Categories
Innovation in Compliance

Innovating Compliance in the Middle East and Africa with Tomell Ceasar

 

Tomell Ceasar is the Group Head of Ethics and Compliance at Careem (An Uber Company). He is one of the founders of the Middle East and Africa Compliance Association (MEACA). This organization strives to raise awareness on business ethics and provides tools to build stronger and more responsible businesses. Essentially, they promote global regulatory compliance and effective governance in the Middle East and Africa. In this week’s episode, he explains to Tom the intricacies of practicing compliance outside the US, specifically the EAME. 

 

 

Compliance Practice in the EAME

Tom asks Tomell to describe what it is like practicing compliance in EAME. Tomell responds that it’s difficult to make broad generalizations on compliance region-wide since the EAME is such a huge territory. Compliance is a “Western value in terms of the way one approaches international business”, Tomell remarks, so adoption would take some time. However, appreciation of compliance roles and professionals grew exponentially over the past decade. International companies are seeing compliance through the US lens, and “they identified values of compliance being important enough to them to adopt similar frameworks and ideological perspectives as it relates to commercial enterprise, to be equivalent to the United States,” Tomell remarks.

 

The Birth of the MEACA 

As a co-founder of the Middle East and Africa Compliance Association, Tom wants to know how Tomell came up with the idea for the MEACA. Tomell explains that “the values of compliance have traditionally not been a staple of commercial enterprises in these regions.” Compliance has had a real maturation process over the last 10 years, and Tomell and his team saw a major opportunity to support the development and growth towards that end. There was a need for an organization willing to serve the distinct purpose of “serving and supporting the compliance community and to give them an avenue to connect, to network, to broaden their skill set.” Thus, the MEACA was born. To this day, they help companies promote and catalyze the compliance movement toward fighting corruption in companies and society. 

 

Resources 

Tomell Ceasar | LinkedIn

The Middle East and Africa Compliance Association

 

Categories
Daily Compliance News

October 11, 2022 the Rethink Edition

In today’s edition of Daily Compliance News:

  • Corruption and money laundering are destroying the planet. (FCPA Blog)
  • UK to ‘rethink’ replacing GDPR. (TechCrunch)
  • Meta appeals €405 million fine. (Cordery Compliance)
  • More whistleblowers at EY (FT)
Categories
Blog

Use Your Eyes in Compliance

One thing compliance professionals are rarely trained to do is trust your eyes. This may be because it seems too obvious. After all the well-known Howard Sklar maxim of “Water is Wet” is largely based on the fact that if something is so obvious you may not need to train on it. Yet two recent events make clear we all need to ‘trust our eyes’ in a variety of settings. The first is in the National Football League (NFL) and it involves Miami Dolphin quarterback, Tua Tagovailoa. Three weeks ago, he was tackled, thrown to the ground and his head snapped against the tuft. This is clearly a sign a concussion may be coming. After Tua got up, he stumbled and fell and then had to be helped up by a teammate and off the field.

I say all of this with absolute certainty as I was watching the game Dolphins v. Bills and saw it along with some 70,000 in the stadium and millions on television. Unfortunately, those who did not see these actions of Tua after the hit was the Dolphins medical staff who, rather amazingly (or perhaps not), cleared him under the NFL Concussion Protocol and sent him back to play in the second half of the game. Again, finding he was fine under the concussion protocol, he was allowed to play. The Dolphins claimed that he had sustained a “back injury” and that was why he stumbled and fell, not motor impairment. The next week, Tua took another shot to his head and this time he did not get up, stumble and fall. He did not get up at all. According to New York Times (NYT), he left the field on a stretcher and was taken immediately to a local hospital.

It was clear to anyone who saw the first concussion, that it was just that a concussion. However, “because of the incident, the league and union said they were considering changing the protocols, which currently allow a player with “gross motor instability” to return to the game if doctors decide there is an orthopedic reason for his unsteadiness.” Some doctor said the instability was due to Tua’s bad back and that was good enough. The NYT went on to further note, “The expected change will be to instead establish ataxia, a term describing impaired balance or coordination caused by damage to the brain or nerves, as a sign that automatically disqualifies a player from returning to the game.”

