Tag: DOJ

Categories
Blog

Data-Driven Compliance – From Cutting Edge to Table Stakes

Compliance programs play a crucial role in ensuring that companies adhere to legal and ethical standards. In today’s digital age, where data is abundant and easily accessible, the importance of data-driven compliance programs cannot be overstated. This message was driven home very forcefully in a speech in November by Nicole Argentieri, acting assistant attorney general for the Criminal Division. She stated “I’d like to now turn to our use of data. In the Criminal Division, we too are going above and beyond in our effort to combat white collar crime. We are not just waiting for companies to self-report, or witnesses to come forward, or for anomalies to reveal themselves on a one-off basis. Let me be the first to tell you that we have proactively used data to generate FCPA cases, and we’ve only just gotten started.”

Anselmo Guevara, Director, Compliance Monitoring and Analytics at VMware, has emphasized the need for companies to have a compliance program that provides visibility into their data at their fingertips. It is no longer sufficient to simply collect data and have someone review and reconcile it. Compliance professionals must actively analyze the data for trends, anomalies, and potential compliance risks. This proactive approach allows companies to identify and address compliance issues before they escalate.

But as with all new initiatives in compliance, one must emphasize the importance of starting a compliance journey with a formal risk assessment. Guevara suggested collaborating with various departments within the organization, such as accounts payable, receivables, internal audit, and business operations, to understand the risks associated with different processes. This collaborative effort helps identify compliance controls that need to be in place and ensures that the data required for analysis is available.

While low hanging fruit may seem like an attractive starting point, Guevara cautioned against solely focusing on easy wins. He advised against presenting a weak business case to secure budget approval for compliance projects. Instead, he recommended conducting a comprehensive compliance risk assessment to prioritize areas that require immediate attention. This approach ensures that compliance efforts are aligned with your organization’s overall risk management strategy.

Data analytics plays a crucial role in enhancing compliance efforts. By leveraging data analytics tools and techniques, compliance professionals can identify patterns, detect anomalies, and uncover potential compliance risks. However, Guevara highlighted the importance of validating suspicious transactions before raising concerns. It is essential to conduct due diligence and thoroughly investigate any potential issues to maintain financial integrity and credibility.

Data-driven compliance programs have moved from cutting edge and are now seen as best practices. Soon they will simply be table stakes for companies to effectively manage compliance risks. By actively monitoring and analyzing data, companies can identify potential compliance issues, mitigate risks, and maintain their reputation and integrity. Collaboration between different departments and a formal risk assessment are key factors in establishing a robust compliance program. As technology continues to advance, the role of data analytics and AI in compliance monitoring is expected to become even more significant. It is crucial for compliance professionals to stay informed, continuously learn, and adapt to the evolving landscape of data-driven compliance.

Categories
Blog

The Compliance Function in an Organization

The role of the compliance professional and the compliance function in a corporation has steadily grown in stature and prestige over the years. When it came to the corporate compliance function, 2020 FCPA Resource Guide, 2nd edition, under the Hallmarks of an Effective Compliance Program, simply noted the government would “consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.”

This Hallmark was significantly expanded in both the original FCPA Corporate Enforcement Policy and 2023 ECCP. In the FCPA Corporate Enforcement Policy, the DOJ listed the following as factors relating to a corporate compliance function, that it would consider as indicia of an effective compliance and ethics program: 1) the resources the company has dedicated to compliance; 2) the quality and experience of the personnel involved in compliance, such that they can understand and identify the transactions and activities that pose a potential risk; 3) the authority and independence of the compliance function and the availability of compliance expertise to the board; 4) the compensation and promotion of the personnel involved in compliance, in view of their role, responsibilities, performance, and other appropriate factors; and 5) the reporting structure of any compliance personnel employed or contracted by the company.

Clearly the DOJ is articulating that in an operationalized compliance program, it expects true compliance professionals, who understand the way compliance interacts with and supports the business. Companies must compensate and promote compliance professionals within their organization.

Funding and resources. You will now have to justify your corporate compliance spend. This means at a minimum you will have to meet some general industry standard. If a corporation tries to low-ball both the pay to compliance professionals, as well as the dollar and head count made available to a compliance function, it will not be viewed positively. Also noted in the Evaluation, a company must be prepared to defend any request for compliance resources which are turned down. Budget requests and allocations are always difficult times in any corporation. There is never enough money to go around and most senior management thinks it is their job to slash all budget requests as a simple matter of course. Now such blanket management will be penalized.

