The Biden Administration promised a new, aggressive approach to corporate crime. Well, the Justice Department just delivered a new, comprehensive policy that raises a number of issues, some of which are likely to be controversial. The new policy incorporates reforms announced last October that largely centered on prior corporate criminal and civil records, the appointment of independent compliance monitors, and expanding the review of responsible persons in an internal investigation. The Justice Department’s new Corporate Enforcement Policy (“CEP”), however, expands on earlier policy changes but includes some new and far-reaching reforms intended to increase individual accountability and promote corporate culture through financial incentives and deterrence policies. This last idea is a significant expansion of DOJ’s CEP and is sure to reverberate through the business and compliance community. Chief compliance officers face a new requirement for their companies — creating an effective system of carrots and sticks to punish misconduct and increase rewards for ethical behavior.
DOJ’s new CEP also lays the groundwork for further consideration of corporate responsibility for preserving electronic messaging, ephemeral services, and other electronic data. DOJ’s discussion in this area reflects DOJ’s frustration with a corporate internal investigation that omits access to electronic data, especially in those situations where employees use personal devices for business-related communications. The revised CEP provides guidance to prosecutors and the business community to ensure individual and corporate accountability through the evaluation of various factors, including (1) Corporate History of Misconduct; (2) Self-Disclosure and Cooperation; (3) the Strength of a Company’s Compliance Program; (4) the Use and Monitoring of Corporate Monitors (including their selection and scope of a monitor’s work).
Tag: compliance
In this post, we conclude our exploration of the Foreign Corrupt Practices Act (FCPA) enforcement action involving the now recidivist Oracle Corporation. This enforcement action was concluded with the Securities and Exchange Commission (SEC) resulting in an Order. After having examined the background facts and bribery schemes in some detail, we turn to what it all means for FCPA enforcement going forward and what lessons the compliance profession can draw from Oracle’s missteps.
Paper Programs Fail
One of the most prominent lessons to be garnered from this matter is that paper compliance programs Do Not Work. That may sound like perhaps the most basic truism in all of compliance but here we are in 2022, looking at a major multinational organization which had a ‘check-the-box’ compliance program around distributors and it eventually bit them in the backside.
After having its first FCPA enforcement action in 2012 involving distributors in India, where deep and unwarranted discounts were used to create a pot of slush funds to pay bribes, Oracle instituted a requirement for a ‘second set of eyes’ outside the business unit for unusual or excessive discounts. According to its policies regarding distributors, a valid and legitimate business reason was required to provide a discount to a distributor. Oracle used a three-tier system for approving discount requests above designated amounts, depending on the product. In the first level, Oracle at times allowed subsidiary employees to obtain approval from an approver in a subsidiary other than that of the employee seeking the discount. At the next level and for higher level of discounts, Oracle required the subsidiary employee to obtain approval from another geographic region and the final level (and for the highest discounts) was from someone at the Oracle corporate headquarters. So far so good.
The problem was there was no requirement for evidence of a business justification to support the requested discount. The Order noted, “Oracle reviewers could request documentary support, Oracle policy did not require documentary support for the requested discounts – even at the highest level.” A statement of why you need a discount without any supporting documents as evidence is simply that – a statement. In other words, there was no way for a higher-level approver to determine if such a request was valid or fraudulent. Ronald Reagan was on to a basic compliance concept when he intoned “Trust, but verify.” Those words still ring true as a basic requirement in any compliance program.
Data Analytics
The Oracle enforcement action emphasized why data analytics is mandatory for any current compliance program. In addition to creating slush funds through discounts to distributors, slush funds were created through fraudulent reimbursement requests for expenses associated with marketing Oracle’s products. If the request were under $5,000, business unit level supervisors at the subsidiaries could approve them without any corroborating documentation indicating that the marketing activity actually took place. In one example from the Order, it noted that an Oracle Turkey sales employees obtained such fraudulent reimbursements totaling approximately $115,200 in 2018 that were “ostensibly for marketing purposes and were individually under this $5,000 threshold.” There was apparently no one looking to see who and how often these reimbursement requests were made by any single employee or approved by any supervisor.
This is as basic a fraud scheme as one can imagine. Think of employee gift, travel and entertainment (GTE) reimbursement where anything over $100 must be preapproved. One BD type or one business unit routinely submits requests after purchases of $99.99 so no preapproval is required. The supervisor approves it, and it is automatically paid to the employee. One reimbursement at $99.99 may not raise a red flag but multiple requests should. The same concept holds true in this situation. However, no one at Oracle was looking at this bigger picture. This is where a data analytics program would pick up such anomalies and flag them for closer inspection and investigation. Oracle appears to have realized this through part of its remediation, which included the implementation of a compliance data analytics program moving to proactive auditing.
