Categories

The Gunvor FCPA Enforcement Action: Part 3 – The Discounted Fine

We continue our exploration of the resolution of the FCPA enforcement action involving the Swiss trading firm Gunvor S.A. The enforcement action came in with a $661 million penalty against the company, which has pleaded guilty to bribing Ecuadorian government officials through the 2010s in exchange for intelligence about upcoming business contracts with the state-owned oil company of Ecuador. The matter was resolved via a Plea Agreement. Information detailing the company’s conduct was also issued.

Given the multi-year nature of the bribery scheme, how high it went up in the organization, and the lack of self-disclosure, one might charitably wonder how Gunvor was able to garner a fine that was so low. According to the Plea Agreement,  Gunvor paid over $97 million to corrupt third-party agents, who then made bribes to Ecuadorian officials. Gunvor earned over $384 million in profits from the business obtained through the corrupt scheme. Yet Gunvor received a 25% discount off the 30th percentile of the applicable US Sentencing Guidelines fine range. How did Gunvor achieve this discount?

Extensive Cooperation

The starting point for this analysis is the Plea Agreement. It noted several factors, including, among others, the nature and seriousness of the offense. Gunvor received credit for its cooperation with the department’s investigation, which included: (i) producing documents to the department from multiple foreign countries expeditiously while navigating foreign data privacy and criminal laws; (ii) providing information obtained through its own internal investigation to the department, which allowed the department to preserve and obtain evidence as part of the department’s investigation; (iii) making detailed, factual presentations to the department; (iv) arranging for the interview of an employee based outside the United States; (v) promptly collecting, analyzing, and organizing voluminous information, including complex financial information, at the request of the department, and producing an analysis of trading activity conducted by multiple outside forensic accounting firms retained by Gunvor; (vi) translating foreign language documents to facilitate and expedite review by the department; and (vii) imaging the phones of relevant custodians at the beginning of Gunvor’s internal investigation, thus preserving business communications sent on mobile messaging applications.

The Remediation

The Plea Agreement also included information on the remediation that Gunvor carried out. Gunvor also engaged in timely and appropriate remedial measures, including: (i) eliminating the use of third-party business origination agents; (ii) enhancing its third party due-diligence process; (iii) developing and implementing a control framework for internal business developers and additional layers of review and approval for counterparty payments; (iv) enhancing the independent compliance committee with responsibility for reviewing high-risk transactions; (v) engaging resources to review its compliance program and test the effectiveness of its overall reporting process, its reporting hotline and the effectiveness of the investigation of reports made through the hotline; (vi) evaluating and updating its compensation policy to better incentivize compliance with the law and corporate policies; (vii) hiring additional compliance personnel; (viii) testing and enhancing its compliance program, including by conducting compliance culture reviews, testing new third party due diligence process and payment controls, and evaluating controls around business development activities; and (ix) developing and implementing a risk-based business communications policy that addresses the use of ephemeral and encrypted messaging applications.

Prior Misconduct

The department also considered Gunvor’s history of misconduct. In October 2019, Gunvor resolved with the Office of the Attorney General of Switzerland concerning a corrupt scheme to bribe officials in Congo-Brazzaville and Côte d’Ivoire to secure oil contracts obtained between 2009 and 2012. As part of the 2019 Swiss resolution, Gunvor admitted that it lacked sufficient controls to prevent the underlying misconduct and failed to take “all the reasonable organizational measures” required to prevent Gunvor’s employees and agents from engaging in bribery.

Fine Calculation

The explanation from the DOJ answered an open question in the minds of many compliance professionals about recent FCPA enforcement. That question was about how culture and prior misconduct were factored into the fine determination. This case follows the recent SAP enforcement action, where there was a similar analysis. The DOJ is not discounting fines off the low end of a fine range but instead on some point above that low end. In Gunvor’s case, the high end of the fine range (after the full calculation under the Sentencing Guidelines) was $768,328,352, and the low end of the fine range was $384,164,176. With the uplift to the 30th percentile, the final fine was $374,560,071, with an additional forfeiture of $287,138,444. In the SAP enforcement action, the company received a 40% discount off the 10th percentile of the Sentencing Guidelines fine range.

Failure to Self-Disclose

We need to emphasize, once again, that under the Corporate Enforcement Policy, Gunvor’s failure to self-disclose cost it an opportunity of at least 50% and up to a 75% reduction off the low end of the U.S. Sentencing Guidelines: fine range. Moreover, its actions resulted in the company not receiving a reduction of at least 50% and up to 75% from the low end of the U.S.S.G. fine range but rather at the 30th percentile noted above. Gunvor’s failure to self-disclose cost it an estimated $50 million under the Sentencing Guidelines. Its inability to self-disclose and recidivism cost it a potential $150 million in total discounts available under the Corporate Enforcement Policy.

 Once again, the significance is that the DOJ is sending the message that self-disclosure is the single most important thing a company can do in any FCPA investigation or enforcement action. Kenneth Polite said that when announcing the updated Corporate Enforcement Policy in January 2023, the new Monitor Selection Policy was the number one reason for a company not having a monitor required. The DOJ’s message could not be more explicit: self-disclose, self-disclose, self-disclose, self-disclose.

Join us tomorrow as we consider the lessons learned from the Gunvor FCPA enforcement action.

Categories

The Gunvor FCPA Enforcement Action: Part 2 – The Bribery Schemes

We continue our exploration of the resolution of the FCPA enforcement action involving the Swiss trading firm Gunvor S.A. The enforcement action came in with a $661 million penalty against the company, which has pleaded guilty to bribing Ecuadorian government officials through the 2010s in exchange for intelligence about upcoming business contracts with the state-owned oil company of Ecuador. The matter was resolved via a Plea Agreement. Information detailing the company’s conduct was also issued.