If a compliance function is so hampered by resource restrictions it cannot carry out the basic functions needed for a compliance program to operate, it will not find favor under either the Evaluation or the FCPA Corporate Enforcement Policy. If there are compliance projects needed to address basic compliance risks which are not funded because management failed to heed a CCOs or compliance functions budget request, this could be evidence of conscious indifference by senior management.

Role of compliance and empowerment. More than simply throwing money at the compliance function (as if that would ever happen) the DOJ is now inquiring into how the compliance function and its recommendations are treated. If there is business unit over-ride of compliance decisions, there must be an auditable decision trail. This, of course, is anathema to corporate executives who do not want to put themselves at risk.

But more than simply preventing management over-ride, a corporate compliance function has to be empowered by the Board and CEO to intervene in business decisions that implicate the company’s ethics and compliance issues, compliance with business code of ethics, agent/distributor and supplier codes of conduct, training, communication and internal investigations. If a company considers a business decision or practice that implicates the company’s ethical principles, the compliance function must have the internal authority to weigh in and ensure that ethical principles and compliance issues are factored into the business decision.

In the 2023 ECCP, under Section III, Does Your Compliance Program Work in Practice, is the following new language “Independence and Empowerment – Is compensation for employees who are responsible for investigating and adjudicating misconduct structured in a way that ensures the compliance team is empowered to enforce the policies and ethical values of the company? Who determines the compensation, including bonuses, as well as discipline and promotion of compliance personnel or others within the organization that have a role in the disciplinary process generally?”

This is a significant new addition to the ECCP. It forces a company to adequately compensation those employees who investigate and pass judgment on misconduct. But it is more than simply adequate compensation as it also requires a company not to retaliate via low salaries or limited raises or other compensation for doing their jobs as compliance officers. In other words, if the CEO is being investigated by compliance; that same CEO should not be setting or reviewing the salary of the CCO or those doing the investigation. This mandates that the DOJ will review the entire corporate organization on these issues.

Outsourcing of compliance. This area of compliance practice has arisen largely since the articulation of the Hallmarks in the 2020 FCPA Resource Guide, 2nd edition. While this might make sense from a cost perspective, it can be largely problematic if it is not managed properly. Rarely do outsiders have the same access as corporate employees, particularly in a function as important as compliance. Additionally, there will never be the trust level with outsiders there is with someone who wears the same color shirt as the employees. Here a company must not only have a rationale in place, which will largely be cost savings; a company must also have a mechanism in place to assess, on an ongoing basis, any outsourced compliance function. This will be beyond the reach of probably 99% of the companies engaged in such outsourcing.

The 2023 ECCP had further detailed questions to pose:

Structure—Where within the company is the compliance function housed (e.g., within the legal department, under a business function, or as an independent function reporting to the CEO and/or board)? To whom does the compliance function report? Is the compliance function run by a designated chief compliance officer, or another executive within the company, and does that person have other roles within the company? Are compliance personnel dedicated to compliance responsibilities, or do they have other, non-compliance responsibilities within the company? Why has the company chosen the compliance structure it has in place? What are the reasons for the structural choices the company has made?

Seniority and Stature—How does the compliance function compare with other strategic functions in the company in terms of stature, compensation levels, rank/title, reporting line, resources, and access to key decision-makers? What has been the turnover rate for compliance and relevant control function personnel? What role has compliance played in the company’s strategic and operational decisions? How has the company responded to specific instances where compliance raised concerns? Have there been transactions or deals that were stopped, modified, or further scrutinized as a result of compliance concerns?

Experience and Qualifications—Do compliance and control personnel have the appropriate experience and qualifications for their roles and responsibilities? Has the level of experience and qualifications in these roles changed over time? How does the company invest in further training and development of the compliance and other control personnel? Who reviews the performance of the compliance function and what is the review process?

Funding and Resources—Has there been sufficient staffing for compliance personnel to effectively audit, document, analyze, and act on the results of the compliance efforts? Has the company allocated sufficient funds for the same? Have there been times when requests for resources by compliance and control functions have been denied, and if so, on what grounds?

Data Resources and Access—Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions? Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?

Autonomy—Do the compliance and relevant control functions have direct reporting lines to anyone on the board of directors and/or audit committee? How often do they meet with directors? Are members of the senior management present for these meetings? How does the company ensure the independence of the compliance and control personnel?

