Podcast

Categories
Blog

Daily Compliance News: April 19, 2024-the Thrown Under the Bus Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance brings to you compliance related stories to start your day. Sit back, enjoy a cup of morning coffee and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day we consider four stories from the business world, compliance, ethics, risk management, leadership or general interest for the compliance professional.

  • Menendez defense: my wife did it.  (ABC)
  • Rethinking how your company handles cyber-risk. (FT)
  • Story of the jailed crypto officer. (NYT)
  • Police bust global cyber-fraud gang. (BBC)

For more information on the Ethico ROI Calculator and a free White Paper on the ROI of Compliance, click here.

Categories
Blog

The NBA, Data Driven Compliance and Jontay Porter

One of the best examples I have recently seen of the power of data-driven compliance is playing out in real-time in the NBA. It is the Jontay Porter betting scandal. This event drove home why transparency and robust data analytics can help identify illegal acts in real time, moving compliance from detective to proactive.

Background

The background to the story is both sad and tragic. As reported by ESPN, betting sites grew suspicious when a large amount of money was made on prop bets for Porter. The bets were: “In the game on Jan. 26 against the LA Clippers, there was increased betting interest on the under for Porter props, which for the night were set at around 5.5 points, 4.5 rebounds, and 1.5 assists. There was also an over/under for Porter’s made 3-pointers, which was 0.5.”

Additionally, “At least one other U.S. sportsbook detected unusual betting interest on the game’s Porter props. A sportsbook industry source told ESPN that multiple betting accounts attempted to bet large amounts, upward of $10,000 and $20,000, on Porter under in the January game against the Clippers. Betting limits on NBA player props vary by sportsbook and customer but are typically around $1,000 to $2,000.

The second part of the suspicious transaction was that in that game itself, “Porter played just four minutes before leaving the game because of what the Raptors said was an aggravation of an eye injury he had suffered four days earlier against the Memphis Grizzlies. Porter did not score against the Clippers but had three rebounds and one assist, and he did not attempt a 3, meaning the under-hit on all of the props.” According to the Draft Kings, the under on Porter’s 3-pointers was the biggest money winner for bettors of any NBA player props from games that evening.

A second set of anomalous information came in on March 20. In a game on that night, “Porter played just three minutes before exiting because of what the Raptors said was an illness and did not return. He did not score after attempting one shot and had two rebounds.

Sportsbooks had his over/under set at around 7.5 points and 5.5 rebounds. The next day, DraftKings Sportsbook reported in a media release that Porter’s prop bets were the No. 1 moneymaker from the night in the NBA.”

Anomalous Data

Another ESPN article reported that “the NBA’s investigation found that Porter revealed information about his health to a known sports bettor ahead of a March 20 game against the Sacramento Kings. According to the NBA, another bettor who was privy to the information placed a $80,000 same-game parlay bet featured under Porter’s statistics and would win $1.1 million. Porter played for three minutes before leaving the game with an illness. The bet, which was placed at DraftKings, was not paid.” This is in addition to multiple Sportsbooks that “reported a spike in betting interest on the under on several of Porter’s statistics ahead of a Jan. 26 game against the Los Angeles Clippers.”

Finally, and most damningly, Porter was also betting on NBA games. “The league investigation revealed Porter placed at least 13 bets on NBA games using an associate’s online betting account. According to the league, the bets ranged from $15 to $22,000, totaling $54,094. The NBA said the total payout from those bets was $76,059, with net winnings of $21,965. None of the bets involved any in which Porter played. Three bets were parlays, including one that included a bet on the Raptors to lose. All three bets lost, according to the NBA.”

 Lessons for Compliance

  1. Transparency

There are several key lessons for compliance in this sordid tale. The first is around transparency. It is not about the legalization of gambling; gambling on NBA games has always occurred. It is about the oversight that legalization has brought about. In other words, gambling has moved out of the shadows and into the light of day. There is increased regulatory oversight and reporting. The NBA itself noted that “it was alerted to the suspicious activity by licensed sportsbooks and an organization that monitors legal betting markets. Las Vegas firm U.S. Integrity, which works with sportsbooks, leagues, and state gaming regulators, monitored Porter’s abnormalities and said it is “proud to continue to support the NBA in initiatives relating to regulated sports betting.”

The legalization of gambling has increased the amount of money involved. However, having that much money means more oversight and better processes for determining anomalous patterns. Why? Because it is a business for these Sportsbooks and sites like Draft Kings. Not only is it a business, but its customers must have faith that the games are not crooked, which is exactly what the NBA demands.

  1. Data Analytics

The second, equally important lesson is about data analytics. Data analytics did not determine that Porter had illegally revealed information about his health. Data analytics determined an unusual pattern of betting on small bets on a minor player, all in a very big way. In other words, the data identified anomalies that could be further investigated. Every data analytics program should crunch massive GTE spending, marketing spending, charitable donations, third-party spending, and any other place funds could be generated to determine if a pot of money is needed to fund a bribe.

Moreover, once your data program is set up, you can monitor these areas in real-time. This will allow you to spot any unwarranted trends and patterns. Based on the investigation, you can suspend the activities. If further action is necessary, you can then take it. But it all begins with data analytics.

