Tag: compliance

Categories
The Compliance Life

Bridget Abraham-Bridget Abraham-Into the CCO Chair

The Compliance Life details the journey to and in the role of a Chief Compliance Officer. How does one come to sit in the CCO chair? What skills does a CCO need to navigate the compliance waters in any company successfully? What are some of the top challenges CCOs have faced, and how did they meet them? These questions and many others will be explored in this new podcast series. Over four episodes each month on The Compliance Life, I visit with one current or former CCO to explore their journey to the CCO chair. This month, my guest is Bridget Abraham, CCO at Remitly, who had a decidedly non-traditional path to the CCO Chair.

From Western Union, Bridget moved to the CCO Chair at Remitly, a remittance payment company. She discussed the mission-driven approach of Remitly to do the right thing. She talked about some of her early challenges and how she could leverage her economics background into a full compliance program. Some of her challenges included scaling up the compliance program and moving into new markets.

Resources

Bridget Abraham LinkedIn Profile

Categories
Blog

Great Structures Week II – Structures from Ancient Egypt and Greece and Written Standards

I continue my Great Structures Week with a focus on great structures from the earliest times, ancient Egypt and Greece. I am drawing these posts from The Teaching Company course, entitled “Understanding the World’s Greatest Structures: Science and Innovation from Antiquity to Modernity”, taught by Professor Stephen Ressler. From Egypt there are of course the Pyramids, of which Ressler says, “They’re important, not just because they’re great structures, but also because they represent some of the earliest human achievements that can legitimately be called engineering. The Great Pyramid of Giza stands today as a testament to the strength and durability of Egyptian structural engineering skills.”

From Greece we derive what Vitruvius called the “Empirical Rules for Temple Design” which define a “single dimensional module equal to the radius of a column in the temple portico, then specify all other dimensions of the building in terms of that module.” These rules are best seen in Greek temples, largely consisting of columns, which are defined as “a structural element that carries load primarily in compression” and beams, which are “structural elements subject to transverse loading and carry load in bending.” My favorite example of the use of columns is seen in the Parthenon; the most famous of all Greek temples still standing.

In many ways these two very different structures stand as the basis of all structural engineering and Great Structures that come later throughout history. For any anti-corruption compliance regime based on the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other anti-bribery statutes, the same is true for a Code of Conduct and written policies and procedures. They are both the building blocks of everything that comes thereafter.

In an article Debbie Troklus, Greg Warner and Emma Wollschlager Schwartz, stated a company’s Code of Conduct “should demonstrate a complete ethical attitude and your organization’s “system-wide” emphasis on compliance and ethics with all applicable laws and regulations.” Your Code of Conduct must be aimed at all employees and all representatives of the organization, not just those most actively involved in known compliance and ethics issues. From the board of directors to volunteers, the authors believe that “everyone must receive, read, understand, and agree to abide by the standards of the Code of Conduct.” This would also include all “management, vendors, suppliers, and independent contractors, which are frequently overlooked groups.”

There are several purposes identified by the authors that should be communicated in your Code of Conduct. Of course the overriding goal is for all employees to follow what is required of them under the Code of Conduct. You can do this by communicating what is required of them, to provide a process for proper decision-making and then to require that all persons subject to the Code of Conduct put these standards into everyday business practice. Such actions are some of your best evidence that your company “upholds and supports proper compliance conduct.”

The substance of your Code of Conduct should be tailored to the company’s culture, and to its industry and corporate identity. It should provide a mechanism by which employees who are trying to do the right thing in the compliance and business ethics arena can do so. The Code of Conduct can be used as a basis for employee review and evaluation. It should certainly be invoked if there is a violation. To that end, I suggest that your company’s disciplinary procedures be stated in the Code of Conduct. These would include all forms of disciplines, up to and including dismissal, for serious violations of the Code of Conduct. Further, your company’s Code of Conduct should emphasize it will comply with all applicable laws and regulations, wherever it does business. The Code needs to be written in plain English and translated into other languages as necessary so that all applicable persons can understand it.

The written policies and procedures required for a best practices compliance program are well known and long established. As stated in the FCPA Resource Guide 2nd edition, “Among the risks that a company may need to address include the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments.” Policies help form the basis of expectation and conduct in your company and Procedures are the documents that implement these standards of conduct.