The 2023 ECCP and 2023 Update to the FCPA Corporate Enforcement Policy both demonstrate the continued evolution in the thinking of the DOJ around the corporate compliance function. Their articulated inquiries can only strengthen a corporate compliance function specifically; and the compliance profession more generally. The more the DOJ talks about the independence of the compliance function, coupled with resources being made available and authority concomitant with the corporate compliance function, the more corporations will see it is directly in their interest to provide the resources, authority and gravitas to compliance position in their organizations.

Categories
Blog

CCO Authority and Independence

The role of the CCO has steadily grown in stature and prestige over the years. In the 2020 FCPA Resource Guide, 2nd edition, under the Hallmarks of an Effective Compliance Program, it focused on whether the CCO held senior management status and had a direct reporting line to the Board, stating:

In appraising a compliance program, DOJ and SEC also consider whether a company has assigned responsibility for the oversight and implementation of a company’s compliance program to one or more specific senior executives within an organization. Those individuals must have appropriate authority within the organization, adequate autonomy from management, and sufficient resources to ensure that the company’s compliance program is implemented effectively. Adequate autonomy generally includes direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors.

This Hallmark was significantly expanded in both the 2023 ECCP and the FCPA Corporate Enforcement Policy. And in so doing, the DOJ has increased the prestige, authority and role of both the CCO and corporate compliance function. The 2023 ECCP has five general areas of inquiry around the CCO and corporate compliance function. (1) How does the CCO salary and stature within the organization compare to other senior executives within the company. (2) What are the experience and stature of the CCO with an organization? Does the CCO have appropriate training for the role? (3) How much autonomy does the CCO have to report to the Board of Directors? How often do the CCO meet with directors? Are members of the senior management present for these meetings with the Board of Directors or of the Audit Committee? (4) What is your structure? Is the compliance function run by a designated chief compliance officer, or another executive within the company, and does that person have other roles within the company? (5) Is data in your organization so siloed that the CCO does not have access to it? If so, what are you doing about it?

In the 2023 Update to the FCPA Corporate Enforcement Policy, the DOJ these factors out as follows: 1) The quality and experience of the CCO, such that they can understand and identify the transactions and activities that pose a potential risk; 2) The authority and independence of the CCO; 3) The compensation and promotion of the CCO, in view of their role, responsibilities, performance, and other appropriate factors; and 4) The reporting structure of any CCO employed or contracted by the company.

All of these factors are enhanced by the CCO Certification requirement, as announced by Kenneth Polite back in 2022. A CCO must certify the effectiveness of a compliance program after a DPA or NPA has been concluded. This requirement will only become more important moving into 2023 and beyond. In addition to CCO  Certification, the Delaware Court of Chancery’s  decision in the case of McDonald’s Corporation and its former Executive Vice President and Global Chief People Officer of McDonald’s Corporation, David Fairhurst in the case In re McDonald’s Corporation Stockholder Derivative Litigation, where for the first time, a Delaware court formally recognized the oversight duties of officers of Delaware corporations.

The court noted that the CCO has a broad scope within an organization. The court stated, “Although the CEO and Chief Compliance Officer likely will have company-wide oversight portfolios, other officers generally have a more constrained area of authority.” The responsibilities of the CCO are wide and sometimes varied. Here the court stated, ““[s]pecific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program. Individual(s) with operational responsibility shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance and ethics program.” But the Delaware court also provided CCOs with some additional ammunition in their quest for true influence in a corporation by stating that “to carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.”

Clearly the DOJ is articulating that it expects true compliance professionals, who understand the way compliance interacts with and supports the business to be in the CCO chair. The days of a law school trained CCO who cannot read a spreadsheet are consigned to the dustbin of non-compliant history. But more than simply compliance professionalism, companies must compensate and promote compliance professionals within their organization. Simply burying someone in the compliance function of a law department because they cannot cut it will no longer suffice.

The DOJ has not taken a formal position on whether a General Counsel (GC) can also be the CCO. However, the language of the FCPA Corporate Enforcement Policy and 2023 ECCP seem to signal the death knell for the dual GC/CCO role. They also signal the larger issue that the CCO should have a separate reporting line to the Board, apart from through the GC. While the DOJ’s stated position that it does not concern itself with whether the CCO reports to the GC or reports independently, it is more concerned about whether the CCO has the voice to go to the CEO or Board of Directors directly not via the GC. Even if the answer were yes, the DOJ would want to know if the CCO has ever exercised that right. Yet the 2023 ECCP comes as close to any time previously in articulating a DOJ policy that the CCO be independent of the GC’s office. Therefore, if your CCO still reports up through the GC, you must have demonstrable evidence of both CCO independence and actual line of sight authority to the Board.