  1. Consequence Management

We now move to the tragic part of this story. As a direct consequence of his actions, Jontay Porter has been banned from playing in the NBA for life. For the compliance professional, the lesson is that the Department of Justice demands swift action, including termination and clawbacks for executives who are part of a bribery or corruption scheme.

Categories
Blog

Insights on the EU Corporate Sustainability Due Diligence Directive from GDPR

Regarding corporate social responsibility and data protection, impact assessments and due diligence can seem like a labyrinth of legal jargon and regulatory requirements. However, understanding the importance of these processes is crucial for any corporation looking to not only comply with regulations but also build trust with customers and stakeholders. In this blog post, we will dive into the intricacies of impact assessments and due diligence, answering common questions and providing practical tips for corporations navigating the complexities of the Corporate Sustainability Due Diligence Directive (CSDDD).

We will consider the following questions:

  1. What role does GDPR compliance play in navigating the complexities of the CSDDD?
  2. Why are privacy impact assessments important for the CSDDD?
  3. How can corporations comply with the CSDDD?

In the ever-evolving landscape of corporate responsibility and ethical governance, staying ahead of regulatory directives is crucial for businesses looking to comply and positively impact society and the environment. One such directive that is making waves in the corporate world is the CSDDD. In the wake of its near full adoption by the European Council, the implications of this directive are profound, prompting organizations to rethink their approach to sustainability, human rights, and environmental impact.

The parallels between the CSDDD and the General Data Protection Regulation (GDPR) serve as a reminder of the importance of proactively addressing ethical considerations within corporate governance. Just as with the GDPR, which focuses on data privacy and protection, the CSDDD underscores the necessity of corporate diligence in ensuring environmental responsibility, human rights protection, and fair business practices.

GDPR compliance is a critical component of navigating the complexities of the CSDDD. GDPR sets strict guidelines for how companies handle the personal data of EU citizens. By ensuring compliance with GDPR regulations, corporations can demonstrate their commitment to data protection and privacy, essential for building trust with customers and stakeholders in today’s data-driven world. One of the key components of GDPR compliance is to conduct regular audits of your data processing activities to ensure compliance with GDPR requirements. Implement robust data protection measures, such as encryption and access controls, to safeguard personal data and mitigate the risk of data breaches.

The essence of both GDPR and CSDDD is to take a proactive approach to compliance. By instilling a culture of responsibility within the organization, companies can effectively navigate the complexities of regulatory frameworks like the CSDDD. From conducting impact assessments to tracking progress and publishing annual statements, the directive emphasizes transparency and accountability in corporate operations.

Compliance with the CSDDD requires a proactive approach to data protection and privacy. Corporations must establish robust data governance frameworks, implement privacy-by-design principles, and regularly audit their data processing activities. By prioritizing data protection and privacy, corporations can demonstrate their commitment to responsible data management and build trust with customers and stakeholders. You should work to develop a data protection policy that outlines your organization’s commitment to data protection and privacy. Train employees on data protection best practices and provide ongoing support to ensure compliance with the CSDDD.

This is also true of privacy impact assessments (PIAs), essential for identifying and mitigating privacy risks associated with data processing activities. By conducting a PIA, corporations can assess the potential impact of their data processing activities on individuals’ privacy rights and take steps to minimize any adverse effects. PIAs are especially important in the context of the CSDDD, where data protection and privacy are paramount concerns. You should work to integrate privacy impact assessments into your data processing workflows to identify and address privacy risks proactively. Engage with data protection authorities and stakeholders to ensure transparency and accountability in your privacy practices.

While the CSDDD is a European directive, its reach extends beyond the EU’s borders, impacting US companies with significant operations or income derived from the region. This broad scope necessitates a thorough evaluation of supply chains, supplier relationships, and potential risks associated with non-compliance. The CSDDD’s requirements for due diligence and supplier engagement underscore the interconnected nature of global business operations.

As organizations strive to align with the CSDDD, integrating existing laws and guidelines from related legislation, such as GDPR, becomes essential. From incorporating OECD guidelines to addressing human rights and environmental impact, companies must adopt a comprehensive approach to compliance. By leveraging technological solutions and strategic staffing, businesses can streamline their compliance efforts and enhance their impact on society and the environment.

The convergence of directives like the CSDDD and GDPR heralds a new era of ethical governance for businesses worldwide. By embracing the principles of sustainability, human rights protection, and environmental stewardship, organizations can meet regulatory requirements and contribute to a more responsible and equitable corporate landscape. As we navigate the complexities of corporate responsibility, let us heed the lessons from these directives and strive to do the right thing, both ethically and legally.

Navigating the complexities of impact assessments and due diligence in the context of the CSDDD may seem daunting. Still, with a proactive approach to data protection and privacy, corporations can demonstrate their commitment to responsible data management and build trust with customers and stakeholders. By prioritizing GDPR compliance, conducting privacy impact assessments, and implementing robust data protection measures, corporations can navigate the complexities of the CSDDD effectively.

Categories
Blog

Using RegTech To Enhance the Fight Against Financial Crime

Have you heard these common myths about anti-money laundering technology solutions? Myth 1: Anti-money laundering technology solutions are only necessary for financial institutions. Myth 2: Anti-money laundering technology solutions are too complex and expensive for small businesses. Myth 3: Anti-money laundering technology solutions can eliminate the need for manual compliance efforts.