Another way to think of policies, procedures and controls was stated by Aaron Murphy, in his book “Foreign Corrupt Practices Act”, when he said that you should think of all three as “an interrelated set of compliance mechanisms.” Murphy went on to say that, “Internal controls are policies, procedures, monitoring and training that are designed to ensure that company assets are used properly, with proper approval and that transactions are properly recorded in the books and records. While it is theoretically possible to have good controls but bad books and records (and vice versa), the two generally go hand in hand – where there are record-keeping violations, an internal controls failure is almost presumed because the records would have been accurate had the controls been adequate.”

Borrowing from an article in the Houston Business Journal, entitled “Company policies are source and structure of stability”, I found some interesting and important insights into the role of policies in any anti-corruption compliance program. Allen says that the role of policies is “to protect companies, their employees and consumers, and despite an occasional opposite outcome, that is typically what they do. A company’s policies provide a basic set of guidelines for their employees to follow. They can include general dos and don’ts or more specific safety procedures, work process flows, communication guidelines or dress codes. By establishing what is and isn’t acceptable workplace behavior, a company helps mitigate the risks posed by employees who, if left unchecked, might behave badly or make foolhardy decisions.”

Allen notes that policies “are not a surefire guarantee that things won’t go wrong, they are the first line of defense if things do.” The effective implementation and enforcement of policies demonstrate to regulators and the government that a “company is operating professionally and proactively for the benefit of its stakeholders, its employees and the community it serves.” If it is a company subject to the FCPA, by definition it is an international company so that can be quite a wide community.

Allen believes that there are five key elements to any “well-constructed policy”. They are:

  • identify to whom the policy applies;
  • establish the objective of the policy;
  • explain why the policy is necessary;
  • outline examples of acceptable and unacceptable behavior under the policy; and
  • warn of the consequences if an employee fails to comply with the policy.

Allen notes that for polices to be effective there must be communication. He believes that training is only one type of communication. I think that this is a key element for compliance practitioners because if you have a 30,000+ worldwide work force, the logistics alone of such training can appear daunting. Consider gathering small groups of employees, where detailed questions about policies can be raised and discussed, as a powerful teaching tool. Allen even suggests posting Frequently Asked Questions (FAQ’s) in common areas as another technique.

The FCPA Resource Guide 2nd edition ends its section on policies with the following, “Regardless of the specific policies and procedures implemented, these standards should apply to personnel at all levels of the company.” Allen puts a bit differently in that “it is important that policies are applied fairly and consistently across the organization.” He notes that the issue can be that “If policies are applied inconsistently, there is a greater chance that an employee dismissed for breaching a policy could successfully claim he or she was unfairly terminated.” This last point cannot be over-emphasized. If an employee is going to be terminated for fudging their expense accounts in Brazil, you had best make sure that same conduct lands your top producer in the US with the same quality of discipline.

Join us tomorrow where we look at the Roman Arch and resourcing your compliance program.

Categories
Blog

Great Structures Week I: Vitruvius, the Brooklyn Bridge and Compliance

In “Understanding the World’s Greatest Structures: Science and Innovation from Antiquity to Modernity”, by Professor Stephen Ressler, he explores some of the world’s greatest structures and the development of structural engineering throughout history. Many structural engineering concepts are apt descriptors for an anti-corruption compliance program. So today, I will begin the ‘Great Structures Week’ as an entrée into an appropriate topic for an anti-corruption compliance program. Each day I will discuss a structural engineering concept together with one my favorite examples from Professor Ressler’s course.

To open the series I will consider what makes a structure great. Marcus Vitruvius Pollio (Vitruvius) was a Roman author, architect, and civil engineer during the 1st century BC, known for his work entitled De Architectura. Vitruvius is famous for proclaiming that a structure must exhibit the three qualities of firmitas, utilitas and venustas, meaning that it must be solid, useful and beautiful. These are sometimes termed the Vitruvian Triad and today these are loosely translated that great constructions must have form, function or structure. Form is the arrangement of space and harmony. Function is the measure of usefulness. Structure contains innovative techniques in its creation.

