Tag: compliance

Categories
Blog

Internal Reporting and Triaging of Claims

The call, email or tip comes into your office; an employee reports suspicious activity somewhere across the globe. That activity might well turn into a FCPA issue for your company. As the CCO, it will be up to you to begin the process which will determine, in many instances, how the company will respond going forward. This system has become even more important after the 2022 announcement of the Monaco Memo. Further, as the 2022 ABB FCPA resolution made clear, self-disclosing to the DOJ is the vital first step for all discounts under the Corporate Enforcement Policy to begin.

This scenario was driven home by the WPP Foreign Corrupt Practices enforcement action in 2021. Here, a whistleblower reported internally on allegations of bribery and corruption in the company’s India subsidiary. WPP turned over the investigation to an inexperienced accounting firm in India and then allowed the investigation to be controlled by the business unit management that was engaging in the bribery and corruption. The result, unsurprisingly, was no adverse findings. However, the whistleblower did not stop there and reported six more times (seven total) with an increasing amount of documentary support. Finally, the company took the allegations seriously and commissioned an internal investigation.

Internal reporting. The 2020 FCPA Resource Guide, 2nd edition, has as clear and concise a statement about hotlines as any other requirement found in Hallmarks of an Effective Compliance Program. It states:

An effective compliance program should include a mechanism for an organization’s employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation.

The Evaluation reinforced this language with the following found under Reporting and Investigation:

How has the company collected, analyzed, and used information from its reporting mechanisms? How has the company assessed the seriousness of the allegations it received? Has the compliance function had full access to reporting and investigative information?

This is more than simply maintaining hotlines. Companies have to make real efforts to listen to employees. You need to have managers who are trained on how to handle employee concerns; they must be incentivized to take on this compliance responsibility and you must devote communications resources to reinforcing the company’s culture and values to create an environment and expectation that managers will raise employee concerns.

The reason is that a business’s own employees are a company’s best source of information about what is going on in the company. It is certainly a best practice for a company to listen to its own employees, particularly to help improve its processes and procedures. But more than listening to its employees, a company should provide a safe and secure route for employees to escalate their concerns. This is the underlying rationale behind an anonymous reporting system within any organization. Both the U.S. Sentencing Guidelines and the Organization of Economic Cooperation and Development (OECD) Good Practices list as one of their components an anonymous reporting mechanism by which employees can report compliance and ethics violations. Of course, the Dodd-Frank Whistleblower provisions also give heed to the implementation of a hotline.

What are some of the best practices for a hotline? Start with the following:

Availability. Your reporting mechanism can be easily accessed by your entire employee base. This may require more than one tool, such as telephone report, internet reporting and other mechanisms.

Anonymity. There must be a manner to make reports anonymously if the reporter so desires.

Escalation. You must have a protocol or mechanism to take any reports up the chain if they warrant being heightened within the organization.

Follow-up. There must be a sufficient follow up protocol to make sure any reported events receive the warranted attention. There should also be a way to keep the incident reporter informed as to the progress of the matter within your investigative protocol.

Oversight. There should be multiple levels of review within your organization on reports which come into your organization. This would include senior compliance department staff, senior company management and up to the Board of Directors.

In this area is that of internal company investigations, if your employees do not believe that the investigation is fair and impartial, then it is not fair and impartial. Furthermore, those involved must have confidence that any internal investigation is treated seriously and objectively. One of the key reasons that employees will go outside of a company’s internal hotline process is because they do not believe that the process will be fair.

After your investigation is complete, the Fair Process Doctrine demands that any discipline must not only be administered fairly but it must be administered uniformly across the company for a violation of any compliance policy. Failure to administer discipline uniformly will destroy any vestige of credibility that you may have developed.

Triaging claims. Given the number of ways that information about violations or potential violations can be communicated to the government regulators, having a robust triage system is an important way that a company can determine what resources to bring to bear on a compliance problem.

Jonathan Marks has articulated a five-stage triage process which allows for not only an early assessment of any allegations but also a manner to think through your investigative approach. Marks cautions you must have an experienced investigator or other seasoned professional making these determinations, if not a more well-rounded group or committee. Next, consider what will be the types of evidence to review going forward. Finally, before selecting a triage solution, understand what tools are available, including both forensic and human, to complete the investigation.

Marks’ five-stage process for early assessments are as follows:

Stage 1. These consist of allegations that have a low threat level and do not suggest a breakdown of internal controls. Tips that get grouped into this stage do not have a financial or reputational impact.