I recently had the opportunity to visit with  Matt DeLauro, the Chief Revenue Officer at SEON, to explore these and other questions. (You can listen to the episode on Innovation in Compliance.) We considered the impact of real-time detection services and the importance of breaking through traditional data silos for a robust approach to fraud prevention and regulatory compliance. We also considered security measures such as device fingerprinting, the evolution of Suspicious Activity Reports, and the future landscape of compliance and anti-fraud efforts, and this episode offers a wealth of knowledge for compliance practitioners and professionals.

We also considered the critical importance of Anti Money Laundering (AML) regulations, particularly in the wake of increased sanctioned activities within European banking systems. Regulatory bodies emphasize the need for heightened AML efforts in the financial industry to combat money laundering and ensure compliance. Machine learning emerges as a key tool in detecting anomalies and potential money laundering attempts, with companies like SEON at the forefront with their integrated machine learning algorithms.

How can compliance professionals stay ahead of increasingly sophisticated money launderers and fraudsters? Financial crimes are evolving rapidly, but innovative RegTech solutions give compliance teams new tools. One interesting approach is to leverage device fingerprinting for fraud prevention. Device fingerprinting analyzes device metadata like location, typing patterns, and orientation to catch real-time account takeovers and bot attacks. By gathering intelligence on the device, compliance teams can identify suspicious access attempts and stop fraudsters.

Moreover, detecting and preventing fraudulent activities necessitates monitoring anomalous behaviors, such as unusual device access or IP addresses. Utilizing device fingerprinting data, behavioral biometrics, and machine learning algorithms can help identify patterns of fraudulent activities and enable real-time fraud detection to thwart fraudulent transactions instantly.

Another approach is through scaling monitoring with machine learning. This is because reviewing transactions manually is hugely time-intensive and limits scalability. Machine learning models overcome this by continually improving detection rates and reducing reliance on large manual review teams. Such an approach can identify complex schemes that rules-based systems miss and enable businesses to expand without compromising compliance. Continuously training machine learning models to enhance detection capabilities and prevent fraud in real time can aid in fraud detection and prevention. By feeding back labeled data on identified fraud or money laundering attempts into the machine learning algorithms, companies can improve detection accuracy over time.

This approach can be enhanced by unifying siloed data sources (this is the converse of how the Department of Justice presented this to compliance professionals, of breaking down data silos.) Centralizing compliance data from across departments gives investigators a holistic view of risk. This prevents the need to manually compile relevant information from separate systems, speeding up reviews and providing broader context.

Another financial crime protection strategy is to generate SARs automatically. This approach uses large language models, which can auto-generate the lengthy suspicious activity reports (SARs) regulators require. Rather than investigators manually piecing together all the details over hours, smart software reduces it to a few clicks, saving significant time and effort. Automation has revolutionized the generation of Suspicious Activity Reports, reducing the time spent on investigations and increasing efficiency. Centralized data and machine learning capabilities are crucial for better detecting potential fraudulent activities and streamlining the reporting process.

Leading compliance teams are embracing RegTech solutions to strengthen financial crime defenses in the face of growing threats from organized fraud rings and money laundering networks. The future will require even more agility to counter emerging criminal tactics. In the evolving landscape of financial crimes, with fraudsters leveraging sophisticated techniques and interconnected networks to bypass traditional controls, companies must adapt and innovate their fraud and compliance strategies to stay ahead of the curve in combating financial crimes. To drive this point home, DeLauro encapsulates the urgency and necessity for adaptive anti-money laundering measures with the following: “Companies that have a static or maybe a long-standing permanent set of controls around fraud and compliance get figured out by the fraudsters and the money launderers very quickly.”

As AML regulations take center stage as a national security priority, the podcast episode underscores the pivotal role of automation, machine learning, and continuous innovation in strengthening AML efforts and safeguarding financial ecosystems against fraudulent activities. Matt DeLauro’s insights shed light on the dynamic landscape of financial crimes and the imperative for organizations to embrace proactive prevention strategies to combat money laundering effectively.

Categories
Blog

Changing Sales Models

Over the past 12 months or so, there have been a series of Foreign Corrupt Practices Act (FCPA) enforcement actions in which the respondents have changed and/or modified their sales models to move away from external third parties and toward direct sales and business generation models. This portends a change in the way the Department of Justice (DOJ) may think about sales models, their inherent risk, and risk management going forward. These FCPA enforcement actions involved Albemarle, SAP, Gunvor, and Trafigura.

Albemarle

The Albemarle Non-Prosecution Agreement (NPA) cited several remedial actions by the company that helped Albemarle obtain a superior result in terms of the discounted fine and penalty. These steps were taken during the pendency of the DOJ investigation so that when the parties were ready to resolve the matter, Albemarle had built out and tested an effective compliance program. The company shifted to a direct sales business model.

This change was relatively new and undoubtedly noteworthy for FCPA enforcement actions, which were changes in a company’s approach to sales and their sales teams. Obviously, corrupt third-party agents brought the company to such FCPA grief. Many of the quotes in the NPA make it clear that Albemarle executives had an aversion to paying bribes but had greater moral flexibility when a third-party agent was involved. This led to the company moving away from third-party agents to a direct sales force.

