Categories
Daily Compliance News

Daily Compliance News: March 8, 2024 – The DOJ Whistleblower Day Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee and listen to the Daily Compliance News.

All from the Compliance Podcast Network. Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

In today’s edition of Daily Compliance News:

  • The DOJ announces a whistleblower program.  (WSJ)
  • More from DAG Monaco. Changes to ECCP regarding AI. (Compliance Week)
  • The NYT asks for Boeing whistleblowers. (NYT)
  • SEC prepares to be sued for pro- and con-climate reporting rules. (FT)

For more information on the Ethico ROI Calculator and a free White Paper on the ROI of Compliance, click here.

Categories
Blog

Ten Top Lessons from Recent FCPA Settlements – Lesson No. 7, Changing Your Business Model

Over the past 15 months, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have made clear, through three Foreign Corrupt Practices Act (FCPA) enforcement actions and speeches, their priorities in investigations, remediations, and best practices compliance programs. Every compliance professional should study these enforcement actions closely for the lessons learned and direct communications from the DOJ. They should guide not simply your actions should you find yourself in an investigation but also how you should think about priorities.

The three FCPA enforcement actions are ABB from December 2022, Albemarle from November 2023, and SAP from January 2024. Taken together, they point out a clear path for the company that finds itself in an investigation, using extensive remediation to avoid monitoring and provide insight for the compliance professional into what the DOJ expects in a best practices compliance program on an ongoing basis.

Over a series of blog posts, I will lay out what I believe are the Top Ten lessons from these enforcement actions for compliance professionals who find themselves in an enforcement action. Today, we continue with Number 7, the Change in Sales Model. This is one of the more intriguing insights from these enforcement actions, as changing a sales model has not been previously called out by the DOJ in prior commentary, iterations of the Evaluations of Corporate Compliance Programs, either in the FCPA Resource Guide or in speeches. However, it is such a self-evident change that you might wonder why it has not been called out previously. One reason may be that it seems like a simple change but is challenging. Therefore, many companies may be reluctant to try to do so.

Albemarle

Albemarle changed its approach to sales and its sales teams. Corrupt third-party agents caused the company such FCPA grief. Many of the quotes in the NPA and Order make it clear that Albemarle executives had an aversion to paying bribes but greater moral flexibility when a third-party agent was involved. This led to the company moving away from third-party agents to a direct sales force.

 SAP

On the external sales side, SAP eliminated its third-party sales commission model globally and prohibited all sales commissions for public sector contracts in high-risk markets. It also enhanced compliance monitoring and audit programs, including creating a well-resourced team devoted to third-party partners and supplier audits. On the internal side, SAP adjusted internal compensation incentives to align with compliance objectives and reduce corruption risk.

Gunvor S.A.

The Gunvor FCPA enforcement action was announced in early March. According to the DOJ Press Release, the company has “pleaded guilty and will pay over $661 million to resolve an investigation by the U.S. Justice Department into violations of the Foreign Corrupt Practices Act (FCPA).” I have not included it in this discussion up to this point. However, the DOJ noted that Gunvor had done away with “eliminating the use of third-party business origination agents.” While this is not a complete change in its sales model, it certainly is a significant part of such an action. It also demonstrates that a company can partly change its overall sales model and sales method in a manner that will draw favor from the DOJ.

Moving to a direct sales force does have its risks that must be managed. Still, those risks can certainly be managed with an appropriate risk management strategy, strategy monitoring, and improvement. Yet there is another reason, and more importantly, a significant business reason, to move towards a direct sales business model. Whenever you have a third-party agent or anyone else between you and your customer, you risk losing that customer because your organization does not have a direct relationship with the customer. By having a direct sales business model, your organization will have a direct relationship with your customers and, therefore, the ability to develop it further.

If your organization is under FCPA investigation, you should examine its sales model to determine its maintenance risks. Suppose your model is fully commission-based or highly commission-dependent. In that case, you may consider moving to a direct sales model to help remediate and manage your risks more effectively.

Categories
Compliance Into the Weeds

Compliance into The Weeds: The Gunvor FCPA Enforcement Action

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject more fully. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds! In this episode, Tom and Matt deeply dive into the recently released Gunvor FCPA Enforcement Action.