Stage 2. These allegations are more serious in nature, and often indicate some deficiency in the design of internal controls. Examples include business rule violations such as recurring employee theft or patterns of falsifying expense reports.

Stage 3. These allegations are serious in nature, generally involve an override of internal controls, and thus are at a minimum a serious deficiency. But they have only a minimal impact on the financial statements or the company’s reputation. More serious allegations in this category include fraud, embezzlement, and bribery involving employees or mid-level management.

Stage 4. These are serious allegations that could have an impact on the completeness and accuracy of the audited financial statements, and that could indicate a material weakness in internal controls. They do not, however, appear to involve any member of the senior management team.

Stage 5. These are serious allegations that involve one or more members of the senior management team or are serious enough to damage the company’s reputation. The receipt of allegations in this stage usually places the company into crisis management mode and could result in the restatement of audited financial statements or added regulatory scrutiny.

Finally, after you ascertain you have an effective reporting mechanism through your hotline and demonstrate you have a robust and properly scoped investigation protocol, you must use the information you receive to remediate any issues which may arise. It is not enough merely to show that a hotline exists, you must present the data it produces.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program – Day 23 – The Investigation Protocol

Your company should have a detailed written procedure for handling any complaint or allegation of bribery or corruption, regardless of the means through which it is communicated. The mechanism could include the internal company hotline, anonymous tips, or a report directly from the business unit involved. You can make the decision on whether or not to investigate in consultation with other groups, such as the Audit Committee of the Board of Directors or the Legal Department. The head of the business unit in which the claim arose may also be notified that an allegation has been made and that the Compliance Department will be handling the matter on a go-forward basis. Through the use of such a detailed written procedure, you can work to ensure there is complete transparency on the rights and obligations of all parties once an allegation is made. This allows the compliance team to have not only the flexibility but also the responsibility to deal with such matters, from which it can best assess and then decide on how to manage the matter.

Indeed, there are a variety of factors around giving credit to corporate investigations, including: Did management, the board, or committees consisting solely of outside directors oversee the review? Did company employees or outside parties perform the review? If outside persons, have they done other work for the company? If the review was conducted by outside counsel, had management previously engaged such counsel? How long ago was the firm’s last representation of the company? How often has the law firm represented the company? How much in legal fees has the company paid the firm?

Three key takeaways:

1. A written protocol, created before an investigation, is a key starting point.

2. Create specific steps to follow so there will be full transparency and documentation going forward.

3. Consistency in approach is critical.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
Blog

The Investigation Protocol

After the internal report comes in and you have properly triaged the matter, you need to scope out and investigate it, promptly, thoroughly and with competent personnel. In the 2023 ECCP, provided these series of questions about your internal investigations:

Properly Scoped Investigations by Qualified Personnel—How does the company determine which complaints or red flags merit further investigation? How does the company ensure that investigations are properly scoped? What steps does the company take to ensure investigations are independent, objective, appropriately conducted, and properly documented? How does the company determine who should conduct an investigation, and who makes that determination?

Investigation Response—Does the company apply timing metrics to ensure responsiveness? Does the company have a process for monitoring the outcome of investigations and ensuring accountability for the response to any findings or recommendations?

Resources and Tracking of Results––Are the reporting and investigating mechanisms sufficiently funded? How has the company collected, tracked, analyzed, and used information from its reporting mechanisms? Does the company periodically analyze the reports or investigation findings for patterns of misconduct or other red flags for compliance weaknesses? Does the company periodically test the effectiveness of the hotline, for example by tracking a report from start to finish?

Your company should have a detailed written procedure for handling any complaint or allegation of bribery or corruption, regardless of the means through which it is communicated. The mechanism could include the internal company hotline, anonymous tips, or a report directly from the business unit involved. You can make the decision on whether or not to investigate with consultation with other groups such as the Audit Committee of the Board of Directors or the Legal Department. The head of the business unit in which the claim arose may also be notified that an allegation has been made and that the Compliance Department will be handling the matter on a go-forward basis. Through the use of such a detailed written procedure, you can work to ensure there is complete transparency on the rights and obligations of all parties, once an allegation is made. This allows the compliance team to have not only the flexibility but also the responsibility to deal with such matters, from which it can best assess and then decide on how to manage the matter.