SAP

While most of the remediation reported in this matter was standard, the one item that every compliance professional should consider is that SAP proactively discontinued using third-party agents for business origination. The point is perhaps the most significant, as the DOJ called out SAP for discontinuing their use of third-party agents. The DOJ information sets out the following: Change in sales models. On the external sales side, SAP eliminated its third-party sales commission model globally, prohibited all sales commissions for public sector contracts in high-risk markets, and enhanced compliance monitoring and audit programs, including creating a well-resourced team devoted to audits of third-party partners and suppliers.

Gunvor

As I noted in my review of the Albemarle and SAP enforcement actions, SAP eliminated its third-party sales commission model globally and prohibited all sales commissions for public sector contracts in high-risk markets. It also enhanced compliance monitoring and audit programs, including the creation of a well-resourced team devoted to audits of third-party partners and suppliers. Albemarle changed its approach to sales and its sales teams. Guvnor also moved away from third-party agents to a direct sales force.

Trafigura

Trafigura eliminated the use of third-party business origination agents. Matt Kelly noted in Radical Compliance, “This is the latest in a string of FCPA enforcement cases where we’ve seen a big, structural change to the sale function. Albemarle eliminated its use of third-party sales agents as part of its FCPA settlement last year; SAP eliminated its third-party sales commission model globally as part of its own FCPA settlement announced in January. Now we have a third global enterprise going that same route, reducing its FCPA risk in a deep, permanent way by restructuring its sales operations.” Here, Trafigura did away with third-party representatives for business generation.

In these four recent enforcement actions, the companies changed their approach to sales and their sales teams and did away with third parties generating new business. All of this points to these companies moving away from third-party agents to a direct sales force.

Moving to a direct sales force does have its risks, which must be managed, but those risks can certainly be managed with an appropriate risk management strategy, monitoring of the strategy, and improvement; those risks can be managed. Yet there is another reason, and more importantly, a significant business reason, to move towards a direct sales business model. Every time you have third-party agent or anyone else between you and your customer, you risk losing that customer because your organization does not have a direct relationship with the customer. A direct sales business model will give your organization more direct access to your customers.

The fact that the 2020 FCPA Resource Guide, 2nd edition, and the 2023 Evaluation of Corporate Compliance Programs do not outline this strategy is another intriguing aspect of how Albemarle, SAP, Gunvor, and Trafigura use it. These are all approaches developed by the companies based upon their own analysis and risk models. It may have come from a realization that the risk involved with third-party sales models was simply too significant, that the companies wanted more control over their sales or some other reason. Whatever the reason for the change, the DOJ took note of each organization and viewed it affirmatively.

Every compliance professional should understand that this is how new ideas are developed by the DOJ and in compliance. Companies assess their own risks and then move forward to manage or change their risk profiles. Expect to start seeing and hearing more about the direct sales model for the DOJ. This is where the DOJ’s comments on compensation incentives and consequence management will come into play.

Categories
Blog

The Trafigura FCPA Enforcement Action – Part 4 – Lessons Learned

We conclude our exploration of the resolution of the FCPA enforcement action involving the Swiss trading firm G Trafigura Beheer B.V. (Trafigura), an international commodity trading company with its primary operations in Switzerland. The company pleaded guilty and will pay over $126 million to resolve an investigation stemming from the company’s corrupt scheme to pay bribes to Brazilian government officials to secure business with Brazil’s state-owned and state-controlled oil company, Petróleo Brasileiro S.A. – Petrobras (Petrobras). The matter was resolved via a Plea Agreement. Information detailing the company’s conduct was also issued.

Despite substantial violations of the FCPA and its extension into the corporate offices, Trafigura received the 10% discount noted above. The message from this enforcement action is the cost of failing to self-disclose, creating liability under the FCPA and creating jurisdiction for the DOJ to bring an enforcement action, denial that you have done anything wrong, failure to cooperate (at least initially), and not sanctioning any of the culpable company actors. In other words, there is a bit of reverse logic and analysis in this case. However, as noted several times, the DOJ rewarded Trafigura with some credit and gave them a discount. Most importantly, and perhaps inexorably, Trafigura was not required to retain a monitor.

Remediation 

While most of the remediation is reported as standard, the one item that every compliance professional should consider is that the company proactively discontinued using third-party agents for business origination. This point is perhaps the most significant, as we have now seen the DOJ call out Albemarle and SAP for discontinuing their use of third-party agents.

As Matt Kelly noted in Radical Compliance, in his discussion of Guvnor FCPA enforcement action, “This is the latest in a string of FCPA enforcement cases where we’ve seen a big, structural change to the sale function. Albemarle eliminated its use of third-party sales agents as part of its FCPA settlement last year; SAP eliminated its third-party sales commission model globally as part of its own FCPA settlement announced in January. Now we have a third global enterprise going that same route, reducing its FCPA risk in a deep, permanent way by restructuring its sales operations.” With Trafigura, we now have a fourth.”

As I noted in my review of the Albemarle and SAP enforcement actions, SAP eliminated its third-party sales commission model globally, prohibited all sales commissions for public sector contracts in high-risk markets, and enhanced compliance monitoring and audit programs, including the creation of a well-resourced team devoted to audits of third-party partners and suppliers. Albemarle changed its approach to sales and its sales teams. Guvnor also moved from being a third-party agent to a direct sales force.

