Tag: DOJ

Categories
Compliance Week Conference Podcast

Compliance Week 2024 Speaker Preview Podcasts – Jonathan Rusch on Clawbacks and Holdbacks

In the Compliance Week 2024 Speaker Preview Podcasts episode, Jonathan Rusch discusses his panel at Compliance Week 2024, “Clawbacks, Incentives, and Remediation.” Some of the issues he will discuss in this podcast and his presentation are:

  • DOJ emphasizes clawbacks in remediation
  • The additional role of holdbacks
  • Learn about cutting-edge topics at Compliance Week 2024

I hope you can join me at Compliance Week 2024. This year’s event will be held April 2-4 at The Westin Washington, DC, Downtown. The line-up for this year’s event is first-rate, with some of the top ethics and compliance practitioners around.

Gain insights and make connections at the industry’s premier cross-industry national compliance event, offering knowledge-packed, accredited sessions and take-home advice from the most influential leaders in the compliance community. Back for its 19th year, join 500+ compliance, ethics, legal, and audit professionals who gather to benchmark best practices and gain the latest tactics and strategies to enhance their compliance programs. Compliance, ethics, legal, and audit professionals will gather safely face-to-face to benchmark best practices and gain the latest tactics and strategies to enhance their compliance programs, among many others, to:

  • Network with your peers, including C-suite executives, legal professionals, HR leaders, and ethics and compliance visionaries.
  • Hear from 80+ respected cross-industry practitioners, including CEOs, CCOs, regulators, federal officials, and practitioners, to help inform and shape the strategic direction of your enterprise risk management program.
  • Hear directly from panels on leadership, fraud detection, confronting regulatory change, abiding by cross-border rules and regulations, and the always-favorite fireside chats.
  • Bring actionable takeaways from various session types, including cyber, AI, Compliance, Board obligations, data-driven compliance, and many others, to your program for you to listen, learn, and share.
  • Compliance Week aims to arm you with information, strategy, and tactics to transform your organization and career by connecting ethics to business performance through process augmentation and data visualization.

I hope you can join me at the event. For information on the event, click here. As an extra benefit to listeners of this podcast, Compliance Week is offering a $200 discount on the registration price. Enter the discount code TFOX2024 for $200 off.

The Compliance Podcast Network produces the Compliance Week 2024 Preview Podcast series. Compliance Week sponsors this series.

Categories
Blog

Ten Top Lessons from Recent FCPA Settlements – Lesson No. 6, Clawbacks and Holdbacks

Over the past 15 months, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have made clear, through three Foreign Corrupt Practices Act (FCPA) enforcement actions and speeches, their priorities in investigations, remediations, and best practices compliance programs. Every compliance professional should study each of these enforcement actions closely for the lessons learned and direct communications from the DOJ. They should guide not simply your actions should you find yourself in an investigation but also how you should think about priorities.

The three FCPA enforcement actions are ABB from December 2022, Albemarle from November 2023, and SAP from January 2024. Taken together, they point out a clear path for the company that finds itself in an investigation: using extensive remediation to avoid a monitor. They also provide insight for the compliance professional into what the DOJ expects in an ongoing best practices compliance program.

Over a series of blog posts, I will lay out what I believe are the Top Ten lessons from these enforcement actions for compliance professionals who find themselves in an enforcement action. Today we continue  with Number 6, Clawbacks and Holdbacks. These strategies are relatively new to the DOJ’s arsenal, and they want companies to employ them in enforcement actions. While the DOJ and SEC have long made clear that they view monetary structure for incentive compensation, as far back as the FCPA Resource Guide, 1st edition (2012), they did not focus as intensely on the disincentive side of the equation. Prior to the Monaco Memo, clawbacks had not been generally seen as a necessary part of a compliance program.

This began to change in the Monaco Memo. It is now unequivocally required by the DOJ and listed as a crucial area of DOJ inquiry in the 2023 Evaluation of Corporate Compliance Programs. Moreover, having such a penalty in place is also seen as part of an excellent corporate culture, which not only penalizes those who engage in unethical behavior in violation of a company’s policies and procedures but will also “promote compliant behavior and emphasize the corporation’s commitment to its compliance programs and its culture.”

The DOJ was told to look into whether companies have “clawback” clauses in their pay agreements and whether “as soon as the company found out about the misconduct, the company has, as much as possible, taken affirmative steps to carry out such agreements and clawback compensation previously paid to current or former executives whose actions or omissions led to or contributed to the criminal conduct at issue.”

The Monaco Memo directed “to develop further guidance by the end of the year on how to reward corporations that develop and apply compensation clawback policies, including how to shift the burden of corporate financial penalties away from shareholders—who in many cases do not have a role in misconduct—onto those more directly responsible.” This clause is an effort by the DOJ to keep companies from shielding recalcitrant executives from the consequences of their own illegal and unethical conduct.

However, the Monaco Memo clarified that it is not simply having a written policy and procedure. If warranted, there must be corporate action under the clawback policy and procedure. In the Albemarle and SAP enforcement actions, the DOJ evaluated the companies’ actions, “Following the corporation’s discovery of misconduct, a corporation has, to the extent possible, taken affirmative steps to execute on such agreements and clawback compensation previously paid to current or former executives whose actions or omissions resulted in or contributed to the criminal conduct at issue.”