The Gunvor FCPA case, a high-profile instance of bribery involving Ecuadorian government officials, is a stark reminder of the perils of corruption in international business and the critical need for stringent compliance measures. Tom emphasizes the importance of adherence to anti-corruption laws and regulations. He stresses the necessity for robust compliance programs and internal controls to prevent such violations and the potential fallout of non-compliance, including reputational damage, financial penalties, and legal repercussions.

Matt Kelly sees the Gunvor FCPA case as a significant example of the consequences companies face when engaging in corrupt practices. He would underscore the importance of strong compliance programs, ethical business practices, transparency, and accountability to prevent similar instances of bribery and corruption in the future. Check out the key lessons learned from this matter.

Key Highlights:

  • Bribery Scheme in Gunvor’s Ecuador Dealings
  • Ethical Practices and Regulatory Compliance Strengthening
  • Gunvor’s Bribery Scheme: FCPA Enforcement Consequences
  • Proactive Transparency in Mitigating Legal Penalties

Resources:

Matt on Radical Compliance

Tom 

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Compliance Week Conference Podcast

Compliance Week 2024 Speaker Preview Podcasts – Jonathan Rusch on Clawbacks and Holdbacks

In the Compliance Week 2024 Speaker Preview Podcasts episode, Jonathan Rusch discusses his panel at Compliance Week 2024, “Clawbacks, Incentives, and Remediation.” Some of the issues he will discuss in this podcast and his presentation are:

  • DOJ emphasizes clawbacks in remediation
  • The additional role of holdbacks
  • Learn about cutting-edge topics at Compliance Week 2024

I hope you can join me at Compliance Week 2024. This year’s event will be held April 2-4 at The Westin Washington, DC, Downtown. The line-up for this year’s event is first-rate, with some of the top ethics and compliance practitioners around.

Gain insights and make connections at the industry’s premier cross-industry national compliance event, offering knowledge-packed, accredited sessions and take-home advice from the most influential leaders in the compliance community. Back for its 19th year, join 500+ compliance, ethics, legal, and audit professionals who gather to benchmark best practices and gain the latest tactics and strategies to enhance their compliance programs. Compliance, ethics, legal, and audit professionals will gather safely face-to-face to benchmark best practices and gain the latest tactics and strategies to enhance their compliance programs, among many others, to:

  • Network with your peers, including C-suite executives, legal professionals, HR leaders, and ethics and compliance visionaries.
  • Hear from 80+ respected cross-industry practitioners, including CEOs, CCOs, regulators, federal officials, and practitioners, to help inform and shape the strategic direction of your enterprise risk management program.
  • Hear directly from panels on leadership, fraud detection, confronting regulatory change, abiding by cross-border rules and regulations, and the always-favorite fireside chats.
  • Bring actionable takeaways from various session types, including cyber, AI, Compliance, Board obligations, data-driven compliance, and many others, to your program for you to listen, learn, and share.
  • Compliance Week aims to arm you with information, strategy, and tactics to transform your organization and career by connecting ethics to business performance through process augmentation and data visualization.

I hope you can join me at the event. For information on the event, click here. As an extra benefit to listeners of this podcast, Compliance Week is offering a $200 discount on the registration price. Enter the discount code TFOX2024 for $200 off.

The Compliance Podcast Network produces the Compliance Week 2024 Preview Podcast series. Compliance Week sponsors this series.

Categories
Blog

Ten Top Lessons from Recent FCPA Settlements – Lesson No. 6, Clawbacks and Holdbacks

Over the past 15 months, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have made clear, through three Foreign Corrupt Practices Act (FCPA) enforcement actions and speeches, their priorities in investigations, remediations, and best practices compliance programs. Every compliance professional should study each of these enforcement actions closely for the lessons learned and direct communications from the DOJ. They should guide not simply your actions should you find yourself in an investigation but also how you should think about priorities.

The three FCPA enforcement actions are ABB from December 2022, Albemarle from November 2023, and SAP from January 2024. Taken together, they point out a clear path for the company that finds itself in an investigation: using extensive remediation to avoid a monitor. They also provide insight for the compliance professional into what the DOJ expects in an ongoing best practices compliance program.