Internal Control Upgrades
Putting in compliance enhancements to remediate your control failures is a key part to any FCPA enforcement resolution. In this area, there were improvements in the following capacities: (a) in distributor discounting by improving aspects of the Oracle discount approval process and increasing transparency in the product discounting process through the implementation and expansion of transactional controls; (b) in the Oracle procurement process through the increased oversight of, and controls on, the purchase requisition approval process; (c) by the removal of perverse incentives by limiting financial motivations and business courtesies available to third parties; (d) in basic gifts, travel and entertainment policies (GTE) by improving its customer registration and payment checking processes in connection with Oracle technology conferences.
Basic GTE
I cannot believe that in 2022 we are talking about companies that still do not have the most basic GTE policies in force. Since at least 2007, the Department of Justice (DOJ) made clear what was appropriate in business travel, business courtesies and business entertainment. Oracle’s 112 Project decidedly was not as it was designed to appear as a business trip to Oracle’s home office (then in California) related to Oracle’s bid on a project. However, the trip was designed to be a sham to hide boondoggle travel for four government officials. The alleged business meeting at the corporate headquarters lasted only 15 minutes and for the rest of the week, the Oracle BD folks entertained the government officials in Los Angeles and Napa Valley and then took them to a “theme park” in the greater Los Angeles area. Any travel involving government officials or any other covered persons under the FCPA should be submitted to and approved by your compliance function, including costs and the itinerary.
There was much to consider from the SEC enforcement action under the FCPA involving Oracle. We still have not heard from the DOJ. There may be more to come….
Caremark
Tom Fox and Jonathan T. Marks kick off the series with a deep dive into the 1996 Caremark decision, the 2006 Stone v. Ritter resolution, and the compliance lessons companies and board members can learn from the facts and patterns of these fundamental cases.
Key points discussed in the episode:
- Tom Fox gives a brief background on the Caremark case.
- Jonathan T. Marks describes how ethical behavior is the backbone of an organization and how this case defined the importance of having proper oversight monitoring.
- Tom Fox lays out Caremark’s penalties. He describes the Stone v. Ritter facts, how the bank was sued for failure to perform due diligence on fraudulent investors and violating the Bank Secrecy Act. These schemes follow a pattern that has been seen repeatedly. It has also defined the duties of board members: avoiding negligence and arising from failures.
- Jonathan T. Marks explains how fundamentals made their way into compliance laws in other countries, how guidelines are warning shots for companies to clean up, and urging companies to step up.
- The Caremark doctrine later refined two conditions for director liability and emphasized why boards must actively engage in oversight.
- Board members must get down to the nitty-gritty of what is truly happening in their organizations, ask tough questions, do a deeper self-assessment, and stop refusing to avoid problems and the ugly truth.
The Department of Justice and the Securities and Exchange Commission reached a $41 million settlement with GOL Linhas Aéreas Inteligentes S.A. (“GOL”) to resolve criminal and civil foreign bribery charges. GOL entered into a three-year deferred prosecution agreement (“DPA”) with the DOJ in exchange for payment of a $17 million criminal penalty. DOJ credited $1.7 million of that penalty against a $3.4 million fine that GOL agreed to pay law enforcement authorities in Brazil to resolve charges in Brazil. In a separate resolution, GOL agreed to pay the SEC $24.5 million over two years. The SEC’s initial settlement calculation was for $70 million, but it was reduced to $24.5 million based on GOL’s financial condition. Michael Volkov reviews the DOJ and SEC FCPA settlement actions in this episode.
In this special 5 part podcast series, I am deeply diving into the Monaco Memo and analyzing it from various angles. In this episode of the FCPA Compliance Report, I am joined by my Compliance into the Weeds co-host Matt Kelly for a deep dive into the weeds of the Monaco Memo. Some of the highlights include:
- Corporate accountability.
- Timeliness in turning over evidence of wrongdoing.
- Baby Carrots in evaluating the corporate history of misconduct.
- Additions to Evaluation of Corporate Compliance Programs.
- Tweaks to the Yates Memo formulation.
- Monitors and Monitorships.
Resources
Matt in Radical Compliance
Tom in the FCPA Compliance and Ethics Blog
- Introduction
- Self-Disclosure
- Corporate Compliance Programs
- Monitors
- What it all means
Welcome to the Great Women in Compliance Podcast, co-hosted by Lisa Fine and Mary Shirley.
In late 2018, Mary and Lisa began advertising the launch of the Great Women in Compliance podcast, which would air on 6 December 2018. Margarita Derelanko was one of the people who saw the marketing collateral and grew excited about the incoming podcast. She affords Lisa and Mary the opportunity to hear what the launch of the podcast was like from the other side of the fence – the to-date missing aspect of their origin story – what the listenership was thinking and how the podcast was received. Margarita shares how the podcast has impacted her life, including her takeaways from having her first article published, and the benefits she has gained from the encouragement of the hosts and guests.
