Categories
FCPA Compliance Report

Alastair Parr on New Developments in TPRM

Welcome to the award-winning FCPA Compliance Report, the longest running podcast in compliance. In this special episode, I am joined by Alastair Parr, SVP of Global Products & Delivery at Prevalent, to discuss developments in third-party risk management.

In this episode we consider:

  • Why is a comprehensive 3rd party risk management solution not simply a nice to have but a must have now?
  • Why is 3rd party risk management so much more critical after the pandemic and the Russian invasion of Ukraine?
  • Improving the UX for TPRM.
  • Why has simplifying the UX for TPRM eluded most providers so far?
  • How can the UX be improved so the information which is the most vital and most relevant is captured and more importantly can be actioned?
  • How can the process of obtaining TPRM information to implementing controls to manage the risk be improved?
  • How can companies automate data gathering by using a single targeted assessment by building in targeted compliance mappings for legal or regulatory requirements?
  • Other areas of compliance such as modern slavery and human trafficking?
  • Do you see continued evolution of 3rd party risk management into 2025 and beyond?

Resources

Alastair Parr on LinkedIn

Prevalent

Being a Compliance Officer is Awesome on Amazon.com

Categories
Blog

Lafarge Part 3: Final Thoughts

We conclude our exploration of one of the most public cases of corporate moral bankruptcy where Lafarge SA and its Syria unit Lafarge Cement Syria, or LCS, each pled guilty to a count of conspiring to provide material support to foreign terrorist organizations and will pay a total of $777.78 million. According to the Plea Agreement, this amount consisted of a total criminal fine of approximately $91 million and forfeiture of $687 million. As previously noted, this is not a Foreign Corrupt Practices Act (FCPA) enforcement action, but an enforcement action based on USC §2339B for one count of conspiracy to provide material support to one or more foreign terrorist organizations. While this is not an FCPA enforcement action, the mechanisms by which Lafarge paid bribes or otherwise funded the terrorist organizations ISIS and ANF are instructive for the anti-corruption compliance professional. These strategies were laid out in the Statement of Facts and considered in Part 2 of this series.

The Costs of Corruption

One clear message from this matter is the cost of moral bankruptcy and corruption. As noted in the Statement of Facts, “From August 2013 through October 2014, Lafarge and LCS paid ISIS and ANF, through intermediaries, the equivalent of approximately $5.92 million.” For that amount of corruption, through the funding of terrorists and terrorism, Lafarge will pay a total fine of $777.78 million. About the only FCPA matter which comes close to this disparity in the amount of the bribe and penalty was the Avon FCPA enforcement action where bribes totaling $8 million led to a reported total penalty of $135 million. By the time of the resolution, Avon also had reported over $300 million in investigative costs.

At the time of the incidents in question, 2012 to 2014, Lafarge had annual sales in the range of $2 billion plus and annual revenues in the range of $400 to $435 million. Very clearly the bribes paid by Lafarge were not material in the financial accounting sense. That may have been why no one seemed to be looking at the company. However, it drives home the point that a relatively small amount of corporate outgo can generate huge costs in the form of a $777.78 million fine. We have not begun to discuss the pre-resolution costs but in FCPA cases they are in the range of two to six times the final fine. Even if the pre-resolution costs were 1X the fine, that would still drive the all-in cost over $1.5 billion.

Monitoring Non-Standard Communications

One of the areas that bears consideration by the compliance professional is that of internal communications, as, “Many of the Lafarge and LCS executives involved in the scheme used personal email addresses, rather than their corporate email addresses, to carry out of the conspiracy.” In September, the Securities and Exchange Commission (SEC) announced “charges against 15 broker-dealers and one affiliated investment adviser for widespread and longstanding failures by the firms and their employees to maintain and preserve electronic communications. The firms admitted the facts set forth in their respective SEC orders, acknowledged that their conduct violated recordkeeping provisions of the federal securities laws, agreed to pay combined penalties of more than $1.1 billion, and have begun implementing improvements to their compliance policies and procedures to settle these matters.”

In a recent speech (Miller speech), Principal Associate Deputy Attorney General Marshall Miller said, after the announcement of the Monaco Doctrine, in a section entitled “Meeting the Compliance Challenges of Communications Technology”, “Now let me turn to an area that we recognize is a big challenge for all organizations — employees’ use of personal devices and third-party messaging platforms for work-related communications… particularly as to detecting their use for misconduct. However a company chooses to address their use for business communications, the end result must be the same: companies need to prevent circumvention of compliance protocols through off-system activity, preserve all key data and communications and have the capability to promptly produce that information for government investigations.”

Now consider that whopping fine and enforcement action in the context of the fraud of Lafarge executives. The Miller speech focused on both messaging apps and other forms of corporate communications. In the Lafarge matter, the communications were very basic, on company computers using non-company emails through channels like AOL or Gmail. The Lafarge executives were using these outside of standard communication channels to facilitate their crimes with ISIS and ANF. This part of the enforcement action has not received much scrutiny but is something every compliance professional needs to consider – are your employees (or execs) using non-company emails or other forms of communication tools outside of standard company communication methods? The compliance function needs to work with their corporate IT folks to make sure no executives or employees are using such channels for communications and to monitor them if they are.