Indeed, there are a variety of factors around giving credit to corporate investigations including: Did management, the Board or committees consisting solely of outside directors oversee the review? Did company employees or outside persons perform the review? If outside persons, have they done other work for the company? If the review was conducted by outside counsel, had management previously engaged such counsel? How long ago was the firm’s last representation of the company? How often has the law firm represented the company? How much in legal fees has the company paid the firm?

In a presentation Jay Martin, former Chief Compliance Officer at Baker Hughes, and Jacki Trevino, Director, Relationship Manager at True Office Learning, discussed the specifics of an investigation protocol. It consisted of 1) opening and categorizing the case; 2) planning the investigation; 3) executing the investigation plan; 4) determining appropriate follow-up; and 5) closing the case. If you follow this basic protocol, you should be able to work through most investigations, in a clear, concise and cost-effective manner. Furthermore, you should have a report at the end of the day which should stand up to later scrutiny if a regulator comes looking. Finally, you will be able to “Document, Document, and Document”, not only the steps you took but why and the outcome obtained.

Opening and categorizing the case. This is the first step to categorize a compliance violation. You should notify the relevant individuals, including those on your investigation team and any senior management members under your notification protocols. After notification, you should assemble your investigation team for preliminary meetings and assessments. This step should be accomplished in one to three days after the allegation comes into compliance, either through your reporting structure or other means.

Planning the investigation. After assembling your investigation team, determine the required investigation tasks. These would include document review and interviews. If hard drives need to be copied or documents put on hold or sequestered in any way, or relationships need to be analyzed through relationship software programs or key word search programs, this should also be planned out at this time. These tasks should be integrated into a written investigation or work plan so that the entire process going forward is documented. Also, if there is a variation from the written investigation plan, such variation should be documented, with an explanation provided as to why there was such a variation. Lastly, if international travel is involved this should also be considered and planned for at this step. This step should be accomplished within another one to three days.

Executing the investigation plan. Under this step, the investigation should be completed. I would urge that the interviews not be affected until all documents are reviewed and ready for use in any interviews. Care should be taken to ensure that an appropriate Upjohn warning is issued, and that the interviewee clearly understands that whoever is performing the interview represents the company and not the person being interviewed, whether they are the target of the investigation or not. The appropriate steps should also be taken to preserve the attorney-client privilege and attorney work product ruminations. This step should be accomplished in one to two weeks.

Determining appropriate follow-up. At this step, the preliminary investigation should be complete, and you are ready to move into the final phases. In some investigations, it is relatively easy to determine when the work is essentially complete. For example, if the allegation is both specific and narrow, and the investigation reveals a compelling and benign explanation for the conduct alleged, then the investigation typically is complete, and you are ready to convene the investigation team and the relevant business unit representatives. This group would decide on the appropriate disciplinary steps or other actions to take. This step should be completed in under a week. (Note that at this step, if there are findings of specific or discrete allegations of corruption and bribery, a decision must be made as how to handle such findings going forward.)

Closing the case. Under this final step, communicate the investigation results to the stakeholders and complete the case report. Everything done in the above steps should be documented and stored, either electronically or in hard copy form. The case report should be completed. This step should be completed in under a week.

Categories
31 Days to More Effective Compliance Programs Uncategorized

31 Days to a More Effective Compliance Program – Day 22 – Levels of Due Diligence

Due diligence is generally recognized in three levels: Level I, Level II, and Level III. Each level is appropriate for a different level of corruption risk. The key is to develop a mechanism to determine the appropriate level of due diligence and then implement that going forward.

The 2023 ECCP stated, “A well-designed compliance program should apply risk-based due diligence to its third-party relationships. Although the need for, and degree of, appropriate due diligence may vary based on the size and nature of the company, transaction, and third party, prosecutors should assess the extent to which the company has an understanding of the qualifications and associations of third-party partners, including the agents, consultants, and distributors that are commonly used to conceal misconduct, such as the payment of bribes to foreign officials in international business transactions.”

The question becomes how you use the information you obtained in the business justification and the questionnaire to determine an appropriate level of due diligence for the next step in the five-step process of third-party management. A three-step approach with varying levels of due diligence is the appropriate analysis to take going forward.

There are many different approaches to the specifics of due diligence. By laying out some of the approaches, you can craft the relevant portions of your program. The Level I, II, and III trichotomies appear to have the greatest favor and are ones that you should be able to implement in a straightforward manner. But the key is that you must assess your company’s risk and then manage that risk. If you need to perform additional due diligence to answer questions or clear red flags, you should do so. And do not forget to “Document, Document, and Document” all your due diligence.