Moving to a direct sales force does have its risks, which must be managed, but those risks can certainly be managed with an appropriate risk management strategy, monitoring of the strategy, and improvement; those risks can be managed. Yet there is another reason, and more importantly, a significant business reason, to move towards a direct sales business model. Whenever you have a third-party agent or anyone else between you and your customer, you risk losing that customer because your organization does not have a direct relationship with the customer. A direct sales business model will give your organization more direct access to your customers.

Another exciting aspect of this approach used by Albemarle, SAP, and Trafigura is that it is not an approach laid out in either the 2020 FCPA Resource Guide, 2nd edition, or the 2023 Evaluation of Corporate Compliance Programs. The companies developed all of these strategies based on their own analysis and risk models. It may have come from a realization that the risk involved with 3rd party sales models was too great, that the companies wanted more control over their sales, or another reason. Whatever the reason for the change, the DOJ clearly noted each organization and viewed it affirmatively.

Bribery Schemes

This area is essential for all compliance professionals to take note of. The bribes were initially funded with a $ 0.20 surcharge or uplift for every barrel of oil traded. With the price of oil fluctuating wildly at the time in question, between $60 to $100 per barrel, I am not sure such a small amount would even seem anomalous. It would not rise to a rounding error but generate $19 million in bribes. While I am not sure that the bribery scheme was designed to be so hard to detect, the reality is that no compliance professional could look at the trades and determine if a bribe was baked into the pricing.

Yet there was even a deeper part of the bribery scheme. Executives at Trafigura and corrupt traders at Petrobras prearranged the oil trading prices rather than letting the market determine them. The information noted, “The Trafigura Executive 2 and Brazilian Official 1 agreed to prices for trades of oil products and bribe amounts for each trade. After determining the price, Trafigura Executive 2 instructed Trafigura traders to negotiate with Petrobras, which Trafigura Executive 2 knew to be a sham, to arrive at the pre-agreed price.” [emphasis supplied]

Finally, another set of bribes was funded through an unrelated business unit. This occurred when one of the two corrupt Trafigura executives involved in the bribery scheme was transferred to run the company’s Singapore business unit. From there, this corrupt executive had a corrupt third party in Hong Kong bill the Singapore business unit for non-existent consulting services related to the Chinese market for $500,000. This money funded additional bribes to corrupt Petrobras employees. This extra step would require someone in compliance to connect the dots between a corrupt third-party bribery scheme in Singapore and China and the corruption at Petrobras in Brazil.

Lack of a Monitor

The following DOJ Memo governs the decision of whether a company needs a monitor: Revised Memorandum on Selection of Monitors in Criminal Division Matters, released in March 2023. The memo has 10 factors a prosecutor must consider.

  1. Did the corporation voluntarily self-disclose?
  2. At the time of the resolution and after a thorough risk assessment, has the company implemented an effective compliance program and sufficient internal controls to detect and prevent similar misconduct in the future?
  3. At the time of the resolution, the company had adequately tested its compliance program and internal controls to demonstrate that they would likely detect and prevent similar misconduct.
  4. Whether the underlying criminal conduct was long-lasting or pervasive across the business organization or was approved, facilitated, or ignored by senior management, executives, or directors (including through a corporate culture that tolerated risky behavior or misconduct or did not encourage open discussion and reporting of possible risks and concerns),.
  5. Whether the underlying criminal conduct involved exploiting an inadequate compliance program or system of internal controls.
  6. Did the conduct involve the active participation of compliance personnel?
  7. Did the company take adequate investigative or remedial measures to address the underlying criminal conduct, including terminating business relationships and practices that contributed to it?
  1. At the time of the resolution, the company’s risk profile had substantially changed.
  2. Whether the corporation faces any unique risks or compliance challenges.
  3. Is the company subject to other oversight?

A review of the Information and Plea Agreement reveals no self-disclosure. Equally significantly, there is no information about whether the company has implemented an effective compliance program or sufficient controls, let alone tested them. According to the data, the conduct was long-lasting across multiple business units. If there were internal controls in place, they were undoubtedly inadequate. There does not appear to be involvement in the compliance function. The only positive factor from the resolution documents is that Trafigura did terminate its use of third parties to initiate and foster business development, but that appears to be the only factor they have met.

Writing again in Radical Compliance, Matt Kelly said, “Either way, these cases send mixed messages to the compliance community. It looks like you can get away with not self-disclosing misconduct and perhaps even slow-rolling your cooperation if you’re prepared to invest lots in a newly invigorated compliance program and tolerate the Fraud Section as your new BFFs for the next three years of a settlement agreement.”

If the DOJ has discontinued its monitoring program or changed the requirements, it is undoubtedly its prerogative to do so. It would be helpful if they communicated that change to the compliance community.

Categories
Blog

The Trafigura FCPA Enforcement Action – Part 3 – The Penalty

We continue our exploration of the resolution of the FCPA enforcement action involving the Swiss trading firm G Trafigura Beheer B.V. (Trafigura), an international commodity trading company with its primary operations in Switzerland. The company pleaded guilty and will pay over $126 million to resolve an investigation stemming from the company’s corrupt scheme to pay bribes to Brazilian government officials to secure business with Brazil’s state-owned and state-controlled oil company, Petróleo Brasileiro S.A. Petrobras (Petrobras). The matter was resolved via a Plea Agreement. Information detailing the company’s conduct was also issued.