Albemarle

Albemarle went in a different direction—not clawbacks, but holdbacks. While the DOJ has made much noise about clawbacks from recalcitrant executives, Albemarle engaged in holdbacks, where they did not pay bonuses to certain employees involved in the conduct or those who had oversight. The NPA stated, “The company withheld bonuses totaling $763,453 during the course of its internal investigation from employees who engaged in suspected wrongdoing.” The illegal conduct involved those who “(a) had supervisory authority over the employee(s) or business area engaged in the misconduct; and (b) knew of, or were willfully blind to, the misconduct.” The significance of this effort was vital as it qualified Albemarle for an additional fine reduction of a dollar-for-dollar credit of the amount of the withheld bonuses under the Criminal Division’s March 2023 Compensation Incentives and Clawbacks Pilot Program. 

SAP

SAP had extensive holdbacks as well. The DPA noted SAP withheld bonuses totaling $109,141 during the course of its internal investigation from employees who engaged in suspected wrongdoing in connection with the conduct under investigation, or who both (a) had supervisory authority over the employee(s) or business area engaged in the misconduct and (b) knew of, or were willfully blind to, the misconduct, and further engaged in substantial litigation to defend its withholding from those employees, which qualified SAP for an additional fine reduction in the amount of the withheld bonuses under the DOJ’s Compensation Incentives and Clawbacks Pilot Program.

The DOJ has given significant credit to both Albemarle and SAP for their holdbacks, and we would expect them to continue to do so. If your organization has not instituted a Clawback/Holdback Policy, now is the time to do so rather than wait until you are in the middle of an investigation or enforcement action. Also, remember that the DOJ gives a dollar-for-dollar credit on any settlement where the company engaged in either clawbacks or holdbacks.

Categories
Blog

Ten Top Lessons from Recent FCPA Settlements – Lesson No. 5, Data Analytics

Over the past 15 months, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have made clear, through three Foreign Corrupt Practices Act (FCPA) enforcement actions and speeches, their priorities in investigations, remediations, and best practices compliance programs. Every compliance professional should study these enforcement actions closely for the lessons learned and direct communications from the DOJ. They should guide not simply your actions should you find yourself in an investigation but also how you should think about priorities.

The three FCPA enforcement actions are ABB from December 2022, Albemarle from November 2023, and SAP from January 2024. Taken together, they point a clear path for the company that finds itself in an investigation, using extensive remediation to avoid monitoring, and provide insight for the compliance professional into what the DOJ expects in a best practices compliance program on an ongoing basis.

Over a series of blog posts, I will lay out what I believe are the Top Ten lessons from these enforcement actions for compliance professionals who find themselves in an enforcement action. Today, we continue with Number 5, Data Analytics. Data analytics was previously seen as cutting-edge in compliance. Now, they are recognized as part of a best practices compliance program. By this time next year, they will be table stakes for every compliance program. However, the DOJ specifically called out the use of data analytics in these three enforcement actions and the incorporation of data analytics into their compliance regimes in the future.

Albemarle

Albemarle’s NPA specifically called out the Company’s use of data analytics in two ways. The first was to monitor the Company’s compliance program, and the second was to measure the compliance program’s effectiveness. While this language follows a long line of DOJ pronouncements, starting with the 2020 Update to the Evaluation of Corporate Compliance Programs, about the corporate compliance functions’ access to all company data, this is the first time it has been called out in a settlement agreement in this manner. Moreover, although not explicitly tied to the lack of a required corporate monitor, it would appear that by using data analytics, Albemarle was able to satisfy the DOJ requirement for implementing controls and then effectively testing them throughout the pendency of the DOJ investigation.

Andrew McBride, Chief Risk & Compliance Officer at Albemarle. He noted that if you think about each element of a compliance program—policies and procedures, training, due diligence, and pre-approvals—and your investigation process, a recurring theme throughout is the role of data to test that those program elements are working as you intend. McBride believes there are four critical purposes for using data and data analytics to support the ethics and compliance program, which he listed as follows:

  1. Risk Identification Issues. It can be used as a part of transaction testing and auditing to identify problematic behavior, support investigations, and highlight areas of residual risk.
  2. Risk Response. Data analytics can be used as a form of internal control. Albemarle uses data analytics as a form of gatekeeper.
  3. Compliance Program Testing. Data analytics can be used to determine the effectiveness of your ethics and compliance program.
  4. Finally, and perhaps most significantly for the DOJ’s purposes in FCPA enforcement actions, are the reporting requirements to demonstrate that the company meets its requirements as laid out in the resolution documents, whether a DPA, NPA, or other.

SAP

The SAP resolution made several references to data analytics and data-driven compliance. SAP did so around its third-party program and expanded its data analytics capabilities to cover over 150 countries, including all high-risk countries globally. The SEC Order also noted that SAP had implemented data analytics to identify and review high-risk transactions and third-party controls. The SAP DPA follows the Albemarle FCPA settlement by stating that SAP now uses data analytics to measure the compliance program’s effectiveness. This language follows a long line of DOJ pronouncements, starting with the 2020 Update to the Evaluation of Corporate Compliance Programs, about the corporate compliance function’s access to all company data; this is the second time it has been called out in a settlement agreement in this manner. Additionally, it appears that by using data analytics, SAP was able to satisfy the DOJ requirement for implementing controls and then effectively testing them throughout the pendency of the DOJ investigation, thereby avoiding monitoring.