Three key takeaways:

1. Level I due diligence should only be used when there is a low risk of corruption.

2. Level II due diligence is sufficient in a high-risk jurisdiction if there are no red flags to be cleared.

3. Level III due diligence is a deep-dive, boots-on-the-ground investigation.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
Blog

Levels of Due Diligence

Due diligence is generally recognized in three levels: Level I, Level II and Level III. Each level is appropriate for a different level of corruption risk. The key is to develop a mechanism to determine the appropriate level of due diligence and then implement that going forward. Identifying key risk areas is essential to risk mitigation and the protection of your company’s reputation. Corporate and institutional investors need to know who they will be doing business with especially given heightening regulatory compliance actions by the US and other government agencies, and increasing geopolitical risk concerns.

The 2023 Evaluation of Corporate Compliance Programs (ECCP) stated, “A well-designed compliance program should apply risk-based due diligence to its third-party relationships. Although the need for, and degree of, appropriate due diligence may vary based on the size and nature of the company, transaction, and third party, prosecutors should assess the extent to which the company has an understanding of the qualifications and associations of third-party partners, including the agents, consultants, and distributors that are commonly used to conceal misconduct, such as the payment of bribes to foreign officials in international business transactions.”

The question becomes how you use the information you obtained in the business justification and the questionnaire to determine an appropriate level of due diligence for the next step in the five-step process of third-party management. A three-step approach of varying levels of due diligence is the appropriate analysis to take going forward.

A three-step approach was discussed in Opinion Release 10-02, in which the DOJ discussed the due diligence that the requesting entity performed:

First, it [the requestor] conducted an initial screening of six potential grant recipients by obtaining publicly available information and information from third-party sources … Second, the Eurasian Subsidiary undertook further due diligence on the remaining three potential grant recipients. This due diligence was designed to learn about each organization’s ownership, management structure and operations; it involved requesting and reviewing key operating and assessment documents for each organization, as well as conducting interviews with representatives of each MFI [microfinance institution] to ask questions about each organization’s relationships with the government and to elicit information about potential corruption risk. As a third round of due diligence, the Eurasian Subsidiary undertook targeted due diligence on the remaining potential grant recipient, the Local MFI. This diligence was designed to identify any ties to specific government officials, determine whether the organization had faced any criminal prosecutions or investigations, and assess the organization’s reputation for integrity.

This Opinion Release sets out a clear break that every compliance practitioner should use in considering an appropriate level of due diligence to engage with third-party risk management process or when considering the level of due diligence required on a potential business venture partner.

Further in October 2023 the DOJ announced the new Mergers and Acquisitions Safe Harbor Policy, which encourages companies to self-report corruption and criminal misconduct found during an acquisition. Companies that cooperate with federal regulators, investigate, and then remediate such misconduct may be eligible for criminal declination by the federal government. This process must be initiated within 6 months of the M&A transaction and is heavily dependent on effective due diligence.

Importantly, you can’t disclose what you don’t know. Understanding FCPA risks in foreign jurisdictions requires a deep level of due diligence based on local and regional intelligence.

Given the increasing sanctions and geopolitical risk environment it behooves a company to identify these risk factors. Due diligence investigations also help to identify national security risks ranging from corruption, and sanctions violations to terrorist financing. The stakes are increasingly serious for all companies working internationally and domestically within the US.

Due diligence investigations can reveal reputational risk, litigation issues, fraud and corruption risks, financial sanctions, criminal activity, supply chain risk, regulatory risk and environmental, social & governance (ESG) risks.

A very good description of the three levels of due diligence was presented by Candice Tal, Founder and CEO of Infortal Worldwide, in an article entitled, Deep Level Due Diligence: What You Need to Know.

Level I. First level due diligence typically consists of checking individual names and company names through over 1400 Global Watch lists comprised of AML, anti-bribery, sanctions lists, coupled with other financial corruption and criminal databases. These global lists create a useful first-level screening tool to detect potential red flags for corrupt activities. It is also a very inexpensive first step in compliance from an investigative viewpoint. Tal believes that this basic Level I due diligence is extremely important for companies to complement their compliance policies and procedures—demonstrating a broad intent to actively comply with international regulatory requirements.