Failures in M&A Due Diligence

The final area for consideration is that of Mergers and Acquisitions (M&A). The Statement of Facts noted, “LAFARGE and certain of its executives, in fact, failed to disclose LCS’s dealings with ISIS and ANF to Holcim throughout discussions of the transaction and after completion of the deal. LCS had ceased producing cement in Syria by the time the transaction with Holcim was completed, and in the approximately seven months between the completion of the acquisition and the emergence of public allegations regarding the misconduct in Syria, Holcim did not conduct post-acquisition due diligence about LCS’s operations in Syria.”

Not only did the Lafarge executives not disclose this corruption to Holcim, but they also actively discussed continuing the corruption payment so as not to derail the transaction. Moreover, Holcim apparently did not conduct due diligence into LCS or any of these matters. Perhaps the non-material nature of the payments was a factor. Whatever the excuse for this pre-acquisition due diligence failure, it cost Holcim dearly. Even if Holcim was not assessed the fine, they were the entity which bore the administrative and emotional costs of the investigation leading up to the resolution. Dan Chapman once told me that in an all-encompassing investigation, it could take up to 25% of senior executives’ time. Given the number of investigations across the globe on this matter, that figure might be lower. All of these factors bear witness to the extraordinary costs for the failure of an acquiring company to perform compliance due diligence prior to closing.

We are now at the end of this short blog series. The Lafarge case is perhaps the first corporate matter since the oil-for-food cases where complete corporate moral bankruptcy has played such a factor. We can only hope that it will be that long until we see the next such example.

Categories
Innovation in Compliance

Supply Chain and ESG – What You Need to Know: Episode 5 – Responsible Minerals, Supply Chain and ESG with Jared Connors and Daniel Zamora

Jared Connors and Daniel Zamora join Tom Fox in the final episode of the Supply Chain and ESG – What You Need to Know series, to discuss how market expectations have evolved with regard to due diligence in the responsible sourcing field.

Due diligence used to be a data collection exercise where you get transparency into your supply chain, but now it’s all about what you do with that information after you collect data – how a company can move from being reactive to being proactive. The first step to making this move is collecting data more efficiently; this allows you to have the resources in place to perform risk management within your supply chain. You need to know who’s in your supply chain, and you need to have a specific program in place to identify the risks of smelters.

Under the Biden administration, there has been a major focus on critical minerals when it comes to sanctions and regulations. Critical minerals are not specifically tied to the Dodd-Frank Act, but this focus has emphasized to stakeholders in the industry the need to be vigilant about them in general. Having an entity in your supply chain that is tied to a sanction puts you at risk no matter how direct or indirect that linkage is.

Resources

Assent

Categories
Compliance Into the Weeds

Impacts on Compliance of Russian Invasion of Ukraine

Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance related topic, literally going into the weeds to more fully explore a subject. This week, Matt and Tom take a deep dive into some of the impacts on compliance from the Russian invasion of Ukraine. Highlights include:

  • How will the invasion impact your Supply Chain?
  • What are the attributes of a compliance program that can lead your corporate response?
  • What about cyber?
  • Will all this lead to a more holistic ERM response?

Resources

Matt in Radical Compliance

Categories
Compliance Into the Weeds

Stericycle FCPA Enforcement Action


Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance related topic, literally going into the weeds to more fully explore a subject. This week, Matt and Tom take a deep dive into the recently released Stericycle FCPA enforcement action. Highlights include:

  • What is a business strategy based upon corruption?
  • Over-expansion and under due diligence in M&A.
  • Document, Document, Document.
  • The Monaco Doctrine at work.
  • Lessons learned going forward.

Resources
DPA
SEC Order
Matt in Radical Compliance
Tom in FCPA Compliance and Ethics Blog

Categories
FCPA Compliance Report

John Katsos – Due Diligence in Conflict Zones


In this episode of the FCPA Compliance Report, I visit with John Katsos, Assistant Professor and Scholar at American University of Sharjah. John has researched and performed due diligence in conflict zones in the Middle East and Africa. He was part of a research team that published a series in the Big Idea section of the Harvard Business Review entitled Preparing for the Era of Uncertainty, which is a must read for every compliance professional. He brings a unique perspective to a variety of compliance topics. Highlights of this podcast include:

  1. Academic and professional background.
  2. Why is due diligence in conflict zones so difficult?
  3. What are some of the important differences in performing DD in conflict zones?
  4. What are some keys to successfully performing DD in conflict zones?
  5. Key lessons you observed on DD in Cyprus?
  6. Where did you come up with the idea for this series of articles, Preparing for the Era of Uncertainty?
  7. A discussion of each article in the series.
  8. What is it like teaching anti-corruption and other forms of compliance outside the US?
  9. How do you see your work tying into a broader ESG discussion?
  10. How do climate change and migration across borders influence your thinking?