Here are some questions you should consider in evaluating this prong. First and foremost, is the CCO a part of the senior management or the C-Suite? Is the CCO part of regular meetings of this group? Who can terminate the CCO—is it the CEO, the Board Compliance Committee or does CCO termination require approval of the entire Board? Most importantly, could a person under investigation or even scrutiny by the CCO fire the CCO? If the answer is yes, the CCO clearly does not have requisite independence.

Additional questions to consider: Who can over-rule a decision by a CCO within the organization? And who is making the decisions around salary and compensation for the CCO? Is it the CEO, the GC, the Board Compliance Committee or some other person or group? Finally, what happens if a CCO initiates an investigation against someone he reports to or sets his salary?

Once again for the compliance professional, the FCPA Corporate Enforcement Policy and 2023 ECCP make the importance of a best practices compliance program even more critical. The DOJ is focusing more on the role, expertise and how the compliance function is treated within an organization. Pay your CCO considerably less than your GC? You may now better be able to justify that discrepancy. If you have a legal department budget of $3 million and a compliance department budget of $500,000; you are starting behind the eight-ball.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 25 – Responding to Investigative Findings

There is nothing like an internal whistleblower report about a compliance violation, the finding of such an issue, or (even worse) a subpoena from the DOJ or notice letter from the SEC to trigger the attention of the Board of Directors and senior management to the compliance function and the company’s compliance program. Such an event can trigger much gnashing of teeth and expressions of outrage, followed immediately by the proclamation, “We are an ethical company.” However, it may well be the time for a very serious reality check.

You may find yourself in a position where you will have to have some very frank discussions about what to expect in terms of costs and time outlays. While much of these discussions will focus on the investigative process and those costs, these discussions will allow you to initiate the talk about remediation going forward and begin to explain why money must be budgeted for the remediation process.

Finally, there should be a solid line of communication between the people who are doing the investigation and the people who are leading the remediation. Otherwise, you can only begin your remediation in the most general terms and you will not be able to deal with specific gaps in your compliance program or risks that need to be managed. Such an approach can also be a recipe for disaster. First and foremost, the DOJ will not give you credit and you may lose the types of benefits articulated in the FCPA Corporate Enforcement Policy. Moreover, the executive attention will have dissipated and you will have lost your momentum to clean things up through a thorough remediation.

Three key takeaways:

1. A serious FCPA allegation gets the attention of the Board and senior management. Use this time to move the compliance program forward.

2. Be aware of how your investigation can impact and even inform your remediation efforts.

3. Be prepared to deal with the dreaded “where else” question.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
Blog

Responding to Investigative Findings

There is nothing like an internal whistleblower report about a compliance violation, the finding of such an issue, or (even worse) a subpoena from the DOJ or notice letter from the SEC to trigger the Board of Directors and senior management attention to the compliance function and the company’s compliance program. Such an event can trigger much gnashing of teeth and expressions of outrage followed immediately by proclamations “We are an ethical company.” However, it may well be the time for a very serious reality check.

You may find yourself in the position that you will have to have some very frank discussions about what to expect in terms of costs and time outlays. While much of these discussions will focus on the investigative process and those costs, these discussions will allow you to initiate the talk about remediation going forward and begin to explain why money must be budgeted for the remediation process.

One of the things rarely considered is how the investigation triggers the remediation process and what the relationship is between the two. When issues arise warranting an investigation that would rise to the Board of Directors level and potentially require disclosure to the government, there is usually a flurry of attention and activity. Everyone wants to know what is going on.  Russ Berland, Senior Counsel Data Protection Law at Johnson & Johnson Consumer Health has noted, “for that short moment in time, you have everyone’s full attention.” Yet it can still be “a tricky place, because you get your fifteen minutes to really get everyone’s full attention, and from then on, you’re fighting with everybody else for their attention, like the normal things in business life.”

You need to explain the costs to the Board and senior management. As Berland said, you need to be upfront and candid in firmly stating, “To get to this place, this is what it’s going to cost.” Moreover, you need to be able to show how some companies paid very large amounts, not just in the eventual fine and penalty but also in other costs; such as shareholder lawsuits, claims and other post-resolution costs. Berland went on to say, “We want to show you how people have lost money by having to write big checks, because they didn’t take these allegations seriously. They actually saved money, because they didn’t have to write as big a check, because they took these allegations very seriously.” The bottom line is that your ROI here is going to be very high if you put the resources into remediation and do it well. This is easier with the information that was provided by the DOJ in the FCPA Corporate Enforcement Policy as it demonstrated how much discount a company can receive below the minimum range of the U.S. Sentencing Guidelines for remediation.