My favorite example of a structure that incorporates all three of these concepts is the Brooklyn Bridge. The beauty of the form follows the functions of the scientific principles that underlie the bridge’s structure. As Ressler noted “Each element of the form of the Brooklyn Bridge serves a structural purpose based on mathematical principles.” First the form itself is one of great beauty. The function remains the same, even if the modes of transport have evolved; the Bridge was designed to carry people from Brooklyn to Manhattan. Yet as Ressler notes, “beyond the aesthetic, these features are a direct reflection of the scientific principles underlying the bridge’s design. They are, in a word, structure – a system of load carrying elements that cause the bridge to stand up.” We have a graceful and elegant design, which operates to safely conduct people over the Hudson River, through an engineering design that allows the structure to act as intended.

This convergence of Vitruvius’ tripartite view of what makes a great structure is an appropriate analogy for a best practices anti-corruption compliance program to facilitate compliance with the FCPA, UK Bribery Act or similar regime. Over the years both the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have made clear that each company should have a compliance program that fits its needs. Indeed, in the FCPA Guidance, it could not have been made clearer when it stated, “Individual companies may have different compliance needs depending on their size and the particular risks associated with their businesses, among other factors. When it comes to compliance, there is no one-size-fits-all program.” The Guidance goes on to state the obvious when it notes, “companies may consider a variety of factors when making their own determination of what is appropriate for their specific business needs. Indeed, small- and medium-size enterprises likely will have different compliance programs from large multi-national corporations”.

The Guidance goes on to note, “Compliance programs that employ a “check-the-box” approach may be inefficient and, more importantly, ineffective. Because each compliance program should be tailored to an organization’s specific needs, risks, and challenges, the information provided below should not be considered a substitute for a company’s own assessment of the corporate compliance program most appropriate for that particular business organization. In the end, if designed carefully, implemented earnestly, and enforced fairly, a company’s compliance program—no matter how large or small the organization—will allow the company generally to prevent violations, detect those that do occur, and remediate them promptly and appropriately.”

Yet when viewed through Vitruvius’ prism, it is clear that an anti-corruption compliance program is much more holistic, with form, function and structure. A good compliance program is really about good financial controls. I think this is one outlook of FCPA compliance which is not discussed enough. Stanley Sporkin, in many ways the progenitor of the law, recognized that if a company was going to engage in corruption it would have to hide such activity through falsified books and records. Hence, he articulated the basis for having the accounting provisions included when Act was originally written and enacted into law. These provisions include both the books and records provision and the internal controls provision. The Guidance says, “the accounting provisions ensure that all public companies account for all of their assets and liabilities accurately and in reasonable detail”. So the form of a compliance program should be largely in financial controls that are baked into a company.

The formula of a compliance program can follow several forms. It can be based on the Hallmarks of an Effective Compliance Program from the FCPA Guidance, the Six Principles of Adequate Procedures as contemplated by the UK Bribery Act; the OECD 13 Good Practices or other formulations. The form of any of these articulations meets the Vitruvius definition.

Next is the function. Here I think it is appropriate to consider what the FCPA Resource Guide 2nd edition says regarding internal controls, that being “Internal controls over financial reporting are the processes used by compa­nies to provide reasonable assurances regarding the reliabil­ity of financial reporting and the preparation of financial statements. They include various components, such as: a control environment that covers the tone set by the organi­zation regarding integrity and ethics; risk assessments; con­trol activities that cover policies and procedures designed to ensure that management directives are carried out (e.g., approvals, authorizations, reconciliations, and segregation of duties); information and communication; and monitor­ing.” Moreover, “the design of a company’s internal controls must take into account the operational realities and risks attendant to the company’s business, such as: the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption.” This language points to function of any best practices compliance program, to make the company a better-run company.

Finally, in the area of structure it is incumbent to recall that any best practices anti-corruption compliance program continues to evolve. It evolves with technological innovations such as transaction or continuous controls monitoring. But a compliance program must evolve as your company evolves. Changing commercial realities and conditions can create new or increased FCPA compliance risks. Your compliance program needs to be able to detect, assess and manage new risk as your business creates new products; moves into new territories or develops new sales channels. The FCPA Resource Guide 2nd edition states, “They are dynamic and evolve as the business and the markets change.” To do so, “a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its custom­ers, the laws that govern its actions, and the standards of its industry.”