Level I should also consider beneficial ownership records when they are available, and company tax information to assess whether the third party is financially sound and in compliance with tax payments as required within its primary country of business, plus a check of perceived business risks in that country. Additionally, the third party’s website should also be reviewed; it is unusual for a company not to have a website and this can be a preliminary flag that there are issues. Tal recommends verifying that the company address also exists; a non-verifiable address should be considered a potential red flag that would indicate the need for a deeper-level due diligence investigation.

Level I will reveal some of the key information needed to make preliminary risk exposure ranking decisions, especially for larger corporations who may have several hundred thousand vendors in their supply chains. However, Level I is very basic in scope and will not identify the majority of corruption risks; it should therefore only be considered a first step.

Level II. Level II due diligence encompasses a broader public records search and supplementing Global Watch lists with a negative keyword screening of international media, typically major newspapers and periodicals from all countries, plus detailed internet searches. Negative keywords are not the same as deep media/ OSINT searches as these focus on a smaller selection of keywords only. Such inquiries will often reveal other forms of corruption-related information and may expose undisclosed or hidden information about the company, the third-party’s key executives and associated parties.

Level II should also include everything found in Level I searches plus in-country database searches. Other types of information you should consider obtaining are country of domicile and international government records, use of in-country sources to provide assessments, a check for international derogatory electronic and physical media searches, which should be performed in both English and foreign-languages, in its country of domicile. Further, if you are in a specific industry, use technical specialists and obtain information from sector specific sources.

Level III. This level is a deep dive due diligence with a far more thorough investigation than the Level II scope, enabling a comprehensive assessment of corruption and business risks.

I agree with Tal that a Level III due diligence investigation is designed to supply your company “with a comprehensive analysis of all available public records data supplemented with detailed field intelligence plus a deep dive investigation of online records to identify known and more importantly unknown conditions. It will also require an in-country “boots-on-the-ground” investigation in the country involved. Seasoned investigators who know the local language and are familiar with local politics bring an extra layer of depth assessment to an in-country investigation.”    Further, Tal notes that:

Direction of the work and analyzing the resulting data is often critical to a successful outcome; and key to understanding the results both from a technical perspective and understanding what the results mean in plain English. Investigative reports should include actionable recommendations based on clearly defined assumptions or preferably well-developed factual data points. These are security-based recommendations designed to highlight issues and themes of information found across different investigative avenues. Without this understanding companies may miss critical information necessary to make informed risk and compliance decisions.

Significantly, thorough Level III due diligence can provide an additional level of fiduciary duty of care for the company’s board.

Level III should include deep web, accessible dark web, and historical Internet searches, also known as Open-Source Intelligence Investigations (OSINT). Although AI can be used for some of this work, it should be noted that AI without investigative analysis will yield less adverse information. AI can ignore  critical information that it cannot identify as missing, also there may be indicators inferring an outcome which is likely to be missed by AI currently. Investigative analysis looks at hidden and undisclosed information and searches for information that should have been found but was not. It is an integrated approach incorporating “boots on the ground”, intelligence gathering, and due diligence investigations. Relying on basic Google searches is a certain mistake as hidden and undisclosed information are unlikely to be discovered.

But more than simply an investigation of the company, including a site visit and coupled with onsite interviews, Tal says that some other things you should investigate include:

An in-depth background check of key executives or principal players. These are not routine employment-type background checks, which are simply designed to confirm existing information; but rather executive due diligence checks designed to investigate hidden, secret or undisclosed information about that individual.

Tal believes that an in-depth background check should also look for such “Reputational information, undisclosed involvement in other businesses, direct or indirect involvement in other lawsuits, history of litigious and other lifestyle behaviors which can adversely affect your business, and public perceptions of impropriety, should they be disclosed publicly.”

Further, you may need to engage a foreign law firm to investigate the third-party in its home country to determine their compliance with its home country’s laws, licensing requirements and regulations. Lastly, and perhaps most importantly, you should use a Level III to look the proposed third-party in the eye and get a firm idea of the third party’s cooperation and attitude towards compliance—as one of the most important inquiries is based on the response and cooperation of the third-party. More than simply trying to determine if the third party objected to any portion of the due diligence process or objected to the scope, coverage or purpose of the FCPA, you can use a Level III due diligence investigation to determine if the third party is willing to stand up with you under the FCPA and are you willing to partner with the third party?