The Gunvor bribery schemes ran for nearly 8 years. Between 2012 and 2020, Gunvor paid more than $97 million to intermediaries, knowing that some money was used to bribe Ecuadorean officials. Those officials included Nilsen Arias Sandoval, a then-high-ranking official at Petroecuador. To show the blatantness of the bribery scheme, Gunvor managers and agents attended meetings in the United States and elsewhere, and bribe payments were routed through banks in the United States using shell companies in Panama and the British Virgin Islands controlled by Gunvor’s co-conspirators. According to the DOJ, a Gunvor employee also directed one of the intermediaries to use the money to purchase an 18-karat gold Patek Philippe watch.

According to the Plea Agreement, the Brothers Ycaza, Antonio Pere, and  Enrique Pere were agents for Gunvor who exercised control over companies and bank accounts in the United States and elsewhere. These accounts were used to facilitate the payment of bribes to Ecuadorian government officials to, among other things, obtain and retain business for Gunvor.

Gunvor paid over $97 million to the Brothers Ycaza via their companies, EIC and OIC. Several Gunvor employees, including Kohut, Gunvor Manager #1, and Gunvor Manager #2, knew and intended that some payments would be used to bribe Ecuadorian officials. After that, the Brothers Ycaza made millions of dollars in bribe payments on Gunvor’s behalf, directly and indirectly, to Ecuadorian officials identified by number in the Plea Agreement.

To do so, the Brothers Ycaza set up shell companies to launder Gunvor’s corrupt payments, entered into several service agreements to facilitate the payment of bribes, created fake invoices for purported consulting services, and used email accounts with pseudonyms to transfer funds to offshore shell companies involved in the conspiracy. The illegal payments were made through multiple bank accounts in the United States and abroad to conceal the bribes.

Gunvor Singapore made the corruption payments through a services agreement with the Brothers Ycaza and their company through EIC, which enabled the payment of bribes to Ecuadorian officials on Gunvor’s behalf. The agreement provided for certain prepayments and success fees, but the bulk of the compensation was through per-barrel “volume fee” payments to EIC that depended on the amount of oil purchased in connection with the oil-backed loan contract. Gunvor and EIC amended the services agreement several times to change, among other things, the amount of the volume fees due to be paid to EIC. The Brothers Ycaza used portions of the volume fees to pay bribes to Ecuadorian officials on Gunvor’s behalf. The volume fee compensation model for the Brothers Ycaza was increased multiple times to increase both their compensation and the amount of bribes being paid on behalf of Gunvor over the length of the bribery scheme.

In exchange for the bribes, Ecuadorian officials provided improper advantages to Gunvor, including (a) helping to direct Petroecuador to award contracts to State-Owned Entities for the ultimate benefit of Gunvor and (b) providing Gunvor, through certain of its employees and agents, information about Petroecuador that assisted Gunvor in corruptly obtaining and retaining business for Gunvor in connection with Petroecuador. This structure allowed Gunvor and its co-conspirators to avoid a competitive bidding process and obtain contractual terms they could not have otherwise. Gunvor also received confidential Petroecuador information in exchange for the bribes. Gunvor earned more than $384 million in profits from the contracts it obtained corruptly from Petroecuador.

In 2017, when the corrupt Petroecuador official Arias left the company, the Brothers Ycaza engaged other corrupt Petroecuador officials through cash bribe payments. This new scheme included effecting bribe payments on Gunvor’s behalf in exchange for confidential Petroecuador information about shipping windows. To facilitate this scheme phase, Gunvor continued to pay fees to the Brothers Ycaza through another company, OIC, on each barrel of oil products purchased in connection with their oil-backed loan contracts with Petroecuador. As in the prior phase of the scheme, Gunvor employee Kohut continued to coordinate the processing and payment of the invoices by Gunvor. Upon receiving funds from Gunvor, the Brothers Ycaza wired money to intermediaries based in Ecuador, who then arranged for the bribes to be delivered in cash to Ecuadorian officials within Petroecuador, who provided confidential Petroecuador information to Gunvor.

Gunvor employees and officers participating in the bribery scheme worked to conceal their illegal actions. One Gunvor Manager instructed Kohut to communicate using personal email accounts. The Brothers Ycaza also used personal or pseudonymous email accounts to speak about the scheme. Alias were often used rather than their actual names.

Interestingly, and perhaps equally troublingly, Gunvor executives and compliance personnel knew that Gunvor had paid the Brothers Ycaza tens of millions of dollars. This was without receiving other supporting documentation for EIC’s or OIC’s business activities on Gunvor’s behalf. Between May 2018 and May 2020, Gunvor executives and compliance personnel requested the Brothers Ycaza (i) for supporting documentation to justify the commission payments and (ii) to meet with executives and compliance personnel. The Brothers Ycaza repeatedly failed to respond entirely to Gunvor’s documentary requests and would not travel to Gunvor’s headquarters for the requested meeting. Finally, the Plea Agreement dryly noted, “Notwithstanding these repeated failures, Gunvor continued to make corrupt payments to entities owned and controlled by Antonio Pere and Enrique Pere until approximately January 2020, at which time Gunvor suspended payments to OIC.”

It is unclear from any resolution documents or the DOJ Press Release how the bribery scheme was uncovered or even ended. It may have been through a DOJ investigation into one of the other corrupt companies that came to grief working in Ecuador or with Petroecuador. It is clear that Gunvor did not self-disclose.

Join us tomorrow, and we will consider Gunvor’s steps after the DOJ knocks.

Categories

The Gunvor FCPA Enforcement Action: Part 1 – Introduction

In March 2024, the Department of Justice (DOJ) announced the resolution of an FCPA enforcement action involving the Swiss trading firm Gunvor S.A. The enforcement action comes in with a $661 million penalty against the company, which has pleaded guilty to bribing Ecuadorian government officials through the 2010s in exchange for intelligence about upcoming business contracts with the state-owned oil company of Ecuador. The matter was resolved via a Plea Agreement. Information detailing the company’s conduct was also issued.