Resources
Preparing for the Era of Uncertainty-Harvard Business Review
John Katsos website, including some great research and papers
John Katsos LinkedIn profile

Categories
Compliance Into the Weeds

FinCEN DD Pronouncements-Did they Hurt More than Help?


Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance related topic, literally going into the weeds to more fully explore a subject. In this episode Matt and Tom go into the weeds to look at two recent pronouncements by FinCEN on customer and PEP due diligence. We ask the question: Is the Guidance so vague as to actually hurt the efforts of a compliance practitioner?
Resources
See Matt’s blog posts on Radical Compliance
Regulators Talk PEPs and Due Diligence
FinCen Gives Guidance, Says Little

Categories
The Affiliated Monitors Expert Podcast

Eric Feldman on the Why’s, What’s and How’s of a M&A Compliance Assessment


In this episode I visit with Eric Feldman on the why’s, what’s and how’s of an independent assessment of a target. Feldman began with the observation that most of the issues in the M&A context come from the target or acquired company and most usually from the acquiring entity simply not paying enough attention during the pre-acquisition phase and making a discovery post-closing. This is one of the reasons the Department of Justice (DOJ) has put so much stock in the pre-acquisition phase where a company needs to perform compliance due diligence and a risk assessment which will inform the entire process.
Near and dear to my mantra of Document, Document, and Document, were Feldman’s thoughts on keeping a thorough record of your entire process. Not only should the target (or at least you would hope) have a documented process of all of the above issues, but you should be sure to document your entire pre-acquisition process as well. This could be important if you discover any nefarious conduct in the pre-acquisition phase which you should report to the DOJ or if such discovery occurs after closing. If it happens after closing you will need to be able to document the reasonable steps you took in pre-closing and how you will remediate the issue(s) going forward.
Finally, your pre-acquisition investigation and due diligence will inform your post-acquisition steps. Hallmark 10 of the Ten Hallmarks of an Effective Compliance Program mandates that companies will develop and implement policies and procedures for mergers and acquisitions requiring the company to conduct appropriate risk based due diligence on potential new business entities including Foreign Corrupt Practices Act (FCPA) and anti-corruption due diligence. Obviously, this should be a documented process. By having an independent third party do this, with a documented process, it can lower the risk if there is a problem. As problems are identified, the acquiring entity can decide whether to go forward with the M&A. If there is a very specific identification of misconduct, the company can make a disclosure to the DOJ. By using this process, there is a road map created for remediating the issue as a part of your post-acquisition steps after closing.

Categories
31 Days to More Effective Compliance Programs

Levels of due diligence


Due diligence is generally recognized in three levels, each of which is appropriate for a different level of corruption risk. The key is for you to develop a mechanism to determine the appropriate level of due diligence and then implement that going forward.
There are many different approaches to the specifics of due diligence. By laying out some of the approaches, you can craft the relevant portions into your program. The Level I, II and III trichotomy appears to have the greatest favor and is one that you should be able to implement in a straightforward manner. But the key is that you must assess your company’s risk and then manage that risk. If you need to perform additional due diligence to answer questions or clear red flags you should do so. And do not forget to “Document, Document, and Document” all your due diligence.
Three key takeaways:

  1. A Level I due diligence should only be used where there is a low risk of corruption.
  2. A Level II due diligence is sufficient in a high-risk jurisdiction if there are no red flags to clear.
  3. Level III due diligence is a deep dive, boots-on-the-ground investigation.
Categories
31 Days to More Effective Compliance Programs

Due diligence


Most companies fully understand the need to comply with the requirements around third-parties as they represent the greatest risks for bribery and corruption. However, most companies are not created out of new cloth but are ongoing enterprises with a fully up and running business in place. This means they may need to bring resources to bear to do so while continuing to operate an ongoing business. This can be particularly true in the area of performing due diligence on third-parties. Many companies understand the need for a robust due diligence program to investigate third-parties but have struggled with how to create an inventory to define the basis of third-party risk and, thereby, perform the requisite due diligence.
Getting your arms around due diligence can sometimes seem bewildering for the compliance practitioner. The information that you gathered in Steps 1-Business Justification and 2-Questionnaire of the third-party management process should provide you with the initial information to consider the level of due diligence needed. This leads to Step 3 of the third-party management process: due diligence. The 2020 Resource Guide stated, “as part of risk-based due diligence, companies should understand the qualifications and associations of its third-party partners, including its business reputation, and relationship, if any, with foreign officials. The degree of scrutiny should increase as red flags surface.”
Three key takeaways:

  1. Risk rank your third-parties and use this as a basis to begin with an adequate level of due diligence.
  2. Any red flags which appear must be cleared and there must be documented evidence of such clearance.
  3. There must be documented evidence of review of the due diligence.