Day: October 3, 2022

Oracle Corporation now joins the ignominious group of Foreign Corrupt Practices Act (FCPA) recidivists. Last week, in a Press Release, the Securities and Exchange Commission (SEC) announced an enforcement action which required Oracle to pay more than $23 million to resolve charges that it violated the FCPA when “subsidiaries in Turkey, the United Arab Emirates (UAE), and India created and used slush funds to bribe foreign officials in return for business between 2016 and 2019.” The recidivist label comes from the sad fact that the SEC “sanctioned Oracle in connection with the creation of slush funds. In 2012, Oracle resolved charges relating to the creation of millions of dollars of side funds by Oracle India, which created the risk that those funds could be used for illicit purposes.”

 As reported in the FCPA Blog, Oracle is now one of 15 FCPA recidivists out of a total of 246 FCPA enforcement cases. This gives a recidivism rate of 6.1%. Clearly recidivism is also on the mind of the Department of Justice (DOJ) in the announcement of the Monaco Doctrine and release of the Monaco Memo. Given the overall tenor of the Oracle SEC Order, it is not clear if the SEC has the same level of concern as the DOJ on repeat offenders.

According to the Order, from at least 2014 through 2019, “employees of Oracle subsidiaries based in India, Turkey, and the United Arab Emirates (collectively, the “Subsidiaries”) used discount schemes and sham marketing reimbursement payments to finance slush funds held at Oracle’s channel partners in those markets. The slush funds were used both to (i) bribe foreign officials, and/or (ii) provide other benefits such as paying for foreign officials to attend technology conferences around the world in violation of Oracle’s internal policies.” I guess those employees at the subsidiaries, and specifically those in India, did not receive the Memo about Oracle’s 2012 FCPA settlement, where they promised to institute a series of internal controls to clean up the problem.

During the period in question, Oracle used two sales models, direct and indirect. Under the direct model, Oracle transacted directly with customers who paid Oracle directly. Under the indirect method, Oracle transacted through various types of third parties including straight distributor models, value added distributors (VADs) and value added resellers (VARs). While Oracle used the indirect sales model for a variety of legitimate business reasons, such as local law requirements or to satisfy payment terms, it recognized since at least 2012 that the indirect model also presented certain risks of abuse – including the creation of improper slush funds.

Learning one lesson from the 2012 enforcement action, “Oracle utilized a global on-boarding and due diligence process for these channel partners that Oracle implemented at the regional and country levels. Oracle only permitted its subsidiaries to work with VADs or VARs who were accepted to its Oracle Partner Network (“OPN”). Similarly, Oracle prohibited its subsidiaries from conducting business with companies removed from the OPN.”

Distributor Discounts

According to its policies regarding distributors, a valid and  legitimate business reason was required to provide a discount to a distributor. Oracle used a three-tier system for approving discount requests above designated amounts, depending on the product. In the first level, Oracle at times allowed subsidiary employees to obtain approval from an approver in a subsidiary other than that of the employee seeking the discount. At the next level and for higher level of discounts, Oracle required the subsidiary employee to obtain approval from Oracle corporate headquarters. The final level was a committee which had to approve the highest levels of discount.

The weakness in the Oracle distributor discount policy was that “while Oracle policy mandated that all discount requests be supported by accurate information and Oracle reviewers could request documentary support, Oracle policy did not require documentary support for the requested discounts – even at the highest level.” The standard requests for discounts were those previously seen in the Microsoft FCPA enforcement action, including “budgetary caps at end customers or competition from other original equipment manufacturers.” As the Order noted, “Oracle Subsidiary employees were able to implement a scheme whereby larger discounts than required for legitimate business reasons were used in order to create slush funds with complicit VADs or VARs.” Naturally it allowed distributors which “profited from the scheme by keeping a portion of the excess deal margin” to create a pot of money to pay a bribe.

Marketing Reimbursements

Distributor policies also allowed Oracle sales employees at the Subsidiaries to “request purchase orders meant to reimburse VADs and VARs for certain expenses associated with marketing Oracle’s products.” Once again there was a multi-pronged approval process in place. For marketing reimbursements “under $5,000, first-level supervisors at the Subsidiaries could approve the purchase order requests without any corroborating documentation indicating that the marketing activity actually took place.” Above this $5,000 threshold, additional approvals were required with additional requirements for business justification and documentation.

With these clear and glaring internal control gaps, you can see where it all went wrong for Oracle, the Order noted that “Oracle Turkey sales employees opened purchase orders totaling approximately $115,200 to VADs and VARs in 2018 that were ostensibly for marketing purposes and were individually under this $5,000 threshold.” Yet even when the $5,000 threshold was breached and supervisory approval was required in Turkey and the UAE, “The direct supervisors of these sales employees, who were complicit in the scheme, approved the fraudulent requests.” It is not clear if Oracle compliance had visibility into marketing reimbursement protocols. Of course, the “Oracle subsidiary employees in Turkey and the United Arab Emirates requested sham marketing reimbursements to VADs and VARs as a way to increase the amount of money available in the slush funds held at certain channel partners.” These slush funds were then used to pay bribes.

Please join me tomorrow where I look at the bribery schemes in action and how Oracle was able to obtain such an outstanding resolution and their extensive and aggressive remedial actions.

The risk landscape for organizations has changed significantly in the past few years. Traditional ways of identifying and mitigating risks simply do not work. They focus primarily on external threats when risks from within the organization are just as prevalent and harmful. Additionally, regulations change frequently, and it is difficult for security and compliance leaders to keep up on these changes.