Over a series of blog posts, I will lay out what I believe are the Top Ten lessons from these enforcement actions for compliance professionals who find themselves in an enforcement action. Today we continue  with Number 6, Clawbacks and Holdbacks. These strategies are relatively new to the DOJ’s arsenal, and they want companies to employ them in enforcement actions. While the DOJ and SEC have long made clear that they view monetary structure for incentive compensation, as far back as the FCPA Resource Guide, 1st edition (2012), they did not focus as intensely on the disincentive side of the equation. Prior to the Monaco Memo, clawbacks had not been generally seen as a necessary part of a compliance program.

This began to change in the Monaco Memo. It is now unequivocally required by the DOJ and listed as a crucial area of DOJ inquiry in the 2023 Evaluation of Corporate Compliance Programs. Moreover, having such a penalty in place is also seen as part of an excellent corporate culture, which not only penalizes those who engage in unethical behavior in violation of a company’s policies and procedures but will also “promote compliant behavior and emphasize the corporation’s commitment to its compliance programs and its culture.”

The DOJ was told to look into whether companies have “clawback” clauses in their pay agreements and whether “as soon as the company found out about the misconduct, the company has, as much as possible, taken affirmative steps to carry out such agreements and clawback compensation previously paid to current or former executives whose actions or omissions led to or contributed to the criminal conduct at issue.”

The Monaco Memo directed “to develop further guidance by the end of the year on how to reward corporations that develop and apply compensation clawback policies, including how to shift the burden of corporate financial penalties away from shareholders—who in many cases do not have a role in misconduct—onto those more directly responsible.” This clause is an effort by the DOJ to keep companies from shielding recalcitrant executives from the consequences of their own illegal and unethical conduct.

However, the Monaco Memo clarified that it is not simply having a written policy and procedure. If warranted, there must be corporate action under the clawback policy and procedure. In the Albemarle and SAP enforcement actions, the DOJ evaluated the companies’ actions, “Following the corporation’s discovery of misconduct, a corporation has, to the extent possible, taken affirmative steps to execute on such agreements and clawback compensation previously paid to current or former executives whose actions or omissions resulted in or contributed to the criminal conduct at issue.”

Albemarle

Albemarle went in a different direction—not clawbacks, but holdbacks. While the DOJ has made much noise about clawbacks from recalcitrant executives, Albemarle engaged in holdbacks, where they did not pay bonuses to certain employees involved in the conduct or those who had oversight. The NPA stated, “The company withheld bonuses totaling $763,453 during the course of its internal investigation from employees who engaged in suspected wrongdoing.” The illegal conduct involved those who “(a) had supervisory authority over the employee(s) or business area engaged in the misconduct; and (b) knew of, or were willfully blind to, the misconduct.” The significance of this effort was vital as it qualified Albemarle for an additional fine reduction of a dollar-for-dollar credit of the amount of the withheld bonuses under the Criminal Division’s March 2023 Compensation Incentives and Clawbacks Pilot Program. 

SAP

SAP had extensive holdbacks as well. The DPA noted SAP withheld bonuses totaling $109,141 during the course of its internal investigation from employees who engaged in suspected wrongdoing in connection with the conduct under investigation, or who both (a) had supervisory authority over the employee(s) or business area engaged in the misconduct and (b) knew of, or were willfully blind to, the misconduct, and further engaged in substantial litigation to defend its withholding from those employees, which qualified SAP for an additional fine reduction in the amount of the withheld bonuses under the DOJ’s Compensation Incentives and Clawbacks Pilot Program.

The DOJ has given significant credit to both Albemarle and SAP for their holdbacks, and we would expect them to continue to do so. If your organization has not instituted a Clawback/Holdback Policy, now is the time to do so rather than wait until you are in the middle of an investigation or enforcement action. Also, remember that the DOJ gives a dollar-for-dollar credit on any settlement where the company engaged in either clawbacks or holdbacks.

Categories
Blog

Ten Top Lessons from Recent FCPA Settlements – Lesson No. 5, Data Analytics

Over the past 15 months, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have made clear, through three Foreign Corrupt Practices Act (FCPA) enforcement actions and speeches, their priorities in investigations, remediations, and best practices compliance programs. Every compliance professional should study these enforcement actions closely for the lessons learned and direct communications from the DOJ. They should guide not simply your actions should you find yourself in an investigation but also how you should think about priorities.

