
Day 16 of One Month to More Effective Internal Controls-COSO Objective II: Risk Assessments

Integrated Framework (Framework Volume) recognizes that “every entity faces a variety of risks from external and internal sources.” This objective is designed to provide a company with a “dynamic and iterative process for identifying and assessing risks.” For the compliance practitioner, none of this will sound new or even insightful; however, the COSO Framework requires a component of management input and oversight that was not as well understood. The Framework Volume says, “Management specifies objectives within the category relating to operations, reporting, and compliance with such clarity to identify and analyze risks to those objectives.” But management’s role continues throughout the process as it must consider internal and external changes that can affect or change risk “that may render internal controls ineffective.” This final requirement is also important for any anti-corruption compliance internal control. Changes are coming quite quickly in anti-corruption laws and their enforcement. Management needs to be cognizant of these changes and changes that its business model may make in the delivery of goods or services, which could increase the risk of running afoul of these laws. 

Objective-Risk Assessments

The objective of Risk Assessment consists of four principles:

  1. Principle 6 – “The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to the objectives.”
  2. Principle 7 – “The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.”
  3. Principle 8 – “The organization considers the potential for fraud in assessing risks to the achievement of objectives.”
  4. Principle 9 – “The organization identifies and assesses changes that could significantly impact the internal control system.”

Principle 6 – Suitable Objectives

Your risk analysis should always relate to stated objectives. As noted in the Framework Volume, management is responsible for setting the objectives. Rittenberg explained, “Too often, an organization starts with a list of risks instead of considering what objectives are threatened by the risk, and then what control activities or other actions it needs to take.” In other words, your objectives should form the basis for your risk assessments.

Principle 7 – Identifies And Analyzes Risk 

Risk identification should be an ongoing process. While it should begin at senior management, Rittenberg believes that even though a risk assessment may originate at the top of an organization or even in an operating function, “the key is that an overall process exists to determine how risks are identified and managed across the entity.” You need to avoid siloed risks at all costs. The Framework Volume cautions that “Risk identification must be comprehensive.”

Principle 8 – Fraud Risk 

Every compliance practitioner should understand that fraud exists in every organization. Moreover, the monies that must be generated to pay bribes can come from what may be characterized as traditional fraud schemes, such as employee expense account fraud, fraudulent third-party contracting and payments, and even fraudulent over-charging and pocketing of the difference in sales price. This means that fraud should be treated as an important element of any risk analysis. Any company must follow the flow of money, and where the Fraud Triangle is present, management must place controls around that risk.

Principle 9 – Identifies And Analyzes Significant Change

It is true that if there is one constant in business, there will always be change. The Framework Volume states, “every entity will require a process to identify and assess those internal and external factors that significantly affect its ability to achieve its objectives.” Rittenberg intones that companies “should have a formal process to identify significant changes, both internal and external and promptly assess the risks and approaches to mitigate the risk.” 

Discussion 

The SEC has clarified that companies should be expanding their view of risk in implementing the COSO 2013 Framework. Risk assessments are a cornerstone of a best practices compliance program as laid out in the 2012 FCPA Guidance and in the DOJ’s Evaluation of Corporate Compliance Programs, issued in February 2017. The regulators are telling companies specifically that they should see new risks that they need to address because of the changes brought about by the new standard. Howell noted that “in the internal control arena, fraud risk, in particular, has been keen interest because of the opportunity to mask fraud through the judgments made in recognizing revenue, no matter what the revenue recognition standard.” He went on to add other risks that companies should be considering in their risk assessments; “One risk is a company’s business practices do not relate to the accounting that they are providing right now because the business practices are changing and internally the company is not recognizing that the business practices are changing.”