The Compliance Podcast Network is therefore thrilled to have back for a limited series, the Microsoft podcast, The Uncovering Hidden Risks, which will explore the need for enterprises to quickly move to a more holistic approach to data protection and reduce their overall risk. The show will cover an array of topics, across data governance, risk management, and compliance. It will address industry trends and customer pain points.

In each episode Erica Toelle, Sr. Product Marketing Manager for Microsoft Purview, partners with a Microsoft guest host to interview a guest leader in the data governance and compliance industry. These experts have a unique and deep understanding of the challenges organizations face, and the people, processes, and technology used to address them.

We are excited to have this podcast made available to the listeners of the Compliance Podcast Network so that they may listen in to these conversations as Erica and her Microsoft colleagues discuss a range of interesting topics, ranging from trends, best practices, and real-life strategies for developing a holistic data governance and risk management program.

The Uncovering Hidden Risks podcast will launch on Wednesday, September 28^th with the first episode in the series.  

Listen to The Uncovering Hidden Risks podcast trailer below and subscribe on https://www.uncoveringhiddenrisks.com

Or you can listen and subscribe on the following platforms:

• Main show page
• Apple Podcasts
• Google Podcasts
• Spotify
• Amazon Music
• RSS Feed

Here is a preview of the first episode, posting on Wednesday, September 28th:

Transitioning to a holistic approach to data protection

Guest Bret Arsenault, CVP, CISO at Microsoft joins us on this week’s episode of Uncovering Hidden Risks to discuss how a holistic approach to data protection can deliver better results across your organization and the three steps that can get you there. Erica Toelle and Talhah Mir host this week’s episode to chat with Bret about current trends in the data protection space, what data protection issues are top of mind, and how teams should start on their data protection strategy.

Today, we conclude our exploration of the Monaco Memo by considering what all this may mean for compliance professional going forward. Department of Justice (DOJ) officials have emphasized that the changes laid out in the Monaco Memo and the requirements around Chief Compliance Officer (CCO) Certification are to empower compliance professionals. Deputy Attorney General Lisa Monaco said in the speech (Monaco Speech) announcing the Monaco Doctrine, “Companies should feel empowered to do the right thing—to invest in compliance and culture, and to step up and own up when misconduct occurs. Companies that do so will welcome the announcements today. For those who don’t, however, our Department prosecutors will be empowered, too—to hold accountable those who don’t follow the law.”

This was refined by Assistant Attorney General Kenneth A. Polite, who said in a speech (Polite Speech) after the Monaco Doctrine was announced, “in March 2022, I announced that, for all Criminal Division corporate resolutions (including guilty pleas, deferred prosecution agreements, and non-prosecution agreements), we would consider requiring both the Chief Executive Officer and the Chief Compliance Officer (CCO) to sign a certification at the end of the term of the agreement. This document certifies that the company’s compliance program is reasonably designed, implemented to detect and prevent violations of the law, and is functioning effectively. These certifications are designed to give compliance officers an additional tool that enables them to raise and address compliance issues within a company or directly with the department early and clearly. These certifications underscore our message to corporations: investing in and supporting effective compliance programs and internal controls systems is smart business and the department will take notice.”

Finally, Principal Associate Deputy Attorney General Marshall Miller said in a speech (Miller Speech), also after the announcement of the Monaco Doctrine, “I will focus on the ways those policy changes incentivize corporate responsibility and promote individual accountability – by clarifying, rethinking and standardizing policies on voluntary self-disclosure and corporate cooperation. I’ll also address how Department prosecutors are assessing some of the most challenging corporate compliance issues of the day, such as how incentive compensation systems can promote — rather than inhibit — compliance and how companies should be managing data given the proliferation of personal devices and messaging platforms that can take key communications off-system in the blink of an eye.”

However, I think many of these changes will put additional pressures on compliance programs. The new requirements for self-disclosure move beyond those announced under the FCPA Corporate Enforcement Program. The Monaco Memo stated, “it is imperative that Department prosecutors gain access to all relevant, non­privileged facts about individual misconduct swiftly and without delay.” [emphasis supplied] This in turn, puts even more pressure on internal reporting, whether through a hotline, online reporting portal, or simply an employee speaking up to a manager. That pressure means triaging, efficiently elevating and effectively investigating and evaluating the evidence developed. The clock is ticking, and a compliance professional does not know what the DOJ might already know or if a whistleblower has reported to the Securities and Exchange Commission (SEC) or another federal department or agency.

But the pressure does not end when self-disclosure occurs. The DOJ wants speed above all else in the delivery of evidence which could be used in the prosecution of individuals. Miller stated, “In building cases against culpable individuals, we have heard one consistent message from our line attorneys: delay is the prosecutor’s enemy — it can lead to a lapse of statutes of limitation, dissipation of evidence, and fading of memories. The Department will expect cooperating companies to produce hot documents or evidence in real time. [emphasis supplied] And your clients can expect that their cooperation will be evaluated with timeliness as a principal factor. Undue or intentional delay in production of documents relating to individual culpability will result in reduction or denial of cooperation credit. Where misconduct has occurred, everyone involved — from prosecutors to outside counsel to corporate leadership — should be “on the clock,” operating with a true sense of urgency.”

This requirement changes the dynamics of an investigation. Every CCO and compliance professional in such a situation must now speed up not simply their investigation process and turning over documents but their remediation efforts going forward. Of course, remediation is still an equally important part of your overall way forward to receive credit under the FCPA Corporate Enforcement Policy. A root cause analysis is also still a key component as well.

Another area for heat for the compliance professional is the new requirements for clawbacks. In the Miller Speech, he stated, “What we expect now, in 2022, is that companies will have robust and regularly deployed clawback programs. All too often we see companies scramble to dust off and implement dormant policies once they are in the crosshairs of an investigation.”