Categories
FCPA Compliance Report

Erica Salmon Byrne on Ethisphere Partnership with Alpine Investors

In this episode, I visit with Erica Salmon Byrne, now CEO at Ethisphere. We review the firm’s recent acquisition by Alpine Investors, a B-Corp. Key areas we discuss on this podcast are:

  • What does this new partnership mean for Ethisphere?
  • Who is Alpine Investors, and what is a B Corp.
  • What is People Focused Private Equity, and why was this a good fit for Ethisphere?
  • What will be Erica’s role going forward?
  • How this move will refocus Ethisphere’s efforts in ESG.

 Resources

Ethisphere Press Release

Ethisphere

Alpine Investors

Categories
Popcorn and Compliance

Leadership Lessons from The Wolfman

I have always loved the classic Universal monster movies from the 1930s. I am exploring one movie each week to mine it for leadership and compliance lessons this month. For this first entry in this short series on Popcorn and Compliance, I look at the original 1941 version of The Wolfman, which starred Lon Chaney Jr as the Wolfman. Chaney embued the Monster with great pathos, and in this podcast, I explore some of the dichotomies found in the movie, which I believe move beyond simply good v. evil. Some of the supporting roles of Claude Rains as Laurency Talbot’s father, Bela Lugosi as the werewolf who attacks Chaney, and Maria Ouspenskaya as Maleva, the mother of the original werewolf, who is an empathic and wise character that provides guidance, comprehension, and comfort to the others. The movie is very atmospheric and has a ton of fun.

Categories
Great Women in Compliance

GWIC x The Ethics Experts-Mary’s Episode

Welcome to the Great Women in Compliance Podcast, co-hosted by Lisa Fine and Mary Shirley.

For the next two weeks, the GWIC team are presenting a collab with ComplianceLine: GWIC X The Ethics Experts! Mary and Lisa start their throwback Wednesday sessions by harking all the way back to the early days of COVID19, where Mary’s episode was recorded while she was in the New Zealand coronavirus lockdown.

Gio Gallo interviewed Mary about her leadership style – especially focused on giving (junior) staff substantive, meaningful work and wings to fly while setting out a safety net, how not to slip into complacency in your Compliance program by being reassured of historical achievements, and understanding that there is no lowest common denominator. Learn how you can use surveys to tap into your most vulnerable areas you don’t even know you have.

 Check out Lisa’s interview on the Ethics Experts here on the Great Women in Compliance Podcast on 19 October!

 On 26 October, Mary and Lisa will return to their regular programming with a joint episode on learnings, insights, and observations from the Society of Corporate Compliance and Ethics Compliance and Ethics Institute. Want to be a part of the fun? Introduce yourself to Lisa and Mary at the conference – you’ll be able to spot them by their GWIC tote bags that Lisa kindly procured for the duo.

The Great Women in Compliance podcast is excited to look at topics like this one, and we are always open to suggestions for guests.

The Great Women in Compliance Podcast is on the Compliance Podcast Network with a selection of other Compliance related offerings. If you are enjoying this episode, please rate it on your preferred podcast player to help other likeminded Ethics and Compliance professionals find it. If you have a moment to leave a review at the same time, Mary and Lisa would be so grateful.

You can also find the GWIC podcast on Corporate Compliance Insights where Lisa and Mary have a landing page with additional information about them and the story of the podcast. Corporate Compliance Insights is a much-appreciated sponsor and supporter of GWIC, including affiliate organization CCI Press publishing the related book; “Sending the Elevator Back Down, What We’ve Learned from Great Women in Compliance” (CCI Press, 2020). If you enjoyed the book, the GWIC team would be very grateful if you would consider rating it on Goodreads and Amazon and leaving a short review.

You can subscribe to the Great Women in Compliance podcast on any podcast player by searching for it and we welcome new subscribers to our podcast.

Join the Great Women in Compliance community on LinkedIn here.

Categories
Blog

Ongoing Compliance Assessments: FCPA, UK Bribery Act and OCED Best Practices

One of the requirements consistent throughout the Principles of Federal Prosecution of Business Organization (US Sentencing Guidelines) and its section on corporate compliance programs; the Organization for Economic Co-operation and Development (OECD) Good Practice Guidance on Internal Controls, Ethics, and Compliance, and the UK Bribery Act’s Consultative Guidance is the need for continued assessment of an anti-corruption and anti-bribery compliance program. This posting will review the specifics of each of these documents and will provide to the compliance and ethics practitioner some ideas on how to implement what each of these protocols stress is key component of any best practices compliance program.