There are many different approaches to the specifics of due diligence. By laying out some of the approaches, you can craft the relevant portions into your program. The Level I, II and III trichotomy appears to have the greatest favor and one that you should be able to implement in a straightforward manner. But the key is that you must assess your company’s risk and then manage that risk. If you need to perform additional due diligence to answer questions or clear red flags you should do so. And do not forget to “Document, Document, and Document” all your due diligence.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 21 – Managing Your Third Parties

The building blocks of any compliance program lay the foundations for a best practices compliance program. For instance, in the life cycle management of third parties, most compliance practitioners understand the need for a business justification, questionnaire, due diligence, evaluation, and compliance terms and conditions in contracts. However, as many companies mature in their compliance programs, the issue of third-party management becomes more important. It is also the one where the rubber meets the road of operationalizing compliance. It is also an area that the DOJ specifically articulated in the 2023 ECCP that companies need to consider.

Managing your third parties is where the rubber meets the road in your overall third-party risk management program. You must execute on this task. Even if you successfully navigate the first four steps in your third-party risk management program, those are the easy steps. Managing the relationship is where the real work begins.

Three key takeaways:

1. Have a strategic approach to third-party risk management.

2. Rank third parties based upon a variety of factors, including compliance and business performance, length of relationship, benchmarking metrics, and KPIs for ongoing monitoring and auditing.

3. Managing the relationship is where the real work begins.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
Sunday Book Review

Sunday Book Review: January 21, 2024 The Books on HR Edition

In the Sunday Book Review, I consider books that would interest the compliance professional, the business executive, or anyone who might be curious. It could be books about business, compliance, history, leadership, current events, or anything else that might interest me. Over the month of January, we will review some of the best books reported by People Managing People in various categories. In today’s edition of the Sunday Book Review, we look at four books on HR you should read in 2024.

  • The Essential HR Handbook by Sharon Armstrong and Barbara Mitchell
  • Irresistible: The 7 Secrets of the World’s Most Enduring, Employee-Focused Organizations by Josh Bersin
  • Built for People: Transform Your Employee Experience by Jessica Swaan
  • Remote Not Distant by Gastavo Ruzzetti

Resource:

28 Best HR Books You Should Read in 2024

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 20 – The Third Party Risk Management Process

The DOJ expects an integrated approach that is operationalized throughout the company. This means you must have a process for the full life cycle of third-party risk management. There are five steps in the life cycle of third-party risk management that will fulfill the DOJ requirements as laid out in the 2023 FCPA Resource Guide, 2nd edition, and in the Hallmarks of an Effective Compliance Program. The five steps in the lifecycle of third-party management are:

1. Business Justification by the Business Sponsor.

2. Questionnaire to Third-party.

3. Due Diligence on the Third Party.

4. Compliance Terms and Conditions, including payment terms.

5. Management and Oversight of Third Parties After Contract Signing.

Three key takeaways:

1. Use the full 5-step process for third-party management.

2. Make sure you have business development involvement and buy-in.

3. Operationalize all steps going forward by including business unit representatives.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
Blog

The Third Party Risk Management Process

As every compliance practitioner is well aware, even in 2023, third parties still present the highest risk under the FCPA. The 2023 ECCP devotes an entire prong to third-party management. It begins with the following:

Prosecutors should also assess whether the company knows the business rationale for needing the third party in the transaction, and the risks posed by third-party partners, including the third-party partners’ reputations and relationships, if any, with foreign officials. For example, a prosecutor should analyze whether the company has ensured that contract terms with third parties specifically describe the services to be performed, that the third party is actually performing the work, and that its compensation is commensurate with the work being provided in that industry and geographical region. Prosecutors should further assess whether the company engaged in ongoing monitoring of the third-party relationships, be it through updated due diligence, training, audits, and/or annual compliance certifications by the third party.

This clearly specifies that the DOJ expects an integrated approach that is operationalized throughout the company. This means you must have a process for the full life cycle of third-party risk management. There are five steps in the life cycle of third-party risk management, which will fulfill the DOJ requirements as laid out in the 2020 FCPA Resource Guide, 2nd edition, and in the Hallmarks of an Effective Compliance Program. They five steps in the lifecycle of third-party management are:

1. Business Justification by Business Sponsor;

2. Questionnaire to Third-party;

3. Due Diligence on Third-party;

4. Compliance Terms and Conditions, including payment terms; and

5. Management and Oversight of Third Parties After Contract Signing.

Business Justification. The first step breaks down into two parts: business sponsor and business justification. The purpose of the business justification is to document the satisfactoriness of the business case to retain a third-party. The business justification should be included in the compliance review file assembled on every third-party at the time of initial certification and again if the third-party relationship is renewed. It is mandatory this document be filled out and completed by the business sponsor, who will be the primary contract with the third-party for the life of the business relationship.