Companies should take note: compensation clawback policies matter, and those policies should be deployed regularly. A paper policy not acted upon will not move the needle — it is really no better than having no policy at all.

To up the ante, the Deputy Attorney General has instructed the Criminal Division to examine how to provide incentives for companies to clawback compensation, with particular attention to shifting the burden of corporate financial penalties away from shareholders — who frequently play no role in misconduct — onto those who bear responsibility. In addition to this stick, Miller also noted the carrot the DOJ wants to see, noting, “compensation systems to promote compliance isn’t just about clawbacks. It’s also about rewarding compliance-promoting behavior. For years, companies have designed and fine-tuned sophisticated incentive compensation systems that reward behavior that enhances profits.” She concluded, “We’ll be evaluating whether corporations are making the same types of investments in adopting and calibrating compensation systems that reward employees who promote an ethical corporate culture and mitigate compliance risk.”

The final area where the heat is on is the type of conduct which leads to the FCPA violations. Three of the criteria for determining whether a monitor will be mandated to deal with the length or pervasiveness of the conduct and whether senior management was involved; was the violation caused by the “exploitation of an inadequate compliance program or system of internal controls”; and finally, if “compliance personnel were involved or were basically negligent in failing to “appropriately escalate or respond to red flags.””

Compliance professionals should use the Monaco Doctrine, Memo, and related speeches to explain to senior management to educate C-Suite and Board leadership why and how an investment in compliance can pay off. For compliance professionals your work became much more important.

Today, we continue our exploration of the Monaco Memo by considering the sections relating to the evaluation of cooperation during the pendency of the investigation and the evaluation of a company’s compliance program at the conclusion of the resolution. These portions of the Monaco Memo should be studied intently by every compliance professional as they lay out what the Department of Justice (DOJ) will require to grant discounts under the FCPA Corporate Enforcement Policy. Today, I want to look at the provisions regarding monitors and monitorships. In many ways, they are some of the most interesting parts of the Monaco Memo.

The section on monitors and monitorships is broken down into three parts; (1) criteria for determining if a monitor is warranted; (2) criteria for selection of a monitor; and (3) monitor oversight. I am going to focus on the first prong, the criteria for determining if a monitor is warranted. You may recall the prior test to determine whether a monitor was warranted was last

articulated in the Benczkowski Memo. The test basically had an organization implement an effective compliance program and then test it. However, now there is a 10-factor test, which as Washington & Lee University, School of Law Professor Karen Woody says, greatly increases the temperature on corporations. The 10 factors are:

1. Whether the corporation voluntarily self-disclosed the underlying misconduct in a manner that satisfies the particular DOJ component’s self-disclosure policy;
2. Whether, at the time of the resolution and after a thorough risk assessment, the corporation has implemented an effective compliance program and sufficient internal controls to detect and prevent similar misconduct in the future;
3. Whether, at the time of the resolution, the corporation has adequately tested its compliance program and internal controls to demonstrate that they would likely detect and prevent similar misconduct in the future;
4. Whether the underlying criminal conduct was long-lasting or pervasive across the business organization or was approved, facilitated, or ignored by senior management, executives, or directors (including by means of a corporate culture that tolerated risky behavior or misconduct, or did not encourage open discussion and reporting of possible risks and concerns);
5. Whether the underlying criminal conduct involved the exploitation of an inadequate compliance program or system of internal controls;
6. Whether the underlying criminal conduct involved active participation of compliance personnel or the failure of compliance personnel to appropriately escalate or respond to red flags;
7. Whether the corporation took adequate investigative or remedial measures to address the underlying criminal conduct, including, where appropriate, the termination of business relationships and practices that contributed to the criminal conduct, and discipline or termination of personnel involved, including with respect to those with supervisory, management, or oversight responsibilities for the misconduct;
8. Whether, at the time of the resolution, the corporation’s risk profile has substantially changed, such that the risk of recurrence of the misconduct is minimal or nonexistent;
9. Whether the corporation faces any unique risks or compliance challenges, including with respect to the particular region or business sector in which the corporation operates or the nature of the corporation’s customers; and
10. Whether and to what extent the corporation is subject to oversight from industry regulators, or a monitor imposed by another domestic or foreign enforcement authority or regulator.

The old Benczkowski Memo test is found in factors 2 and 3. However, factor 1 is whether or not the company self-disclosed the incident(s) at issue. Moreover, factors 4-6 all related to conduct and actions when the illegal activity occurred, not after discovery and self-disclosure. Factor 4 relates to the length or pervasiveness of the conduct and whether senior management was involved. Factor 5 reviews “the exploitation of an inadequate compliance program or system of internal controls.” Factor 6, asks if compliance personnel were involved or were basically negligent in failing to “appropriately escalate or respond to red flags.” Factors 7-10 refine company actions post-reporting and do relate to actions after a company became aware such as investigations and remedial actions (factor 7), a reduction in the company’s risk profile (factor 8), or unique regulatory or business challenges (factors 9 and 10).

The Monaco Memo states, “prosecutors will not apply any general presumption against requiring an independent compliance monitor (“monitor”) as part of a corporate criminal resolution, nor will they apply any presumption in favor of imposing one.” The Monaco Memo also states, “Prosecutors should analyze and carefully assess the need for a monitor on a case­ by-case basis, using the following non-exhaustive list off actors when evaluating the necessity and potential benefits of a monitor.” Finally, the DOJ believes “compliance monitors can be an effective means of reducing the risk of further corporate misconduct and rectifying compliance lapses identified during a corporate criminal investigation.” This statement leads me to believe the DOJ is very concerned about corporate recidivism. Whatever the ultimate reasons are it does appear that, as Professor Woody noted, the heat is definitely turned up.