US Sentencing Guidelines

The US Sentencing Guidelines state that there should be periodic reviews of a company’s compliance program, utilizing internal resources, such as a company’s Internal Audit function, and outside professional consultants. The OECD Good Practice states that a compliance program should be periodically re-assessed and re-evaluated to take into account any new developments. The UK Bribery Act Consultative Guidance, recently released by the UK Ministry of Justice, requires ongoing monitoring and review by noting that a compliance program and procedures should be reviewed regularly and a company should consider whether an “external verification [of the compliance program] would help.”

Speaking at the Compliance Week 2010 Annual Conference, Assistant Attorney General for the Criminal Division of the US Department of Justice, Lanny Breuer, indicated that such an external verification or assurance of the effectiveness of a compliance program is a key component to assist a company in maintaining a ‘best practices’ FCPA compliance program. He noted that it is through a mechanism such as an ongoing assessment that a company could continue to evaluate its own compliance program with reference to compliance standards which are evolving on a world wide basis.

OECD

In this same speech, Breuer cited as a benchmark for a best practices compliance and ethics program the protocols set forth in the OECD Good Practice Guidance on Internal Controls, Ethics, and Compliance. In this protocol the OECD suggested that “periodic reviews of the ethics and compliance programs or measures, designed to evaluate and improve their effectiveness in preventing and detecting foreign bribery, taking into account relevant developments in the field, and evolving international and industry standards.” Writing in the Society of Corporate Compliance and Ethics Magazine (SCCE) (Vol. 7 / No. 3), Russ Berland explained that this guidance meant that companies should regularly reassess their anti-bribery and anti-corruption compliance program to evaluate and improve its overall effectiveness. Although he did not give a time frame for this regular assessment, Berland noted that any such assessment “should take into account new developments in the area and evolving standards.

UK Bribery Act 

Principle Six of the UK Bribery Act’s Consultation Guidance discusses the need for ongoing monitoring and review. The Principle states “The commercial organization institutes monitoring and review mechanisms to ensure compliance with relevant policies and procedures and identifies any issues as they arise. The organization implements improvements where appropriate.” The reasons for this continued monitoring was to ensure that if, external events like government changes, corruption convictions, or negative press reports occur, an appropriate compliance response is triggered. The Guidance noted that it would be prudent for companies to consult the publications of relevant trade bodies or regulators that could highlight examples of good or bad practice. Organizations should also ensure that their procedures take account of external methods of issue identification and reporting as a result of the statutory requirements applying to their supporting institutions, for example money laundering regulations reporting by accountants and solicitors.

The Consultative Guidance provided advice for companies which covered several specific suggestions. The senior management of higher risk and larger organizations may wish to consider whether to commission external verification or assurance of the effectiveness of anti-bribery and anti-corruption policies. An independent review can provide to a company, which is undergoing structural change or entering new markets, with an insight into the strengths and weaknesses of its anti-bribery policies and procedures and in identifying areas for improvement. Such independent assessment would also enhance a company’s credibility with business partners or to restore market confidence following the discovery of a bribery incident, to help meet the requirements of both voluntary or industry initiatives and any future pre-qualification requirements.

Ongoing Assessment as ‘Best Practices’ 

All three cornerstones of guidance available to the Foreign Corrupt Practices Act (FCPA) compliance practitioner include ongoing assessments as a key component of any best practices program. The text of each document and the remarks by commentators make clear the reasons for such an ongoing assessment. Not only do best practices evolve but companies and business evolve. An assessment is key to measuring where your program currently stands to allow you to know where it needs to be updated.