Questionnaire. The term ‘questionnaire’ is mentioned several times in the 2012 FCPA Resource Guide. It is generally recognized as one of the tools that a company should complete in its investigation to better understand with whom it is doing business. This requirement is not only a key step but also a mandatory step for any third-party that desires to do work with your company. If a third-party does not want to fill out the questionnaire or will not fill it out completely; run, don’t walk, away from doing business with such a party.

One thing that you should keep in mind is that you will likely have pushback from your business team in making many of the inquiries listed above. However, most proposed agents that have done business with U.S. or U.K. companies have already gone through this process. Indeed, they understand that by providing this information on a timely basis, they can set themselves apart as more attractive to U.S. businesses.

Due diligence. Most compliance practitioners understand the need for a robust due diligence program to investigate third parties but have struggled with how to create an inventory to define the basis of risk of each foreign business partner and thereby perform the requisite due diligence. Getting your arms around due diligence can sometimes seem bewildering for the compliance practitioner.

The purpose is to encourage businesses to put in place due diligence procedures that adequately inform the application of proportionate measures designed to prevent persons associated with a company from engaging in bribery and corruption on their behalf. Due diligence acts as both a procedure for anti-bribery risk assessment and a risk mitigation technique. Further, both operate as compliance internal controls.

With this due diligence, you should then perform a triage. Triage is how you determine where each third party falls in the ranking of priorities. Asha Palmer, EVP at Convercent by One Trust, has noted that: “Appropriate due diligence may vary based upon company size, transaction, and type of third party. These categories and several others may determine how you choose to design your triage process.” Some of the common factors that determine how high-risk a third-party relationship may be:

• Type of third party (bank, consultancy, reseller, etc.)

• Contract value

• Country

• Government interaction

• Industry

After you have completed Steps 1–3 you are ready to move onto to Step 4, the contract. According to the 2012 FCPA Resource Guide, additional considerations include payment terms and how those payment terms compare to typical terms in that industry and country, as well as the timing of the third-party’s introduction to the business.” This means that you need to understand what the rate of commission is and whether it is reasonable for the services delivered. If the rate is too high, this could be indicia of corruption as high commission rates can create a pool of money to be used to pay bribes. If your company uses a distributor model in its sales side, then it needs to review the discount rates it provides to its distributors to ascertain that the discount rate it warranted.

The contract. You must evaluate the information and show that you have used it in your process. If it is incomplete, it must be completed. If there are red flags, which have appeared, these red flags must be cleared, or you must demonstrate how you will manage the risks identified. In other words, you must document that you have read, synthesized and evaluated the information garnered in the business justification, questionnaire and due diligence steps beforehand. As the DOJ and SEC continually remind us, a compliance program must be a living, evolving system and not simply a “check the box” exercise.

Management of the relationship. While the work done in the four steps above are absolutely critical, if you do not manage the relationship, it can all go downhill very quickly, and you might find yourself with a potential FCPA violation. There are several different ways that you should manage your post-contract relationship. The Evaluation clearly is focused on several key components that you need to evaluate and then re-evaluate during the pendency of the relationship. Incentivizing through compensation issues, training and ongoing monitoring through oversight and auditing are all key tools that the DOJ expects you to use going forward after the contract is signed.

Categories
Blog

The SAP FCPA Enforcement Action-Part 5: Lessons Learned

We conclude our series on the initial Foreign Corrupt Practices Act (FCPA) enforcement action. It involved the German software giant SAP. While the conduct which led to the enforcement action occurred for a lengthy period of time and was literally worldwide in scope, the response by SAP is to be both noted and commended. The hard and impressive work that SAP did during the pendency of the investigation and enforcement action led to a very favorable result for the company in the reduced amount of its assessed fine and penalty as well as the fact that no monitor was mandated by the Department of Justice (DOJ) or Securities and Exchange Commission (SEC). Today, in our final post, we review key lessons learned from the SAP enforcement action.

Remediation

SAP did an excellent job in its remedial efforts. Whether SAP realized as a recidivist of the dire straits it was in after the publicity in South Africa around is corruption or some other reason, the company made major steps to create an effective, operationalized compliance program which met the requirement of the Hallmarks of an Effective Compliance Program as laid out in the 2020 FCPA Resource Guide, 2nd edition.

The remedial actions by SAP can be grouped as follows.