ABB

While not explicitly called out in its DPA, ABB has instituted a significant and company-wide data analytics program as a part of its overall remediation effort. Tapan Debnath, Head of Integrity, Regulatory Affairs, & Data Privacy—Process Automation at ABB, spoke about some of the challenges ABB faced and overcame to institute its data analytics program. He said, “The way data is hosted for us and probably for a lot of organizations is in lots of different places, and there needs to be a lot of data cleanup before we can utilize and use data.” He related that another challenge “for us has also been getting hold of data in different jurisdictions. There may be data privacy laws around data transfer, and there may be blocking statutes around this same thing. So navigating the local law requirements around data transfer, getting a hold of the data, and all of those things have been key challenges, as well as resourcing internally how to do this and getting the external stakeholders to support. I think These key fundamental steps need to be ironed out and looked at early on in the process.”

In November, Nicole Argentieri, Acting Assistant Attorney General for the Criminal Division, speaking at the ACI National FCPA, reported that the DOJ is stepping up its use of data analytics to identify instances of corporate misconduct and will boost its cooperation with overseas law enforcement to bring more anti-corruption cases as well. The DOJ and SEC increasingly focus on data analytics for corporate compliance, signaling higher expectations for larger companies.

Data-driven analytics have become a significant part of any best practices compliance program. The DOJ sees it as a critical remedial step for any company in an FCPA enforcement action. The actions taken by ABB, Albemarle, and SAP demonstrate that the DOJ also wants to impress this upon the greater compliance community.

Categories
Blog

Ten Top Lessons from Recent FCPA Settlements – Lesson No. 4, Start with a Root Cause Analysis

Over the past 15 months, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have made clear, through three Foreign Corrupt Practices Act (FCPA) enforcement actions and speeches, their priorities in investigations, remediations, and best practices compliance programs. Every compliance professional should study these enforcement actions closely for the lessons learned and direct communications from the DOJ. They should guide not simply your actions should you find yourself in an investigation but also how you should think about priorities.

The three FCPA enforcement actions are ABB from December 2022, Albemarle from November 2023, and SAP from January 2024. Taken together, they point out a clear path for the company that finds itself in an investigation, using extensive remediation to avoid monitoring and provide insight for the compliance professional into what the DOJ expects in a best practices compliance program on an ongoing basis.

Over a series of blog posts, I will lay out what I believe are the Top Ten lessons from these enforcement actions for compliance professionals who find themselves in an enforcement action. Today, we continue with Number 4, Root Cause, Risk Assessment, and Gap Analysis. Your remediation should begin with a root cause analysis. From there, move on to a risk assessment and gap analysis, and then you are ready to start your complete remediation.

SAP

The SAP Deferred Prosecution Agreement (DPA) laid out the best example of how this works in practice. The DPA reported extensive remediation by SAP, and the information provided in the DPA is instructive for every compliance professional. SAP engaged in a wide range of remedial actions. It all started with a root cause analysis. Root Cause analysis was enshrined in the FCPA Resource Guide, 2nd edition, as one of the Hallmarks of an Effective Compliance Program. It stated, “The truest measure of an effective compliance program is how it responds to misconduct. Accordingly, for a compliance program to be truly effective, it should have a well-functioning and appropriately funded mechanism for the timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or agents. An effective investigation’s structure will also have an established means of documenting the company’s response, including any disciplinary or remediation measures taken.”

This means a company should respond to the specific incident of misconduct that led to the FCPA violation. This means your organization “should also integrate lessons learned from misconduct into the company’s policies, training, and controls. To do so, a company will need to analyze the root causes of the misconduct to timely and appropriately remediate those causes to prevent future compliance breaches.” The SAP DPA noted that SAP engaged in the following steps based on these factors:

1. Conducted a root cause analysis of the underlying conduct, then remediated those root causes through enhancement of its compliance program;
2. Conducted a gap analysis of internal controls, remediating those found lacking;
3. Undertook a “comprehensive risk assessment focusing on high-risk areas and controls around payment processes and enhancing its regular compliance risk assessment process”;
4. SAP documented using “comprehensive operational and compliance data” in its risk assessments.

In addition to having a mechanism for responding to the specific incident of misconduct, the company’s compliance program should also integrate lessons learned from any misconduct into the company’s policies, training, and controls on a go-forward basis. To do so, a company will need to analyze the root causes of the misconduct and remediate those causes promptly and appropriately to prevent future compliance breaches. This SAP did it during its remediation phase.

Albemarle

Albemarle also received credit “because it engaged in extensive and timely remedial measures.” This remedial action began based on the company’s root cause analysis of its FCPA violations.
This root cause analysis led to a risk assessment, which led to remediation. All of these steps were taken during the pendency of the DOJ investigation so that when the parties were ready to resolve the matter, Albemarle had built out an effective compliance program and had tested it.