Attention should be paid to who and how the assessment is conducted. The entity, be it a law firm; professional consultant or other, which designed the FCPA compliance program for your company should not be the assessor. Such assessment would obviously be a conflict of interest. Additionally a drafter usually has blind spots when assessing one’s own work. An outside FCPA compliance professional should be engaged to assess your compliance policy, at no less than every two years, to review and make recommendations to keep your program at the best practices standard.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

 

© Thomas R. Fox, 2010

Categories
Innovation in Compliance

Innovating Compliance in the Middle East and Africa with Tomell Ceasar

 

Tomell Ceasar is the Group Head of Ethics and Compliance at Careem (An Uber Company). He is one of the founders of the Middle East and Africa Compliance Association (MEACA). This organization strives to raise awareness on business ethics and provides tools to build stronger and more responsible businesses. Essentially, they promote global regulatory compliance and effective governance in the Middle East and Africa. In this week’s episode, he explains to Tom the intricacies of practicing compliance outside the US, specifically the EAME. 

 

 

Compliance Practice in the EAME

Tom asks Tomell to describe what it is like practicing compliance in EAME. Tomell responds that it’s difficult to make broad generalizations on compliance region-wide since the EAME is such a huge territory. Compliance is a “Western value in terms of the way one approaches international business”, Tomell remarks, so adoption would take some time. However, appreciation of compliance roles and professionals grew exponentially over the past decade. International companies are seeing compliance through the US lens, and “they identified values of compliance being important enough to them to adopt similar frameworks and ideological perspectives as it relates to commercial enterprise, to be equivalent to the United States,” Tomell remarks.

 

The Birth of the MEACA 

As a co-founder of the Middle East and Africa Compliance Association, Tom wants to know how Tomell came up with the idea for the MEACA. Tomell explains that “the values of compliance have traditionally not been a staple of commercial enterprises in these regions.” Compliance has had a real maturation process over the last 10 years, and Tomell and his team saw a major opportunity to support the development and growth towards that end. There was a need for an organization willing to serve the distinct purpose of “serving and supporting the compliance community and to give them an avenue to connect, to network, to broaden their skill set.” Thus, the MEACA was born. To this day, they help companies promote and catalyze the compliance movement toward fighting corruption in companies and society. 

 

Resources 

Tomell Ceasar | LinkedIn

The Middle East and Africa Compliance Association

 

Categories
Blog

Use Your Eyes in Compliance

One thing compliance professionals are rarely trained to do is trust your eyes. This may be because it seems too obvious. After all the well-known Howard Sklar maxim of “Water is Wet” is largely based on the fact that if something is so obvious you may not need to train on it. Yet two recent events make clear we all need to ‘trust our eyes’ in a variety of settings. The first is in the National Football League (NFL) and it involves Miami Dolphin quarterback, Tua Tagovailoa. Three weeks ago, he was tackled, thrown to the ground and his head snapped against the tuft. This is clearly a sign a concussion may be coming. After Tua got up, he stumbled and fell and then had to be helped up by a teammate and off the field.

I say all of this with absolute certainty as I was watching the game Dolphins v. Bills and saw it along with some 70,000 in the stadium and millions on television. Unfortunately, those who did not see these actions of Tua after the hit was the Dolphins medical staff who, rather amazingly (or perhaps not), cleared him under the NFL Concussion Protocol and sent him back to play in the second half of the game. Again, finding he was fine under the concussion protocol, he was allowed to play. The Dolphins claimed that he had sustained a “back injury” and that was why he stumbled and fell, not motor impairment. The next week, Tua took another shot to his head and this time he did not get up, stumble and fall. He did not get up at all. According to New York Times (NYT), he left the field on a stretcher and was taken immediately to a local hospital.

It was clear to anyone who saw the first concussion, that it was just that a concussion. However, “because of the incident, the league and union said they were considering changing the protocols, which currently allow a player with “gross motor instability” to return to the game if doctors decide there is an orthopedic reason for his unsteadiness.” Some doctor said the instability was due to Tua’s bad back and that was good enough. The NYT went on to further note, “The expected change will be to instead establish ataxia, a term describing impaired balance or coordination caused by damage to the brain or nerves, as a sign that automatically disqualifies a player from returning to the game.”