  1. Root Cause, Risk Assessment and Gap Analysis. Here the company conducted a root cause analysis of the underlying conduct then remediating those root causes, conducted a gap analysis of internal controls, remediating those found lacking; and then performed a comprehensive risk assessment focusing on high-risk areas and controls around payment processes, using the information obtained to enhance its compliance risk assessment process;
  2. Enhancement of Compliance. Here the company significantly increasing the budget, resources, and expertise devoted to compliance; restructuring its Offices of Ethics and Compliance to ensure adequate stature, independence, autonomy, and access to executive leadership; enhanced its code of conduct and policies and procedures regarding gifts, hospitality, and the use of third parties; enhanced its reporting, investigations and consequence management processes;
  3. Change in sales models. On the external sales side, SAP eliminated its third-party sales commission model globally, and prohibiting all sales commissions for public sector contracts in high-risk markets and enhanced compliance monitoring and audit programs, including the creation of a well-resourced team devoted to audits of third-party partners and suppliers. On the internal side, SAP adjusted internal compensation incentives to align with compliance objectives and reduce corruption risk;
  4. Data Analytics. Here SAP expanded its data analytics capabilities to cover over 150 countries, including all high-risk countries globally; and comprehensively used data analytics in its risk assessments.

Data Analytics

The references to data analytics and data driven compliance warrant additional consideration. SAP not only did incorporate data analytics into its third-party program but also expanded its data analytics capabilities to cover over 150 countries, including all high-risk countries globally. The SEC Order also noted that SAP had implemented data analytics to identify and review high- risk transactions and third-party controls. The SAP DPA follows the Albemarle FCPA settlement by noting that data analytics is now used by SAP to measure the compliance program’s effectiveness. This language follows a long line of DOJ pronouncements, starting with the 2020 Update to the Evaluation of Corporate Compliance Programs, about the corporate compliance functions access to all company data; this is the second time it has been called out in a FCPA settlement agreement in this manner. Additionally, it appears that by using data analytics, SAP was able to satisfy the DOJ requirement for implementing controls and then effectively testing them throughout the pendency of the DOJ investigation; thereby avoiding a monitor.

Holdbacks

Next was the holdback actions engaged in by SAP. The DPA noted, SAP withheld bonuses totaling $109,141 during the course of its internal investigation from employees who engaged in suspected wrongdoing in connection with the conduct under investigation, or who both (a) had supervisory authority over the employee(s) or business area engaged in the misconduct and (b) knew of, or were willfully blind to, the misconduct, and further engaged in substantial litigation to defend its withholding from those employees, which qualified SAP for an additional fine reduction in the amount of the withheld bonuses under the DOJ’s Compensation Incentives and Clawbacks Pilot Program.

Self-Disclosure

While this factor was not present in the SAP enforcement action, the message sent by the DOJ could not be clearer on not simply the expectation of the DOJ for self-disclosure but also the very clear and demonstrable benefits of self-disclosure. Under the Corporate Enforcement Policy, SAP’s failure to self-disclose cost it an opportunity of at least 50% and up to a 75% reduction off the low end of the U.S. Sentencing Guidelines fine range. Its actions as a criminal recidivist, resulted in it not receiving a reduction of at least 50% and up to 75% from the low end of the U.S.S.G. fine range but rather at 40% from above the low end. SAP’s failure to self-disclose cost it an estimated $20 million under the Sentencing Guidelines. It’s failure to self-disclose and recidivism cost it a potential $94.5 million in discounts under the Corporate Enforcement Policy. The DOJ’s message could not be any clearer.

Extensive Cooperation

There were also lessons to be garnered from SAP’s cooperation with the DOJ. While there was no mention of the super duper, extra-credit giving extensive remediation which Kenneth Polite discussed last year; when SAP began to cooperate, it moved to extensively cooperate. The DPA noted SAP “immediately beginning to cooperate after South African investigative reports made public allegations of the South Africa-related misconduct in 2017 and providing regular, prompt, and detailed updates to the Fraud Section and the Office regarding factual information obtained through its own internal investigation, which allowed the government to preserve and obtain evidence as part of its independent investigation…” Most interestingly, the DPA reported that SAP imaged “the phones of relevant custodians at the beginning of the Company’s internal investigation, thus preserving relevant and highly probative business communications sent on mobile messaging applications.” This is clear instruction around messaging apps in FCPA enforcement actions.

Resources

SEC Order

DOJ DPA