“Another example is that sales folks give concessions to customers that are not reflected in their understanding of the contract and its accounting.” Howell went on to add that there might be other activities going on to acquire contracts that are not being properly accounted for, or even recognized at some level, because concessions are being given at the back end for a return that is not being reported back into the estimate of revenue going forward. Finally, there is the risk that a company has misstated or underestimated the period over which revenue should be recognized: it must determine whether revenue should be recognized over time and, if the time frame is a rolling one, estimate what that period is. Howell stated, “For example, the period could be longer, which means that your revenue would be recognized over a longer period. There’s always the risk that revenue could be recognized too early and that cost could be pushed out and spread over too long. As we begin to think about these new judgments that are required, we get into this entirely new level of judgment and risk related to the judgment that the companies need to identify and build both preventative controls and detective controls and have the plan to respond if they discover that the risk has happened and they have a failure.”

Three Key Takeaways:

  1. Risk assessments are required under the COSO Framework, the 2012 FCPA Guidance, and almost all other best practices compliance programs.
  2. Look at your risks across your organization rather than in a siloed manner.
  3. Risk identification and management change over time, so be cognizant of changes in business practices on the ground.

For more information on improving your internal controls management process, visit this month’s sponsor Workiva at workiva.com. Risk assessments are required under the COSO Framework, the 2012 FCPA Guidance, and all other compliance regimes.


Day 14 of One Month to More Effective Internal Controls – What is the COSO Framework?

Internal Control–Integrated Framework”, herein ‘the Framework volume.’ The second is an Illustrative Guide, entitled “Internal Controls – Integrated Framework, Illustrative Tools for Assessing Effectiveness of a System of Internal Controls,” herein ‘the Illustrative Guide,’ which discusses how best to assess your internal control regime and provides forms and worksheets to use in this exercise. The third volume is the Executive Summary of the first volume, herein ‘Executive Summary.’ All three works form an excellent starting point for exploration of the COSO Framework and how you might use it for your best practices anti-corruption compliance program. In the 2013 update, the basic framework was retained with substantial support from user companies, and three specific objectives were added:

  1. Operations Objectives – effectiveness and efficiency of operations, including safeguarding assets against loss
  2. Reporting Objectives – internal and external financial reporting
  3. Compliance Objectives – adherence to laws and regulations to which the entity is subject

According to the guidance in the 2013 update, the system of internal controls can be considered effective only if it provides reasonable assurance that the organization, among other things, complies with applicable laws, rules, regulations, and external standards. With the addition of those specific objectives, the COSO framework now specifically includes the need for controls to address compliance with laws and regulations. The COSO Framework defines internal controls, from bottom to top, with the following Objectives: (a) Control Environment, (b) Risk Assessment, (c) Control Activities, (d) Information and Communication, and (e) Monitoring. From these five Objectives come 17 Principles which we will explore throughout this series. Larry Rittenberg, in his book “COSO Internal Control-Integrated Framework,” said that the original COSO framework from 1992 has stood the test of time “because it was built as a conceptual framework that could accommodate changes in (a) the environment, (b) globalization, (c) organizational relationship and dependencies, and (d) information processing and analysis.” Moreover, the updated 2013 Framework was based on four general principles, which include the following: 

(1) the updated Framework should be conceptual, which allows for updating as internal controls [and compliance programs] evolve; 

(2) internal controls are a process which is designed to help businesses achieve their business goals; 

(3) internal controls apply to more than simply accounting controls, it applies to compliance controls and operational controls; and 

(4) while it all starts with Tone at the Top, “the responsibility for the implementation of effective internal controls resides with everyone in the organization.” 

This final statement is significant for the compliance practitioner because it directly speaks to the need for the compliance practitioner to operationalize internal controls for compliance and not simply rely upon a company’s accounting, finance, or internal audit function to do so. The primary point to keep in mind is that even if an organization adopts the Framework, very few people within that organization will have the unique knowledge a compliance officer has that bears on all the Framework elements. The compliance officer’s role is to provide input to the Chief Financial Officer (CFO) and others involved in the implementation to be sure that there is a proper focus on the risks that are part of the compliance world. This primarily comes through risk assessment, control activities, and monitoring. Companies typically do risk assessments from an operational standpoint, address business risks going forward, and then develop the controls that deal with those risks, such as projected financial results, doing business in certain countries, strategic decisions, and similar issues. This puts the compliance function in the unique position of being the fulcrum on many issues that will come up in a COSO-based analysis or implementation. The updated Framework retained the core definition of internal controls: control environment, risk assessment, control activities, information and communication, and monitoring activities.

