not to pay a facilitation payment. If the facilitation payment is made in an emergency, the employee should report the Facilitating Payment to the Compliance Department and explain the emergency as soon as practical after making the facilitation payment.

Three Key Takeaways

  1. What was the amount of the facilitation payment?
  2. Was the action truly routine?
  3. How high up was the government official who received the facilitation payment? Was his or her decision discretionary?


Dec 27, 2017

In this episode, I visit with Keith Read, Advisor to Convercent, and Angus Robertson, Senior Vice President for Convercent, on some of the key trends they observed in the marketplace in 2017, from the vendor perspective. I found this an interesting perspective as both of these gents spend quite a bit of time listening to compliance practitioners on what their needs are for their organizations. Some of the key trends they observed included:

Data Privacy

A hugely increased focus on data privacy, partly driven by GDPR and partly driven by the increasing size and global reach of our customer base.

Whistle-blowing & Social Media

A genuine recognition of the importance of effective whistle-blowing programs, given that social media now means that people are far more prepared to speak out if they are not happy to speak up. This also brings with it the need for active retaliation prevention, not just a passive ‘shelf’ policy.

Global legislation around ABC

Increasing global compliance-related legislation – new and updated laws such as Sapin II, the UK’s Criminal Finances Act and the Brazilian Clean Companies Act all utilize similar approaches to the enforcement of anti-corruption legislation. This means developing and implementing a common response strategy can be far more effective, and less costly; moreover, drawing disparate sources of data together - often for the first time - can be eye-opening.

Big Data and Analytics

Companies are focused more than ever on data, reporting and benchmarking. How do I as an ethics and compliance leader get the data I need to understand the health of my organization and the effectiveness of my program? How do I show how well I’m performing and the business value?

Delineation of Compliance vs. Ethics

Consumers and employees focusing more on ethics causes organizations to shift. This is especially true in B2C and industries led by technology or the shared economy.

Employee engagement and nudge programs

Providing the just-in-time information that is context aware relative to business process and communication, so that employees can make the right decision at the right time to support their company values.

The FCPA Compliance Report is proud to have Convercent sponsor this episode. Convercent works to drive ethics to the center of business through Enterprise Ethics & Compliance Software that invites users to share, listen and learn to help build a more ethical corporate culture. For more information go to

Dec 27, 2017

In this special 2017 year-end wrap-up, host Richard Lummis and I reflect back on the leadership lessons we explored over the past year. In this momentous year for leadership, both in business and the wider polis, we considered academics, numerous Presidents, movies, sports figures and some of the current corporate scandals that populated the year.

Our clear listener and fan favorite was our episode on Leadership Lessons from Count Dracula, proving once again there is a market for interesting takes on the most famous vampire of all time. It appears the Count still has a large podcast following, even in 2017.

We considered the leadership lessons to be learned from corporate scandals as diverse as the fraudulent account scandal at Wells Fargo, which has uncovered many other types of unethical, if not illegal conduct; the ongoing revelations on Uber, which all began with one blog post, by ex-employee Susan Fowler; right up to the ghost jet scandal at GE. We considered the failures in each area and how the companies are beginning to dig out, both reputationally and financially.

One of our most well-received series was focusing on leadership lessons from US Presidents. From an ad-hoc start with Lincoln and Jefferson, several listeners asked if we could continue this exploration so we have committed to working our way through the pantheon of US Presidents. This year we made it up to Martin Van Buren. We have focused on their leadership as Presidents. Each man has brought lessons which are still relevant today. We both enjoyed learning or relearning about Presidents largely out of the public eye and for me, it was James Monroe.

Our movie series during the month of Oscar was a ton of fun. We both had the opportunity to revisit some great classic movies such as Mutiny on the Bounty, Patton and All the King’s Men. We will definitely put on another month of Oscars series of podcasts in 2018. We also explored more somber texts such as Hue 1968, which looked at the Battle of Hue in the context of the 1968 Tet Offensive and the turning point of the Vietnam War and how the leadership lessons still resonate for the business leader today.

We hope you have enjoyed our offerings on business leadership and will join us again in 2018.

Dec 27, 2017

One of the more confusing areas of the FCPA is that of facilitation payments. Facilitation payments are small bribes, but make no mistake about it, they are bribes. For that reason, many companies feel they are inconsistent with a company culture of doing business ethically and in compliance with laws prohibiting corruption and bribery. Further, the 2012 FCPA Guidance specifies, “while the payment may qualify as an exception to the FCPA’s anti-bribery provisions, it may violate other laws, both in Foreign Country and elsewhere. In addition, if the payment is not accurately recorded, it could violate the FCPA’s books and records provision.” Finally, the 2012 FCPA Guidance states, “Whether a payment falls within the exception is not dependent on the size of the payment, though size can be telling, as a large payment is more suggestive of corrupt intent to influence a non-routine governmental action. But, like the FCPA’s anti-bribery provisions more generally, the facilitating payments exception focuses on the purpose of the payment rather than its value.” [emphasis in original text]

In addition to these clear statements about whether the FCPA should continue to allow said bribes, you should also consider the administrative nightmare for any international company. The UK Bribery Act does not have any such exception, exemption or defense along the lines of the FCPA facilitation payment exception. This means that even if your company allows facilitation payments, it must exempt every UK company or subsidiary from the policy. Further, if your company employs any UK citizens, they are subject to the UK Bribery Act no matter who they work for and where they may work in the world, so they must also be exempted. Finally, if your US company does business with a UK or other company subject to the UK Bribery Act, you may be prevented contractually from making facilitation payments while working under that customer’s contract. As I said, an administrative nightmare.

Interestingly, one of the clearest statements about facilitation payments comes not from a FCPA case about facilitation payments but from the case of Kay v. Rice, 359 F.3d 738, 750-51 (5th Cir. 2004). This case dealt with whether payment of bribes to obtain a favorable tax ruling was prohibited under the FCPA. In its opinion, the Fifth Circuit commented on the limited nature of the facilitating payments exception when it said:

A brief review of the types of routine governmental actions enumerated by Congress shows how limited Congress wanted to make the grease exceptions. Routine governmental action, for instance, includes “obtaining permits, licenses, or other official documents to qualify a person to do business in a foreign country,” and “scheduling inspections associated with contract performance or inspections related to transit of goods across country.” Therefore, routine governmental action does not include the issuance of every official document or every inspection, but only (1) documentation that qualifies a party to do business and (2) scheduling an inspection—very narrow categories of largely non-discretionary, ministerial activities performed by mid- or low-level foreign functionaries.

Enforcement Actions

The FCPA landscape is littered with companies who sustained FCPA violations due to payments which did not fall into the facilitation payment exception. In 2008, Con-way Inc., a global freight forwarder, paid a $300,000 penalty for making hundreds of relatively small payments to customs officials in the Philippines. The payments Con-way was fined for making totaled $244,000; they were made to induce the officials to violate customs regulations, settle customs disputes, and reduce or not enforce otherwise legitimate fines for administrative violations.

Helmerich and Payne

In 2009, Helmerich and Payne, Inc., paid a penalty and disgorgement fee of $1.3 million for payments which were made to secure customs clearances in Argentina and Venezuela. The payments ranged from $2,000 to $5,000 but were not properly recorded and were made to import/export goods that were not within the respective country’s regulations; to import goods that could not lawfully be imported; and to evade higher duties and taxes on the goods.

Finally, there is the Panalpina enforcement action. This matter was partly resolved with the payment by Panalpina and six of its customers of over $257 million in fines and penalties. Panalpina, acting as freight forwarder for its customers, made payments to circumvent import laws, reduce customs duties and tax assessments and to obtain preferential treatment for importing certain equipment into various countries but primarily in West Africa.

Three Key Takeaways

  1. Do not forget the administrative nightmare of facilitation payments for international organizations.
  2. The Kay decision made clear how narrow the ‘routine government action’ exception is.
  3. Facilitation payments will usually be an add-on as they are symptomatic of an ineffective, paper compliance program.

This month’s sponsor is the Doing Compliance Master Class. In 2018 I am partnering with Jonathan Marks and Marcum LLC to put on training. Look for dates for one of the top compliance-related training programs going forward.

Dec 22, 2017

Jay and I return for a wide-ranging discussion on some of the top compliance and ethics related stories of the week, including:

  1. A former Embraer employee cops a guilty plea for his role in bribery in Saudi Arabia. Dick Cassin reports in the FCPA Blog.
  2. A host of luminaries pen an article entitled, “Oral Downloads of Interview Memoranda to Government Regulators Waive Work Product Protection” on NYU’s Compliance and Enforcement Blog. This is scary stuff if you care about privilege.
  3. An Italian judge orders ENI and Shell to a criminal trial for their alleged role in a massive bribery scandal in Nigeria over payment to obtain concession rights. Scott Tong reports in NPR’s Marketplace.
  4. The German company Bilfinger seeks a comeback after a disastrous bribery and corruption scandal and sustaining a FCPA violation. Henry Cutter reports in the WSJ Risk and Compliance Journal.
  5. Sam Rubenfeld explains that compliance with the Magnitsky Act is easy in the WSJ Risk and Compliance Journal.
  6. George “Ren” McEachern, with the FBI’s international corruption unit, will retire and become a managing director at Exiger. Sam Rubenfeld reports in the WSJ Risk and Compliance Journal.
  7. The former heads of the Paraguayan and Brazilian soccer associations are found guilty of racketeering conspiracy and other charges. Zachary Zagger and Sindhu Sundar report in Law360 (sub req’d).
  8. Jay Rosen previews the Jay Rosen Weekend Report, What's in a Number and Are You More than Just a Link Collector?
  9. Join Tom’s monthly podcast series on One Month to a More Effective Compliance Program. In December, I conclude my discussion of written standards in a best practices compliance program. It is available on the FCPA Compliance Report, iTunes, Libsyn, YouTube and JDSupra.
  10. Mike Volkov has published a new eBook, Pointing the Finger — How Corporate Boards Are Dodging Accountability and What CCOs Can Do About It. It was published by Corporate Compliance Insights and is available here.
  11. Check out May the Podcast Be With You-the intersection of Star Wars and Compliance. The five-part series premiered on December 11. Episode 1-what is risk?, Episode 2-due diligence, Episode 3-effective training, Episode 4-disruption in compliance and Episode 5-myth of the rogue employee. The series is sponsored by Affiliated Monitors.

Dec 22, 2017

Welcome to Part V, our final entry in this five-part podcast series Jay Rosen and I produced in honor of the latest Star Wars movie, The Last Jedi. Each day over this week, Jay and I reviewed a Star Wars movie and discussed it from the compliance perspective. In this final entry, we consider Rogue One and the myth of the rogue employee.

Today we consider the only stand-alone entry in the Star Wars series, Rogue One. This movie tells the tale of the spies who stole the schematics for the original Death Star and transmitted them to Princess Leia and thereby the Rebel Alliance. Rogue One is the first film in the Star Wars Anthology series, a series of stand-alone spin-off films in the Star Wars franchise. It is not clear where the name of the movie came from; my personal nomination is that in the attack led by Luke on the original Death Star, his squadron was Rogue Two, so the movie title is a tribute to those Rebel Alliance X-wing fighters and their pilots.

As long as 24 years ago, Lynn S. Paine wrote about the myth of the rogue employee in the Harvard Business Review (HBR), in an article entitled “Managing for Organizational Integrity.” In this article she wrote, “executives are quick to describe any wrongdoing as an isolated incident, the work of a rogue employee. The thought that the company could bear any responsibility for an individual’s misdeeds never enters their minds. Ethics, after all, has nothing to do with management. In fact, ethics has everything to do with management.” How prescient she was in her article.

For it is management who sets the tone throughout the organization, whether that is something along the lines of a wink and a nod towards ethics and compliance or the more ubiquitous “miss your numbers for two quarters and you will be history.” Paine noted, “More typically, unethical business practice involves the tacit, if not explicit, cooperation of others and reflects the values, attitudes, beliefs, language, and behavioral patterns that define an organization’s operating culture. Ethics, then, is as much an organizational as a personal issue.”

However, a company’s responsibility is more than simply to set the right tone then sit back and do nothing. The drafters of the Foreign Corrupt Practices Act (FCPA) recognized this when they included the requirement for internal controls to be included in the law. For, as Paine said, “Managers who fail to provide proper leadership and to institute systems that facilitate ethical conduct share responsibility with those who conceive, execute, and knowingly benefit from corporate misdeeds.”

Yet the myth of the rogue employee is more than a simple myth. It is also a dangerous myth. It is dangerous because it excuses negligent or intentional corporate behavior. Mike Volkov, in a blog post entitled “The Myth of the Rogue Employee,” noted that illegal conduct such as that under the FCPA does not occur “in a vacuum.” He explained, “There are other employees with whom the person interacts, there are financial controls in place to protect against such misconduct, there are reporting mechanisms for employees to report suspicious activity, and there is likely to be someone in the organization who is close enough to the bad actor, or responsible for the conduct of the bad actor, and who suspected or should have suspected that the actor was engaged in misconduct.” Moreover, the more sophisticated the scheme, the more actors are involved and the more controls are overridden or disregarded. As he explained, “As the misconduct becomes more complicated, like in the case of bribery or antitrust violations, where such schemes require additional actors or raise red flags or where others are in a position to know or suspect that misconduct may have occurred.”

The three basic tenets of a best practices compliance program are to prevent, detect and remedy. By claiming employees who engage in bribery and corruption have ‘gone rogue’, companies are attempting to divest themselves of responsibility for actions from which they benefit, particularly if the bribery and corruption generated business sales and revenue.

We hope you have enjoyed our five-part podcast series on the intersection of Star Wars and compliance as much as we enjoyed producing it. Always remember the storytelling component of compliance. Reciting rules, regulations, policies and procedures is the way to engage effectively in compliance.

May the podcast be with you this holiday season.

Dec 22, 2017

The original version of the FCPA, enacted in 1977, contained an exception for payments made to non-US officials who performed duties that were “essentially ministerial or clerical”. In 1988 Congress responded by amending the FCPA under the Omnibus Trade and Competitiveness Act to clarify the scope of the FCPA’s prohibitions on bribery, including the scope of permitted facilitation payments. An expanded definition of “routine governmental action” was included in the final version of the bill, reflecting the intent of Congress that the exceptions apply only to the performance of duties listed in the subcategories of the statute and actions of a similar nature. Congress also meant to make clear that “ordinarily and commonly performed actions”, with respect to permits or licenses, would not include those governmental approvals involving an exercise of discretion by a government official where the actions are the functional equivalent of “obtaining or retaining business for, or with, or directing business to, any person”.

The FCPA contains an explicit exception to the bribery prohibition for any “facilitation or expediting payment to a foreign official, political party, or party official for the purpose of which is to expedite or to secure the performance of a routine governmental action by a foreign official, political party, or party official”. “Routine government action” does not include any decision by a public official to award new business or continue existing business with a particular party. The statute lists examples of what is considered a “routine governmental action” including:

  • obtaining permits, licenses, or other official documents to qualify a person to do business in a country;
  • processing government papers, such as visas or work orders;
  • providing police protection, mail pick-up and delivery, or scheduling inspections associated with contract performance or transit of goods across country;
  • providing phone service, power and water supply, loading and unloading cargo, or protecting perishable products from deterioration; and
  • actions of a similar nature.

There is no monetary threshold for determining when a payment crosses the line between a facilitation payment and a bribe. The accounting provisions of the FCPA require that facilitation payments be accurately reflected in an issuer’s books and records, even if the payment itself is permissible under the anti-bribery provisions of the law.

Risks associated with relying on the “facilitation payments” exception

Facilitation payments carry legal risks even if they are permitted under the anti-bribery laws of a particular country. In the US, enforcement agencies have taken a narrow view of the exception and have successfully prosecuted FCPA violations stemming from payments that could arguably be considered permissible facilitation payments. Violations of the accounting and recordkeeping provisions of the FCPA are also more likely when a company makes facilitation payments. Abroad, countries are increasingly enforcing domestic bribery laws that prohibit such payments. Companies that allow facilitation payments face a slippery slope in educating their employees on the nuances of permissible payments in order to avoid prosecution for prohibited bribes.

1. US enforcement authorities construe the exception narrowly

Other than as discussed above, there is no definitive guidance on the circumstances in which the facilitation payments exception applies. There may be less risk of enforcement by US authorities in cases involving bona fide facilitation payments that are made specifically for one of the purposes enumerated in the FCPA. However, companies still face the risk of at least facing a governmental inquiry to explain the circumstances surrounding the payments, possibly resulting in penalties based on an unanticipated restrictive interpretation of the exception. As noted by the FCPA Professor, the recent Noble Non-Prosecution Agreement stated that the payments made by Noble’s Nigerian customs agent, Panalpina, to facilitate the importation of its rigs into Nigeria did “not constitute facilitation payments for routine governmental actions within the meaning of the FCPA.”

2. Potential non-compliance with the FCPA’s accounting and record-keeping provisions

While the anti-bribery provisions of the FCPA permit facilitation payments, the accounting and recordkeeping provisions of the law nevertheless require companies making such payments to accurately record them in their books and records. Companies or individuals may be reluctant to properly record such payments, as it shows some semblance of impropriety and effectively creates a permanent record of a violation of local law. However, failure to properly record such expenditures may result in prosecution by the Securities and Exchange Commission (SEC) even if the underlying payments themselves are permissible. One example of prosecution resulting from the misreporting of seemingly permissible facilitation payments involves Triton Energy Corporation, which settled an investigation by the SEC involving multiple alleged FCPA violations, including the misrecording of facilitation payments. An Indonesian subsidiary of the company had been making monthly payments, of approximately $1,000, to low-level employees of a state-owned oil company in order to assure the timely processing of monthly crude oil revenues. The SEC did not charge that these payments violated the anti-bribery provisions of the FCPA; however, these payments were misrecorded in corporate books and therefore violated the FCPA’s accounting and recordkeeping provisions. Triton Energy consented to an injunction against future violations of the FCPA and was fined $300,000.

3. Increased enforcement of non-US laws that do not recognize an exception for facilitation payments

While the FCPA and certain other national anti-bribery laws contain exceptions for facilitation payments, such payments typically are considered illegal in the country in which they are made; there is not any country in which facilitation payments to public officials of that country are permitted under the written law of the recipient’s country. Accordingly, even if a particular facilitation payment qualifies for an exception under the FCPA, it nevertheless is likely to constitute a violation of local law – as well as of the anti-bribery laws of other countries that also might apply simultaneously – and thus exposes the payer, his employer and/or related parties to prosecution in one or more jurisdictions. While enforcement to date in this area has been limited, increased global attention to corruption makes future action more likely. Countries that are eager to be seen as combating corruption are prosecuting the payment of small bribes with greater frequency.

4. Corporate approaches to facilitation payments may exceed the legitimate scope and applicability of the exception

Businesses still struggle with how to address the facilitation payments exception in their compliance policy and procedures, if the subject is covered at all. Businesses should be wary of allowing employees to decide on their own whether a particular payment is permissible. Unless such payments are barred completely or each payment is subject to pre-approval (which in many cases would be unrealistic, e.g., at passport control), there is always the risk that an employee, agent or other person whose actions may be attributed to the company will make a payment in reliance on the exception when in fact the exception does not apply. In addition, the temptation to improperly record otherwise permissible facilitation payments has been discussed above.

Three Key Takeaways

  1. Many companies still struggle with facilitation payments.
  2. What are the five listed purposes for facilitation payments?
  3. The facilitation payment exception is narrowly construed by both the courts and the Justice Department.

Why are facilitation payments so problematic?

This month’s sponsor is the Doing Compliance Master Class. In 2018 I am partnering with Jonathan Marks and Marcum LLC to put on training. Look for dates for one of the top compliance-related training programs going forward.

Dec 21, 2017

Welcome to Day 4 of the five-day podcast series Jay Rosen and I are producing in honor of the latest Star Wars movie, The Last Jedi. Each day over this week, Jay and I will review a Star Wars movie and discuss it from the compliance perspective. Today, we consider Episode VII, The Force Awakens, and disruption in compliance.

The full series schedule is:

Monday, December 18, Part I: Episode IV, A New Hope, and risk.

Tuesday, December 19, Part II: Episode V, The Empire Strikes Back, and due diligence.

Wednesday, December 20, Part III: Episode VI, Return of the Jedi, and effective training.

Thursday, December 21, Part IV: Episode VII, The Force Awakens, and disruptive innovation in compliance.

Friday, December 22, Part V: Rogue One and the myth of the rogue employee.

Today I consider the first ‘new’ Star Wars movie entry, Episode VII – The Force Awakens. I say it is a new Star Wars movie as it was the first one not created by Lucasfilm, as George Lucas had sold his company to Disney, which produced the 2016 entry into the Star Wars oeuvre. It was directed by JJ Abrams and told the story of the Star Wars universe some 30 years after the destruction of the last Death Star. It is this disruptive nature of the Star Wars franchise that I will focus on today as it relates to disruptive innovation in compliance.

The film introduced several new characters: Rey, Finn and Poe Dameron, Kylo Ren and the First Order, a successor to the Galactic Empire. The film was largely one giant search for Luke Skywalker, who had gone into isolation after his failure to re-establish the Jedi order. In addition to introducing the new characters, we are reunited with Han, Chewbacca and Princess Leia, who is now General Leia Organa. The First Order has developed a new weapon, Starkiller, a deliciously worthy successor to the Death Star; the Rebel Alliance majorly disrupts the weapon and the First Order by destroying it in the film’s climactic battle.

One of the key things the Department of Justice (DOJ) has communicated over the past few months is the importance of doing compliance rather than having a paper compliance program in place. In releasing the new Foreign Corrupt Practices Act (FCPA) Corporate Enforcement Policy, the DOJ emphasized the clear delineation of factors they will consider in determining if a company has an operationalized best practices compliance program in place in the context of a FCPA enforcement action. All of this has required disruptive innovation in compliance beyond the simple paper compliance program which until recently was seen as the norm.

Compliance is a process. Compliance programs should evolve as business risks change. Just as disruptive innovation tends to focus on process, your compliance program should focus on your overall business process to be successful.

Compliance 3.0 is very different from compliance programs of the past decade. Compliance is moving from a solutions shop where all compliance functions are centered in the legal or compliance department to a process function where the front-line business team can use technology and other tools to operationalize compliance. The 2017 Evaluation of Corporate Compliance Programs focused on how well a company operationalizes compliance into the business functions. The authors point to new business models as disruptive and I think this concept translates into how compliance can be burned into the DNA of an organization rather than simply sitting in the corporate office in the US.

Not all disruptive innovations succeed, as disruption is only one step in both the creative and growth process. The key concept is what former SCCE President Roy Snell says are the three goals of any compliance program: to prevent, find and fix issues. This is how compliance differs from legal: legal’s job is to protect the company, while compliance’s mission is to monitor, obtain the data and then use the data as a feedback loop back into the company.

As many compliance practitioners are lawyers, we are naturally reluctant to embrace such change; however, I think the pronouncements of the DOJ throughout the year have made even clearer the need for continued evolution of anti-corruption compliance going forward. In The Force Awakens, there were numerous disruptions. We saw the death of one of the most beloved characters in the series, Han Solo, the growing awareness by Rey of her powers and the return of Luke Skywalker. It totally disrupted the First Order and destroyed its most lethal weapon.

Join us tomorrow where we consider Rogue One and the myth of the rogue employee.

May the podcast be with you this holiday season.

Dec 21, 2017

The FCPA states, “The FCPA’s anti-bribery provisions apply to corrupt payments made to (1) “any foreign official”; (2) “any foreign political party or official thereof”; (3) “any candidate for foreign political office”; or (4) any person, while knowing that all or a portion of the payment will be offered, given, or promised to an individual falling within one of these three categories. Although the statute distinguishes between a “foreign official,” “foreign political party or official thereof,” and “candidate for foreign political office,” the term “foreign official” in this guide generally refers to an individual falling within any of these three categories.”

Government policies affect the commercial environment. A company is subject to legislation and regulation that affects how it conducts its business and generates value for its investors. Participating in the political process is part of a business strategy to protect a company’s interests.

Most international businesses have a strategy to engage in the political process with a view to the long-term interests of the company and to promote and protect its interests. All political contributions and expenditures on behalf of the Company, and management reports on these political contributions and expenditures, should be reported to the Board of Directors annually. No political contributions may be made or promised unless written pre-approval has been obtained from the corporate compliance function.

The factors that influence which candidates merit political donations include:

  • Candidate support for key company business and public policy priorities;
  • Candidate voting record and leadership position;
  • Candidate commitment to company’s industry growth, and ability to positively impact its goals; and
  • Company assets or employees in a region or state represented by the candidate.

All political contributions should be made in accordance with all applicable laws and regulations and disclosed as required by law. Any requests for contributions to a political candidate, committee, or party must be addressed to the corporate compliance function and must include an analysis of the four factors above, as well as business justification for the request to support the particular candidate, committee, or party. 

Additionally, no Company funds or other assets may be used for political contributions outside the U.S., unless expressly approved in writing by Government Affairs. A Company employee seeking approval for political contributions outside the U.S. must present Government Affairs, in writing, with all relevant information to allow for a thorough and careful analysis. The information required by the compliance function should include:

  • The name of the candidate, committee, or political party;
  • The government agency(ies) with which the candidate is or has been affiliated (e.g., has the candidate served with the Ministry of Interior and in what period of time);
  • The candidate’s position on key issues that affect Company’s business (e.g., human rights, equality, labor laws, unionization, taxes, foreign investment, etc.);
  • The candidate’s voting record on the issues affecting the Company;
  • Whether Company does business with the government entity with which the candidate is seeking a position and the amount of such business in the preceding 24 months;
  • Any pending or recently awarded contracts with the government entity with which the candidate is affiliated or is seeking a position;
  • Any pending or recently awarded contracts overseen or managed by the committee, party, or political entity for which the political contribution is sought; and
  • The business justification for making the political contribution.

Your company policy should prohibit politically exposed persons (PEPs) from exerting pressure or undue influence over your employees, agents, consultants, or representatives to make personal political contributions.

Your policy should prohibit use of your company’s resources or assets, including work time, to support candidates or campaigns personally. In the course of employment, PEPs should be prohibited from engaging in any activity on a company’s behalf that is intended to influence legislation, rulemaking, or governmental policy or engage lobbyists or others to do so, without pre-authorization of the corporate compliance function.

Political contributions shall not be used to disguise a payment that is prohibited by a company’s Code of Conduct, Anti-Corruption Policy, or other policies or procedures. If your company’s policies prohibit the payment in another form, it should not be made under the guise of a political contribution. No employee should utilize third parties or their own personal funds to make a payment that cannot be made under a company’s policies and procedures.

Any exceptions to this policy should only be approved by the CCO, Compliance Oversight Committee or Board of Directors.

Three Key Takeaways

  1. Political candidates are covered by the FCPA.
  2. What is the business purpose for the contribution?
  3. Do not make contributions towards candidates who can award your company business.

This month’s sponsor is the Doing Compliance Master Class. In 2018, I am partnering with Jonathan Marks and Marcum LLC to put on training. Look for dates for one of the top compliance-related training programs going forward.

Dec 21, 2017

In Part I of a two-part series, the top compliance roundtable podcast is back with a review of the Justice Department’s new FCPA Corporate Enforcement Policy.

  1. Mike Volkov sets the stage with background on this new DOJ policy regarding FCPA enforcement going forward, considering what this means from the DOJ/prosecutorial perspective. He explores why the DOJ would start with a presumption of a declination when there is arguably a criminal violation. What does this new Policy mean for SEC enforcement? Does this extend any of the concepts we saw as far back as the Yates Memo?

For Mike Volkov’s post on the new FCPA Corporate Enforcement Policy, see the following: 

Five Key Takeaways from DOJ’s New FCPA Corporate Enforcement Policy 

  2. Matt Kelly considers how the Justice Department might prosecute a case (1) where the company doesn’t meet all the FCPA Program criteria, and (2) how vigorously prosecutors will evaluate a company’s compliance program as part of its investigation. Is this Policy something new or more in the line of a continuation/clarification? Does this new Policy create a real incentive or not for companies to self-disclose? Finally, does this create a true partnership between the DOJ and business to fight bribery and corruption?

For Matt Kelly’s post on the new FCPA Corporate Enforcement Policy, see the following: 

DOJ Expands FCPA Pilot Program 

The gang is back with rants which follow the discussions. 

The members of the Everything Compliance panel include:

  • Jay Rosen – Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at
  • Mike Volkov – One of the top FCPA commentators and practitioners around and the Chief Executive Officer of The Volkov Law Group, LLC. Volkov can be reached at
  • Matt Kelly – Founder and CEO of Radical Compliance, is the former Editor of Compliance Week. Kelly can be reached at
  • Jonathan Armstrong – Rounding out the panel is our UK colleague, who is an experienced lawyer with Cordery in London. Armstrong can be reached at

Dec 20, 2017

What should your compliance policy and procedures on charitable donations look like? What should you prohibit or even caution against? The starting point is the 2012 FCPA Guidance regarding charitable donations. Your policy should begin by asking the following five initial questions:

  • What is the purpose of the donation?
  • Is the payment consistent with the company’s internal guidelines on charitable giving?
  • Is the payment at the request of a foreign official?
  • Is a foreign official associated with the charity and, if so, can the foreign official make decisions regarding your business in that country?
  • Is the payment conditioned upon receiving business or other benefits?

There are additional inquiries based upon the DOJ Opinion Releases issued regarding charitable donations. Some of the protections a company can put in place to comply with the FCPA regarding charitable donations are as follows:

  • Will the donation recipients certify that they or the entity will comply with the requirements of the FCPA?
  • Will the recipient provide audited financial statements?
  • Will the recipient restrict the use of the donated funds to humanitarian or charitable purposes only?
  • Will the funds be transferred to a valid bank account?
  • Will the recipients allow ongoing auditing and monitoring of the efficacy of the charitable donation program?

Based upon the Schering-Plough and Lilly SEC enforcement actions, there are some additional inquiries that should be specified:

  1. What was the timing of the charitable donation or promise to make a donation in relation to the obtaining or retaining of business?
  2. Did the company follow its normal protocol for requesting, reviewing and making a charitable donation or is there a pattern of unusual donations outside the protocol?
  3. Did any one person make multiple donations just below their authority level so that it did not have to go up the line for review?
  4. Was the total amount donated to one charitable foundation out of proportion to the rest of the country or region’s charitable donation budget?
  5. Did the sales in one area, region or country spike after a pattern of charitable donations?

The information on the red flags from the prior Opinion Releases and the best practices, as set out in the 2012 FCPA Guidance, have been available for some time. From the Schering-Plough and Lilly enforcement actions, your policy should consider the timing of charitable donations to see if they are at or near the time of the awarding of new or continued business. Finally, in managing the relationship, you now need to look at overall increases in sales to determine if they are tied to a pattern of charitable donations. By looking at the timing and quantum of charitable donations, internal audit may be able to ascertain that a spike in sales is tied to corrupt conduct.
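As an added example, not from the podcast or from either enforcement action, the Python below runs inquiries 1, 3, 4 and 5 above as audit screens over constructed donation, award and sales records. The approval limits, time windows and thresholds are assumptions a company would set from its own policy, and every record is made up for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data: approvers, recipients, regions and amounts are hypothetical
# and do not come from any enforcement action.
APPROVAL_LIMITS = {"mgr_a": 10_000, "mgr_b": 10_000}  # per-person authority level

# (donation_id, approver, recipient, region, amount, date)
DONATIONS = [
    ("D1", "mgr_a", "Castle Foundation", "Region-S", 9_800, date(2017, 3, 2)),
    ("D2", "mgr_a", "Castle Foundation", "Region-S", 9_900, date(2017, 3, 20)),
    ("D3", "mgr_a", "Castle Foundation", "Region-S", 9_700, date(2017, 4, 11)),
    ("D4", "mgr_b", "Children's Hospice", "Region-N", 4_000, date(2017, 5, 5)),
]

# (region, date) of purchase decisions or contract awards in the company's favour
AWARDS = [("Region-S", date(2017, 4, 13))]

# Regional charitable budgets and quarterly product sales, oldest quarter first
BUDGETS = {"Region-S": 40_000, "Region-N": 40_000}
SALES = {
    "Region-S": [100_000, 105_000, 190_000, 210_000],
    "Region-N": [100_000, 102_000, 99_000, 101_000],
}


def donations_near_awards(donations, awards, window_days=30):
    """Inquiry 1: donations made within window_days of an award in the same region."""
    hits = []
    for did, _, _, region, _, when in donations:
        for a_region, a_date in awards:
            if region == a_region and abs((when - a_date).days) <= window_days:
                hits.append((did, a_date.isoformat()))
    return hits


def structured_below_limit(donations, limits, window_days=90, margin=0.10, min_count=2):
    """Inquiry 3: one approver making several donations just under their authority
    level inside a rolling window, so that none of them goes up the line for review."""
    near_limit = defaultdict(list)
    for did, approver, _, _, amount, when in donations:
        limit = limits.get(approver)
        if limit and limit * (1 - margin) <= amount <= limit:
            near_limit[approver].append((when, did))
    flagged = {}
    for approver, items in near_limit.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            run = [did for when, did in items[i:] if when - start <= timedelta(days=window_days)]
            if len(run) >= min_count:
                flagged[approver] = run
                break
    return flagged


def concentrated_recipients(donations, budgets, threshold=0.40):
    """Inquiry 4: share of a region's charitable budget that went to a single recipient."""
    totals = defaultdict(float)
    for _, _, recipient, region, amount, _ in donations:
        totals[(region, recipient)] += amount
    shares = {key: total / budgets[key[0]] for key, total in totals.items()}
    return {key: share for key, share in shares.items() if share >= threshold}


def sales_spike_after_donations(donations, sales, factor=1.5, min_donations=2):
    """Inquiry 5: in regions with a pattern of donations, compare peak sales in the
    later quarters with the first-half baseline (the half split is this example's assumption)."""
    counts = defaultdict(int)
    for _, _, _, region, _, _ in donations:
        counts[region] += 1
    flagged = {}
    for region, n in counts.items():
        if n < min_donations:
            continue
        series = sales[region]
        half = len(series) // 2
        baseline = sum(series[:half]) / half
        ratio = max(series[half:]) / baseline
        if ratio >= factor:
            flagged[region] = round(ratio, 2)
    return flagged


def run_screens(donations=DONATIONS):
    """Run every screen and return the findings for internal audit review."""
    return {
        "near_award": donations_near_awards(donations, AWARDS),
        "structured": structured_below_limit(donations, APPROVAL_LIMITS),
        "concentration": concentrated_recipients(donations, BUDGETS),
        "sales_spike": sales_spike_after_donations(donations, SALES),
    }


if __name__ == "__main__":
    for screen, finding in run_screens().items():
        print(f"{screen}: {finding}")
```

Each screen returns the records it flagged so that internal audit can follow up on the underlying paperwork rather than on a score.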

Three Key Takeaways

  1. What are the basic inquiries to make around charitable donations?
  2. Use all of the communication tools the DOJ has provided: written guidance, enforcement actions and Opinion Releases, to inform your charitable donation policy.
  3. Document, Document, Document the basis of your charitable donations risk assessment.

This month’s sponsor is the Doing Compliance Master Class. In 2018, I am partnering with Jonathan Marks and Marcum LLC to put on training. Look for dates for one of the top compliance-related training programs going forward.

Dec 20, 2017

In this episode, Matt Kelly and I take a deep dive into a report from the Financial Stability Oversight Council on the cybersecurity risk of third-party technology providers in the financial industry. We discuss some of the specific risks and recommendations laid out in the report. We use this as a jumping-off point to explore how such issues are becoming more and more the purview of the compliance practitioner. Some of the solutions Matt discusses are directly in the wheelhouse of the compliance professional. Finally, we note the potential for more regulatory scrutiny from both the SEC and PCAOB going forward into 2018.

For additional information on this topic, see some of Matt’s writings in this area:

Feds Eye Cybersecurity Risks of Tech Providers

The Fine Art of Scoping a SOC 2 Audit

NIST Standards and Why They Matter

Dec 20, 2017

Welcome to Day 3 of the five-day podcast series Jay Rosen and I are producing in honor of the latest Star Wars movie, The Last Jedi. Each day this week, Jay and I will review a Star Wars movie and discuss it from the compliance perspective. Today, we consider Episode VI, Return of the Jedi, and effective training.

The full series schedule is:

Monday, December 18, Part I: Episode IV, A New Hope, and risk.

Tuesday, December 19, Part II: Episode V, The Empire Strikes Back, and due diligence.

Wednesday, December 20, Part III: Episode VI, Return of the Jedi, and effective training.

Thursday, December 21, Part IV: Episode VII, The Force Awakens, and disruptive innovation in compliance.

Friday, December 22, Part V: Rogue One and the myth of the rogue employee.

In this final movie from the original three, the good guys win in the end after overcoming incredible odds. Many fans and critics panned it for including the incredibly cute and furry Ewoks on the moon named Endor as part of the storyline. Many thought one very tall Wookiee was enough cuteness for the series. This movie’s big reveal was that Luke and Princess Leia were twins and that she was now free to unabashedly pursue bad boy Han Solo. While Episode VI was the lowest-grossing film of the original three, coming in at only $572MM worldwide, it was still a great ride and visually stunning. George Lucas’ in-house effects shop, Industrial Light & Magic (ILM), certainly earned its title for the special effects in the movie. The Sarlacc battle sequence was great, the speeder bike chase on the Endor moon was way cool and the space battle between Rebel and Imperial pilots was a great ride.

I have adapted an approach from Joel Smith on his Inhouse Owl website to help determine compliance training effectiveness.

1. What you want to measure. Before you ever train an employee, you should have a goal in mind. What actions do you want employees to take? What risks do you want them to avoid? In compliance, you want them to avoid non-ethical and non-compliant actions that would lead to compliance violations. The goal is to train employees to follow your Code of Conduct and your compliance program policies and procedures so you avoid liability related to those actions.

2. What is employee engagement? The next step is to get a sense of whether employees feel that the training you provided is relevant and targeted to their job. If it’s not targeted, employees will likely not be committed to changing risky behavior. You can get data on employee engagement through a quick post-training survey, which will help you isolate and qualify the training benefit.

3. Did employees actually learn anything? A critical part of any employee training is the assessment. If you want to understand the “benefit” of training employees, you must know whether they actually learned anything during training. You can collect this data in a number of ways, but for compliance training, the best way is to measure pre- and post-training understanding over time. Basically, each time you train an employee, measure comprehension both before and after training.

4. Are employees applying your training? You need to determine whether employees are applying and implementing the training topics. To do so, conduct employee surveys to understand whether they have ceased engaging in certain risky behaviors or, better yet, understand how to conduct themselves in certain risky situations. These surveys can provide a good sense of whether the training has been effective.

Join us tomorrow where we consider The Force Awakens and disruptive innovation in compliance.

May the podcast be with you this holiday season.

Dec 19, 2017

Welcome to Day 2 of a five-day podcast series Jay Rosen and I are producing in honor of the latest Star Wars movie, The Last Jedi. Each day this week, Jay and I will review a Star Wars movie and discuss it from the compliance perspective. Today, we consider Episode V, The Empire Strikes Back, and due diligence.

The full series schedule is:

Monday, December 18, Part I: Episode IV, A New Hope, and risk.

Tuesday, December 19, Part II: Episode V, The Empire Strikes Back, and due diligence.

Wednesday, December 20, Part III: Episode VI, Return of the Jedi, and effective training.

Thursday, December 21, Part IV: Episode VII, The Force Awakens, and disruptive innovation in compliance.

Friday, December 22, Part V: Rogue One and the myth of the rogue employee.

This movie is my personal favorite of the initial trilogy. During the climactic battle between Luke Skywalker and Darth Vader, there is the BIG REVEAL where Vader utters the immortal line, “I AM YOUR FATHER”. This brings us to knowing who you are doing business with under the Foreign Corrupt Practices Act or UK Bribery Act. I once heard a company President say he did not need to perform due diligence because he looked a man in the eyes and that was enough to know if he was honest. (I should add, this company President also evaluated the strength of a handshake as an additional level of due diligence.) Hopefully we have moved past this level of sophistication in due diligence and its evaluation.

There are three levels of due diligence and you must determine which is appropriate for the entity or person you are investigating. If a red flag appears, it must be cleared or a risk management strategy articulated to allow moving forward.

Level I

First level due diligence typically consists of checking individual names and company names through several hundred Global Watch lists comprised of anti-money laundering (AML), anti-bribery and sanctions lists, coupled with other financial corruption and criminal databases. Level I due diligence addresses such basic issues as whether the third party actually exists, the identities of management, officers, directors and shareholders and whether such persons are on regulators’ watch lists. It can also provide some basic information on whether there are politically exposed persons (PEPs) involved in the third party. Finally, it can surface any media reports linking the company to corruption.

Level II

Level II due diligence encompasses supplementing Level I due diligence with a deeper screening of international media, typically the major newspapers and periodicals from all countries, plus detailed Internet searches. Such inquiries will often reveal other forms of corruption-related information and may expose undisclosed or hidden information about the company, the third party’s key executives and associated parties. Level II can give you information on adverse litigation, any bankruptcy proceedings and overt signs of financial difficulty. More generally, it will also provide local online information such as corporate filings, regulatory filings, lawsuits and locally archived materials. You will also be able to determine if there were any in-country investigations or sanctions from regulatory entities.

Level III

This level is the deep dive. It will require an in-country ‘boots-on-the-ground’ investigation and is designed to supply your company with a comprehensive analysis of all available public records data, supplemented with detailed field intelligence to identify known and, more importantly, unknown conditions. Seasoned investigators who know the local language and are familiar with local politics bring an extra layer of depth to an in-country investigation.

Now imagine if Luke had performed a more robust level of due diligence on Darth Vader. Would he have been able to find out Darth Vader was his father? Perhaps not, but then again, we might not have heard that seminal line “I AM YOUR FATHER”.

Join us tomorrow where we consider Return of the Jedi and effective training.

May the podcast be with you this holiday season.

Dec 19, 2017

In this episode, Richard Lummis and I consider the recent revelations about the saga of two corporate jets during the tenure of GE’s former Chief Executive Officer, Jeff Immelt. Immelt had an empty plane fly behind his jet on corporate trips. This ghost plane tracked Immelt’s jet and was designed to be available if there was a mechanical issue, which presumably could not be fixed sufficiently in time for the CEO’s busy travel schedule. There are several lessons every business leader can learn from these revelations going forward.

Thomas Gryta, Joann S. Lublin and Mark Maremont, writing in the Wall Street Journal (WSJ), said that a GE spokesperson noted the reason for the ghost plane: “This practice, which GE has discontinued, involved business-critical itineraries with tight schedules, multiple international stops and, in most cases, security concerns.” The spokesperson then gratuitously added, “We do not believe that the understandable criticism of this discontinued practice fairly reflects on Jeff’s dedicated service to GE for over 30 years.” However, the WSJ piece, citing unnamed sources, said, “While CEO, Mr. Immelt wanted a backup jet in case there was a mechanical issue that could lead to delays”. The cost to operate the ghost plane was about $6500 per hour, adding up to $250,000 to the cost of each flight.

The New York Times (NYT) reported that the practice occurred during his 16-year tenure as CEO of GE. Yet it was the subject of an internal whistleblower complaint in 2014. The WSJ reported, “The company told GE’s directors the company had reduced the practice in mid-2014 and that the continued use of the backup plane was limited to isolated situations such as travel to risky destinations. The board members were previously unaware, the people said, and some were dismayed to learn of the practice. “Obviously, this was an excess,” one of these people said.”

Here was a clear misrepresentation to the Board of Directors. Even if limited to ‘isolated situations’, the CEO’s behavior and practices were so egregious that it took a hotline complaint to change them, and company executives were less than truthful with the company’s own Board of Directors so that the practice could continue. It was not as if company executives had any lack of understanding that the practice was not approved by the Board. The head of the Board’s Audit Committee mandated that the practice must end.

The company went out of its way to conceal the ghost plane practice: “Flight crews were told to not openly refer to the backup planes, for fear of raising eyebrows, especially at the small airport facilities for private jets, the people said. One person said the flight manifest sometimes listed “Robert Jeffries” or “Jeffrey Roberts” as the passenger on the second plane, when in fact the seats were empty.” That certainly sounds like someone trying to hide something.

What about the excuse that it was for security? James Stewart, writing in the NYT, skewered that reasoning by citing Scott Davis of Melius Research, who stated, “Not even heads of state get that kind of treatment.” Moreover, if security was such a concern, why was GE sending its CEO there in the first place? Stewart wrote, “No one I spoke to in the field of corporate security said that made any sense, especially in the instance when the second plane stayed in Anchorage while Mr. Immelt traveled to Asia. There are plenty of planes there that could be chartered in case of emergency, not to mention commercial flights with first-class cabins and ample security. Robert Strang, a corporate security expert and the chief executive of the Investigative Management Group, told me he had been conducting security audits for chief executives for 29 years and could think of no similar example.” Finally, “If a destination is so dangerous that it requires a backup plane, then a C.E.O. shouldn’t be going in the first place”. And it’s not as if Mr. Immelt had been traveling to war-torn Syria or Afghanistan.

Next was a point that Immelt himself raised which spoke directly to business leadership. In a letter to John J. Brennan, chairman and CEO of Vanguard and GE’s lead director, Immelt said, “Given my responsibilities as C.E.O. of a 300,000-employee global company, I just did not have time to personally direct the day-to-day operations of the corporate air team.” He added, “Other than to say ‘hello’ I never spoke to the head of Corporate Air in 16 years.” The CEO of the company goes 16 years without once having a substantive conversation with the head of the group mandated with handling his air travel? Frankly, I do not know whether to laugh or cry at this statement. If it is true, what does it tell you about Immelt’s imperial leadership style? If he is not telling the truth, it tells you about the liberties he is taking with his facts.

Scott Davis also raised some obvious issues. If the CEO or his underlings were willing to violate the Board’s edict of no ghost jets, what else did they allow? Davis was further quoted, “You hear about this and you have to wonder what else they were spending money on. You really have to question the financial oversight and controls and internal audit. You have to question the entire organization.”

According to the WSJ article, “GE informed its board’s compensation committee each year about how much the company had spent to fly Mr. Immelt on corporate aircraft, the people said. But those total amounts lacked details such as how many flights the CEO took, the number of pilots involved or the cost of aircraft fuel, people familiar with the process said. Directors assumed that GE’s human-resources executives had reviewed details about Mr. Immelt’s personal and business trips, according to one person. The GE board’s compensation committee should have requested more detail about Mr. Immelt’s usage.” Even if the Board was initially misled by GE executives, it should have asked for the details to test the information presented to it, especially as the matter had been the subject of a whistleblower complaint involving the CEO.

All this would seem to indicate that no one was (1) running the ship, (2) watching the ship being run or (3) interested enough to find out what was going on. That is laid at the feet of the Board, for not asking direct, probing questions. It also points to the role of compliance in resolving whistleblower issues and monitoring on an ongoing basis to ascertain whether the remediation has been followed or the company has reverted to its prior conduct. Finally, any CEO’s excuse that, as a 30-year employee, including 16 years as CEO, he never had time to say anything other than ‘hello’ to an employee speaks to a CEO who is not only ignoring his employees but clearly communicating, “I do not care about you or your job function at this organization.” How is that for not only tone at the top but also conduct at the top?

Dec 19, 2017

Opinion Releases can provide valuable information for the compliance practitioner. I agree with the statement found in the 2012 FCPA Guidance that “DOJ’s opinion procedure is a valuable mechanism for companies and individuals to determine whether proposed conduct would be prosecuted by DOJ under the FCPA. Generally speaking, under the opinion procedure process, parties submit information to DOJ, after which DOJ issues an opinion about whether the proposed conduct falls within its enforcement policy.” 

In the area of charitable donations, the DOJ has provided several Opinion Releases which give solid guidance on this tricky issue. There have been four Opinion Releases in the area of charitable donations under the FCPA. In each Opinion Release, the DOJ indicated that it would not initiate prosecutions based upon the fact scenarios presented to it.

This request was from a US based energy company that planned to operate a plant in South Asia, in an area where there were no medical facilities available. The energy company planned to donate $10 million for equipment and other costs to a medical complex that was under construction nearby. The donation would be made through a US charitable organization and a South Asian LLC.

The energy company stated it would do three things with respect to this donation.

  1. Before releasing funds, the energy company said it would require certifications from the officers of all entities involved that none of the funds would be used in violation of the FCPA.
  2. It would ensure that none of the persons employed by the charity or the LLC were affiliated with the foreign government.
  3. The energy company would require audited financial reports detailing the disposition of the funds.


This request was from a US based utility company that planned to operate a plant in Asia, in an area where there was no primary-level school. The utility company planned to donate $100,000 for construction and other costs to a government entity that proposed to build an elementary school nearby. Before releasing funds, the utility company said it would require certain guarantees from the government entity regarding the project, including that the funds would be used exclusively for the school. 


This request was from a Delaware company doing business in Africa. The company desired to initiate a pilot project under which it would contribute $25,000 to the Ministry of Finance in the country to improve local enforcement of anti-counterfeiting laws. The contribution would fund incentive awards to local customs officials, which was needed because this African country was a major transit point for illicit trade and the local customs officials had no incentive to prevent the contraband.

The company said that, along with the contribution, it would execute an agreement with the Ministry to encourage the exchange of information and establish procedures and criteria for incentive awards. The company said that if the program were successful, the awards would continue to be funded as needed, and the company would seek the participation of its competitors in this program.

The company would implement at least five safeguards to ensure the funds would be used as intended, including:

  1. Payments to a valid government account, subject to internal audits.
  2. Payments only upon the confirmation that goods seized were in fact counterfeit.
  3. The Ministry would identify award candidates without input from the company and would provide evidence that funds were used properly.
  4. The company would monitor the program’s effectiveness.
  5. Records would be kept and made available for inspection for a period of time.


A US Company desired to move from a charitable entity model to a for-profit model in the area of micro-financing. To do so, it was required to make a large cash donation to a charity in the country in question. The company engaged in three rounds of due diligence, in which it determined that the most favorable candidate had a government official on its Board of Directors but that, under the laws of the country in question, the government official could not receive compensation to sit as a Board member. After initially listing the three levels of due diligence in which the company had engaged prior to finalizing its choice of local entity to receive the donation, the DOJ noted that the donation ‘requested’ of the US Company would be subject to the following controls:

  1. Payments of the donations would be staggered over a period of eight quarters rather than in one lump sum.
  2. Ongoing monitoring and auditing of the funds’ use for a period of five years.
  3. The donations would be specifically utilized for the building of infrastructure.
  4. The funds could not be transferred to either the charity’s parent or any other affiliated entity.
  5. The funds would not be paid to the parent of the organization receiving the grant and there was an absolute prohibition on compensating Board Members.
  6. The proposed grant agreement under which the funds would be donated had significant anti-corruption provisions, which included a requirement that the local organization receiving the funds adopt an anti-corruption policy and that the company making the donation receive full access to the local organization’s books and records.
  7. The company would have the right to terminate the agreement and recall the funds if evidence was found that “reasonably suggests” a breach of the compliance provisions.

Mendelsohn Guidance 

Dick Cassin, writing in the FCPA Blog, in a posting entitled “When is Charity a Bribe?”, cited the then Deputy Chief of the Criminal Division’s Fraud Section at the DOJ, Mark Mendelsohn. Mendelsohn was asked about the guidelines regarding requests for charitable giving and the FCPA and said that any such request must be evaluated on its own merits. He advocated a “common sense” approach in identifying and clearing Red Flags. Some of the areas of inquiry would include answers to the following questions.

  1. Is there a nexus between the charity and any government entity from which the company is seeking a decision?
  2. If the governmental decision-maker holds a position at the charity, that's a red flag.
  3. Is the donation consistent with the company's overall pattern of charitable donations?
  4. If one donation or a series of them is more than the company has made to any other charity in the past five years, that would also be a red flag.
  5. Who made the request for the donation and how was that request made? 

Three Key Takeaways

  1. You can utilize the Opinion Release process for a wide variety of issues.
  2. You must manage your charitable donations program even after the money has been donated.
  3. Never forget the Mendelsohn common sense approach to charitable donations.

This month’s sponsor is the Doing Compliance Master Class. In 2018, I am partnering with Jonathan Marks and Marcum LLC to put on training. Look for dates for one of the top compliance-related training programs going forward.

Dec 18, 2017

When is a rose not a rose? When it is a charitable donation not made for philanthropic purposes that violates the FCPA. This was a feature of the Eli Lilly and Company (Lilly) FCPA enforcement action brought by the Securities and Exchange Commission in 2012, involving a bribery scheme utilized by Lilly in Poland. The scheme and FCPA violations mirrored an earlier FCPA enforcement action, also brought by the SEC as a civil matter, rather than by the Department of Justice as a criminal matter, against another US entity, Schering-Plough, for making charitable donations in Poland which violated the FCPA. One of the remarkable things about both of these enforcement actions, brought almost eight years apart, was that they involved improper payments to the same Polish charitable foundation to wrongfully influence the same Polish government official to purchase products from both of these companies.

The Bribery Schemes

Both companies were involved in negotiations for the sale of products with the Director of the Silesian Health Fund (Health Fund). He had also established a charitable foundation, the Chudow Foundation, to engage in the restoration of ancient castles in Poland. Both companies made donations to the Chudow Foundation at or near the time decisions were made regarding the purchase of their respective products by the Health Fund. The FCPA books and records violations for the donations stated that they were all mischaracterized on the respective company’s books. The donations were made by each company with the description for the donations as follows:

Although all of these donations were approved by a team within Lilly, the “Medical Grant Committee [MGC]”, which reviewed the requests for such donations, the MGC’s approval was “largely based on the justification and description in the submitted paperwork.” While Requests 1 & 2 may have had tangential value to the stated purpose of the Chudow Foundation to restore castles in Poland, even Request 3 was clearly a quid pro quo as an action to obtain business. Just as clearly, ‘rental of castle’ is not a charitable donation but an expenditure; even with that understanding, the SEC Complaint noted that Lilly held no conferences at any castles, so it was an outright misrepresentation.

The Schering-Plough SEC Complaint noted that the company Manager involved in the payment scheme, “provided false medical justifications for most of the payments on the documents that he submitted to the company’s finance department.” Additionally, he structured the payments so that they were at or below his approval limit so that he did not have to ask for permission to make the improper payments. The Manager in question viewed the donations as “dues that were required to be paid for assistance from the Director.”

The Red Flags for Charitable Donations

What were the factors which should become red flags for the review of charitable donations under the FCPA?

A. Schering-Plough

The Schering-Plough SEC Complaint listed several items which it deemed indicia of red flags.

  1. No due diligence. The first is that no due diligence was performed on the charity to identify the Director of the Silesian Health Fund as the founder or his role in the Chudow Foundation.
  2. Donations not related to health care. While the company permitted donations to healthcare related programs there was no follow up to determine the purposes or uses of the donated funds.
  3. Outside normal range of donation. The next red flag was that the donations made to this single charitable foundation were approximately 40% of the company’s promotional budget in 2000 and 20% in 2001.
  4. Disproportionate sales. The company’s sales increased disproportionately compared with its own sales of the same products in other areas of Poland. Up to 53% of one product was sold in the region run by the Director of the Silesian Health Fund.

B. Lilly

The Lilly SEC Complaint listed several items which it deemed indicia of red flags.

  1. No due diligence. Once again there was no due diligence performed on the charity to identify the Director of the Silesian Health Fund as the founder or his role in the Chudow Foundation.
  2. Donations not related to health care. Unlike Schering-Plough, the reasons listed for the charitable donations did not relate to health care. Moreover, the Lilly committee specifically tasked with reviewing such requests approved them but failed to investigate beyond the submitted paperwork, which was apparently not correct.
  3. Outside normal range of donation. The SEC Complaint quoted an email from a Lilly manager who said that he had decided to commit 70-75% of the [charitable donation] budget and the Director of the Silesian Health Fund was given a “free hand to manage the Lilly investment, emphasizing the fact we only doing this for him…”
  4. Suspicious Timing. The donations were made at or near the time that decisions on the purchase of Lilly products were made by the Director of the Silesian Health Fund. One donation was made two days after the Director of the Silesian Health Fund agreed to make a purchase of Lilly products.

Here Lilly used charitable donations to a charitable foundation which was, as stated in the SEC Complaint, “founded and administered by the head of one of the regional government health authorities at the same time that the subsidiary was seeking the official’s support for placing Lilly drugs on the government reimbursement list.” There was a total of eight payments made to the charitable foundation. In addition to the charitable donations made, Lilly “falsely characterized the proposed payments”. Lilly had a group which reviewed the request for such donations called the “Medical Grant Committee [MGC]” which approved the payments “largely based on the justification and description in the submitted paperwork.”

Three Key Takeaways

  1. Every compliance practitioner should study both the Lilly and Schering-Plough enforcement actions.
  2. What is the purpose of the charitable entity you are making a donation to?
  3. Document, document, document your due diligence around donees.

This month’s sponsor is the Doing Compliance Master Class. In 2018, I am partnering with Jonathan Marks and Marcum LLC to put on training. Look for the dates of this top compliance-related training going forward.

Dec 18, 2017

Welcome to the first day of a five-day podcast series Jay Rosen and I are producing in honor of the latest Star Wars movie The Last Jedi. Each day over this week, Jay and I will review a Star Wars movie and discuss it from the compliance perspective. Today, we consider Episode IV, A New Hope and risk.

The full series schedule is:

Monday, December 18, Part I: Episode IV, A New Hope, and risk.

Tuesday, December 19, Part II: Episode V, The Empire Strikes Back, and due diligence.

Wednesday, December 20, Part III: Episode VI, Return of the Jedi, and effective training.

Thursday, December 21, Part IV: Episode VII, The Force Awakens, and disruptive innovation in compliance.

Friday, December 22, Part V: Rogue One and the myth of the rogue employee.

One of the plotlines is that the Galactic Empire has created a Death Star with enough firepower to destroy a planet. The Rebel Alliance is determined to destroy the Death Star and has blueprints detailing the defensive posture of the Death Star. A computer analysis identifies a weakness in the Death Star’s defensive shield. At one point, the Death Star’s commander, Grand Moff Tarkin, played by Peter Cushing, is told there is a ‘risk’ in the Rebels’ plan of attack. Tarkin dismisses this risk as insignificant. Of course, Luke Skywalker then proceeds to exploit this weakness and destroy the Death Star.

Tarkin’s incorrect assessment of this risk was lethal. Today I want to use this part of the story to introduce the subject of how you evaluate compliance risk under the Foreign Corrupt Practices Act (FCPA) or an economic sanctions regime. Failure to appreciate risk can lead to some very serious and perhaps lethal consequences.

Whether you utilize one approach or another, analyzing the results of your risk assessment is as important as doing the risk assessment. With the recent Department of Justice (DOJ) remarks around how they will review the effectiveness of compliance programs during an enforcement action to determine potential credit or even granting a declination, the stakes have never been higher. Of course, for Grand Moff Tarkin, his refusal to analyze the risk assessment presented to him was fatal.

Join us tomorrow where we consider The Empire Strikes Back and due diligence.

May the podcast be with you this holiday season.

Dec 18, 2017

In this episode, I visit with Brian Platz, who discusses blockchain and his new company Fluree, a new Public Benefit Corporation that has introduced a scalable blockchain database for decentralized applications. Fluree is not healthcare-specific, but there is a lot of potential for blockchain in healthcare.

In this podcast interview we covered the following:

  • What is a scalable blockchain database and why is it important?
  • What are some of the healthcare use cases for Fluree?
  • Transparency and consensus as key attributes of blockchain. Does that contradict healthcare’s needs for privacy and security?
  • Who will leverage this technology in healthcare? What are its uses in the broader compliance context?
  • What impact will healthcare consumers and patients see as a result of Fluree?
  • Fluree organized as a Public Benefit Corporation. What does that mean for the company going forward?