The three FCPA enforcement actions are ABB from December 2022, Albemarle from November 2023, and SAP from January 2024. Taken together, they point a clear path for the company that finds itself in an investigation, using extensive remediation to avoid monitoring, and provide insight for the compliance professional into what the DOJ expects in a best practices compliance program on an ongoing basis.

Over a series of blog posts, I will lay out what I believe are the Top Ten lessons from these enforcement actions for compliance professionals who find themselves in an enforcement action. Today, we continue with Number 5, Data Analytics. Data analytics was previously seen as cutting-edge in compliance. Now, they are recognized as part of a best practices compliance program. By this time next year, they will be table stakes for every compliance program. However, the DOJ specifically called out the use of data analytics in these three enforcement actions and the incorporation of data analytics into their compliance regimes in the future.

Albemarle

Albemarle’s NPA specifically called out the Company’s use of data analytics in two ways. The first was to monitor the Company’s compliance program, and the second was to measure the compliance program’s effectiveness. While this language follows a long line of DOJ pronouncements, starting with the 2020 Update to the Evaluation of Corporate Compliance Programs, about the corporate compliance functions’ access to all company data, this is the first time it has been called out in a settlement agreement in this manner. Moreover, although not explicitly tied to the lack of a required corporate monitor, it would appear that by using data analytics, Albemarle was able to satisfy the DOJ requirement for implementing controls and then effectively testing them throughout the pendency of the DOJ investigation.

Andrew McBride, Chief Risk & Compliance Officer at Albemarle. He noted that if you think about each element of a compliance program—policies and procedures, training, due diligence, and pre-approvals—and your investigation process, a recurring theme throughout is the role of data to test that those program elements are working as you intend. McBride believes there are four critical purposes for using data and data analytics to support the ethics and compliance program, which he listed as follows:

  1. Risk Identification Issues. It can be used as a part of transaction testing and auditing to identify problematic behavior, support investigations, and highlight areas of residual risk.
  2. Risk Response. Data analytics can be used as a form of internal control. Albemarle uses data analytics as a form of gatekeeper.
  3. Compliance Program Testing. Data analytics can be used to determine the effectiveness of your ethics and compliance program.
  4. Finally, and perhaps most significantly for the DOJ’s purposes in FCPA enforcement actions, are the reporting requirements to demonstrate that the company meets its requirements as laid out in the resolution documents, whether a DPA, NPA, or other.

SAP

The SAP resolution made several references to data analytics and data-driven compliance. SAP did so around its third-party program and expanded its data analytics capabilities to cover over 150 countries, including all high-risk countries globally. The SEC Order also noted that SAP had implemented data analytics to identify and review high-risk transactions and third-party controls. The SAP DPA follows the Albemarle FCPA settlement by stating that SAP now uses data analytics to measure the compliance program’s effectiveness. This language follows a long line of DOJ pronouncements, starting with the 2020 Update to the Evaluation of Corporate Compliance Programs, about the corporate compliance function’s access to all company data; this is the second time it has been called out in a settlement agreement in this manner. Additionally, it appears that by using data analytics, SAP was able to satisfy the DOJ requirement for implementing controls and then effectively testing them throughout the pendency of the DOJ investigation, thereby avoiding monitoring.

ABB

While not explicitly called out in its DPA, ABB has instituted a significant and company-wide data analytics program as a part of its overall remediation effort. Tapan Debnath, Head of Integrity, Regulatory Affairs, & Data Privacy—Process Automation at ABB, spoke about some of the challenges ABB faced and overcame to institute its data analytics program. He said, “The way data is hosted for us and probably for a lot of organizations is in lots of different places, and there needs to be a lot of data cleanup before we can utilize and use data.” He related that another challenge “for us has also been getting hold of data in different jurisdictions. There may be data privacy laws around data transfer, and there may be blocking statutes around this same thing. So navigating the local law requirements around data transfer, getting a hold of the data, and all of those things have been key challenges, as well as resourcing internally how to do this and getting the external stakeholders to support. I think These key fundamental steps need to be ironed out and looked at early on in the process.”