Unlike many of the GWIC and certainly unlike Mary and Lisa, Margarita had the opportunity to choose whether or not to be in Compliance and she shares what it’s like for the new generation to consider joining the field – spoiler alert, Compliance Destiny appears yet again! It’s a real thing folks!
Margarita shares some advice for helping to overcome biases when you don’t look like you fit the part. She is of very small stature and is lucky enough to have youthful looks – causing some to make unfair judgments. Listen in for how she overcomes the biases and consider how you can turn some of your perceived greatest weaknesses into a strength.
Following on from Mia Reini’s tips for putting together an engaging line up for The Home Depot’s Compliance Summit, Margarita lends some tips from her experience on the planning team for the Waud Capital Partner’s Compliance Symposium to have a successful event.
The Great Women in Compliance Podcast is on the Compliance Podcast Network with a selection of other Compliance related offerings. If you are enjoying this episode, please rate it on your preferred podcast player to help other likeminded Ethics and Compliance professionals find it. If you have a moment to leave a review at the same time, Mary and Lisa would be so grateful.
You can also find the GWIC podcast on Corporate Compliance Insights where Lisa and Mary have a landing page with additional information about them and the story of the podcast. Corporate Compliance Insights is a much-appreciated sponsor and supporter of GWIC, including affiliate organization CCI Press publishing the related book; “Sending the Elevator Back Down, What We’ve Learned from Great Women in Compliance” (CCI Press, 2020). If you enjoyed the book, the GWIC team would be very grateful if you would consider rating it on Goodreads and Amazon and leaving a short review.
You can subscribe to the Great Women in Compliance podcast on any podcast player by searching for it and we welcome new subscribers to our podcast.
Join the Great Women in Compliance community on LinkedIn here.
Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. In this episode, we look at the recently announced Monaco Doctrine as encapsulated in the Monaco Memo. Highlights include:
- Corporate accountability.
- Timeliness in turning over evidence of wrongdoing.
- Baby Carrots in evaluating the corporate history of misconduct.
- Additions to Evaluation of Corporate Compliance Programs.
- Tweaks to the Yates Memo formulation.
- Monitors and Monitorships.
Resources
Matt in Radical Compliance
Tom in the FCPA Compliance and Ethics Blog
- Introduction
- Self-Disclosure
- Corporate Compliance Programs
- Monitors
- The heat is on
The Compliance Life details the journey to and in the role of a Chief Compliance Officer. How does one come to sit in the CCO chair? What are some of the skills a CCO needs to successfully navigate the compliance waters in any company? What are some of the top challenges CCOs have faced and how did they meet them? These questions and many others will be explored in this new podcast series. Over four episodes each month on The Compliance Life, I visit with one current or former CCO to explore their journey to the CCO chair. This month, my guest is Maria D’Avanzo. We discuss Maria’s journey from a real estate and small business lawyer to compliance, then CCO chair, and now as the Chief Evangelist Officer at Traliant.
In this concluding episode, Maria discussed how she used the tools and skills she learned to move to Traliant, where she is well positioned to help compliance professionals gain insights into their programs and help them better appreciate how Traliant can support their efforts. She is working with Traliant’s executive team as we not only develop new products but also enhance our existing offerings by listening tours with customers, customer advisory councils and expounding on training’s role in speak-up culture.
Resources
Maria D’Avanzo LinkedIn Profile
In this special 5 part podcast series, I am deeply diving into the Monaco Memo and analyzing it from various angles. In this episode of the FCPA Compliance Report, I am joined by my Affiliated Monitors founder Vin DiCianni to take a deep dive into the monitors and monitorship portions of the Monaco Memo. Some of the highlights include:
- Determination of Monitor Need.
- Roadmap to proactive compliance.
- Timely self-disclosure as criteria for monitorship?
- Monitor selection criteria.
- Monitor review and oversight.
Resources
Vin DiCianni on Affiliated Monitors
Tom 5-Part blog post series in the FCPA Compliance and Ethics Blog
- A Jolt for Compliance
- Timely Self-Disclosure
- Corporate Compliance Programs
- Monitors
- Polite Speech
Corporate culture is all the rage now, meaning it is an often used topic to signal commitment, sensitivity to issues of employee concern, and awareness of governance trends. In practice, as we all know, culture is not just about words but about action. As the often repeated phrase goes — talk is cheap. In this Corporate Culture Roundup Episode, Michael Volkov examines some culture-related issues involving: Culture + Action Steps, Civility in the Workplace, and What Happens when HR and Compliance are Disconnected.