Further, the well-known three-dimensional “COSO Cube” visually represents these five operational concepts. In addition, the criteria used to assess the effectiveness of an internal control system remain largely unchanged. The effectiveness of internal control is assessed relative to the five components of internal controls and the underlying principles supporting the components. However, the emphasis on the principles is new to the 2013 Framework. Joe Howell noted that the COSO Framework could be seen as a prevent and detect control. He also related that your internal controls need to be sustainable over the long haul. He stated, “You cannot just build one-off things that allow you to do one period and not have a process in place that will help you through all the periods you need to cover. The controls cannot just be a one-and-done. Many companies will find that their initial approach is one and done.” As we explore the COSO Framework, the compliance practitioner should understand how the entire Framework interacts and intersects with the compliance function sustainably throughout the organization. 

Three Key Takeaways:

  1. You must use the COSO Framework or a similar source for your internal control structure.
  2. The 2013 Framework identifies the following areas: (a) Control Environment, (b) Risk Assessment, (c) Control Activities, (d) Information and Communication, and (e) Monitoring.
  3. Your internal controls must be sustainable.

For more information on improving your internal controls management process, visit this month’s sponsor Workiva at workiva.com. The COSO 2013 Framework for Internal Controls is a great guide for the internal controls required in a compliance regime. 


Compliance Report-International Edition-Carlos Ayers on Tropicalizing Your Compliance Program


Day 12 of One Month to More Effective Internal Controls-Board Oversight as an Internal Control

Best practices compliance program. The first in Hallmark No. 1 states, “Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.” The second is found under Hallmark No. 3, entitled “Oversight, Autonomy and Resources,” which says the Chief Compliance Officer (CCO) should have “direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors (e.g., the audit committee).” Further, under the US Sentencing Guidelines, the Board must exercise reasonable oversight of the effectiveness of a company’s compliance program. The DOJ Prosecution Standards posed the following queries: (1) Do the Directors exercise independent review of a company’s compliance program? and (2) Are Directors provided sufficient information to enable independent judgment?

The DOJ’s remarks drove home to me the absolute requirement for Board participation in any best practices or even effective anti-corruption compliance program. I believe that a Board must have a corporate compliance program in place and actively oversee that function.

Further, if a company’s business plan includes a high-risk proposition, there should be additional oversight. In other words, there is an affirmative duty to ask tough questions. But it is more than simply having a compliance program in place. The Board must exercise appropriate oversight of the compliance program and the compliance function. The Board must ask hard questions and be fully informed of the company’s overall compliance strategy. Lawyers often speak to and advise Boards on their legal obligations and duties. If a Board’s oversight is part of effective financial controls under Sarbanes-Oxley (SOX), that includes effective compliance controls. Failure to do either may result in something far worse than bad governance. It may directly lead to an FCPA violation and could even form the basis of an independent FCPA violation. A company must have a corporate compliance program in place and actively oversee that function. A failure to perform these functions may lead to independent liability of a Board for its failure to perform its allotted tasks in an effective compliance program. Internal controls work together with compliance policies and procedures and are interrelated control mechanisms. There are five general compliance internal controls for a Board or Board subcommittee role in compliance:

  1. Risk Assessment – A Board should assess the compliance risks associated with its business.
  2. Corporate Compliance Policy and Code of Conduct – A Board should have an overall governance document informing the company, its employees, stakeholders, and third parties of the conduct the company expects from an employee. If the company is global/multi-national, this document should be translated into the relevant languages as appropriate.
  3. Implementing Procedures – A Board should determine if the company has a written set of procedures that instructs employees on how to comply with the company’s compliance policy.
  4. Training – There are two levels of Board training. The first should be that the Board has a general understanding of what the FCPA is, and it should also understand its role in an effective compliance program.
  5. Monitor Compliance – A Board should independently test, assess and audit to determine if its compliance policies and procedures are a ‘living and breathing program’ and not just a paper tiger.