  1. Introduction

According to the DOJ Press Release, “Gunvor entered into a plea agreement with the government and pleaded guilty to an information charge charging the company with conspiracy to violate the anti-bribery provisions of the FCPA. Following the plea, the court sentenced Gunvor to pay a criminal monetary penalty of $374,560,071 and to forfeit $287,138,444 in ill-gotten gains. The sentence includes credits of up to one-quarter of the criminal fine for amounts Gunvor pays to resolve investigations by Swiss and Ecuadorean authorities into the same misconduct.”

In a DOJ Press Release, Acting Senior Counselor Brent S. Wible of the Justice Department’s Criminal Division said, “Over nearly a decade, Gunvor representatives bribed high-level government officials at Ecuador’s state-owned oil company to enter into business transactions with other state-owned entities that ultimately benefited Gunvor. As a result of this complex bribery scheme, Gunvor obtained hundreds of millions of dollars in illicit profits. Gunvor’s guilty plea demonstrates that the Criminal Division remains resolute in our efforts to root out bribery and official corruption. We will continue to hold both corporations and individuals who bribe foreign officials to account in coordination with our international partners.”

U.S. Attorney Breon Peace for the Eastern District of New York noted, “Today’s guilty plea and sentencing mark yet another example of this office’s efforts to combat widespread corruption.” He added, “Corruption erodes the public’s trust in their government, prevents government officials from acting in the best interests of the people they represent, and harms businesses that play by the rules, driving up consumer prices. The Justice Department, including my office, will not tolerate bribes paid by American companies or foreign companies misusing the U.S. financial system.”

Finally, Special Agent in Charge Jeffrey B. Veltri of the FBI Miami Field Office added, “Gunvor’s years-long bribery scheme involving high-level Ecuadoran officials was detrimental to the business environment and eroded the public’s trust and confidence in their government. This guilty plea and significant fine would not have been possible without significant cooperation from our international partners in the Cayman Islands, Colombia, Curacao, Ecuador, Panama, Portugal, Singapore, and Switzerland. This truly was an international effort.”

II.Information

The Information found that between 2012 and 2020, Gunvor and its co-conspirators paid more than $97 million to intermediaries, knowing that some of the money would be used to bribe Ecuadorean officials, including a high-ranking official at the country’s national energy concern, Petroecuador. Gunvor managers and agents attended meetings in the United States and elsewhere as part of the scheme. The bribe payments were routed through banks in the United States using shell companies in Panama and the British Virgin Islands controlled by Gunvor’s co-conspirators.

In exchange for these bribe payments, high-level Ecuadorian officials front companies for Gunvor to win the rights to a series of oil-backed loan contracts with Petroecuador. This structure allowed Gunvor and its co-conspirators to avoid a competitive bidding process and obtain contractual terms that they could not have otherwise. Gunvor also received confidential Petroecuador information in exchange for the bribes. Gunvor earned more than $384 million in profits from the contracts it obtained corruptly from Petroecuador.

The Press Release also noted the guilty pleas from multiple participants in the bribery scheme and recipients of the illegal payments. The DOJ obtained guilty pleas from the following individuals:

  • Antonio Pere Ycaza, a former consultant for Gunvor, pleaded guilty to one count of conspiracy to violate the FCPA and one count of conspiracy to commit money laundering.
  • Enrique Pere Ycaza pleaded guilty to one count of conspiracy to commit money laundering and to violate the FCPA.
  • Raymond Kohut pleaded guilty to one count of conspiracy to commit money laundering.
  • Nilsen Arias Sandoval, a former senior Petroecuador official, pleaded guilty to one count of conspiracy to commit money laundering.

Over this blog series, we will consider bribery schemes, resolutions, and lessons learned for compliance professionals.

Categories

Ten Top Lessons from Recent FCPA Settlements – Lesson No. 10, Getting to Self-Disclosure: Speak Up, Triage and Internal Investigation

Over this series, I have reviewed the messages communicated by the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) from three key Foreign Corrupt Practices Act (FCPA) enforcement actions regarding their priorities in investigations, what they want to see in remediations, and what they consider best practices compliance programs. These enforcement actions warrant a close study of the lessons learned. They should guide not simply your actions should you find yourself in an investigation but also how you should think about priorities. One thing is abundantly clear: It all begins with self-disclosure.

The three FCPA enforcement actions we have reviewed are ABB from December 2022, Albemarle from November 2023, and SAP from January 2024. I added a fourth, the Gunvor S.A. enforcement action, as a discussion point, as it was released while I was writing this series. I have also cited several speeches by DOJ officials, including those from Deputy Attorney General Lisa Monaco and Assistant Attorney General Kenneth Polite. They pointed out a clear path for the company, which finds itself in an investigation, using extensive remediation to avoid monitoring. They provided insight for the compliance professional into what the DOJ expects in a best practices compliance program on an ongoing basis.

Late last week, there were two speeches at the ABA White Collar Conference: one by DAG Lisa Monaco and a second by Acting Assistant Attorney General Nicole M. Argentieri, which re-emphasized the points I have articulated. Today, I want to use their speeches to add another factor to my Top Ten Lessons List: a Speak Up Culture, effective triage, and quick, efficient, and accurate internal investigation when information is brought forward.

DAG Monaco could not have been clearer when she said, “When a business discovers that its employees broke the law, the company is far better off reporting the violation than waiting for DOJ to discover it. Now, when the DOJ does discover the violation, the company can still reduce its exposure by proactively cooperating in our investigation. But I want to be clear: no matter how good a company’s cooperation, a resolution will always be more favourable with voluntary self-disclosure.” [emphasis supplied]

DAG Monaco noted that the DOJ has structured its “Voluntary Self Disclosure (VSD) programs to encourage companies to take responsibility for misconduct within their organizations. And we’ve conditioned benefits on the company’s willingness to step up and own up — requiring it to disgorge profits, upgrade compliance systems, and cooperate in investigations of culpable employees…We want to empower them to make the business case for investing in compliance. And when they do, they can point to our policies. Early reports on this work are promising. We directed all components and U.S. Attorneys to implement self-disclosure programs.”