ABB

ABB also did an excellent job in its remedial efforts. According to the ABB Plea, ABB “engaged in extensive remedial measures, including hiring experienced compliance personnel and following a root-cause analysis of the conduct,” which led to the FCPA enforcement action. More on the ABB remediation later.

Each entity worked diligently to rebuild its compliance programs from the ground up. Whatever the faults of their prior compliance programs, each company was quite diligent in revamping their compliance regimes. While each company builds out a program based on its own risk, there is quite a bit of guidance you can draw from if your company finds itself in this position.

Here, the DOJ communicates that your remedial measures should start with a root cause analysis of the FCPA violation. From there, move to a risk assessment and internal control gap analysis to create a clear risk management strategy.

Categories
10 For 10

10 For 10: Top Compliance Stories For The Week Ending March 2, 2024

Welcome to 10 For 10, the podcast that brings you the week’s Top 10 compliance stories in one podcast each week. Tom Fox, the Voice of Compliance, brings to you, the compliance professional, the compliance stories you need to be aware of to end your busy week. Sit back, and in 10 minutes, hear about the stories every compliance professional should be aware of from the prior week. Every Saturday, 10 For 10 highlights the most important news, insights, and analysis for the compliance professional, all curated by the Voice of Compliance, Tom Fox. Get your weekly filling of compliance stories with 10 for 10, a podcast produced by the Compliance Podcast Network.

  1. Crypto exchange Gemini returns over $1bn to customers.  (WSJ)
  2. Green audits are coming. (FT)
  3. Did Boeing violate the DPA? (NYT)
  4. Will ComEd defendants walk free? (Chicago Sun-Times)
  5. Boeing has 90 days to fix the QA/QC issue.  (NYT)
  6. SBF says he only deserves 6 years in prison. (FT)
  7. Did McKinsey work for or not work for the Chinese government? (FT)
  8. How did Iraqi corruption cost the country. (OilPrice)
  9. An ex-Vitol Trading trader was found guilty of bribery.  (WSJ)
  10. Exec’s husband pleads guilty to insider trading. (WSJ)

For more information on the Ethico ROI Calculator and a free White Paper on the ROI of Compliance, click here.

You can check out the Daily Compliance News for four curated compliance and ethics-related stories each day here.

Connect with Tom:

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Blog

Ten Top Lessons from Recent FCPA Settlements – Lesson No. 3, Extensive Remediation

Over the past 15 months, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have made clear, through three Foreign Corrupt Practices Act (FCPA) enforcement actions and speeches, their priorities in investigations, remediations, and best practices compliance programs. Every compliance professional should study these enforcement actions closely for the lessons learned and direct communications from the DOJ. They should guide not simply your actions should you find yourself in an investigation but also how you should think about priorities.

The three FCPA enforcement actions are ABB from December 2022, Albemarle from November 2023, and SAP from January 2024. Taken together, they point out a clear path for the company that finds itself in an investigation, using extensive remediation to avoid monitoring and provide insight for the compliance professional into what the DOJ expects in a best practices compliance program on an ongoing basis.

Over a series of blog posts, I will lay out what I believe are the Top Ten lessons from these enforcement actions for compliance professionals who find themselves in an enforcement action. Today, we continue with Number 3, Extensive Remediation. The DOJ expects extensive remediation, well documented with data analytics to support everything you have done. Each of the companies engaged in extensive remediation.

ABB

The plea agreement said that ABB “took a lot of corrective action,” such as hiring experienced compliance staff and, after figuring out what caused the behavior described in the Statement of Facts, putting a lot more money into testing and monitoring compliance across the whole company; putting in place targeted training programs and extra case-study sessions on-site; and continuing to test and monitor to see how things are going. This final point was expanded on in the SEC Order, which reported that all employees involved in the misconduct were terminated.

At this point, there are not many specific components of the ABB remediation available, but we do know that ABB was given credit for hiring “experienced compliance personnel,” starting with the hiring of Natalia Shehadeh, SVP and Chief Integrity Officer, and then allowing Shehadeh to hire a dream team of compliance professionals to work with her.

Albemarle

The NPA cited several remedial actions by the company that helped Albemarle obtain a superior result regarding the discounted fine and penalty. These steps were taken during the pendency of the DOJ investigation so that when the parties were ready to resolve the matter, Albemarle had built out an effective compliance program and had tested it. The NPA provided that Albemarle engage in the following remedial efforts:

  • Strengthening its anti-corruption compliance program by investing in compliance resources, expanding its compliance function with experienced and qualified personnel, and taking steps to embed compliance and ethical values at all levels of its business organization;
  • Transformed its business model and risk management process to reduce corruption risk in its operation and to embed compliance in the business, including implementing a go-to-market strategy that resulted in eliminating the use of sales agents throughout the Company, terminating hundreds of other third-party sales representatives, such as distributors and resellers, and shifting to a direct sales business model;
  • Provided extensive training to its sales team, restructuring compensation and incentives so that compensation is no longer tied to sales amounts;
  • Used data analytics to monitor and measure the compliance program’s effectiveness and
  • We are engaged in continuous testing, monitoring, and improving all aspects of its compliance program, beginning immediately after identifying misconduct.