All of this informs compliance programs and compliance professionals as sometimes actions do not simply pass the eye test. I thought of this in the context of the recent Oracle Corporation Foreign Corrupt Practices Act (FCPA) enforcement action. In this Oracle matter, the bribery schemes involved distributors, which were used as not only conduits to pay bribes, but as the mechanism to create a pot of money to pay bribes. The Oracle compliance program allowed sales employees at the subsidiaries to request monies meant to reimburse distributors for certain marketing expenses associated with selling Oracle products. There was a multi-pronged approval process in place. For marketing reimbursements “under $5,000, first-level supervisors at the Subsidiaries could approve the purchase order requests without any corroborating documentation indicating that the marketing activity actually took place.” Above this $5,000 threshold, additional approvals were required with additional requirements for business justification and documentation.

You can no doubt see where this is going as this internal control gap allowed for abuse. Indeed the Orderstated, “Oracle Turkey sales employees opened purchase orders totaling approximately $115,200 to [distributors] in 2018 that were ostensibly for marketing purposes and were individually under this $5,000 threshold.” That is at least 23 different expense requests to reimburse for marketing made under the threshold. Of course, there were no marketing efforts by the distributors and no follows up audits, inspections or even questions to confirm that the marketing expenses had actually occurred. The entire business unit was in on the fraud, and it stole money from the corporate office to fund it slush fund to pay bribes.

Clearly compliance was not using its eyes for if it had, it would have seen that there was a large number of marketing reimbursement requests at or below the threshold which required additional oversight and approval. Using your eyes does not mean that it is simply your eyes which catch nefarious conduct, it means that you use your eyes and if it something unusual occurs then additional investigation is warranted.

All of this brings to the second lesson from the NFL’s sordid tale involving Tua Tagovailoa; which is if the protocol does not work, change the protocol. Renee Miller, writing The Athletic, said, “The purpose of the onsite concussion “exam is to determine if any symptoms are apparent in a neurological exam (looking at reflexes, cranial nerve function and limited cognitive skills), and if so, whether they arise from a neurological origin.” It does not take into account what we all saw with our eyes, the stumbling, Tua grabbing his helmet and inability to focus. The NFL will now make a change to consider the other factors Tua exhibited. In other words, they changed the protocol to require and allow for additional information about the injured player in making a determination of that player’s returning to the game.

In the case of Oracle, there was a high risk of business unit employees using the marketing reimbursement requests to create a pot of money to pay bribes. We know this because this same bribery scheme was used by Oracle India to pay bribes and do business corruption, all of which was the subject of a prior FCPA enforcement action. Pretty clearly allowing business unit employees to obtain marketing reimbursements was something that would lead to disaster; which it did just as the Dolphins allowing Tua to come back into the second half of the Bills game where he sustained his first concussion was disastrous for Tua as he was much more seriously injured just the next week.

In compliance never forget to ‘use your eyes’ in testing your compliance program. If something does not look right, do additional investigation. If you do not do so, you may end up like Oracle, now one of 15 FCPA recidivists, a list no company wants to be on.

Categories
Blog

Internal Controls Week: Part 5 – Assessing Internal Controls in International Operations

How should you assess your internal controls regime for international operations? It is incumbent that you need to review as much information as you can to understand the financial and operational structure of an entity and how it is integrated with the corporate headquarters, or the U.S. business unit’s financial and operation structure, if the foreign operation is part of a U.S. business unit.

You could begin with the TI-CPI to garner a sense of the reputation of the country in which your business unit is located, as well as the CPI for all other countries in which the location either markets business or has current customers. Another area for inquiry or review is the scope of your foreign operations. This means you will need to consider your sales model, whether employee based or primarily using third party representatives. You will also need to consider if such third-party representatives are coming into a commercial relationship with your company through your supply chain.

Other areas of inquiry should include whether your company’s finance and accounting staff produce financial statements that are integrated into the parent’s financial statements; whether your international business locations utilize a local bank account for local sales receipts as well as funds transfers from the U.S. and whether the account has local check signers and whether dual signatures are required on the checks. You may also want to consider the extent to which disbursements are made in the local currency and, of course, is there a local petty cash fund.