Given the multi-year nature of the bribery scheme, how high it went up in the organization, the lack of self-disclosure, and the admittedly lack of stellar cooperation, one might wonder how Trafigura could obtain any discount from their overall penalty.  There was no total figure to show the amounts of bribes paid by Trafigura in the Plea Agreement.  However, it was noted that Trafigura earned over $61 million in profits from the business obtained through the corrupt scheme. Yet Trafigura received a 10% discount off the 50th percentile of the applicable US Sentencing Guidelines acceptable range. How did Trafigura achieve this discount?

Cooperation

The starting point for this analysis is the Plea Agreement. However, we should note that Trafigura failed to preserve and produce certain documents and evidence on time and, at times, took positions inconsistent with full cooperation, “particularly during the early phase of the department’s investigation.” Additionally, Trafigura was slow to exercise disciplinary and remedial measures for certain employees whose conduct violated company policy. Finally, Trafigura “ultimately accepted responsibility for its criminal conduct. Its previous position in resolution negotiations also caused significant delays and required the offices to expend substantial efforts and resources to develop additional admissible evidence before the defendant constructively reengaged with the offices in agreeing to a negotiated resolution.”

This cooperation included (i) providing timely updates on facts learned during its internal investigation, (ii) making factual presentations to the DOJ, (iii) facilitating the interviews of employees and agents, including an employee located outside the United States, and arranging for counsel for employees where appropriate; (iv) producing relevant non-privileged documents and data to the department, including documents located outside the United States in ways that navigated foreign data privacy laws, accompanied by translations of certain documents; and (v) providing all relevant facts known to it, including information about individuals involved in the conduct. The compliance professional should note that Trafigura provided documents to the DOJ outside the United States in ways that navigated foreign data privacy laws.

The Remediation 

The Plea Agreement also included information on the remediation Trafigura carried out. Trafigura also took steps to fix the problems. These included (i) creating and implementing better, risk-based policies and procedures for things like fighting corruption, using middlemen and consultants, making payments to third parties, and assessing the risk of joint ventures and equity investments; (ii) improving the processes and controls around high-risk transactions; (iii) spending more money on training employees and testing their compliance; and (iv) making sure that the problems were fixed regularly. The final point is perhaps the most significant, as we have now seen the DOJ call out Albemarle and SAP for discontinuing their use of third-party agents.

Prior Misconduct

Trafigura also had prior misconduct, which the DOJ called out. While noting it was “not recent,” Trafigura had sustained a 2006 guilty plea for entering goods through false statements and a 2010 conviction for violating Dutch export and environmental laws concerning the discharge of petroleum waste in Côte d’Ivoire.

Fine Calculation

The explanation from the DOJ raised an open question in the minds of many compliance professionals regarding recent FCPA enforcement. That question was about how culture and prior misconduct were factored into the acceptable determination. This case follows the recent SAP enforcement action, in which a similar analysis was conducted. The DOJ does not discount fines off the low end of an acceptable range but instead in the middle between the high and low range. In the case of Trafigura, the high end of the acceptable range (after the complete calculation under the Sentencing Guidelines) was $170,345,061, and the low range was $85,172,530. As a result of the defendant’s cooperation and efforts to make things right, as well as the fact that some Trafigura Group companies had been guilty of similar crimes in the past, the DOJ took 10% off the middle of the two ranges, which put them in the 50th percentile. This led to a “total criminal fine” of $80,488,040, 10% less than the fifth percentile above the lowest possible fine under the Sentencing Guidelines.

Join us tomorrow, and we will conclude with lessons learned from the Trafigura enforcement action.

Categories
Blog

The Trafigura FCPA Enforcement Action – Part 2 – The Bribery Schemes

We continue our exploration of the resolution of the FCPA enforcement action involving the Swiss trading firm G Trafigura Beheer B.V. (Trafigura), an international commodity trading company with its primary operations in Switzerland. The company pleaded guilty and will pay over $126 million to resolve an investigation stemming from the company’s corrupt scheme to pay bribes to Brazilian government officials to secure business with Brazil’s state-owned and state-controlled oil company, Petróleo Brasileiro S.A. Petrobras (Petrobras). The matter was resolved via a Plea Agreement. Information detailing the company’s conduct was also issued.

According to the Information, between approximately 2003 and 2014, Trafigura and its co-conspirators paid bribes to Petrobras officials in order to obtain and retain business with Petrobras. Beginning in 2009, Trafigura and its co-conspirators, who met in Miami to discuss the bribery scheme, agreed to make bribe payments of up to 20 cents per barrel of oil products bought from or sold to Petrobras by Trafigura and to conceal the bribe payments through the use of shell companies, and by funneling payments through intermediaries who used offshore bank accounts to deliver cash to officials in Brazil. The meeting in Miami created US jurisdiction for the FCPA violations.

While at first blush, the bribery schemes appear to be similar to FCPA violations from time immemorial, there are some interesting aspects that will inform how a compliance professional can learn new lessons from this enforcement action. These factors include corrupt actors, internal funding of the bribes from locations literally across the globe, and the potential conflicts of interest in hiring employees of customers prone to bribery and corruption.