SAP

SAP also did an excellent job in its remedial efforts, whether SAP realized that, as a recidivist in dire straits, it was after the publicity in South Africa around corruption or some other reason that the company made major steps to create an effective, operationalized compliance program that met the requirements of the Hallmarks of an Effective Compliance Program as laid out in the 2020 FCPA Resource Guide, 2nd edition.

The remedial actions by SAP can be grouped as follows:

  1. Root Cause, Risk Assessment, and Gap Analysis. After doing a gap analysis of internal controls and fixing any problems found, the company did a root cause analysis of the behavior in question and fixed the issues it found. It then did a full risk assessment, focusing on high-risk areas and controls around payment processes, and used the results to improve its compliance risk assessment process.
  2. Enhancement of Compliance. Here, the company significantly increased the budget, resources, and expertise devoted to compliance; restructured its Offices of Ethics and Compliance to ensure adequate stature, independence, autonomy, and access to executive leadership; enhanced its code of conduct and policies and procedures regarding gifts, hospitality, and the use of third parties; enhanced its reporting, investigations and consequence management processes;
  3. Change in sales models. On the external sales side, SAP eliminated its third-party sales commission model globally, prohibited all sales commissions for public sector contracts in high-risk markets, and enhanced compliance monitoring and audit programs, including creating a well-resourced team devoted to audits of third-party partners and suppliers. On the internal side, SAP adjusted internal compensation incentives to align with compliance objectives and reduce corruption risk.
  4. Data Analytics. Here, SAP expanded its data analytics capabilities to cover over 150 countries, including all high-risk countries globally, and comprehensively used data analytics in its risk assessments.

Each of these entities worked quite diligently to rebuild their compliance programs from the ground up. Whatever the faults of their prior compliance programs, each company was quite diligent in revamping their compliance regimes. While each company builds out a program based on its own risk, there is quite a bit of guidance you can draw from if your company finds itself in this position.

Categories
Blog

Ten Top Lessons from Recent FCPA Settlements – Lesson No. 2, The Need for Speed

Over the past 15 months, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have made clear, through three Foreign Corrupt Practices Act (FCPA) enforcement actions and speeches, their priorities in investigations, remediations, and best practices compliance programs. Every compliance professional should study these enforcement actions closely for the lessons learned and direct communications from the DOJ. They should guide not simply your actions should you find yourself in an investigation but also how you should think about priorities.

The three FCPA enforcement actions are ABB from December 2022, Albemarle from November 2023, and SAP from January 2024. Taken together, they point to a clear path for the company that finds itself in an investigation, using extensive remediation to avoid monitoring and provide insight for the compliance professional into what the DOJ expects in a best practices compliance program on an ongoing basis.

Over a series of blog posts, I will lay out what I believe are the Top Ten lessons from these enforcement actions for compliance professionals who find themselves in an enforcement action. Today, we continue with Number 2, the Need for Speed. The DOJ expects a company to share information with regulators as quickly as it finds those facts without necessarily knowing how such admissions might affect its overall case and settlement chances.

In a 2023 speech, Assistant Attorney General Kenneth Polite announced the change I called ‘The Need for Speed.’ Polite characterized the change as going from ‘full’ cooperation to ‘extraordinary’ cooperation. He noted the DOJ has differences between corporations and individuals in both investigations and enforcement, but “concerning how we consider cooperation, the lens and framework through which we analyze the level and degree of cooperation aren’t so different.”

Polite named three concepts, “immediacy, consistency, degree, and impact—that apply to cooperation by both individuals and corporations, which will help to inform our approach to assessing what is “extraordinary.”He went on to note that “In assessing the quality of a cooperator’s assistance, we value: when an individual begins to cooperate immediately, and consistently tells the truth; individuals who allow us to obtain evidence we otherwise couldn’t get, like quickly obtaining and imaging their electronic devices or having recorded conversations; cooperation that produces results, like testifying at a trial or providing information that leads to additional convictions.” He emphasized that there are “examples in the individual context.”

Then came the puzzling part. Polite stated, “We know “extraordinary cooperation” when we see it, and the differences between “full” and “extraordinary” cooperation are perhaps more in degree than kind.  To receive credit for extraordinary cooperation, companies must go above and beyond the criteria for full cooperation set in our policies—not just run of the mill, or even gold-standard cooperation, but truly extraordinary.” He stated, “At the same time, the government will not affirmatively direct a company’s internal investigation if it chooses to do one, and companies are often well positioned to know the steps they can take to best cooperate in a particular given case.” He concluded, “And, of course, the facts and circumstances of each case will be unique.”

Perhaps Polite is simply channeling his inner Potter Stewart with his line, ‘We know it…when we see it’. Of course, if two or more people look at the same set of facts, there is always the chance for two or more interpretations. The question then becomes how to define extraordinary cooperation.

It also ties directly into what Deputy Attorney General Lisa Monaco said in announcing the Monaco Doctrine when she stated, “Department prosecutors must gain access to all relevant, non-privileged facts about individual misconduct swiftly and without delay.” [emphasis supplied] This meant, “to receive full cooperation credit, corporations must produce on a timely basis all relevant, non-privileged facts and evidence about individual misconduct such that prosecutors have the opportunity to effectively investigate and seek criminal charges against culpable individuals.” If a company fails to meet this burden, it will “place in jeopardy their eligibility for cooperation credit.” The DOJ goes the next step by placing the burden on companies to demonstrate timeliness, stating they “bear the burden of ensuring that documents are produced promptly to prosecutors.”