As with many other areas around internal controls,it is important to consider the local DOA and whether it is consistent with your corporate DOA. Some of the considerations regarding the local DOA should extend to which corporate or U.S. business unit approvals are required for transactions initiated locally, such as: 1) approval of vendor invoices, 2) disbursements of funds, including wire transfers; 3) execution of facilities leases; 4) execution of contracts with agents; and 5) approval of pricing and credit terms to customers and distributors. You should also review whether the local DOA provides appropriate SODs at the local business unit level.

You should consider how sales of product are conducted. For example, is an inventory maintained at the local operation for shipment to customers; are products drop shipped from U.S. directly to the customers of the local operation or are they drop shipped to distributors for delivery to the ultimate customer?

Hopefully you are already doing the above, but you should review what is being done to determine if employees or local contractors who are local nationals have gone through your due diligence process so that they have been properly vetted to determine whether they are government officials in any capacity or are relatives of government officials. Along the lines of a more formal FCPA analysis you should review to see if there has been any investigation of alleged fraud, including FCPA violations, at the location and, if so, what were the results of the investigation? Around customers, you should review with whom each international location does business to determine the extent to which its current customers are local government entities as well as the extent to which the location is pursuing sales activities for other local government entities.

If there has not been a sufficient assessment of controls, the compliance professional must then decide how to best determine whether the local controls are sufficient to satisfy the requirement of the FCPA and accurately reflect all transactions and prevent concealment of improper transactions. Some of these considerations would be an inadequate SODs because the separation of responsibility for physical custody of an asset from the related record keeping is a critical control. In practice, this means that persons who can authorize purchase orders should not be capable of processing accounts payable transactions. Further, the employee who prepares the deposit should not post the receipts to the customer accounts.

You should look to see if there is inappropriate access to assets. If there are, internal controls should be created to provide safeguards for physical objects such as inventory and cash, restricted information, critical forms and update applications. This means that an employee who only needs to view computer information should be restricted to “read and file scan” access and should not be granted “write and create” access. Moreover, controls should prevent the unauthorized removal of resale inventory and movable fixed assets from the premises.

It is not necessary to prove a that a bribe has been paid to have an enforcement action against a company for violation of the internal controls provisions of the FCPA. That was the situation in the SEC 2018 FCPA enforcement action involving Kinross Gold Corporation. It was this lack of effective internal controls, not the payment of a bribe, which was the basis for the civil enforcement action. This means that you should look to make certain the situation is not one of form over substance, where controls can appear to be well designed but still lack substance, as is often the case with required approvals.

Such a situation could arise in several different scenarios. The first is where an account manager’s signature attests to the accuracy of the payroll voucher information, but if the account manager does not have assurance that the supporting time records are accurate, the approval process lacks substance. Other examples are where a supervisor who approves expense reports but routinely does not look at the supporting documentation; a country manager provides a true control as an approver; or where the country manager or the local finance manager has ability to conceal the true nature of transactions without detection by anyone else.

Another important area involves sales and compensation for a foreign business unit. On the sales side of the equation, you review the three-year historical sales for the location and the budgeted sales for the upcoming year. This can give insight into the relative pressure on employees to grow the business and, accordingly, the possibility of an employee seeing a bribe as a good way to grow the business. The inquiries can lead to questions about compensation such as: What is the sales incentive compensation plan for local sales personnel? For the country manager? Such an inquiry gives insight into the possibility of personal benefit which might result from someone paying a bribe to win a contract which results in a large sales incentive compensation to the employee.

These reviews, questions, inquiries and analyses are designed to locate the pressure points involved in any company’s sales processes. This is because pressure is a key element of occupational fraud and the risk of fraud, including corruption, increases as the pressure increases. Since corruption is viewed as a subset of fraud, it might be a good time to review the “fraud triangle,” which lays out breeding ground for fraud in the corruption context:

  • Pressure which has financial implications, whether it be personal financial needs that are unmet or pressure to reach sales goals;
  • Rationalization. A fraud perpetrator always rationalizes that he/she is not a criminal and when committing fraud for personal benefit, the perpetrator intends to repay the money; when committing fraud for company benefit, the perpetrator rationalizes that the company really wants to meet its goals and that the perpetrator’s actions are in furtherance of the company’s goals; and
  • Opportunity. The perpetrator must be in a situation where the internal controls do not prevent the fraud and its necessary concealment
Categories
All Things Investigations

All Things Investigations: Episode 13 – Tyler Grove on New CFIUS Executive Order

Welcome to the Hughes Hubbard Anti-Corruption and Internal Investigations Practice Group’s Podcast, All Things Investigations. In this podcast, host Tom Fox and returning guest Tyler Grove of the Hughes Hubbard Anti-Corruption & Internal Investigations Practice Group, highlight some of the key legal issues in white-collar investigations, locally and internationally.