Funding the Bribery Schemes

Unlike fraud, which is the theft of money, property, or goods from a company, bribery is the theft of money from a company to pay someone else. Hence, there must be a way for those involved in corruption to create a pot of money to pay bribes. It can be simply cheating on your expense accounts, hiding costs in marketing, or making fraudulent charitable donations. But in Latin America and specifically in Brazil, one of the most favored ways to do so is to bake the bribe directly into the contract sales price. Unfortunately, this makes bribe funding one of the most difficult to detect. That is what was done in the Trafigura case.

According to the Information, “Beginning in 2009, TRAFIGURA BEHEER B.V. and its co-conspirators agreed to make bribe payments of up to 20 cents per barrel of oil products bought from or sold to Petrobras by TRAFIGURA BEHEER B.V. and its subsidiaries and affiliated entities, and to conceal the bribe payments through the use of shell companies.” [emphasis supplied] What is the price of a barrel of oil on any trading market, spot or long term? It can vary quite widely, and during the time of the bribes paid in this matter, it vacillated between $55 to $90 per barrel. It would be more than difficult for any compliance officer to look at a trading contract and pick up this amount as an anomaly.

Additionally, executives at Trafigura and corruption traders at Petrobras pre-arranged the oil trading prices rather than letting the market determine them. The Information noted, “The Trafigura Executive 2 and Brazilian Official 1 agreed to prices for trades of oil products and bribe amounts for each trade. After the price had been determined,  Trafigura Executive 2 instructed Trafigura traders to engage in negotiations with Petrobras, which Trafigura Executive 2 knew to be a sham, in order to arrive at the pre-agreed price.” [emphasis supplied]

The next step was to internally fund the bribe payments through other Trafigura business units, where no one could connect the dots. It came about when one of the two corrupt Trafigura executives involved in the bribery scheme was transferred to run the company’s Singapore business unit. From there, this executive had a corrupt third party in Hong Kong bill the Singapore business unit for non-existent consulting services related to the Chinese market to the tune of $500,000. This money funded additional bribes to corrupt Petrobras employees. This same mechanism was used multiple times to add to the 20 cents per barrel surcharge being paid directly by Petrobras.

Corrupt Employees

There are a couple of other points of note about these bribery schemes. As noted above, there were two corrupt Trafigura executives called out in the Information. (Monikered as Trafigura Executives 1 & 2) Yet, according to the Information, there were other Trafigura executives who either knew about or approved the bribe payments, but they were not further identified in the Information. Trafigura Executive 2 initially worked under Trafigura Executive 1 but later became the head of the Singapore business unit. Clearly, he took corruption with him when he moved from Brazil to Switzerland (the home office) and then to Singapore. This is yet another data point that compliance officers need to assess.

One other point from this matter. Trafigura hired the first corrupt Petrobras employee after he left that company. Once again, compliance needs to figure out a way to become aware of such hires. It was clearly done to pay off this employee and to further the ongoing bribery scheme.

Join us tomorrow for a discussion of Trafigura’s response.

Categories
Blog

The Trafigura FCPA Enforcement Action – Part 1 – Introduction

In March 2024, the Department of Justice (DOJ) announced the resolution of a Foreign Corrupt Practices Act (FCPA) enforcement action involving the Swiss trading firm G Trafigura Beheer B.V. (Trafigura), an international commodity trading company with its primary operations in Switzerland. The company pleaded guilty and will pay over $126 million to resolve an investigation stemming from the company’s corrupt scheme to pay bribes to Brazilian government officials to secure business with Brazil’s state-owned and state-controlled oil company, Petróleo Brasileiro S.A. Petrobras (Petrobras).

According to the DOJ Press Release, “Trafigura pleaded guilty to conspiracy to violate the anti-bribery provisions of the FCPA. Under the plea agreement, Trafigura will pay a criminal fine of $80,488,040 and forfeiture of $46,510,257. The department will credit up to $26,829,346 of the criminal fine against amounts Trafigura pays to resolve an investigation by law enforcement authorities in Brazil for related conduct.”

In the DOJ Press Release, Principal Deputy Assistant Attorney General Nicole M. Argentieri, head of the Justice Department’s Criminal Division, said, “For more than a decade, Trafigura bribed Brazilian officials to illegally obtain business and reap over $61 million in profits. Today’s guilty plea underscores that companies will face significant penalties when they pay bribes and undermine the rule of law. The department remains determined to combat foreign bribery and hold accountable those who violate the law.”

U.S. Attorney Markenzy Lapointe for the Southern District of Florida said, “Our office will continue to target anyone who uses the Southern District of Florida to further foreign corrupt practices and bribery schemes. We will continue working with our Criminal Division colleagues to identify and prosecute those responsible, including individuals and corporations.” Finally, Assistant Director Michael Nordwall of the FBI’s Criminal Investigative Division noted, “Trafigura’s corrupt practices violated the FCPA, and today’s resolution demonstrates that there are steep penalties for any company that tries to bribe government officials.

The information noted that between approximately 2003 and 2014, Trafigura and its co-conspirators paid bribes to Petrobras officials to obtain and retain business with Petrobras. Beginning in 2009, Trafigura and its co-conspirators, who met in Miami to discuss the bribery scheme, agreed to make bribe payments of up to 20 cents per barrel of oil products bought from or sold to Petrobras by Trafigura and to conceal the bribe payments through the use of shell companies, and by funneling payments through intermediaries who used offshore bank accounts to deliver cash to officials in Brazil. Trafigura profited approximately $61 million from the corrupt scheme.