There have been recent FCPA enforcement actions where the DOJ and SEC discussed the failure of internal controls as a basis for FCPA liability. With the questions about the Wal-Mart Board of Directors and their failure to act in the face of allegations of bribery and corruption in the company’s Mexico subsidiary, or, by contrast, their failing even to be aware of the allegations, there may soon be an independent basis for an FCPA violation for a Board’s failure to perform its internal controls function in a best practices compliance program.

Three Key Takeaways:

  1. GTE compliance internal controls are low-hanging fruit. Pick them.
  2. Compliance internal controls can be both detect and prevent controls.
  3. Good compliance internal controls are good for business.

Board oversight of your compliance program can act as an internal control if properly documented. For more information on improving your internal controls management process, visit this month’s sponsor Workiva at workiva.com.


FCPA Compliance Report – Episode 337 – James Gellert on Assessing 3rd Party Financial Health for Compliance

In this episode, I visit with James Gellert, CEO of RapidRatings, a company that uses a financial dialogue to determine third-party supplier health and viability. Gellert explains what supply chain resilience is and how examining your suppliers’ financial health can lead to a more financially efficient supply chain. We then discuss the company’s third-party risk management tools. We consider how a company might evaluate a potential purchaser, partner, or someone buying a part of a business. Finally, we have a lengthy discussion of how a corporate compliance function uses the health of a third party as a tool to determine third-party compliance risk. 

For more information on RapidRatings, check out their website by clicking here.


Compliance into the Weeds – Episode 43 – The Linde Declination

On June 16, 2017, the Department of Justice (DOJ) issued a Declination to Linde North American Inc. and Linde Gas North America LLC (collectively “Linde”). This is the first Declination issued by the DOJ in the era of the Trump Administration. For that reason alone, it was instructive and should be studied by the compliance profession. However, the case presented several interesting factors which merit consideration, so we are discussing in depth to present lessons to be learned for the Chief Compliance Officer (CCO) or compliance practitioner.

Lessons Learned

This was yet another Foreign Corrupt Practices Act (FCPA) action where a company performed insufficient due diligence in the acquisition phase. The timing of the Linde purchase of Spectra Gases and Spectra Gases’ purchase of the income-producing assets is too close in time to be a coincidence. It would certainly appear that Linde purchased Spectra Gases to facilitate its acquisition of the boron column and other assets. If your company is going to make such a multi-step acquisition, you must perform due diligence on all the actors and the assets involved.

The Byzantine corporate structure created for the ownership of the boron column, its operation, and its management contract are clear red flags that any CCO should sniff out immediately. While I am sure the internal corporate excuse for this clear ruse was the ubiquitous ‘tax considerations,’ every such transaction should also be reviewed by compliance. Anytime there is more than one entity to accomplish one task, there is the possibility of fraud. Further, it is unclear how Linde could not have been aware of the company’s ownership interests that it ultimately controlled. It would seem that the company did not even make any inquiries.

Even in 2006, the Republic of Georgia’s reputation for bribery and corruption was quite high. The 2006 Transparency International-Corrupt Perceptions Index (TI-CPI) listed Georgia at 99 out of 176 countries, which warranted red flag scrutiny. Extra care is warranted if you are purchasing an entity in a country with such a well-known affinity for corruption. Perhaps in 2006, Linde did not view the FCPA as something it would deal with in such a situation.

Yet even with all the apparent missteps and non-steps of compliance, the company was able to secure a declination from the DOJ. While there may be some additional penalties or sanctions by the Securities and Exchange Commission (SEC) for the failures of internal controls, the result obtained by Linde was certainly superior. The company met the four pillars under the FCPA Pilot Program through (a) self-disclosure, (b) extraordinary cooperation, (c) full remediation, and (d) profit disgorgement. Interestingly, in this case, the profit disgorgement would have been beyond the five-year limitation period for profit disgorgement under the recent Supreme Court decision in Kokesh. If the SEC brings an FCPA enforcement action, additional facts may be recited in any resolution documents.

Nevertheless, kudos are due to Linde and its counsel for obtaining this declination. Every CCO should study it for both the superior result received and underlying facts to see if you face anything similar in the Republic of Georgia or elsewhere.