 

 

Tyler Grove has worked at Hughes Hubbard for over 10 years, starting as a paralegal and then working his way up to full-time associate before taking the position of counsel. Tyler’s specialties include sanctions and export controls in addition to anti-money laundering and foreign investment issues. His practice has three main areas: compliance counseling, enforcement and investigations, and corporate diligence and filings.

Key areas we explore on this podcast are:

  • The genesis of Executive Order 14083 relating to CFIUS, and what it entails.
  • It’s become a standard follow-up question when making CFIUS filings to ask about a US business’ cybersecurity policies.
  • What is excepted foreign state? 
  • The Biden administration has conducted a holistic approach to business issues that may not have been considered national security issues in the past. 
  • CFIUS has been a flexible tool for the Biden administration to apply foreign policy.
  • How companies should be prepared to respond when asked to provide information or assistance in a CFIUS review.

Resources

Hughes Hubbard & Reed website 

Tyler Grove on LinkedIn

 

Categories
The ESG Report

UFLPA, Supply Chain & ESG with Travis Miller and Jamie Wallisch

 

Tom Fox welcomes Travis Miller and Jamie Wallisch to the ESG Report. In this episode, they talk about the Uyghur Forced Labor Prevention Act (UFLPA), and how it impacts the way companies do business across the supply chain.

 

 

The UFLPA is a United States federal law that stops companies from importing products made with forced labor in the Xinjiang region of China or any other part of China with forced labor by workers or other minorities. This law is important because it makes sure that companies are aware of what is happening and take steps to stop it. The UFLPA makes companies use processes that already exist in their business. To follow the UFLPA, your company would need to have a compliance program in place. Jamie also explains how regulators could assess companies’ compliance programs using the UFLPA. 

 

Organizations need to recognize their organizational footprint because each company out there affects more than just the people who work there. It’s not just about who you choose to do business with but also who you choose to profit from. You can’t just condemn bad business practices verbally. You have to be actively engaged in ethical behavior. “It’s this assessment, it’s this realization that you are the sum of your components. You are the sum of your relationships,” Travis adds. 

 

Resources

Travis Miller | LinkedIn 

Jamie Wallash  

Assent

 

Categories
FCPA Compliance Report

Oracle FCPA Enforcement Action

In this episode, I take on a solo pod to discuss and consider the Oracle FCPA enforcement action brought by the Securities and Exchange Commission.

Key areas we discuss on this podcast are:

  • Background facts.
  • Same facts in same country?
  • Failure of a paper program.
  • The need for data analytics.
  • Where is the DOJ?
  • What are the lesson learned going forward?

 Resources

For a White Paper on the Oracle FCPE enforcement action, email tfox@tfoxlaw.com

Categories
Daily Compliance News

October 10, 2022 the Data Privacy Edition

In today’s edition of Daily Compliance News:

  • Weinstein LA trial takes on new urgency. (NYT)
  • Twitter/Musk case study. (Reuters)
  • US tries to fulfill data privacy agreement with EU. (WSJ)
  • Met creates an anti-corruption unit. (BBC)
Categories
Blog

Fighting Transparency and Whistleblowers

We sadly had two more examples of how companies are fighting transparency and the light of day through actions taken against whistleblowers. With these two examples we see once again how businesses which say they have a speak up culture and an open-door policy in writing do not seem to follow these prescriptions in practice. One comes from the world of sports (NBA basketball) and the second involves Exxon Mobil Corporation (Exxon).

If you are any kind of pro basketball fan, you have heard about the ‘altercation’ between Golden State Warriors Draymond Green and Justin Poole. Following an initial report of an ‘altercation’ occurring during a practice this week, TMZ released a video of the incident. After some unknown verbal sparring, Poole pushes Green away from him. Green then winds up and coldcocks Poole, knocking him down. Green’s initial response was essentially, I am sorry you are sorry. After the video was released, Green fully apologized and announced he was taking some time off.