In November, Nicole Argentieri, Acting Assistant Attorney General for the Criminal Division, speaking at the ACI National FCPA, reported that the DOJ is stepping up its use of data analytics to identify instances of corporate misconduct and will boost its cooperation with overseas law enforcement to bring more anti-corruption cases as well. The DOJ and SEC increasingly focus on data analytics for corporate compliance, signaling higher expectations for larger companies.

Data-driven analytics have become a significant part of any best practices compliance program. The DOJ sees it as a critical remedial step for any company in an FCPA enforcement action. The actions taken by ABB, Albemarle, and SAP demonstrate that the DOJ also wants to impress this upon the greater compliance community.

Categories
Blog

Ten Top Lessons from Recent FCPA Settlements – Lesson No. 4, Start with a Root Cause Analysis

Over the past 15 months, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have made clear, through three Foreign Corrupt Practices Act (FCPA) enforcement actions and speeches, their priorities in investigations, remediations, and best practices compliance programs. Every compliance professional should study these enforcement actions closely for the lessons learned and direct communications from the DOJ. They should guide not simply your actions should you find yourself in an investigation but also how you should think about priorities.

The three FCPA enforcement actions are ABB from December 2022, Albemarle from November 2023, and SAP from January 2024. Taken together, they point out a clear path for the company that finds itself in an investigation, using extensive remediation to avoid monitoring and provide insight for the compliance professional into what the DOJ expects in a best practices compliance program on an ongoing basis.

Over a series of blog posts, I will lay out what I believe are the Top Ten lessons from these enforcement actions for compliance professionals who find themselves in an enforcement action. Today, we continue with Number 4, Root Cause, Risk Assessment, and Gap Analysis. Your remediation should begin with a root cause analysis. From there, move on to a risk assessment and gap analysis, and then you are ready to start your complete remediation.

SAP

The SAP Deferred Prosecution Agreement (DPA) laid out the best example of how this works in practice. The DPA reported extensive remediation by SAP, and the information provided in the DPA is instructive for every compliance professional. SAP engaged in a wide range of remedial actions. It all started with a root cause analysis. Root Cause analysis was enshrined in the FCPA Resource Guide, 2nd edition, as one of the Hallmarks of an Effective Compliance Program. It stated, “The truest measure of an effective compliance program is how it responds to misconduct. Accordingly, for a compliance program to be truly effective, it should have a well-functioning and appropriately funded mechanism for the timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or agents. An effective investigation’s structure will also have an established means of documenting the company’s response, including any disciplinary or remediation measures taken.”

This means a company should respond to the specific incident of misconduct that led to the FCPA violation. This means your organization “should also integrate lessons learned from misconduct into the company’s policies, training, and controls. To do so, a company will need to analyze the root causes of the misconduct to timely and appropriately remediate those causes to prevent future compliance breaches.” The SAP DPA noted that SAP engaged in the following steps based on these factors:

1. Conducted a root cause analysis of the underlying conduct, then remediated those root causes through enhancement of its compliance program;
2. Conducted a gap analysis of internal controls, remediating those found lacking;
3. Undertook a “comprehensive risk assessment focusing on high-risk areas and controls around payment processes and enhancing its regular compliance risk assessment process”;
4. SAP documented using “comprehensive operational and compliance data” in its risk assessments.

In addition to having a mechanism for responding to the specific incident of misconduct, the company’s compliance program should also integrate lessons learned from any misconduct into the company’s policies, training, and controls on a go-forward basis. To do so, a company will need to analyze the root causes of the misconduct and remediate those causes promptly and appropriately to prevent future compliance breaches. This SAP did it during its remediation phase.

Albemarle

Albemarle also received credit “because it engaged in extensive and timely remedial measures.” This remedial action began based on the company’s root cause analysis of its FCPA violations.
This root cause analysis led to a risk assessment, which led to remediation. All of these steps were taken during the pendency of the DOJ investigation so that when the parties were ready to resolve the matter, Albemarle had built out an effective compliance program and had tested it.

ABB

ABB also did an excellent job in its remedial efforts. According to the ABB Plea, ABB “engaged in extensive remedial measures, including hiring experienced compliance personnel and following a root-cause analysis of the conduct,” which led to the FCPA enforcement action. More on the ABB remediation later.