One thing did strike me about this list is that provides a clear roadmap for compliance professionals to use in proactive manner. You now know the precise factors the DOJ will review so you can look at them on an ongoing basis to (1) determine if your organization has issues which need to be addressed; (2) allows you to remediate before the government comes knocking or you have to self-disclose; and (3) if you use an independent third-party as a part of this proactive process, you can document compliance if you need to do so going forward if the government comes knocking independently of your self-reporting.

I hope you will join me for my next post to wrap up with some final thoughts.

Today, we continue our exploration of the Monaco Memo by considering the sections relating to the evaluation of cooperation during the pendency of the investigation and the evaluation of a company’s compliance program at the conclusion of the resolution. These portions of the Monaco Memo should be studied intently by every compliance professional as they lay out what the Department of Justice (DOJ) will require to grant discounts under the FCPA Corporate Enforcement Policy.

Evaluation of Cooperation

Cooperation with the DOJ during the pendency of an investigation has always been a critical factor of the overall costs of a Foreign Corrupt Practices Act (FCPA) resolution since this factor can be added as a discount under the US Sentencing Guidelines and the FCPA Corporate Enforcement Policy. Essentially a company can double dip in discounts with superior cooperation. Indeed, we have seen companies have the fines and penalties increase by tens of millions when they failed to cooperate.

The Monaco Memo acknowledges what a corporation can obtain by stating, “Cooperation can be a mitigating factor, by which a corporation – just like any other subject of a criminal investigation – can gain credit in a case that is appropriate for indictment and prosecution.” Further, “Credit for cooperation takes many forms and is calculated differently based on the degree to which a corporation cooperates with the government’s investigation and the commitment that the corporation demonstrates in doing so. The level of a corporation’s cooperation can affect the form of the resolution, the applicable fine range, and the undertakings involved in the resolution.”

Principal Associate Deputy Attorney General (DAG) Marshall Miller, recently said in a speech, “I trust one thing came through loud and clear: the Department is placing a new and enhanced premium on voluntary self-disclosure.” This is where the timeliness issue becomes so critical. Miller went on to state, “The DAG also provided important guidance on corporate cooperation. The key point I want to highlight relates to timeliness. In building cases against culpable individuals, we have heard one consistent message from our line attorneys: delay is the prosecutor’s enemy — it can lead to a lapse of statutes of limitation, dissipation of evidence, and fading of memories. The Department will expect cooperating companies to produce hot documents or evidence in real time. And your clients can expect that their cooperation will be evaluated with timeliness as a principal factor. Undue or intentional delay in production of documents relating to individual culpability will result in reduction or denial of cooperation credit. Where misconduct has occurred, everyone involved — from prosecutors to outside counsel to corporate leadership — should be “on the clock,” operating with a true sense of urgency.”

Miller fleshed out the Monaco Memo regarding this DOJ expectation when he intoned that the DOJ expects “cooperating companies to produce hot documents or evidence in real time.” Moreover, “The key point I want to highlight relates to timeliness.” This could mean literally when you find a smoking, still hot or even cold gun you had better pick up the phone and call the DOJ. Finally, when it comes to cooperation credit the DOJ will evaluate companies “timeliness as a principal factor.” It cannot be stated any plainer or more simply than that.

Evaluation of Corporate Compliance Programs

Equally important for compliance professionals was the section on evaluating compliance program. The DOJ has presented significant information to the compliance community with the release of the 2019 Evaluation of Corporate Compliance Programs and its 2020 Update. The Monaco Memo recognizes these documents as key components for the DOJ to review compliance programs of companies under investigation. Moreover, although there is no compliance defense to prosecution of illegal conduct, such compliance programs have “a direct and significant impact on the terms of a corporation’s potential resolution with the Department.”

To that end, the Monaco Memo directs prosecutors to “evaluate a corporation’s compliance program as a factor in determining the appropriate terms for a corporate resolution, including whether an independent compliance monitor is warranted. Prosecutors should assess the adequacy and effectiveness of the corporation’s compliance program at two points in time: (1) the time of the offense; and (2) the time of a charging decision. The same criteria should be used in each instance.”

However, the Monaco Memo focused attention on an area given little weight previously in determining the effectiveness of an effective compliance program, that being clawbacks. While compensation, particularly in the form of bonus or other compensation based on positive compliance actions, has long been a part of a best practices compliance program (the carrot) we have not previously seen its equivalent disincentive (the stick).

The Monaco Memo stated, “Corporations can best deter misconduct if they make clear that all individuals who engage in or contribute to criminal misconduct will be held personally accountable. In assessing a compliance program, prosecutors should consider whether the corporation’s compensation agreements, arrangements, and packages (the “compensation systems”) incorporate elements ­ such as compensation clawback provisions – that enable penalties to be levied against current or former employees, executives, or directors whose direct or supervisory actions or omissions contributed to criminal conduct. Since misconduct is often discovered after it has occurred, prosecutors should examine whether compensation systems are crafted in a way that allows for retroactive discipline, including through the use of clawback measures, partial escrowing of compensation, or equivalent arrangements.” This is a change.

Miller expanded on this when he said the DOJ would start with two questions:

1. Has the company clawed back incentives paid out to employees and supervisors who engaged in or did not stop wrongdoing?
2. Is the company targeting bonuses to employees and supervisors who set the right tone, make compliance a priority, and build an ethical culture?

Miller went on to add, “What we expect now, in 2022, is that companies will have robust and regularly deployed clawback programs. All too often we see companies scramble to dust off and implement dormant policies once they are in the crosshairs of an investigation. Companies should take note: compensation clawback policies matter, and those policies should be deployed regularly. A paper policy not acted upon will not move the needle — it is really no better than having no policy at all.”