In the ABB enforcement action, ABB received credit for extraordinary cooperation based on the following: “(i) promptly providing information obtained through its internal investigation, which allowed the Offices to preserve and obtain evidence as part of their independent investigation; (ii) making regular and detailed factual presentations to the Offices; (iii) voluntarily making foreign-based employees available for interviews in the United States; (iv) producing relevant documents located outside the United States to the Offices in ways that did not implicate foreign data privacy laws; and (v) collecting, analyzing, and organizing voluminous evidence and information that it provided to the Offices, including the translation of certain foreign language documents.”

Some additional insight is found in the SEC Order, which states, “ABB’s cooperation included real-time sharing of facts learned during its internal investigation.”  This meant “ABB was sharing information with regulators as quickly as it found those facts, without necessarily knowing how such admissions might affect its overall case and settlement chances.” [emphasis supplied]

Since the SAP enforcement action, extraordinary cooperation has become more difficult to ascertain. While there was no mention of the super duper, extra-credit giving extensive remediation that Kenneth Polite discussed, when SAP began to cooperate, it moved to collaborate extensively. The DPA noted SAP “immediately began to cooperate after South African investigative reports made public allegations of South Africa-related misconduct in 2017 and providing regular, prompt, and detailed updates to the Fraud Section and the Office regarding factual information obtained through its internal investigation, which allowed the government to preserve and obtain evidence as part of its independent investigation…” Most interestingly, the DPA reported that SAP imaged “the phones of relevant custodians at the beginning of the company’s internal investigation, thus preserving relevant and highly probative business communications sent on mobile messaging applications.” This is explicit instruction around messaging apps in FCPA enforcement actions.

Albemarle was credited with significant cooperation by the DOJ during the pendency of its investigation. The NPA noted that the company also received credit for its substantial cooperation and extensive and timely remediation. However, there was only a standard list of items relating to this cooperation and nothing on extraordinary collaboration.

We are back where we started; there is a need for speed. However, the only functional definition we have for it comes from the SEC and not the DOJ. As laid out in the SEC Order for ABB, it is a real-time sharing of facts.

Categories
Blog

Ten Top Lessons from Recent FCPA Settlements – Lesson No. 1, Self-Disclosure

Over the past 15 months, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have made clear, through three Foreign Corrupt Practices Act (FCPA) enforcement actions and speeches, their priorities in investigations, remediations, and best practices compliance programs. Every compliance professional should study these enforcement actions closely for the lessons learned and direct communications from the DOJ. They should guide not simply your actions should you find yourself in an investigation but also how you should think about priorities.

The three FCPA enforcement actions are ABB from December 2022, Albemarle from November 2023, and SAP from January 2024. Taken together, they point a clear path for the company that finds itself in an investigation, using extensive remediation to avoid monitoring, and provide insight for the compliance professional into what the DOJ expects in a best practices compliance program on an ongoing basis.

Over a series of blog posts, I will lay out what I believe are the Top Ten lessons from these enforcement actions. Today, we begin with Number 1, self-disclosure. The first and most important thing is that a company should self-disclose a potential FCPA violation to the DOJ.

The DOJ expects and will reward self-disclosure above all else. The ABB enforcement action all began with ABB’s putative attempt to self-disclose. ABB set up a meeting where they intended to self-disclose but only set up the meeting without telling the DOJ the reason for the meeting. Unfortunately for ABB, this attempt was unsuccessful, as the South African press broke the story of ABB’s bribery and corruption between the time ABB called to set up a meeting and sat down with the DOJ. Yet the DOJ spent significant time discussing the underlying facts, and it was clear it positively impacted the DOJ.

Kenneth Polite, then Assistant Attorney General, said of ABB’s conduct around this attempt, “Before the meeting, however, a media report drew public attention to the wrongdoing.  But because the company could demonstrate intent and efforts to self-disclose before, and without any knowledge of, the media report, the Department weighed both the early detection of the misconduct and the intent to disclose it significantly in ABB’s favor.”

In the Albemarle enforcement action, there was a significant discussion in the NPA around Albemarle’s voluntary self-disclosure to the DOJ. “The disclosure was not “reasonably prompt,” as it was made approximately 16 months ago to the DOJ after initial discovery by the company. This meant the self-disclosure “was not within a reasonably prompt time after becoming aware of the misconduct in Vietnam,” and it means that Albemarle did not meet the standard for voluntary self-disclosure. While the DOJ “gave significant weight” to the company’s voluntary, even if untimely, disclosure of the misconduct, it is certainly cautionary.

Equally interesting was the SAP enforcement action. Although this factor was not present in the SAP enforcement action, the DOJ’s message regarding the DOJ’s expectation of self-disclosure and the obvious and palpable benefits could not be any clearer. Under the Corporate Enforcement Policy, SAP’s failure to self-disclose cost it an opportunity of at least 50% and up to a 75% reduction off the low end of the U.S. Sentencing Guidelines fine range. Its actions as a criminal recidivist resulted in it not receiving a reduction of at least 50% and up to 75% from the low end of the U.S.S.G. fine range but rather at 40% from above the low end. SAP’s failure to self-disclose cost it an estimated $20 million under the Sentencing Guidelines. SAP’s failure to self-disclose and recidivism cost it a potential $94.5 million in discounts under the Corporate Enforcement Policy. The DOJ’s message could not be any clearer.