The benefits of the VSD come from this self-disclosure. The DOJ’s announcement that it was launching a whistleblower program for payments to people who come forward with information about criminal activity emphasised this idea even more. While the SEC, CFTC, IRS, and other agencies have whistleblower reward programs, this is a powerful message from the DOJ that if your company has an issue, it is far better to self-disclose than investigate, remediate, and hope the DOJ (or any other agency) never finds out about the matter. Put another way, Argentieri spoke about “the benefits that await those that voluntarily disclose misconduct.”

All of this means you must be able to intake, evaluate, and investigate the information.

Culture of Speak Up

Your organization must have an effective and efficient means of allowing employees to raise their hands and speak up. That speak-up can be through an anonymous hotline, by going into their supervisor’s office to report something, or by coming to the compliance function. Or it could be another avenue of reporting. The point is that every company must be ready, willing, and able to hear and act on internal reports of wrongdoing.

Triage

Given the number of ways that information about violations or potential violations can be communicated to government regulators, having a robust triage system is a critical way to separate the wheat from the chaff and bring the correct number of resources to bear on a compliance problem. One important area is determining whether to bring in outside counsel to head up an investigation and the resources you may want or need to commit to a problem. You need to “kick the tyres” of any allegations or information so that you know the circumstances in front of you before you make decisions. You can achieve this through a robust triage process.

Internal Investigations

You can decide whether or not to investigate by consulting with other groups, such as the Compliance Committee of the Board of Directors or the Legal Department. The head of the business unit in which the claim arose may also be notified that an allegation has been made and that the Compliance Department will be handling the matter on a go-forward basis. Using a detailed written procedure, you can ensure complete transparency on all parties’ rights and obligations once an allegation is made. This gives compliance the flexibility and responsibility to deal with such matters, from which it can best assess and decide how to manage them.

We concluded this series where we began with the need for or benefits of self-disclosure. The benefits laid out by the DOJ are clear, tangible, and direct. If you self-disclose, provide extraordinary cooperation, extensively remediate, and disgorge any ill-gotten gains through profit disgorgement, there will be a presumption of declination. Even if you do not meet the self-disclosure threshold, you can still garner significant discounts under the DOJ’s Corporate Enforcement Policy through extraordinary cooperation and extensive remediation.

Categories

Ten Top Lessons from Recent FCPA Settlements – Lesson No. 9, Internal Controls

Over the past 15 months, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have made clear, through three Foreign Corrupt Practices Act (FCPA) enforcement actions and speeches, their priorities in investigations, remediations, and best practices compliance programs. Every compliance professional should study these enforcement actions closely for the lessons learned and direct communications from the DOJ. They should guide not simply your actions should you find yourself in an investigation but also how you should think about priorities.

The three FCPA enforcement actions are ABB from December 2022, Albemarle from November 2023, and SAP from January 2024. Taken together, they point out a clear path for the company that finds itself in an investigation, using extensive remediation to avoid monitoring and provide insight for the compliance professional into what the DOJ expects in an ongoing best practices compliance program.

Over a series of blog posts, I will lay out what I believe are the Top Ten lessons from these enforcement actions for compliance professionals who find themselves in an enforcement action. Today, we continue with Number 9, Internal Controls. The DOJ has made it clear that any organization under FCPA scrutiny must use its internal controls to continuously test, monitor, and improve all aspects of its compliance program.

SAP

As a part of its remediation, the company conducted a gap analysis of internal controls. This remediation found those internal controls “lacking.” SAP also undertook a “comprehensive risk assessment focusing on high-risk areas and controls around payment processes and enhancing its regular compliance risk assessment process.” Using this risk assessment as a starting point, the company performed a gap analysis, determined the overall remediation regime needed, and effectuated that remediation. 

ABB

The ABB Plea Agreement reported that ABB “performed a root-cause analysis of the conduct at issue. From there, the company revamped its internal controls, investing significant additional resources in control testing and monitoring throughout the organization. While not often seen as a part of internal controls, the company restructured its reporting by internal project teams to ensure compliance controls oversight.

Additionally, ABB essentially created its monitoring program around controls, testing its compliance program, and reporting to the DOJ. In the “Written Work Plans, Reviews, and Reports” section, ABB agreed to conduct a first review and prepare a report, followed by at least two follow-up reviews and reports. But more than simply reporting on control testing, ABB agreed to create and submit for review a work plan for this ongoing testing of its compliance program, as the program was detailed in the DPA. The DPA specified, “No later than one (I) year from the date this Agreement is executed, the Company shall submit to the Offices a written report setting forth:

  • a complete description of its remediation efforts to date;
  • a complete description of the controls testing conducted to evaluate the effectiveness of the compliance program and the results of that testing; and
  • It proposes to ensure that its compliance program is reasonably designed, implemented, and enforced so that the program is effective in deterring and detecting violations of the FCPA and other applicable anti-corruption laws.”

The bottom line is that all these companies worked very hard to significantly enhance their controls, testing, and monitoring and then improve based on that information. None of the actions taken by these companies were particularly new or even innovative. Indeed, these strategies have been available from the DOJ since at least the first edition of the FCPA Resource Guide in 2012. It was, however, the work by the company to understand the deficiencies in their internal controls regime and their superior efforts to upgrade them.

Albemarle

The Albemarle SEC Order was instructive regarding internal controls for a different reason than we have been considering throughout this series. The Order detailed a series of internal control failures by the company across multiple business units in several other countries. The entire story painted a picture of a company that did not have adequate or easily overridden internal controls.

Vietnam. The Order noted, “Albemarle’s system of internal accounting controls was insufficient to prevent or detect these improper payments, which Albemarle Singapore falsely recorded as legitimate commissions in books and records consolidated into Albemarle’s financial statements.”

India. A backdated agreement increased an India agent’s commission multiple times without compliance oversight or approval. Commissions went from “extremely high” to “far from any possible realistic justification.” Finally, “the agreement called for payment of a three percent commission to India Agent, a rate three times higher than that paid to Albemarle’s existing agent for India.”