My suggestion is that you develop a clawback policy and write it into the contracts of your senior management going forward.

I hope you will join me tomorrow where I look at guidance around monitors and monitorships.

Today, we continue our exploration of the Monaco Memo by considering the section entitled “Timely Disclosures and Prioritization of Individual Investigations”. This portion of the Monaco Memo re-emphasized the reinstitution of the Yates Memo, first announced by Deputy Attorney General (DAG) Lisa Monaco in October 2021. Clearly the Department of Justice (DOJ) wants to increase the accountability of individuals who have engaged in criminal activities such as bribery and corruption under the Foreign Corrupt Practices Act (FCPA).

It is well-settled under the FCPA Corporate Enforcement Policy that for a company to be considered for a Declination or cooperation credit, the company must self-disclose its illegal conduct. However, self-disclosure is not enough; it now must be timely. The DOJ wants speed as well because, “If disclosures come too long after the misconduct in question, they reduce the likelihood that the government may be able to adequately investigate the matter in time to seek appropriate criminal charges against individuals. The expiration of statutes of limitations, the dissipation of corroborating evidence, and other factors can inhibit individual accountability when the disclosure of facts about individual misconduct is delayed.”

The Monaco Memo stated, “it is imperative that Department prosecutors gain access to all relevant, non­privileged facts about individual misconduct swiftly and without delay.” [emphasis supplied] This means, “ to receive full cooperation credit, corporations must produce on a timely basis all relevant, non-privileged facts and evidence about individual misconduct such that prosecutors have the opportunity to effectively investigate and seek criminal charges against culpable individuals.” If a company fails to meet this burden, it will “place in jeopardy their eligibility for cooperation credit.” The DOJ goes the next step by placing the burden on companies to demonstrate timeliness, stating they “bear the burden of ensuring that documents are produced in a timely manner to prosecutors.”

Moreover, it is not simply data or information. A company must seek out and disclose on this ‘timely’ basis, the evidence “that is most relevant for assessing individual culpability.” This type of evidence could include “information and communications associated with relevant individuals during the period of misconduct.” While the DOJ may well ask companies to prioritize evidence they are seeking in investigation, even with no such instruction or request from the DOJ, “cooperating corporations should understand that information pertaining to individual misconduct will be most significant.”

All of this was driven home by adding this timeliness requirement to the analysis of factors surrounding a company’s cooperation with the DOJ, as laid out in the FCPA Corporate Enforcement Policy. The Monaco Memo stated, “in connection with every corporate resolution, Department prosecutors must specifically assess whether the corporation provided cooperation in a timely fashion.” Some of the factors in this new analysis could include “whether a company promptly notified prosecutors of particularly relevant information once it was discovered, or if the company instead delayed disclosure in a manner that inhibited the government’s investigation.” And then the stick is lowered when “prosecutors identify undue or intentional delay in the production of information or documents – particularly with respect to documents that impact the government’s ability to assess individual culpability ­ cooperation credit will be reduced or eliminated.” There are no percentages as to how much this might entail but conceivably it could reduce a cooperation credit by between 25% to 50%. Of course, if this analysis is factored into the fine and penalty calculation under the US Sentencing Guidelines, the cost could even be higher to a company.

This new requirement presents several challenges for any company and compliance professionals involved in the corporate investigatory process. The DOJ emphasis is now on ‘timeliness’ which equates to speed. When a whistleblower or other report comes in, there should now be even more urgency to assess and triage and then elevate the report to the appropriate level. Remember, this is not about a corporate decision to self-disclose or not; although there are clear implications in that decision, this is about turning over evidence of culpable individuals. If the DOJ deems your turning over evidence as not timely, it could seriously impact your ability to get the full 25% credit under the FCPA Corporate Enforcement Policy for cooperation and remediation.

In terms of your investigation protocol, under the prior Policy interpretations, you complete the investigation and then bring it to DOJ. But now the DOJ may have an argument that you were untimely because you took three months, six months, nine months; however long it takes you to perform an investigation. James Koukios also provided some other examples, “you learn that there is going to be a newspaper article which is coming out shortly and it will allege your company of corruption. Ordinarily, you would go to DOJ first, even if do not have an investigative plan in place yet because you need to get ahead of that article.”

A similar situation could involve a whistleblower or if the government comes knocking. In these situations, your organization may not have been aware of the allegations or facts. “This means you will have to investigate and at that point, it is hard to say that you will deliver timely information at any point, because you do not know things up front.” This begs the question “is it timely that I bring it to you?” This can be even more problematic “if a prosecutor thinks, you should have brought this to me two months earlier, or you should have brought this to me three months earlier.” This may be even more true as the burden is on the company to demonstrate timeliness.

As I said there are many questions on this topic going forward.

I hope you will join me tomorrow where I look at guidance on corporate accountability.

Last week saw the announcement of two significant and related releases of information from the Department of Justice (DOJ) around Foreign Corrupt Practices Act (FCPA) enforcement and corporate compliance programs. They were the Monaco Memo and a Speech by Assistant Attorney General Kenneth A. Polite made at the University of Texas Law School. Every compliance professional should study them both.

Over the next several days, I will be blogging about each of them and other DOJ announcements. I will also have a series of podcasts about different aspects of the releases with a variety of guests including Affiliated Monitors, Inc. (AMI) founder Vin DiCianni, Morrison & Foerster LLP (MoFo) partner James Koukios and my Compliance into the Weeds co-host, Matt Kelly. The Memo is broken down into four main sections: I. Guidance on Individual Accountability; II. Guidance on Corporate Accountability; III. Independent Compliance Monitorships; and IV. Commitment to Transparency in Corporate Criminal Enforcement. Today I want to introduce each release and try to place it into the overall context of DOJ communications to the compliance community, compliance professionals and Chief Compliance Officers (CCOs).