Each entity worked diligently to rebuild its compliance programs from the ground up. Whatever the faults of their prior compliance programs, each company was quite diligent in revamping their compliance regimes. While each company builds out a program based on its own risk, there is quite a bit of guidance you can draw from if your company finds itself in this position.

Here, the DOJ communicates that your remedial measures should start with a root cause analysis of the FCPA violation. From there, move to a risk assessment and internal control gap analysis to create a clear risk management strategy.

Categories
10 For 10

10 For 10: Top Compliance Stories For The Week Ending March 2, 2024

Welcome to 10 For 10, the podcast that brings you the week’s Top 10 compliance stories in one podcast each week. Tom Fox, the Voice of Compliance, brings to you, the compliance professional, the compliance stories you need to be aware of to end your busy week. Sit back, and in 10 minutes, hear about the stories every compliance professional should be aware of from the prior week. Every Saturday, 10 For 10 highlights the most important news, insights, and analysis for the compliance professional, all curated by the Voice of Compliance, Tom Fox. Get your weekly filling of compliance stories with 10 for 10, a podcast produced by the Compliance Podcast Network.

  1. Crypto exchange Gemini returns over $1bn to customers.  (WSJ)
  2. Green audits are coming. (FT)
  3. Did Boeing violate the DPA? (NYT)
  4. Will ComEd defendants walk free? (Chicago Sun-Times)
  5. Boeing has 90 days to fix the QA/QC issue.  (NYT)
  6. SBF says he only deserves 6 years in prison. (FT)
  7. Did McKinsey work for or not work for the Chinese government? (FT)
  8. How did Iraqi corruption cost the country. (OilPrice)
  9. An ex-Vitol Trading trader was found guilty of bribery.  (WSJ)
  10. Exec’s husband pleads guilty to insider trading. (WSJ)

For more information on the Ethico ROI Calculator and a free White Paper on the ROI of Compliance, click here.

You can check out the Daily Compliance News for four curated compliance and ethics-related stories each day here.

Connect with Tom:

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Blog

Ten Top Lessons from Recent FCPA Settlements – Lesson No. 3, Extensive Remediation

Over the past 15 months, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have made clear, through three Foreign Corrupt Practices Act (FCPA) enforcement actions and speeches, their priorities in investigations, remediations, and best practices compliance programs. Every compliance professional should study these enforcement actions closely for the lessons learned and direct communications from the DOJ. They should guide not simply your actions should you find yourself in an investigation but also how you should think about priorities.

The three FCPA enforcement actions are ABB from December 2022, Albemarle from November 2023, and SAP from January 2024. Taken together, they point out a clear path for the company that finds itself in an investigation, using extensive remediation to avoid monitoring and provide insight for the compliance professional into what the DOJ expects in a best practices compliance program on an ongoing basis.

Over a series of blog posts, I will lay out what I believe are the Top Ten lessons from these enforcement actions for compliance professionals who find themselves in an enforcement action. Today, we continue with Number 3, Extensive Remediation. The DOJ expects extensive remediation, well documented with data analytics to support everything you have done. Each of the companies engaged in extensive remediation.

ABB

The plea agreement said that ABB “took a lot of corrective action,” such as hiring experienced compliance staff and, after figuring out what caused the behavior described in the Statement of Facts, putting a lot more money into testing and monitoring compliance across the whole company; putting in place targeted training programs and extra case-study sessions on-site; and continuing to test and monitor to see how things are going. This final point was expanded on in the SEC Order, which reported that all employees involved in the misconduct were terminated.

At this point, there are not many specific components of the ABB remediation available, but we do know that ABB was given credit for hiring “experienced compliance personnel,” starting with the hiring of Natalia Shehadeh, SVP and Chief Integrity Officer, and then allowing Shehadeh to hire a dream team of compliance professionals to work with her.