For a full copy of the Linde Declination, click here


Day 17 of One Month to Better Investigations and Reporting – Whom to Suspend During an Internal Investigation and De-confliction

Scope of VW Suspensions Grows”, William Boston reported on the ongoing internal investigation by the company’s outside counsel Jones Day. Boston noted that VW had “suspended a larger number of engineers than previously acknowledged, following a recommendation from the law firm conducting” the investigation. The article went on to state, “Jones Day urged suspension of anyone who could have been involved in the scam – from high-level decision makers to ordinary engineers – to prevent possible perpetrators from tampering with the evidence.” This final statement emphasizes a key consideration in an FCPA investigation, which is to tie down the evidence. Former Arnold & White partner Mara Senn has said that “probably from the government’s perspective, the most important aspect of setting up an investigation in a way that makes them feel comfortable, is ensuring that all data is locked down.” However, if you are worried about evidence tampering, you may have a bigger problem. Pointing up the difficulties in making such a blanket sweep, an unnamed source, who provided this information to Boston, was quoted in the WSJ piece as saying, “We had to suspend everyone in this area to get them out of the way of this process. This is necessary for the investigation, but it’s tough because we are now missing their professional knowledge and experience.” This issue brings up another point that Senn has discussed: when to suspend or discipline an employee during an internal investigation. Senn said, “That is a very case-by-case difficult question to answer, but in general, I think it’s better to keep them around for as long as you need them. Once they’ve been fired or otherwise disciplined, even if you keep them around, they will be less cooperative with you and possibly, if you fire them, not cooperative.
You can require them to cooperate in the termination agreement, but, in practice, cooperation can mean many different things.” Given the Schrems decision by the European Court of Justice (ECJ), I wonder how the investigation will be fair with the German-based employees. Data in the US would be deemed company-owned, but in Europe, it may be private to the investigated employee. This problem became even greater with the recent decision by Privacy Regulators from 28 EU nations that backed the ECJ’s Schrems decision that invalidated the Safe Harbor regime. As reported by Jo Sherman in the FCPA Blog, “that closed the legal pipeline by which data has flowed freely from the EU to the U.S. for the last 15 years. The rationale for the court decision and the subsequent backing of the EU Data Protection Authorities is that the U.S. government’s surveillance powers are considered too excessive and disproportionate and can override the data protections for EU citizens under the Safe Harbor framework.” Lanny Breuer, the former number two at the Department of Justice (DOJ) and now a partner at Covington and Burling LLP, raised an interesting concern in the context of the Justice Department’s FCPA Pilot Program. It is around what Breuer terms “de-confliction.” This involves the government asking a company to halt its investigation so that the government can be the first to interview witnesses.
At the FCPA Blog Conference, Breuer said that if “de-confliction” is required as cooperation to gain the benefits of the pilot program, such a request from the DOJ would be “an extraordinary request, in my view” because it “could lead companies to be unable to disclose to other agencies or shareholders, and it could keep a board in the dark about the alleged wrongdoing.” Breuer added, “In general, publicly traded companies can’t just stand down from doing an investigation when such an allegation comes in.” He also commented that “he’d been asked to do so a couple of times.” Breuer raised four questions during his presentation, which every investigator must consider in de-confliction. 

(1) Would complying with the request be consistent with directors’ and corporate officers’ fiduciary duty of oversight?; 

(2) How can a company make decisions without speaking with its employees?; 

(3) How will a delay affect the company’s other regulatory obligations?;

(4) How can external counsel advise a company without knowing the facts? Companies hire external counsel to conduct thorough investigations, evaluate their clients’ conduct, and provide informed legal advice. These tasks can be difficult, if not impossible, to accomplish where external counsel have their hands tied behind their backs. The DOJ could have a broader remit or be involved with other ongoing investigations where it might make such requests. However, such ‘de-confliction’ could stop a company from engaging in a root cause analysis or even a robust investigation. At the same conference, an earlier panelist, Gerald Kral, the Chief Ethics & Compliance Officer (CECO) of Brown-Forman, said on his panel that his company did an extensive root cause analysis of every claim or incident so it can not only understand what happened but also put sufficient risk management protections in place to try to make sure it does not happen again.