Indonesia. Albemarle’s system of internal accounting controls was insufficient to prevent or detect the improper payments made to and through Indonesia Agent, which Albemarle Singapore falsely recorded as legitimate commissions and business expenses in books and records consolidated into Albemarle’s financial statements.”

China.  When an Albemarle business director questioned China Agent’s compensation as “high,” an Albemarle Netherlands business director provided the business justification that he anticipated significant returns on the contract.

UAE.  No due diligence was conducted on an agent until after the agent agreement had been executed. The agent provided no discernible services other than conveying confidential tender evaluations and competitors’ bids obtained from the customer.

Each of these resolutions drives home the importance of internal controls, creation, and remediation as a key part of your overall compliance regime during any investigation. The sooner you can start on your internal controls, the better off you will be in your negotiations with the DOJ and SEC.

Categories

Ten Top Lessons from Recent FCPA Settlements – Lesson No. 8, Enhancing Your Compliance Program

Over the past 15 months, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have made clear, through three Foreign Corrupt Practices Act (FCPA) enforcement actions and speeches, their priorities in investigations, remediations, and best practices compliance programs. Every compliance professional should study these enforcement actions closely for the lessons learned and direct communications from the DOJ. They should guide not simply your actions should you find yourself in an investigation but also how you should think about priorities.

The three FCPA enforcement actions are ABB from December 2022, Albemarle from November 2023, and SAP from January 2024. Taken together, they point out a clear path for the company that finds itself in an investigation, using extensive remediation to avoid monitoring and providing insight for the compliance professional into what the DOJ expects in an ongoing best practices compliance program.

Over this series of blog posts, I will lay out what I believe are the Top Ten lessons from these enforcement actions for compliance professionals who find themselves in an enforcement action. Today, we continue with Number 8, Enhancement of Compliance. The DOJ has clarified that any company undergoing an FCPA enforcement action must significantly enhance its compliance program with a budget, headcount, and expertise in reporting, investigations, and consequence management processes.

Albemarle

The Albemarle NPA cited several remedial actions by the company that helped Albemarle obtain superior results regarding the discounted fine and penalty. These steps were taken during the pendency of the DOJ investigation so that when the parties were ready to resolve the matter, Albemarle had built out an effective compliance program and had tested it. The NPA provided that Albemarle

  • Strengthening its anti-corruption compliance program by investing in compliance resources, expanding its compliance function with experienced and qualified personnel, and taking steps to embed compliance and ethical values at all levels of its business organization;
  • Transformed its business model and risk management process to reduce corruption risk in its operation and to embed compliance in the business, including implementing a go-to-market strategy that resulted in eliminating the use of sales agents throughout the Company, terminating hundreds of other third-party sales representatives, such as distributors and resellers, and shifting to a direct sales business model;
  • Provided extensive training to its sales team, restructuring compensation and incentives so that compensation is no longer tied to sales amounts;
  • Used data analytics to monitor and measure the compliance program’s effectiveness and
  • It engaged in continuous testing, monitoring, and improvement of all aspects of its compliance program, beginning almost immediately after identifying misconduct.

The NPA noted that Albemarle engaged in holdbacks, as they did not pay bonuses to certain employees involved in the conduct or those with oversight. The NPA said, “During its internal investigation, the Company withheld bonuses totaling $763,453 from employees suspected of wrongdoing.” The illegal behavior involved people who “(a) had supervisory authority over the employee(s) or business area engaged in the misconduct; and (b) knew of, or were willfully blind to, the misconduct.” This effort was important because it allowed Albemarle to get an extra fine reduction of a dollar for every dollar they spent on the investigation.

Indeed, Deputy Attorney General Lisa Monaco cited the Albemarle FCPA resolution: “The company received a clawback credit for withholding bonuses for employees who engaged in misconduct. Not only did Albemarle keep the bonuses that would have gone to wrongdoers, but the company also received an offset against its penalty for the same amount. That’s money saved for Albemarle and its shareholders—and a concrete demonstration of the value of clawback programs.”

SAP

SAP did an excellent job in its remedial efforts to build out its compliance program. In addition to the prior discussions of SAP’s remedial efforts, the DOJ also pointed out the company’s Enhancement of Compliance. Here, the company significantly increased the budget, resources, and expertise devoted to compliance, restructuring its Offices of Ethics and Compliance to ensure adequate stature, independence, autonomy, and access to executive leadership; enhancing its code of conduct and policies and procedures regarding gifts, hospitality, and the use of third parties; and improving its reporting, investigations, and consequence management processes.

Next were the holdback actions SAP engaged in. The DPA noted SAP withheld bonuses totaling $109,141 during its internal investigation from employees who engaged in suspected wrongdoing in connection with the conduct under investigation or who both (a) had supervisory authority over the employee(s) or business area engaged in the misconduct and (b) knew of, or were willfully blind to, the misconduct, and further engaged in substantial litigation to defend its withholding from those employees, which qualified SAP for an additional fine reduction in the amount of the withheld bonuses under the DOJ’s Compensation Incentives and Clawbacks Pilot Program.

ABB

According to the ABB Plea Agreement, ABB “took a lot of corrective actions,” such as hiring experienced compliance staff and, after figuring out what caused the behavior described in the Statement of Facts, spending a lot more money on compliance testing and monitoring across the whole company; putting in place targeted training programs and extra case-study sessions on-site; and continuing to test and monitor to as This final point was expanded on in the SEC Order, which reported that all employees involved in the misconduct were terminated.

Additionally, ABB essentially created its monitoring program to test its compliance program and report to the DOJ. In a section entitled “Written Work Plans, Reviews, and Reports,” ABB agreed to conduct a first review and prepare a first report, followed by at least two follow-up reviews and reports. But more than simply reporting, ABB decided to create and submit for review a work plan for this ongoing testing of its compliance program, as the program was detailed in the DPA. The DPA specified, “No later than one (I) year from the date this Agreement is executed, the Company shall submit to the Offices a written report setting forth:

  • a complete description of its remediation efforts to date;
  • a complete description of the testing conducted to evaluate the effectiveness of the compliance program and the results of that testing; and
  • It proposes to ensure that its compliance program is reasonably designed, implemented, and enforced so that the program is effective in deterring and detecting violations of the FCPA and other applicable anti-corruption laws.”