The Monaco Memo builds on many of the topics first articulated by Deputy Attorney General (DAG) Lisa Monaco last October in a speech to the ABA White Collar Bar conference. Koukios said he had two major reactions to the Monaco Memo. First, “I think it’s great when the department puts out a Memo like this, that lays out very clearly.” It sets out the DOJ expectations which Koukios believes the DOJ strives to do for the corporate compliance professional and the white-collar defense bar, which they have done so in an iterative matter. From releases of documents such as the Phillips Memo, to the FCPA Corporate Enforcement Policy to the Evaluation of Corporate Compliance Program and its Update. He added, “I think this is another one of those really helpful memos that sets out the factors that the DOJ will consider.”

He sees the Monaco Memo going further by delineating the implications of the factors it sets out.  He went on to note, “I think that there is a lot more in this Memo than there have been in some other, more recent memos.” Moreover, it lays out multiple changes at both “a high level and at the more granular level as well.” Koukios concluded, “I think it’s a very impactful Memo that practitioners’ compliance officers and other people dealing with this space really should spend time reading and understanding.”

I visited with DiCianni on the Independent Compliance Monitorships component. DiCianni believes the Monaco Memo is both further clarification and further guidance for line prosecutors when they are considering whether or not to put a monitor in place. Echoing Koukios in this section of the Memo, he noted that it lays out both broad goals and guidelines and then drills down into specific requirements in a way “we’ve  never seen before.” Further, while many of the factors “are really quite interesting there are not really anything new and from the monitors perspectives.” And while we have seen these factors in a disparate manner, in disparate places, “here they are in writing.” Once again this echoed something Koukios told me, that perhaps the greatest significance is that the Memo sets down all of these matters in writing which leads to a blueprint for DOJ thinking and a roadmap for anyone who finds themselves in an FCPA investigation or enforcement action.

I see the Monaco Memo and the Speech as complimentary releases which drive home several key changes in DOJ enforcement. Perhaps changes is too strong, but they these announcements make clear the DOJ is dedicated to individual accountability and prosecution. Corporations will have to reorient their approach to investigations and sharing of information with the DOJ to this new approach. Next the DOJ is strongly shifting the burden in the investigatory and negotiation phases to make clear the company must come forward with evidence to support lower fines and penalties and greater discounts, particularly in the area of individual financial penalties and incentives, i.e., clawbacks. Finally, the Monaco Memo lays out not simply how to avoid a monitor but a program of proactive monitoring which can lead to the prevention of a crime before the FCPA is violation.

The Memo itself said that the DOJ had established the Corporate Crime Advisory Group (“CCAG”)  to evaluate and recommend further guidance and consideration after the Monaco Speech from October 2021. This CCAG included leaders and experienced prosecutors from “components of the Department that handle corporate criminal matters: the Criminal Division; the Antitrust Division; the Executive Office of United States” to both evaluate and provide “revisions and reforms to enhance our approach to corporate crime, provide additional clarity on what constitutes cooperation by a corporation, and strengthen the tools our attorneys have to prosecute responsible individuals and companies.”

The DOJ review considered input from “a broad cross-section of individuals and entities with relevant expertise and representing diverse perspectives, including public interest groups, consumer advocacy organizations, experts in corporate ethics and compliance, representatives from the academic community, audit committee members, in-house attorneys, and individuals who previously served as corporate monitors, as well as members of the business community and defense bar.”

The Memo itself is designed to “promote consistency across the Department” by applying it  Department-wide. Some announcements establish the first-ever DOJ-wide policies on certain areas of corporate crime, “such as guidance on evaluating a corporation’s compensation plans; others supplement and clarify existing guidance. The policies set forth in this Memorandum, as well as additional guidance on subjects like cooperation, will be incorporated into the Justice Manual through forthcoming revisions, including new sections on independent corporate monitors.”

I hope you will join me tomorrow where I look at individual accountability and internal investigations.

I recently had the opportunity to visit with several folks from Assent Inc. for a sponsored podcast series entitled Supply Chain and ESG – What You Need to Know. We discussed: ESG drivers with Jared Connors and James Calder; UFLPA, Supply Chain and ESG with Travis Miller and Jamie Wallisch; the New World of Product Compliance and ESG, with Cally Edgren and Devin O’Herron; Emissions Reporting Strategies with Devin O’Herron and Jared Connors; and Responsible Minerals, Supply Chain and ESG, with Jared Connors and Daniel Zamora. Today, we consider a Scope 3 emissions reporting strategy.

We began with a discussion of the requirements for emissions reporting. There are three Scope levels within the emissions reporting strategy. Scope 1 and 2 are those emissions that are owned or controlled by a company, whereas Scope 3 emissions are a consequence of the activities of the company but occur from sources not owned or controlled by it. Connors provided some examples of each Scope, “Scope 1 is such things as your own vehicle fleets or things you are doing around your facility. Scope 2 is purchases such as heat or electricity for your facility, such as from your municipal power source. Scope 3 is all those variables outside your four walls.”

Connors went on to note, “This makes Scope 3 the most important of the three Scope emissions reporting, because it is so broad. It even includes things like employee travel. The most important aspect of Scope 3 is purchased goods, which has a very large impact on organizations that may not necessarily take in raw materials and directly manufacture from fabrication of those raw materials into a finished goods. Even if your organization designs products and influences those products, you typically will obtain your raw materials components through your supply chain. So purchased goods or supply chain is a very huge impact on the overall emission strategy for companies.”