Three Key Takeaways:

  1. Decisions on whom to discipline and when are critical decisions during any investigation.
  2. Take a case-by-case approach.
  3. The de-confliction question can be quite troubling during an internal investigation.

 Whom to suspend and when coupled with de-confliction are bedeviling issues in any internal investigation. 


Day 16 of One Month to Better Investigations and Reporting – Privacy Concerns in Internal Investigations

Schrems’ decision by the European Court of Justice, US-based law firms could rely on Safe Harbor to use and analyze information from investigations conducted in Europe. However, the Schrems decision and subsequent EU privacy rulings and regulations have brought the entire issue around internal investigations into question. In a podcast interview with UK solicitor and data privacy expert Jonathan Armstrong about the decision, Armstrong noted that the decision puts real roadblocks in the path of a US company that could be investigating potential anti-corruption allegations in the UK or an EU member country. The biggest issue would be personal privacy and information. Unlike in the US, work emails are covered by the privacy rights afforded to individuals and are not the company’s property. The same is true of other information. Under the Schrems decision, the ability of a US corporation to access that information and then take it back to the US under the safe harbor provision is no longer available. I asked Armstrong how a company might be able to move forward and internally investigate potential FCPA violations. Armstrong suggested that the only way at this point was to obtain the consent of the investigated person. However, obtaining such consent raises a host of other problems. He said, “Can I get consent for an internal investigation? Can I speak to my Austrian agent and say, ‘Peter, I just need you to sign this form to transfer your data to the US’? Now, for consent to be valid, the European legislation has to be fully explained, it has to be honest, and it can’t be deceptive. I’ve got to say to him, ‘I want you to sign this form because I want to investigate you. I want to run a full FCPA investigation; you’re the prime suspect. I want to take a look at your emails, and I have to inform you that you have the right not to consent, and if you don’t consent, there’s no way I can investigate you.
Could you sign the form, please?’” As Armstrong went on to note, “What answer is he likely to give in an internal investigation, and how would the US authorities feel if I go and tip off the main suspect that he’s under investigation?” With these two key components of any best practices compliance program, hotlines and internal investigations, seemingly now unavailable to CCOs or compliance practitioners for EU-sourced information, I believe additional pressure will be put on the compliance function. Any US company with EU-based operations will have to take steps immediately to ring-fence such data originating in Europe. It may also mean locally based compliance practitioners must head any inquiries. Moreover, if you couple this ruling in the Schrems decision with the Yates Memo, you immediately see the issue involved for any company seeking cooperation credit because such a company is required to turn over any information to the Department of Justice (DOJ) as soon as possible. But now, even if companies can still develop facts and data through internal investigations, in the manner suggested by Pirrotta in using local law firms, you might not be able to get the information back to the US to use. Worse yet is the option laid out by Armstrong to obtain consent from an investigation target. Not only do I find it improbable that anyone, European or otherwise, would give such consent, but in the unlikely event such consent is given, you have told the target they are the target, and other data sources might well begin to disappear. Armstrong put it starkly when he said, “you’re going to get no sympathy from the bribery prosecutors, bribery regulators if you mess this up. The SFO [Serious Fraud Office] allegedly lost the case on how the US firm involved conducted the investigation. They will have, rightly, I think, no sympathy at all for people whose investigations are themselves conducted unlawfully.
It will need much careful thought to structure data transfers and interviews. How do you move those interview notes? How do you look at emails? All this stuff will be critical so that you don’t break data privacy, data protection laws and tip off witnesses, you know, interfering with the scene of an investigation, et cetera, et cetera. All of these things are critical.” How does the Schrems decision contribute to compliance at the tipping point? If you cannot use two of the key components of a best practices compliance program, whether based upon the DOJ/Securities and Exchange Commission (SEC) Ten Hallmarks of an Effective Compliance Program or another standard, it will put significant pressure on other parts of the program. A compliance program will have to be structured more rigorously to prevent FCPA violations through internal controls and transaction monitoring tools. CCOs and compliance practitioners will also have to be more involved and have more visibility into the entire lifecycle of transactions so they can determine how to begin to move from even prevention to prescription of any FCPA violations. Just as the compliance world changed with the announcement of the Yates Memo, the DOJ Compliance Counsel, and the VW emissions-testing scandal, the Schrems decision will change the need for a more robust compliance program from now on to help protect a company.