The bottom line is that all these companies worked very hard to significantly enhance their compliance programs, with a budget, headcount, and expertise in their reporting, investigations, and consequence management processes. None of the actions by these companies were particularly new or even innovative, as with the innovations around data analytics programs. Indeed, these strategies have been available from the DOJ since at least the first edition of the FCPA Resource Guide in 2012. It was, however, the work of each company to understand the deficiencies in their compliance programs and their superior efforts to upgrade them.

Categories

Ten Top Lessons from Recent FCPA Settlements – Lesson No. 7, Changing Your Business Model

Over the past 15 months, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have made clear, through three Foreign Corrupt Practices Act (FCPA) enforcement actions and speeches, their priorities in investigations, remediations, and best practices compliance programs. Every compliance professional should study these enforcement actions closely for the lessons learned and direct communications from the DOJ. They should guide not simply your actions should you find yourself in an investigation but also how you should think about priorities.

The three FCPA enforcement actions are ABB from December 2022, Albemarle from November 2023, and SAP from January 2024. Taken together, they point out a clear path for the company that finds itself in an investigation, using extensive remediation to avoid monitoring and provide insight for the compliance professional into what the DOJ expects in a best practices compliance program on an ongoing basis.

Over a series of blog posts, I will lay out what I believe are the Top Ten lessons from these enforcement actions for compliance professionals who find themselves in an enforcement action. Today, we continue with Number 7, the Change in Sales Model. This is one of the more intriguing insights from these enforcement actions, as changing a sales model has not been previously called out by the DOJ in prior commentary, iterations of the Evaluations of Corporate Compliance Programs, either in the FCPA Resource Guide or in speeches. However, it is such a self-evident change that you might wonder why it has not been called out previously. One reason may be that it seems like a simple change but is challenging. Therefore, many companies may be reluctant to try to do so.

Albemarle

Albemarle changed its approach to sales and its sales teams. Corrupt third-party agents caused the company such FCPA grief. Many of the quotes in the NPA and Order make it clear that Albemarle executives had an aversion to paying bribes but greater moral flexibility when a third-party agent was involved. This led to the company moving away from third-party agents to a direct sales force.

 SAP

On the external sales side, SAP eliminated its third-party sales commission model globally and prohibited all sales commissions for public sector contracts in high-risk markets. It also enhanced compliance monitoring and audit programs, including creating a well-resourced team devoted to third-party partners and supplier audits. On the internal side, SAP adjusted internal compensation incentives to align with compliance objectives and reduce corruption risk.

Gunvor S.A.

The Gunvor FCPA enforcement action was announced in early March. According to the DOJ Press Release, the company has “pleaded guilty and will pay over $661 million to resolve an investigation by the U.S. Justice Department into violations of the Foreign Corrupt Practices Act (FCPA).” I have not included it in this discussion up to this point. However, the DOJ noted that Gunvor had done away with “eliminating the use of third-party business origination agents.” While this is not a complete change in its sales model, it certainly is a significant part of such an action. It also demonstrates that a company can partly change its overall sales model and sales method in a manner that will draw favor from the DOJ.

Moving to a direct sales force does have its risks that must be managed. Still, those risks can certainly be managed with an appropriate risk management strategy, strategy monitoring, and improvement. Yet there is another reason, and more importantly, a significant business reason, to move towards a direct sales business model. Whenever you have a third-party agent or anyone else between you and your customer, you risk losing that customer because your organization does not have a direct relationship with the customer. By having a direct sales business model, your organization will have a direct relationship with your customers and, therefore, the ability to develop it further.

If your organization is under FCPA investigation, you should examine its sales model to determine its maintenance risks. Suppose your model is fully commission-based or highly commission-dependent. In that case, you may consider moving to a direct sales model to help remediate and manage your risks more effectively.

Categories

Ten Top Lessons from Recent FCPA Settlements – Lesson No. 6, Clawbacks and Holdbacks

Over the past 15 months, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have made clear, through three Foreign Corrupt Practices Act (FCPA) enforcement actions and speeches, their priorities in investigations, remediations, and best practices compliance programs. Every compliance professional should study each of these enforcement actions closely for the lessons learned and direct communications from the DOJ. They should guide not simply your actions should you find yourself in an investigation but also how you should think about priorities.

The three FCPA enforcement actions are ABB from December 2022, Albemarle from November 2023, and SAP from January 2024. Taken together, they point out a clear path for the company that finds itself in an investigation: using extensive remediation to avoid a monitor. They also provide insight for the compliance professional into what the DOJ expects in an ongoing best practices compliance program.

Over a series of blog posts, I will lay out what I believe are the Top Ten lessons from these enforcement actions for compliance professionals who find themselves in an enforcement action. Today we continue  with Number 6, Clawbacks and Holdbacks. These strategies are relatively new to the DOJ’s arsenal, and they want companies to employ them in enforcement actions. While the DOJ and SEC have long made clear that they view monetary structure for incentive compensation, as far back as the FCPA Resource Guide, 1st edition (2012), they did not focus as intensely on the disincentive side of the equation. Prior to the Monaco Memo, clawbacks had not been generally seen as a necessary part of a compliance program.

This began to change in the Monaco Memo. It is now unequivocally required by the DOJ and listed as a crucial area of DOJ inquiry in the 2023 Evaluation of Corporate Compliance Programs. Moreover, having such a penalty in place is also seen as part of an excellent corporate culture, which not only penalizes those who engage in unethical behavior in violation of a company’s policies and procedures but will also “promote compliant behavior and emphasize the corporation’s commitment to its compliance programs and its culture.”