O’Herron pointed to a recent Accenture study which estimated that Scope 3 emissions are typically 11 times larger than an organization’s Scope 1 and 2 emissions combined. With the increasing use of carbon taxes, and as they progress as a key tool, “the overall mission strategy frankly needs to start accounting for Scope 3.” But it is not simply risks but also opportunities, “because when it comes to Scope 3 emissions in particular, as we think about things like carbon taxes, risk in terms of risk, if you don’t understand what exactly that applies to your organization, you are missing a big opportunity.”

He further cautioned that while the conversation today is dominated by carbon, there may well be other minerals which fall under regulatory ambit. Moreover, there are other environmental factors at play, such waste management, recycled content in products, water usage. All of these additional costs that have not been traditionally quantified and accounted for when thinking about the product life cycle and design of the product. He stated, “when we are talking about Scope 3, in a broader context of just carbon, it’s about broadening the measure of impact burn closer to understanding and identifying the truthful cost of how we provision ourselves today.”

The bottom line is that organizations need to get a handle on their total emissions footprint, which includes what they are collecting from their suppliers upstream, their purchased goods or services, and those in Scope 3 emissions. You cannot manage what you do not measure. This means the “idea of diving into these details, has gained such relevancy and traction in the market.” It is providing a common language and identifying these common topics to focus on in terms of getting that information.

This is a big part of the overall strategy, the data collection at each level in the supply chain and how we may interact with our Tier 1 suppliers, but the disclosure that we get from them, there should be policies, procedures and programs around also creating transparency with their upstream suppliers. Connors concluded, “they have an element of pass down accountability as the phrase was coined so many years ago. I actually try to think of it as pass up accountability, because we are thinking about our supply chain upstream and what we need to collect from those organizations in order to meet the expectations of these regulatory pressures or these market disclosure requirements to create and promote transparency, not only in my operations, my four walls, but upstream of me as well.”

Please plan to join us tomorrow for our final post in this series, on responsible minerals, supply chain and ESG.

To listen to the podcast this blog post is based upon, click here.

I recently had the opportunity to visit with several folks from Assent Inc. for a sponsored podcast series entitled Supply Chain and ESG – What You Need to Know. We discussed: ESG drivers with Jared Connors and James Calder; UFLPA, Supply Chain and ESG with Travis Miller and Jamie Wallisch; the New World of Product Compliance and ESG, with Cally Edgren and Devin O’Herron; Emissions Reporting Strategies with Devin O’Herron and Jared Connors; and Responsible Minerals, Supply Chain and ESG, with Jared Connors and Daniel Zamora. Today, in our final post, we consider responsible minerals, supply chains and ESG.

We began with a review of the evolution on responsible mineral sourcing. It started with conflict minerals, which has been around for 10 years or so. This led to a rather dramatic shift in the worldwide corporate mindset and companies and stakeholders determined that there needed to be more engagement all levels within the supply change. Zamora pointed to the example of due diligence. “It began as a data collection exercise where you get transparency into your supply chain, but now it’s all about, what can you do  with that information after you collect data? What you see from the expectations of stakeholders is performing risk management, right to diligence activities within your supply chain.” This means going beyond regulatory requirements, it means risk management activities related to identifying sanctions within your supply chain.

One of the key themes of this series has been how a comprehensive ESG program can bring a much more integrated, holistic approach to not simply regulatory compliance but also in overall business operations. That also presents the opportunity to use an ESG approach to move from simply a reactive to proactive program. With Zamora, we look at steps a company can take to facilitate this change.

Zamora said, the “first step is you need to collect data efficiently. Once you do that officially, it allows your organization to have the resources in place to focus at how to perform risk management from within your supply chain. Number two, you need to have a specific program in place that would allow you to see and identify the risks so you can see where minerals are coming from and where the minerals are going afterwards. This allows you to identify those risks ahead of time, having risk assess verifiable sources out there that will allow determine who the bad actors are before then engage in bad behaviors.”

All of this allows a company to make better business decisions in terms of risk management. Zamora said, “it gives them time. It gives them a lot of power to take corrective actions, according to those risks. It could be communicating that those risks within their own supply chain. It could be passing that information along to their legal team. Once you have that ability to see these risks live as if an organization is being proactive about it instead of being reactive and waiting for those risks to show up in your supply change; a company will have a lot of power to have corrective action in order to mitigate those risks.”

We concluded with a discussion of the stakeholders who might be concerned with responsible minerals and how a corporation can use an overall ESG program to engage with them. This can include the shareholders, it could include customers, it could include employees, it could include third parties your organization does business with, and it could include the locales where a company does business or operates. Zamora said, “conversations have definitely changed,”. Now it has expanded to “even metal associations.” These conversations are also at “multiple levels within the supply chain. It is no longer the downstream companies and the shareholders right now, you see expectations at the mid-tier suppliers, you see these conversations at the smelters and at the upstream level.” All these levels are getting engaged in discussions and conversations around the ESG requirements.

To listen to the podcast this blog post is based upon, click here.

The UFLPA is a law which targets goods made, whole or in part, by forced labor in the China Jing Jang region or made by forced labor in other parts of China by Uighurs, or other minorities. Wallisch explained that it is designed to operate as a de facto trade ban on goods from the Jing Jang region of China. US businesses will face the high burden needed to overcome an expectation of forced labor presumption. Wallisch believes this is the most “significant law placed around the issue of forced labor, and it has the most tangible and concrete terms of repercussions, that companies can potentially face.” Further, she believes the key will be around your documentation to provide to US Customs and Border Protection. Miller noted that this means if you are “asking companies to look back into where the actual sand came from, that got turned into the silica, that got turned into the semiconductor, that got turned into the circuit board, that got turned into the device that finds its way into your laptop. There’s just never been anything like it.”