In addition to these enforcement actions, Kenneth Polite, in a speech announcing changes in the Corporate Enforcement Policy, made clear the importance of self-disclosure in the eyes of the DOJ. “Our existing policy provides that if a company voluntarily self-discloses, fully cooperates, and timely and appropriately remediates, there is a presumption that we will decline to prosecute absent certain aggravating circumstances involving the offense’s seriousness or the offender’s nature. These aggravating circumstances include, but are not limited to, involvement by executive management of the company in the misconduct; a significant profit to the company from the wrongdoing; egregiousness or pervasiveness of the misconduct within the company; or criminal recidivism.” If a company self-discloses, but a criminal resolution is warranted, our existing policy offers 50% off of the low end of the applicable Sentencing Guidelines penalty range.

He re-emphasized this position: “When a company has uncovered criminal misconduct in its operations, the clearest path to avoiding a guilty plea or an indictment is voluntary self-disclosure.  It is also the clearest path to the greatest incentives that we offer, such as a declination with disgorgement of profits.” While noting the difficulty of a company deciding to self-disclose, “we are underscoring that a corporation that falls short of our expectations does so at its own risk. Make no mistake – failing to self-report, cooperate, and remediate fully can lead to dire consequences.” [emphasis supplied]

The DOJ could not be clearer. The No. 1 lesson is that you need to self-disclose if you want any of the benefits available.

Categories
Blog

Self-Disclosure is Now the Key

The Department of Justice (DOJ) has been making significant strides in emphasizing the importance of voluntary self-disclosure in corporate enforcement cases, particularly in the Foreign Corrupt Practices Act (FCPA) realm. This shift in approach is evident in recent policy announcements and enforcement actions, beginning with the 2022 ABB Foreign Corrupt Practices Act (FCPA) settlement to the 2023 Albemarle FCPA resolution and continuing to the 2024 SAP Foreign Corrupt Practices Action settlement. Through these three resolutions,  the DOJ clarified that its most important criteria for evaluating a company for a fine under the FCPA is whether or not it self-discloses.

Representatives of the DOJ Kenneth Polite and Lisa Monaco further discussed this incentive in speeches in 2023. In announcing a revision to the 2017 FCPA Corporate Enforcement Policy, which became the 2023 Corporate Enforcement Policy, Kenneth Polite emphasized the ‘need for speed’ both in self-disclosure and during the pendency of any FCPA or compliance real compliance-related involving the DOJ.

The DOJ’s focus on incentivizing self-disclosure is a strategic move to encourage companies to come forward with violations and cooperate with authorities. The new Corporate Enforcement Policy offered up to a 75% reduction in penalties for voluntary disclosure. This discount is available even if there were ‘aggravating factors’ in the matter, such as C-Suite involvement in bribery and corruption. The DOJ could not send a more precise signal and be more transparent about what they want and will incent. This approach reflects a broader trend toward rewarding companies that proactively address compliance issues and work collaboratively with law enforcement agencies.

One of the key factors influencing the DOJ’s enforcement actions is the impact of recidivism. In October 2021, the DOJ, through a speech by Lisa Monaco and memorialized in the 2023 Evaluation of Corporate Compliance Programs (2023 ECCP), made it clear that it will not tolerate repeat offenders and is prepared to impose harsh penalties on companies that fail to self-disclose violations. However, even recidivist companies are encouraged to come forward and address compliance issues head-on, with the potential for significant penalty reductions if they demonstrate genuine cooperation and remediation efforts. The ABB resolution, in which the company was the first three-time FCPA recidivist yet received a superior outcome, once more demonstrated the DOJ’s current focus. The attempted self-disclosure fell short by only a day or two, as ABB had scheduled a meeting with the DOJ to self-disclose but had not formally done so. In the interim, a news story broke in South Africa about ABB’s systemic bribery and corruption in that country.

Although this factor was absent from the SAP enforcement action, the DOJ’s message regarding the benefits of self-disclosure and the DOJ’s expectation of self-disclosure could not have been clearer. Under the Corporate Enforcement Policy, SAP’s failure to self-disclose costs it an opportunity of at least 50% and up to a 75% reduction off the low end of the acceptable range of the US Sentencing Guidelines. Its actions as a criminal recidivist resulted in it not receiving a reduction of at least 50% and up to 75% from the low end of the USSG acceptable range but rather at 40% from above the low back. SAP’s failure to self-disclose cost it an estimated $20 million under the Sentencing Guidelines. Its inability to self-disclose and recidivism cost it a potential $94.5 million in discounts under the Corporate Enforcement Policy. The DOJ’s message could not be any clearer.