All of this informs compliance programs and compliance professionals as sometimes actions do not simply pass the eye test. I thought of this in the context of the recent Oracle Corporation Foreign Corrupt Practices Act (FCPA) enforcement action. In this Oracle matter, the bribery schemes involved distributors, which were used as not only conduits to pay bribes, but as the mechanism to create a pot of money to pay bribes. The Oracle compliance program allowed sales employees at the subsidiaries to request monies meant to reimburse distributors for certain marketing expenses associated with selling Oracle products. There was a multi-pronged approval process in place. For marketing reimbursements “under $5,000, first-level supervisors at the Subsidiaries could approve the purchase order requests without any corroborating documentation indicating that the marketing activity actually took place.” Above this $5,000 threshold, additional approvals were required with additional requirements for business justification and documentation.

You can no doubt see where this is going as this internal control gap allowed for abuse. Indeed the Orderstated, “Oracle Turkey sales employees opened purchase orders totaling approximately $115,200 to [distributors] in 2018 that were ostensibly for marketing purposes and were individually under this $5,000 threshold.” That is at least 23 different expense requests to reimburse for marketing made under the threshold. Of course, there were no marketing efforts by the distributors and no follows up audits, inspections or even questions to confirm that the marketing expenses had actually occurred. The entire business unit was in on the fraud, and it stole money from the corporate office to fund it slush fund to pay bribes.

Clearly compliance was not using its eyes for if it had, it would have seen that there was a large number of marketing reimbursement requests at or below the threshold which required additional oversight and approval. Using your eyes does not mean that it is simply your eyes which catch nefarious conduct, it means that you use your eyes and if it something unusual occurs then additional investigation is warranted.

All of this brings to the second lesson from the NFL’s sordid tale involving Tua Tagovailoa; which is if the protocol does not work, change the protocol. Renee Miller, writing The Athletic, said, “The purpose of the onsite concussion “exam is to determine if any symptoms are apparent in a neurological exam (looking at reflexes, cranial nerve function and limited cognitive skills), and if so, whether they arise from a neurological origin.” It does not take into account what we all saw with our eyes, the stumbling, Tua grabbing his helmet and inability to focus. The NFL will now make a change to consider the other factors Tua exhibited. In other words, they changed the protocol to require and allow for additional information about the injured player in making a determination of that player’s returning to the game.

In the case of Oracle, there was a high risk of business unit employees using the marketing reimbursement requests to create a pot of money to pay bribes. We know this because this same bribery scheme was used by Oracle India to pay bribes and do business corruption, all of which was the subject of a prior FCPA enforcement action. Pretty clearly allowing business unit employees to obtain marketing reimbursements was something that would lead to disaster; which it did just as the Dolphins allowing Tua to come back into the second half of the Bills game where he sustained his first concussion was disastrous for Tua as he was much more seriously injured just the next week.

In compliance never forget to ‘use your eyes’ in testing your compliance program. If something does not look right, do additional investigation. If you do not do so, you may end up like Oracle, now one of 15 FCPA recidivists, a list no company wants to be on.

Categories
Corruption, Crime and Compliance

Episode 249 – DOJ Issues New Corporate Enforcement Policy

The Biden Administration promised a new, aggressive approach to corporate crime. Well, the Justice Department just delivered a new, comprehensive policy that raises a number of issues, some of which are likely to be controversial. The new policy incorporates reforms announced last October that largely centered on prior corporate criminal and civil records, the appointment of independent compliance monitors, and expanding the review of responsible persons in an internal investigation. The Justice Department’s new Corporate Enforcement Policy (“CEP”), however, expands on earlier policy changes but includes some new and far-reaching reforms intended to increase individual accountability and promote corporate culture through financial incentives and deterrence policies. This last idea is a significant expansion of DOJ’s CEP and is sure to reverberate through the business and compliance community. Chief compliance officers face a new requirement for their companies — creating an effective system of carrots and sticks to punish misconduct and increase rewards for ethical behavior.DOJ’s new CEP also lays the groundwork for further consideration of corporate responsibility for preserving electronic messaging, ephemeral services, and other electronic data. DOJ’s discussion in this area reflects DOJ’s frustration with a corporate internal investigation that omits access to electronic data, especially in those situations where employees use personal devices for business-related communications. The revised CEP provides guidance to prosecutors and the business community to ensure individual and corporate accountability through the evaluation of various factors, including (1) Corporate History of Misconduct; (2) Self-Disclosure and Cooperation; (3) the Strength of a Company’s Compliance Program; (4) the Use and Monitoring of Corporate Monitors (including their selection and scope of a monitor’s work).