The DOJ was told to look into whether companies have “clawback” clauses in their pay agreements and whether “as soon as the company found out about the misconduct, the company has, as much as possible, taken affirmative steps to carry out such agreements and clawback compensation previously paid to current or former executives whose actions or omissions led to or contributed to the criminal conduct at issue.”

The Monaco Memo directed “to develop further guidance by the end of the year on how to reward corporations that develop and apply compensation clawback policies, including how to shift the burden of corporate financial penalties away from shareholders—who in many cases do not have a role in misconduct—onto those more directly responsible.” This clause is an effort by the DOJ to keep companies from shielding recalcitrant executives from the consequences of their own illegal and unethical conduct.

However, the Monaco Memo clarified that it is not simply having a written policy and procedure. If warranted, there must be corporate action under the clawback policy and procedure. In the Albemarle and SAP enforcement actions, the DOJ evaluated the companies’ actions, “Following the corporation’s discovery of misconduct, a corporation has, to the extent possible, taken affirmative steps to execute on such agreements and clawback compensation previously paid to current or former executives whose actions or omissions resulted in or contributed to the criminal conduct at issue.”

Albemarle

Albemarle went in a different direction—not clawbacks, but holdbacks. While the DOJ has made much noise about clawbacks from recalcitrant executives, Albemarle engaged in holdbacks, where they did not pay bonuses to certain employees involved in the conduct or those who had oversight. The NPA stated, “The company withheld bonuses totaling $763,453 during the course of its internal investigation from employees who engaged in suspected wrongdoing.” The illegal conduct involved those who “(a) had supervisory authority over the employee(s) or business area engaged in the misconduct; and (b) knew of, or were willfully blind to, the misconduct.” The significance of this effort was vital as it qualified Albemarle for an additional fine reduction of a dollar-for-dollar credit of the amount of the withheld bonuses under the Criminal Division’s March 2023 Compensation Incentives and Clawbacks Pilot Program. 

SAP

SAP had extensive holdbacks as well. The DPA noted SAP withheld bonuses totaling $109,141 during the course of its internal investigation from employees who engaged in suspected wrongdoing in connection with the conduct under investigation, or who both (a) had supervisory authority over the employee(s) or business area engaged in the misconduct and (b) knew of, or were willfully blind to, the misconduct, and further engaged in substantial litigation to defend its withholding from those employees, which qualified SAP for an additional fine reduction in the amount of the withheld bonuses under the DOJ’s Compensation Incentives and Clawbacks Pilot Program.

The DOJ has given significant credit to both Albemarle and SAP for their holdbacks, and we would expect them to continue to do so. If your organization has not instituted a Clawback/Holdback Policy, now is the time to do so rather than wait until you are in the middle of an investigation or enforcement action. Also, remember that the DOJ gives a dollar-for-dollar credit on any settlement where the company engaged in either clawbacks or holdbacks.

Categories

Ten Top Lessons from Recent FCPA Settlements – Lesson No. 5, Data Analytics

Over the past 15 months, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have made clear, through three Foreign Corrupt Practices Act (FCPA) enforcement actions and speeches, their priorities in investigations, remediations, and best practices compliance programs. Every compliance professional should study these enforcement actions closely for the lessons learned and direct communications from the DOJ. They should guide not simply your actions should you find yourself in an investigation but also how you should think about priorities.

The three FCPA enforcement actions are ABB from December 2022, Albemarle from November 2023, and SAP from January 2024. Taken together, they point a clear path for the company that finds itself in an investigation, using extensive remediation to avoid monitoring, and provide insight for the compliance professional into what the DOJ expects in a best practices compliance program on an ongoing basis.

Over a series of blog posts, I will lay out what I believe are the Top Ten lessons from these enforcement actions for compliance professionals who find themselves in an enforcement action. Today, we continue with Number 5, Data Analytics. Data analytics was previously seen as cutting-edge in compliance. Now, they are recognized as part of a best practices compliance program. By this time next year, they will be table stakes for every compliance program. However, the DOJ specifically called out the use of data analytics in these three enforcement actions and the incorporation of data analytics into their compliance regimes in the future.

Albemarle

Albemarle’s NPA specifically called out the Company’s use of data analytics in two ways. The first was to monitor the Company’s compliance program, and the second was to measure the compliance program’s effectiveness. While this language follows a long line of DOJ pronouncements, starting with the 2020 Update to the Evaluation of Corporate Compliance Programs, about the corporate compliance functions’ access to all company data, this is the first time it has been called out in a settlement agreement in this manner. Moreover, although not explicitly tied to the lack of a required corporate monitor, it would appear that by using data analytics, Albemarle was able to satisfy the DOJ requirement for implementing controls and then effectively testing them throughout the pendency of the DOJ investigation.

Andrew McBride, Chief Risk & Compliance Officer at Albemarle. He noted that if you think about each element of a compliance program—policies and procedures, training, due diligence, and pre-approvals—and your investigation process, a recurring theme throughout is the role of data to test that those program elements are working as you intend. McBride believes there are four critical purposes for using data and data analytics to support the ethics and compliance program, which he listed as follows:

  1. Risk Identification Issues. It can be used as a part of transaction testing and auditing to identify problematic behavior, support investigations, and highlight areas of residual risk.
  2. Risk Response. Data analytics can be used as a form of internal control. Albemarle uses data analytics as a form of gatekeeper.
  3. Compliance Program Testing. Data analytics can be used to determine the effectiveness of your ethics and compliance program.
  4. Finally, and perhaps most significantly for the DOJ’s purposes in FCPA enforcement actions, are the reporting requirements to demonstrate that the company meets its requirements as laid out in the resolution documents, whether a DPA, NPA, or other.