There was a significant discussion in the NPA around Albemarle’s voluntary self-disclosure to the DOJ. However, NPA noted that “the disclosure was not “reasonably prompt” as defined in the Criminal Division Corporate Enforcement and Voluntary Self-Disclosure Policy and the US Sentencing Guidelines.” The NPA reported that Albemarle learned of allegations regarding possible misconduct in Vietnam approximately 16 months before disclosing them to the DOJ. Interestingly, the SEC Order only stated, “Albemarle made an initial self-disclosure to the Commission of potential FCPA violations in Vietnam after completing an internal investigation of such conduct and, simultaneously, self-reported potential violations it was investigating in India, Indonesia, and China. Albemarle later self-disclosed potential violations in other jurisdictions to the Commission as part of an expanded internal investigation.”

This meant the self-disclosure “was not within a reasonably prompt time after becoming aware of the misconduct in Vietnam,” which means that Albemarle did not meet the standard for voluntary self-disclosure under the Criminal Division Corporate Enforcement and Voluntary Self-Disclosure Policy. While the DOJ “gave significant weight” to the Company’s voluntary disclosure, even if untimely, disclosure of the misconduct is undoubtedly cautionary.

The tradeoffs involved in balancing different factors, such as self-disclosure, cooperation, and remediation, can present challenges for companies navigating the complex landscape of FCPA enforcement. While the DOJ’s emphasis on self-disclosure offers potential benefits regarding penalty reductions and monitoring requirements, companies must carefully weigh the risks and rewards of voluntary disclosure against the possible consequences of non-disclosure.

The importance of considering the impact of decisions about the DOJ’s FCPA enforcement actions cannot be overstated. Companies that prioritize a culture of compliance, proactive monitoring, and data-driven analytics are better positioned to detect and address potential violations before they escalate into costly enforcement actions. By aligning their compliance programs with the DOJ’s expectations and demonstrating a commitment to ethical business practices, companies can mitigate the risks associated with FCPA violations and build a strong foundation for long-term success.

What the DOJ wants is self-disclosure as soon as possible. One only needs to recall the case of Cognizant Technologies, where the company received a complete declination, and there were allegations of C-Suite involvement in the bribery schemes. This Declination was provided mainly because the company self-disclosed only two weeks after the information was filtered to the Board of Directors. While Cognizant Technologies may be the gold standard, a company’s timely self-disclosures can be considered for a full Declination.

Categories
All Things Investigations

All Things Investigations – Huneke and Carlson on Directors’ Accountability for Compliance and Risk Management

Welcome to the Hughes Hubbard Anti-Corruption & Internal Investigations Practice Group’s podcast, All Things Investigation. In this podcast, I was joined by HughesHubbardReed partner Mike Huneke and Brent Carlson, Director at BRG, to discuss the concepts around their recent paper, Boards of Directors Lovin’ It after McDonald’s? A Fresh Look at Directors’ Duty of Oversight in the New Era of Sanctions & Export Control Corporate Enforcement.

Mike Huneke and Brent Carlson are seasoned professionals specializing in fraud compliance, corruption issues, sanctions, and export control enforcement. Huneke’s perspective on the duties of directors in sanctions and export controls is that boards need to be proactive and engaged in understanding and addressing these risks, emphasizing the importance of caution, skepticism, and diligence in overseeing these critical areas of compliance. His views are shaped by his experience in investigating, litigating, remediating, and preventing fraud, as well as his belief in the importance of good corporate governance and risk management. Carlson emphasizes the significance of understanding geopolitics in the context of company operations and advocates for a return to fundamental principles amidst rapid regulatory changes. His perspective is shaped by his experience in assisting companies navigate the complexities of sanctions and export controls, and his belief in the importance of boards actively engaging with management, asking questions, and ensuring thorough investigations are conducted.

Key Highlights:

  • Directors’ Role in Export Control Compliance
  • McDonald’s Case: Duty of Oversight Emphasis
  • Dynamic Compliance Monitoring for Export Controls
  • Directors’ Accountability for Compliance and Risk Management
  • Proactive Board Oversight for Compliance Excellence

Resources:

Hughes Hubbard & Reed website

Brent Carlson on Linkedin

This podcast is based on: 

Brent & Mike’s blog post on directors’ duty of oversight can be found here: Boards of Directors Lovin’ It after McDonald’s? A Fresh Look at Directors’ Duty of Oversight in the New Era of Sanctions & Export Control Corporate Enforcement (Jan. 12, 2024).

For more on sanctions and export control compliance in the new era of FCPA-like corporate enforcement, see Brent’s and Mike’s prior posts here:

— Brent’s piece that launched the seriesWhen Loopholes Create Liability Pitfalls: A Fresh Look at Export Controls (Aug. 25, 2023).

— How can you assess your risk of sanctions violations?  Know Your Customer, But Also Yourself: A Fresh Look at Sanctions & Export Controls Risk Assessments in the Era of the “New FCPA” (Sept. 28, 2023).

— If you discover a sanctions problem, how can you efficiently investigate and remediate it?  Slow is Smooth, Smooth is Fast: A Fresh Look at Planning and Executing Internal Investigations into Allegations of Sanctions or Export Controls Evasion (Oct. 30, 2023).

— What does that mean for future fines and penalties for export control evasion?  From Peanuts to Prison Time – A Fresh Look at the Evolution of Export Controls Penalties (Nov. 14, 2023).

— Why is an FCPA “mindset” required for sanctions and export control compliance, and how to apply one?  The Blind Men and the Elephant (Dec. 18, 2023).