Three Key Takeaways:

  1. The Schrems decision significantly impacted US-based internal investigations.
  2. Study the privacy laws of the country where you are performing your investigation.
  3. Informed consent is difficult to obtain, but it may be critical for your investigation.

Take care to protect privacy concerns when performing investigations outside the US.


Day 15 of One Month to Better Investigations and Reporting-the Parameters of Privileges

In “The Evolving Attorney-Client Privilege: Business Entities”, David E. Keltner wrote that under US federal law, the attorney/client privilege applies when the following are present:

  1. A client is seeking legal advice or a lawyer’s services;
  2. The person to whom the communication is made is a lawyer or his or her representative;
  3. The communication relates to a fact disclosed from a client (a representative) to a lawyer (a representative);
  4. Strangers are not present;
  5. A client requires confidentiality.

The significance of meeting each of these five prongs is critical. If they are met, “Absent privilege, once the attorney-client privilege is properly invoked – the privilege is absolute.” However, the failure to meet Prong 1 doomed former co-CEO Sigelman’s efforts, as he was not seeking legal advice. Former GC Weisman flew to Sigelman’s home to confront him over the fact that the FBI had come to his house asking questions about the payments made in Colombia. Finally, it is important to note that the attorney/client privilege belongs to the corporation and not to any one individual. The attorney/client privilege can be waived. While there is a general recognition that “only an authorized agent of a corporation may waive the privilege of the corporation,” Keltner advises that the “most frequently encountered instances of losing the privilege through selective disclosure” are: responding to a government investigation or supplying information to a government agency; information disclosed in certain Securities and Exchange Commission (SEC) filings or other required financial disclosures; in certain circumstances, disclosures to external corporate auditors or accounting responses; any disclosure made to a third party not affiliated with a lawyer; and insurance disclosures. How should we apply the above to the situation faced by former co-CEO Sigelman? Was he meeting with his lawyer or seeking legal advice? As reported by Joel Schectman in the Wall Street Journal (WSJ), in an article entitled “Secret Informant Recordings to be Allowed in PetroTiger Case,” the trial court distinguished having an attorney/client relationship from having the attorney/client privilege. Schectman reported, “a judge in U.S. District Court in Camden said last week that having an attorney-client relationship isn’t enough to make all conversations privileged–a client needs to be actively seeking legal advice.
“I cannot find a shred of indication that Weisman is there to give legal advice to Sigelman,” Judge Joseph Irenas said, “or the converse, that Sigelman was seeking legal advice from Weisman.” Interestingly, the trial court did not opine on the question of who the client was in this situation. My experience is that most CEO-types think of a GC as their lawyer. That view is also misplaced, as a GC works for a company, and the client is the corporation. While it did not have to reach the question of who the client was in the Sigelman/Weisman meeting, the trial court might have allowed the current corporate owners of PetroTiger to waive any privilege asserted by a former co-CEO. Schectman quoted G. Derek Andreson, a lawyer specializing in the Foreign Corrupt Practices Act, that “Attorney-client privilege is often misinterpreted as broader than it is.” Did the FBI take advantage of some special relationship between Sigelman and Weisman? As reported in the article, in his brief attempt to suppress the evidence, Sigelman’s counsel said, “Messrs. Sigelman and Weisman had a long-standing attorney-client relationship, one that fostered candor and trust between them–as any good attorney-client relationship should. The government took advantage of this trust.” Such would seem to be the nature of wiring up cooperating witnesses; if they cannot engender trust with those they are speaking to and surreptitiously taping, it would seem they are of little use to authorities. For the attorney/client privilege to be of use to you, certain hard work must be done to establish it in the corporate context. The five prongs listed by Keltner must be fulfilled for the privilege to apply. Simply chatting with your lawyer or the company’s lawyer will not invoke the privilege or protect you. In addition to the attorney/client privilege, another privilege can come into play around internal investigations. It is the attorney work product privilege.
Keltner noted, “The attorney-client privilege and the attorney work-product doctrine are often asserted interchangeably. While there is some overlap between the two, the attorney-client privilege is significantly different from the attorney work-product doctrine.” Moreover, as “codified in Fed. R. Civ. P. 26(b)(3), [the attorney work product doctrine] provides a qualified protection to materials prepared by a party’s counsel or other representatives in anticipation of litigation.” The doctrine exists “because it permits lawyers to ‘work with a certain degree of privacy, free from unnecessary intrusion by opposing parties . . .’” The key is that the material be prepared in anticipation of litigation. Unlike the attorney-client privilege, which belongs to the client, work-product immunity may be asserted by the lawyer or the client. While the attorney-client privilege is included in the Rules of Evidence, the work-product doctrine is included in the Rules of Civil Procedure, in the series relating to discovery. This makes it problematic to assert in the context of a criminal investigation. For in-house lawyers in the UK or EU countries, however, there is no such work product privilege. Two recent examples highlighted this key difference between the US, UK, and EU legal systems. First was the raid by German prosecutors on the offices of Volkswagen’s outside counsel, Jones Day, for information surrounding the law firm’s investigation of the company’s emissions-testing scandal. The raid was based on a court-issued subpoena. The second is the recent judicial decision out of the UK involving Eurasian Natural Resources Corp. (ENRC). The UK’s highest court held that the company must produce to the UK’s Serious Fraud Office (SFO) documents the company claimed were privileged, including attorneys’ notes of employee interviews conducted during the company’s internal investigation. The SFO sought the documents as part of its criminal investigation into fraud, bribery, and corruption allegations.
The court largely rejected ENRC’s claims of the work product privilege, holding that it does not apply when a document is not prepared for the sole or dominant purpose of conducting adversarial litigation. ENRC was required to produce the bulk of the contested documents because the investigation was a fact-finding exercise. 