Albemarle

The NPA cited several remedial actions by the company that helped Albemarle obtain a superior result regarding the discounted fine and penalty. These steps were taken during the pendency of the DOJ investigation so that when the parties were ready to resolve the matter, Albemarle had built out an effective compliance program and had tested it. The NPA provided that Albemarle engage in the following remedial efforts:

  • Strengthening its anti-corruption compliance program by investing in compliance resources, expanding its compliance function with experienced and qualified personnel, and taking steps to embed compliance and ethical values at all levels of its business organization;
  • Transformed its business model and risk management process to reduce corruption risk in its operation and to embed compliance in the business, including implementing a go-to-market strategy that resulted in eliminating the use of sales agents throughout the Company, terminating hundreds of other third-party sales representatives, such as distributors and resellers, and shifting to a direct sales business model;
  • Provided extensive training to its sales team, restructuring compensation and incentives so that compensation is no longer tied to sales amounts;
  • Used data analytics to monitor and measure the compliance program’s effectiveness and
  • We are engaged in continuous testing, monitoring, and improving all aspects of its compliance program, beginning immediately after identifying misconduct.

SAP

SAP also did an excellent job in its remedial efforts, whether SAP realized that, as a recidivist in dire straits, it was after the publicity in South Africa around corruption or some other reason that the company made major steps to create an effective, operationalized compliance program that met the requirements of the Hallmarks of an Effective Compliance Program as laid out in the 2020 FCPA Resource Guide, 2nd edition.

The remedial actions by SAP can be grouped as follows:

  1. Root Cause, Risk Assessment, and Gap Analysis. After doing a gap analysis of internal controls and fixing any problems found, the company did a root cause analysis of the behavior in question and fixed the issues it found. It then did a full risk assessment, focusing on high-risk areas and controls around payment processes, and used the results to improve its compliance risk assessment process.
  2. Enhancement of Compliance. Here, the company significantly increased the budget, resources, and expertise devoted to compliance; restructured its Offices of Ethics and Compliance to ensure adequate stature, independence, autonomy, and access to executive leadership; enhanced its code of conduct and policies and procedures regarding gifts, hospitality, and the use of third parties; enhanced its reporting, investigations and consequence management processes;
  3. Change in sales models. On the external sales side, SAP eliminated its third-party sales commission model globally, prohibited all sales commissions for public sector contracts in high-risk markets, and enhanced compliance monitoring and audit programs, including creating a well-resourced team devoted to audits of third-party partners and suppliers. On the internal side, SAP adjusted internal compensation incentives to align with compliance objectives and reduce corruption risk.
  4. Data Analytics. Here, SAP expanded its data analytics capabilities to cover over 150 countries, including all high-risk countries globally, and comprehensively used data analytics in its risk assessments.

Each of these entities worked quite diligently to rebuild their compliance programs from the ground up. Whatever the faults of their prior compliance programs, each company was quite diligent in revamping their compliance regimes. While each company builds out a program based on its own risk, there is quite a bit of guidance you can draw from if your company finds itself in this position.

Categories
Blog

Ten Top Lessons from Recent FCPA Settlements – Lesson No. 2, The Need for Speed

Over the past 15 months, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have made clear, through three Foreign Corrupt Practices Act (FCPA) enforcement actions and speeches, their priorities in investigations, remediations, and best practices compliance programs. Every compliance professional should study these enforcement actions closely for the lessons learned and direct communications from the DOJ. They should guide not simply your actions should you find yourself in an investigation but also how you should think about priorities.

The three FCPA enforcement actions are ABB from December 2022, Albemarle from November 2023, and SAP from January 2024. Taken together, they point to a clear path for the company that finds itself in an investigation, using extensive remediation to avoid monitoring and provide insight for the compliance professional into what the DOJ expects in a best practices compliance program on an ongoing basis.

Over a series of blog posts, I will lay out what I believe are the Top Ten lessons from these enforcement actions for compliance professionals who find themselves in an enforcement action. Today, we continue with Number 2, the Need for Speed. The DOJ expects a company to share information with regulators as quickly as it finds those facts without necessarily knowing how such admissions might affect its overall case and settlement chances.

In a 2023 speech, Assistant Attorney General Kenneth Polite announced the change I called ‘The Need for Speed.’ Polite characterized the change as going from ‘full’ cooperation to ‘extraordinary’ cooperation. He noted the DOJ has differences between corporations and individuals in both investigations and enforcement, but “concerning how we consider cooperation, the lens and framework through which we analyze the level and degree of cooperation aren’t so different.”