Trafigura’s conduct during most of the investigation was undoubtedly less than sterling. The company did not self-disclose to the DOJ and had the Plea Agreement dryly noted, “However, the defendant, in particular during the early phase of the government’s investigation, failed to preserve and produce certain documents and evidence promptly and, at times, took positions that were inconsistent with full cooperation.” Additionally, Trafigura was slow to exercise disciplinary and remedial measures for certain employees whose conduct violated company policy. In other words, it was not a company that engendered itself with the DOJ during the investigation phase.

Perhaps because of its conduct during the investigation and an apparent lack of a culture of compliance at the firm, the company only received 10% off the middle range under the sentencing guidelines. Trafigura was a recidivist, with (1) a 2006 guilty plea for entry of goods using false statements, (2) Trafigura’s 2010 conviction of violating Netherlands exports, and (3) a violation of Côte d’Ivoire environmental laws in connection with the discharge of petroleum waste. Ultimately, Trafigura admitted that it had done something illegal during the investigation. However, the company’s initial stance in resolution talks caused a lot of delays, and the government had to spend a lot of time and money gathering more evidence that could be used in court before Trafigura could agree to a peaceful resolution. This led to a guilty plea and a criminal fine, reflecting a 10% reduction off the fifth percentile of the applicable guidelines acceptable range.

In this blog series, we will consider bribery schemes, resolutions, and lessons learned for compliance professionals.

Categories
Blog

How Boeing Can Begin to Fix its Broken Culture

How bad is Boeing’s culture? It is so bad that, as reported in the WSJ, the CEO has announced his departure from the company, and the Chairman of the Board of Directors has announced he will not stand for re-election. It is so bad that the New York Times asked in a headline, What Should Boeing Do to Fix Its Longstanding Problems? Over this week, I have been exploring how a company can assess its corporate culture, improve it, and make those changes permanent through continuous monitoring and improvement. I want to conclude this blog post series by applying those lessons to the current culture at Boeing.

First, Boeing must create a culture that prioritizes those who speak up about safety issues. An organization’s speak-up culture is essential for fostering open communication, transparency, and employee trust. Such a culture encourages individuals to raise concerns, flag potential issues, and contribute to a safer and more accountable work environment. By prioritizing a speak-up culture, companies can proactively address challenges, prevent safety risks, and promote a culture of continuous improvement.

A speak-up culture is a critical factor in ensuring organizational success and safety. Employees must feel safe, valued, and empowered to voice their opinions without fear of reprisal. Boeing must create a culture of trust and psychological safety to enable individuals to speak up, as a culture that supports open communication leads to better decision-making processes and overall performance. A speak-up culture is pivotal in shaping a positive and proactive organizational environment.

Accountability in leadership is fundamental to setting the tone for organizational culture and fostering a sense of responsibility and integrity among team members. The resignation of the CEO is probably a necessary first step, as leaders who demonstrate accountability not only model desired behaviors but also create a culture where individuals take ownership of their actions and outcomes. Leaders cultivate a culture of trust, respect, and ethical conduct by holding themselves and others accountable for their commitments and decisions. Such leadership is lacking at this point at Boeing.

Sam Silverstein has emphasized accountability in leadership as a transformative impact on organizational dynamics. By stressing that accountability is a way of life rather than a mere task, Silverstein underscored leaders’ profound influence in shaping the values and norms within their teams. He stressed the importance of consistency and fairness in holding individuals accountable, noting that leaders play a pivotal role in setting expectations and driving cultural change. The discussion underscored the critical role of leadership accountability in fostering a culture of integrity and excellence within organizations.

Yet the question remains: How can Boeing change its corporate culture? Changing organizational culture is a complex and multifaceted endeavor that requires a deliberate and strategic approach. To shift its culture, Boeing must first assess the existing norms, values, and behaviors that shape its environment. Boeing can begin by identifying areas for improvement and aligning cultural practices with desired outcomes. Companies can embark on a journey of cultural transformation that enhances employee engagement, performance, and overall organizational success. It all starts with a cultural assessment.

Equally important is the need for the new CEO and Boeing’s senior leadership to fully commit to driving cultural change within organizations. Boeing can initiate meaningful change by defining and measuring the current culture, investing in training and education, and holding individuals accountable for upholding cultural values. Cultural initiatives must be aligned with business objectives and ensure that cultural transformation efforts are embedded in every aspect of the organization. There are significant challenges ahead for Boeing, but the company has the opportunity to achieve lasting transformation.

In short, the company must take the following steps:

  • Analyze its safety failure report to uncover critical insights into safety management protocols and potential areas for improvement.
  • Explore the profound impact of company culture on safety practices and understand how it shapes employees’ behavior and decision-making in critical situations.
  • Implement effective speak-up programs to empower employees to voice their safety concerns without fear of reprisal, fostering a culture of open communication and proactive risk mitigation.
  • Foster safe environments by leveraging leadership’s pivotal role in setting clear safety expectations, modeling best practices, and promoting a culture of accountability.
  • Enhance reporting systems in large corporations to streamline incident documentation, analysis, and communication for proactive risk management and continuous safety improvement.

I hope you have enjoyed this blog post series on corporate culture and that you will follow my latest podcast, Culture Crafters, on the Compliance Podcast Network.