Interestingly, this ties directly into a company’s overall ESG framework as it is combining all elements in such a program. When you tie the UFLPA, together with anti-corruption laws such as the Foreign Corrupt Practices Act (FCPA), export controls laws and regulations enacted by both the Trump and Biden Administrations and anti-money laundering (AML) laws, such as the AML Law of 2020, you begin to see a more integrated approach by the government and how companies must respond with an integrated approach such as a corporate ESG program. Wallisch concluded, “it’s really signaling the intersectionality of all these particular topics under ESG.”

Miller noted, interestingly, about how much this law and its guidance weave together existing business processes. He believes the UFLPA was “birthed out of the America Supply Chain Executive Order in the US/China trade war, which was focused on semiconductors, critical, raw materials elements that are the subject of the extractives. To comply with it, you could not actually start unless you already had a product compliance program in place. This means that if you do not know the bill of materials, if you do not have an approved vendor list, if you do not know where your components are being manufactured; how do you even begin the ESG program? So really in my opinion, the UFLPA is not novel in that it created something new; it is  novel in that it is forcing companies to use all the existing business processes to tie back the breadcrumbs and figure out things that they should already know and then to be responsible for reporting on them.”

Miller believes that even with the UFLPA and other regulatory initiatives, the real driver here is business and business operations. He believes it will require organizations to recognize that their organizational footprint, for each business extends beyond the four corners of the organization. This will come into play for financing whether through private equity investment, public market offerings, bank loans or other mechanisms. It has not extended down into individual responses to requests for quotes in the business world.

Equally importantly, he said, “it’s also about who you chose to do business with, who you chose to profit from, and it’s not enough that you can just say, well, I outsource the bad stuff; slaves being used in my supply chain and bribery occurring in the same place. That is no longer a sufficient answer. It’s this assessment, it’s this realization that you are the sum of your components. You are the sum of your relationships. The business is not an island. It’s everything being pulled together and your entire impact on the globe, on the people on the world, on the business processes that derives your profitability now must be considered. And that’s quite revolutionary. If you think about it.”

Join us in Part 3, where we consider the new world of product compliance and ESG.

To listen to the podcast this blog post is based upon, click here.

I recently had the opportunity to visit with several folks from Assent Inc. for a sponsored podcast series entitled Supply Chain and ESG – What You Need to Know. We discussed: ESG drivers with Jared Connors and James Calder; UFLPA, Supply Chain and ESG with Travis Miller and Jamie Wallisch; the New World of Product Compliance and ESG, with Cally Edgren and Devin O’Herron; Emissions Reporting Strategies with Devin O’Herron and Jared Connors; and Responsible Minerals, Supply Chain and ESG, with Jared Connors and Daniel Zamora. Today we review the intersection of the Uyghur Forced Labor Prevention Act (UFLPA), Supply Chains and ESG.

The UFLPA is a law which targets goods made, whole or in part, by forced labor in the China Jing Jang region or made by forced labor in other parts of China by Uighurs, or other minorities. Wallisch explained that it is designed to operate as a de facto trade ban on goods from the Jing Jang region of China. US businesses will face the high burden needed to overcome an expectation of forced labor presumption. Wallisch believes this is the most “significant law placed around the issue of forced labor, and it has the most tangible and concrete terms of repercussions, that companies can potentially face.” Further, she believes the key will be around your documentation to provide to US Customs and Border Protection. Miller noted that this means if you are “asking companies to look back into where the actual sand came from, that got turned into the silica, that got turned into the semiconductor, that got turned into the circuit board, that got turned into the device that finds its way into your laptop. There’s just never been anything like it.”

Interestingly, this ties directly into a company’s overall ESG framework as it is combining all elements in such a program. When you tie the UFLPA, together with anti-corruption laws such as the Foreign Corrupt Practices Act (FCPA), export controls laws and regulations enacted by both the Trump and Biden Administrations and anti-money laundering (AML) laws, such as the AML Law of 2020, you begin to see a more integrated approach by the government and how companies must respond with an integrated approach such as a corporate ESG program. Wallisch concluded, “it’s really signaling the intersectionality of all these particular topics under ESG.”

Miller noted, interestingly, about how much this law and its guidance weave together existing business processes. He believes the UFLPA was “birthed out of the America Supply Chain Executive Order in the US/China trade war, which was focused on semiconductors, critical, raw materials elements that are the subject of the extractives. To comply with it, you could not actually start unless you already had a product compliance program in place. This means that if you do not know the bill of materials, if you do not have an approved vendor list, if you do not know where your components are being manufactured; how do you even begin the ESG program? So really in my opinion, the UFLPA is not novel in that it created something new; it is  novel in that it is forcing companies to use all the existing business processes to tie back the breadcrumbs and figure out things that they should already know and then to be responsible for reporting on them.”

Miller believes that even with the UFLPA and other regulatory initiatives, the real driver here is business and business operations. He believes it will require organizations to recognize that their organizational footprint, for each business extends beyond the four corners of the organization. This will come into play for financing whether through private equity investment, public market offerings, bank loans or other mechanisms. It has not extended down into individual responses to requests for quotes in the business world.

Equally importantly, he said, “it’s also about who you chose to do business with, who you chose to profit from, and it’s not enough that you can just say, well, I outsource the bad stuff; slaves being used in my supply chain and bribery occurring in the same place. That is no longer a sufficient answer. It’s this assessment, it’s this realization that you are the sum of your components. You are the sum of your relationships. The business is not an island. It’s everything being pulled together and your entire impact on the globe, on the people on the world, on the business processes that derives your profitability now must be considered. And that’s quite revolutionary. If you think about it.”

Join us in Part 3, where we consider the new world of product compliance and ESG.

To listen to the podcast this blog post is based upon, click here.