Three Key Takeaways:

  1. Note the differences in the attorney/client and work product privileges.
  2. Both privileges can be waived intentionally or through negligent conduct.
  3. Take care with attorney work product outside the US, where there may be no privilege.

Remember who can assert privileges in an investigation and who can waive them. 


This Week in FCPA-Episode 56

  • The Kokesh case at the US Supreme Court is significant for SEC enforcement of the FCPA around profit disgorgement. For what it means to the compliance practitioner, see Tom’s piece in the FCPA Compliance & Ethics Blog. For a legal review of the decision, see the Miller & Chevalier client alert authored by Saskia Zandieh. Marc Bohn considered the case in the FCPA Blog. Marc and I discuss the case on the FCPA Compliance Report, Episode 332.
  • Trevor McFadden to leave the DOJ for the federal bench. See the article by Matt Kelly in Radical Compliance. Hui Chen’s contract will not be renewed; her position is posted for job applicants. Apply for the position here. Andrew Weissmann leaves as head of the Fraud Section to join the Special Prosecutor’s staff.
  • Former PetroTiger General Counsel Gregory Weisman is banned from SEC practice. See the article in the FCPA Blog.
  • Matthew Stephenson considers what a Wal-Mart settlement might look like. See his article in the Global Anti-Corruption Blog.
  • The federal judge who sentenced Samuel Mebiame, the bagman for Och-Ziff, criticized the DOJ for its lack of prosecution of any individuals from the company. See the article by Sam Rubenfeld in the WSJ Risk and Compliance Report.
  • Jay previews his weekend report.
  • Tom continues to talk about the release of his new book 2016 – The Year in Corporate FCPA Enforcement. For more information and to purchase, click here.
Jay Rosen can be reached:
Mobile (310) 729-6746
Toll Free (866)-201-0903
JRosen@affiliatedmonitors.com

Tom Fox can be reached:
Phone: 832-744-0264
Email: tfox@tfoxlaw.com