What was the Warriors response to all this? According to ESPN, the public airing of the video and ensuing transparency, “has impacted the way the team has been able to move forward from the altercation. “In 32 years, I’ve probably seen 20-plus fights. It should not make it out of our walls,” Kerr said. “When things are kept internally, it’s almost easy to handle,” he continued. “As soon as things are leaked, all hell breaks loose. That affects every single player, coach. … It’s like if you had a camera in your family and there was a family dispute. Would you really want to discuss it with the world? No.”” According to Fox Sports, “the Warriors are taking “every legal course of action” to discover how the video was released to the public.”

For those NBA fans who do not remember, Laker Kermit Washington severely injured Rocket Rudy in 1978 with a similar punch to the face. So, this is not a ‘boys will be boys’ or a hyper competitive player dancing on the edge issue, but a full personal safety at work issue. What do the Warriors want too about it? Apparently not much as Outkick.com wrote, “Warriors general manager Bob Myers discussed the situation on Thursday. He stated that Green’s punishment would be “dealt with internally,” with little expectation for the 10-year veteran to miss any games in the upcoming season as a result. “There’s nothing that warranted the situation yesterday. I want to make that clear. It’s also something we feel like won’t derail our season and that’s with Draymond a part of that,” Myers told reporters.”

In a case from the more traditional corporate world, involving Exxon. The Wall Street Journal (WSJ) reported, “The Labor Department said it found Exxon Mobil Corp. illegally fired two company scientists over suspicions they shared information with The Wall Street Journal about concerns the pair had earlier raised with the company. The department’s Occupational Safety and Health Administration on Friday said Exxon must reinstate the two employees and pay them more than $800,000 in back wages, interest and damages.” In other words, Exxon has been found to have fired two whistleblowers.

The WSJ further noted, “Citing current and former employees, the Journal reported in September 2020 that some staff assigned to the Permian, the most active U.S. oil field, thought Exxon had been overly optimistic about an earlier projection it could increase oil and gas production in the New Mexico and West Texas region to 1 million barrels of oil equivalent per day as early as 2024. The people told the Journal that Exxon had overestimated how quickly it could drill wells there, which they said led the company to overvalue the asset by billions of dollars. Exxon later fired two scientists. The Labor Department determined the firings were prompted by Exxon’s suspicions the pair had brought information to the Journal.”

“Exxon denied the allegations at the time and has repeatedly said it has met and exceeded its drilling targets.” The WSJ went on to note, “Exxon claimed it had fired one of the scientists for mishandling proprietary information and another for “a negative attitude,” job hunting and losing management’s confidence.” Exxon spokesman Casey Norton, as quoted in the WSJ, said, “The terminations in late 2020 were unrelated to the ill-founded concerns raised by the employees in 2019.” Exxon has said that it will appeal.

Interestingly, in 2021, the WSJ “reported the Securities and Exchange Commission launched an investigation following an employee’s whistleblower complaint alleging the company’s overvaluation of the Permian had misled investors. The agency earlier this year closed the investigation and said it would not recommend an enforcement action against Exxon.” Additionally, “A federal judge in Texas dismissed a lawsuit last week brought by Exxon shareholders alleging the company misled investors about the value of its Permian assets. The judge determined the plaintiffs had not shown enough evidence that Exxon executives deliberately defrauded investors. The judge said they can refile the complaint with additional evidence.”

It is not clear if there was new evidence brought forward in this OSHA case that was not available to the SEC or federal district court. Perhaps OSHA found Exxon’s version of events not plausible. Nevertheless, coupled with the Warriors response to the leaking of Green punching a teammate, it seems that corporate America will try to prevent transparency at all costs. Compliance professionals would do well to make sure their organizations not simply welcome whistleblowers but embrace them to prevent fraud, waste and abuse and illegal conduct from moving forward in their organization.

Categories
Sunday Book Review

October 9, 2022 the Dracula edition

In today’s edition of Sunday Book Review:

Dracula by Bram Stoker

Interview with the Vampire by Anne Rice

I am Legend by Richard Matheson

Fevre Dream by George R. R. Martin