Polite named three concepts, “immediacy, consistency, degree, and impact—that apply to cooperation by both individuals and corporations, which will help to inform our approach to assessing what is “extraordinary.”He went on to note that “In assessing the quality of a cooperator’s assistance, we value: when an individual begins to cooperate immediately, and consistently tells the truth; individuals who allow us to obtain evidence we otherwise couldn’t get, like quickly obtaining and imaging their electronic devices or having recorded conversations; cooperation that produces results, like testifying at a trial or providing information that leads to additional convictions.” He emphasized that there are “examples in the individual context.”

Then came the puzzling part. Polite stated, “We know “extraordinary cooperation” when we see it, and the differences between “full” and “extraordinary” cooperation are perhaps more in degree than kind.  To receive credit for extraordinary cooperation, companies must go above and beyond the criteria for full cooperation set in our policies—not just run of the mill, or even gold-standard cooperation, but truly extraordinary.” He stated, “At the same time, the government will not affirmatively direct a company’s internal investigation if it chooses to do one, and companies are often well positioned to know the steps they can take to best cooperate in a particular given case.” He concluded, “And, of course, the facts and circumstances of each case will be unique.”

Perhaps Polite is simply channeling his inner Potter Stewart with his line, ‘We know it…when we see it’. Of course, if two or more people look at the same set of facts, there is always the chance for two or more interpretations. The question then becomes how to define extraordinary cooperation.

It also ties directly into what Deputy Attorney General Lisa Monaco said in announcing the Monaco Doctrine when she stated, “Department prosecutors must gain access to all relevant, non-privileged facts about individual misconduct swiftly and without delay.” [emphasis supplied] This meant, “to receive full cooperation credit, corporations must produce on a timely basis all relevant, non-privileged facts and evidence about individual misconduct such that prosecutors have the opportunity to effectively investigate and seek criminal charges against culpable individuals.” If a company fails to meet this burden, it will “place in jeopardy their eligibility for cooperation credit.” The DOJ goes the next step by placing the burden on companies to demonstrate timeliness, stating they “bear the burden of ensuring that documents are produced promptly to prosecutors.”

In the ABB enforcement action, ABB received credit for extraordinary cooperation based on the following: “(i) promptly providing information obtained through its internal investigation, which allowed the Offices to preserve and obtain evidence as part of their independent investigation; (ii) making regular and detailed factual presentations to the Offices; (iii) voluntarily making foreign-based employees available for interviews in the United States; (iv) producing relevant documents located outside the United States to the Offices in ways that did not implicate foreign data privacy laws; and (v) collecting, analyzing, and organizing voluminous evidence and information that it provided to the Offices, including the translation of certain foreign language documents.”

Some additional insight is found in the SEC Order, which states, “ABB’s cooperation included real-time sharing of facts learned during its internal investigation.”  This meant “ABB was sharing information with regulators as quickly as it found those facts, without necessarily knowing how such admissions might affect its overall case and settlement chances.” [emphasis supplied]

Since the SAP enforcement action, extraordinary cooperation has become more difficult to ascertain. While there was no mention of the super duper, extra-credit giving extensive remediation that Kenneth Polite discussed, when SAP began to cooperate, it moved to collaborate extensively. The DPA noted SAP “immediately began to cooperate after South African investigative reports made public allegations of South Africa-related misconduct in 2017 and providing regular, prompt, and detailed updates to the Fraud Section and the Office regarding factual information obtained through its internal investigation, which allowed the government to preserve and obtain evidence as part of its independent investigation…” Most interestingly, the DPA reported that SAP imaged “the phones of relevant custodians at the beginning of the company’s internal investigation, thus preserving relevant and highly probative business communications sent on mobile messaging applications.” This is explicit instruction around messaging apps in FCPA enforcement actions.

Albemarle was credited with significant cooperation by the DOJ during the pendency of its investigation. The NPA noted that the company also received credit for its substantial cooperation and extensive and timely remediation. However, there was only a standard list of items relating to this cooperation and nothing on extraordinary collaboration.

We are back where we started; there is a need for speed. However, the only functional definition we have for it comes from the SEC and not the DOJ. As laid out in the SEC Order for ABB, it is a real-time sharing of facts.