SAP

The SAP resolution made several references to data analytics and data-driven compliance. SAP did so around its third-party program and expanded its data analytics capabilities to cover over 150 countries, including all high-risk countries globally. The SEC Order also noted that SAP had implemented data analytics to identify and review high-risk transactions and third-party controls. The SAP DPA follows the Albemarle FCPA settlement by stating that SAP now uses data analytics to measure the compliance program’s effectiveness. This language follows a long line of DOJ pronouncements, starting with the 2020 Update to the Evaluation of Corporate Compliance Programs, about the corporate compliance function’s access to all company data; this is the second time it has been called out in a settlement agreement in this manner. Additionally, it appears that by using data analytics, SAP was able to satisfy the DOJ requirement for implementing controls and then effectively testing them throughout the pendency of the DOJ investigation, thereby avoiding monitoring.

ABB

While not explicitly called out in its DPA, ABB has instituted a significant and company-wide data analytics program as a part of its overall remediation effort. Tapan Debnath, Head of Integrity, Regulatory Affairs, & Data Privacy—Process Automation at ABB, spoke about some of the challenges ABB faced and overcame to institute its data analytics program. He said, “The way data is hosted for us and probably for a lot of organizations is in lots of different places, and there needs to be a lot of data cleanup before we can utilize and use data.” He related that another challenge “for us has also been getting hold of data in different jurisdictions. There may be data privacy laws around data transfer, and there may be blocking statutes around this same thing. So navigating the local law requirements around data transfer, getting a hold of the data, and all of those things have been key challenges, as well as resourcing internally how to do this and getting the external stakeholders to support. I think These key fundamental steps need to be ironed out and looked at early on in the process.”

In November, Nicole Argentieri, Acting Assistant Attorney General for the Criminal Division, speaking at the ACI National FCPA, reported that the DOJ is stepping up its use of data analytics to identify instances of corporate misconduct and will boost its cooperation with overseas law enforcement to bring more anti-corruption cases as well. The DOJ and SEC increasingly focus on data analytics for corporate compliance, signaling higher expectations for larger companies.

Data-driven analytics have become a significant part of any best practices compliance program. The DOJ sees it as a critical remedial step for any company in an FCPA enforcement action. The actions taken by ABB, Albemarle, and SAP demonstrate that the DOJ also wants to impress this upon the greater compliance community.

Categories

Ten Top Lessons from Recent FCPA Settlements – Lesson No. 4, Start with a Root Cause Analysis

Over the past 15 months, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have made clear, through three Foreign Corrupt Practices Act (FCPA) enforcement actions and speeches, their priorities in investigations, remediations, and best practices compliance programs. Every compliance professional should study these enforcement actions closely for the lessons learned and direct communications from the DOJ. They should guide not simply your actions should you find yourself in an investigation but also how you should think about priorities.

The three FCPA enforcement actions are ABB from December 2022, Albemarle from November 2023, and SAP from January 2024. Taken together, they point out a clear path for the company that finds itself in an investigation, using extensive remediation to avoid monitoring and provide insight for the compliance professional into what the DOJ expects in a best practices compliance program on an ongoing basis.

Over a series of blog posts, I will lay out what I believe are the Top Ten lessons from these enforcement actions for compliance professionals who find themselves in an enforcement action. Today, we continue with Number 4, Root Cause, Risk Assessment, and Gap Analysis. Your remediation should begin with a root cause analysis. From there, move on to a risk assessment and gap analysis, and then you are ready to start your complete remediation.

SAP

The SAP Deferred Prosecution Agreement (DPA) laid out the best example of how this works in practice. The DPA reported extensive remediation by SAP, and the information provided in the DPA is instructive for every compliance professional. SAP engaged in a wide range of remedial actions. It all started with a root cause analysis. Root Cause analysis was enshrined in the FCPA Resource Guide, 2nd edition, as one of the Hallmarks of an Effective Compliance Program. It stated, “The truest measure of an effective compliance program is how it responds to misconduct. Accordingly, for a compliance program to be truly effective, it should have a well-functioning and appropriately funded mechanism for the timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or agents. An effective investigation’s structure will also have an established means of documenting the company’s response, including any disciplinary or remediation measures taken.”

This means a company should respond to the specific incident of misconduct that led to the FCPA violation. This means your organization “should also integrate lessons learned from misconduct into the company’s policies, training, and controls. To do so, a company will need to analyze the root causes of the misconduct to timely and appropriately remediate those causes to prevent future compliance breaches.” The SAP DPA noted that SAP engaged in the following steps based on these factors:

1. Conducted a root cause analysis of the underlying conduct, then remediated those root causes through enhancement of its compliance program;

2. Conducted a gap analysis of internal controls, remediating those found lacking;

3. Undertook a “comprehensive risk assessment focusing on high-risk areas and controls around payment processes and enhancing its regular compliance risk assessment process”;

4. SAP documented using “comprehensive operational and compliance data” in its risk assessments.

In addition to having a mechanism for responding to the specific incident of misconduct, the company’s compliance program should also integrate lessons learned from any misconduct into the company’s policies, training, and controls on a go-forward basis. To do so, a company will need to analyze the root causes of the misconduct and remediate those causes promptly and appropriately to prevent future compliance breaches. This SAP did it during its remediation phase.

Albemarle

Albemarle also received credit “because it engaged in extensive and timely remedial measures.” This remedial action began based on the company’s root cause analysis of its FCPA violations.

This root cause analysis led to a risk assessment, which led to remediation. All of these steps were taken during the pendency of the DOJ investigation so that when the parties were ready to resolve the matter, Albemarle had built out an effective compliance program and had tested it.

ABB

ABB also did an excellent job in its remedial efforts. According to the ABB Plea, ABB “engaged in extensive remedial measures, including hiring experienced compliance personnel and following a root-cause analysis of the conduct,” which led to the FCPA enforcement action. More on the ABB remediation later.

Each entity worked diligently to rebuild its compliance programs from the ground up. Whatever the faults of their prior compliance programs, each company was quite diligent in revamping their compliance regimes. While each company builds out a program based on its own risk, there is quite a bit of guidance you can draw from if your company finds itself in this position.

Here, the DOJ communicates that your remedial measures should start with a root cause analysis of the FCPA violation. From there, move to a risk assessment and internal control gap analysis to create a clear risk management strategy.