One of the most difficult parts is that the investigation is often done in a way in which the investigators want to maintain as tight a control over the information and privilege as they possibly can. The remediation requires output from the investigation to understand where the risk points and gaps are, both in the compliance program and the internal controls. There is a tension there and it needs to be structured in a way that information can be shared with those who are designing the remediation without fear of compromising the investigation.

Dan Chapman, former CCO at Parker Drilling and Cameron International and Founder of Presyse Consulting, also believes that costs must be adequately discussed to set proper expectations. These include both direct and, even more importantly, indirect costs to the company. Chapman noted, “the biggest cost to a company during an investigation is the diversion of management resources” and, as he further explained, “everything stops to focus on the investigation.” This indirect cost comes largely through the time commitment of senior management because “if senior management has to commit 20% of their time, that is 20% of their time that is not going towards revenue generating, shareholder value-protecting activities.”

Yet, how can you communicate this point to somebody who has not gone through a full-blown internal investigation then coupled with a federal investigation with the DOJ and Federal Bureau of Investigation involved? Understanding that the all-encompassing nature of such an event is difficult to articulate, Chapman goes through some of his past experiences as touch points. “One example would be, during my first week on the job at previous employer, the company had a worldwide conference for all of the senior managers from around the world,” he said. “At that meeting, I asked all the senior, C-level executives, ‘Over the last few years, have you spent 5% of your time on the matter?’ They raised their hands. Then, I kept escalating it: 10%, 15%, and the hands didn’t go down until about 20%. Then I explained to them, and to the audience, ‘If you got 5%, 10% or 15% more from your senior management, where would this company be? What would it be worth? What bonuses would you have gotten?’ I think this point resonated with all of them, but there was still no great way for them or for anyone to quantify these costs. How do you quantify the absence of non-compliance? How do you quantify what could have been? How do you quantify the opportunity costs of management’s time?”

You can explain the upside of compliance and do that in a manner that juxtaposes the cost. Chapman said you could mention things such as, “If you have clear policies and people know what to do, think how much easier your life would be. Instead of having to make calls and figure it out on your own every single time, you had a clear plan of action dictated by a policy.” The same types of arguments come into play in areas generally considered the purview of HR, i.e., recruiting and retention.

About recruiting Chapman posed the following for consideration, “Where do your new hires, especially recent college graduates, get their information about your company? They get it from the internet. If your company has been in trouble for bribery, what is one of the first things they see when they Google your company’s name? At the very top of their search results will be a news article about the wrongdoings or penalties. Now, how likely is a recent graduate to take his first job with a company that pays bribes, and, if he or she is willing, is that really the type of person you want to hire?” He also points out the negative impact of non-compliance on the retention of current employees by asking, “Ask yourself, is a good employee more or less likely to consider other job opportunities before or after she learns that her company pays bribes or may ask her to pay bribes?”

Yet even more than these types of points about employees in the organization, Chapman believes it is important to make it personal at the highest level of the organization; to make it as personal to your audience as possible. He suggests asking the Board and senior management “How would you feel about being involved in bribery? Rather than being something that’s only involving the company, your name and your reputation will be associated with it. How do you feel about being there?”

Obviously, the investigation will be critical for you to help understand what remediation your compliance program will need going forward. As Berland said, “Somebody found a way to get around your system. Maybe they colluded to overcome the internal controls. Maybe there was a group that simply wasn’t well trained, didn’t understand, or there was a group that was extremely well trained, and decided to do it anyway. But somehow, there are issues in the overall system of the executive tone, the governance, the compliance program, the internal controls, all at a meta level, which failed.”

You cannot find gaps in your compliance system until you stress test it. Viewed in this light, your compliance failures can be viewed as the ultimate stress test. Berland noted, “Well, guess what, you just got handed a stress test, and this is where the system broke down. Now you know there’s a gap. Well, absent the investigation, as painful and difficult as that is, that gap would have just been sitting there.” The investigation will raise information to you about the failures of your compliance program that you may not have known existed previously.

While there will be a desire by some folks to not give out any information about the investigation until it is completed and there is a final report, you must resist this at all costs. If the results of the investigation are not made available to you as the CCO or the compliance professional charged with remediating the compliance program, any such remediation will be extremely difficult, because “you’re just going off suppositions and guesses.”

He advocates there be a solid line of communication between the people who are doing the investigation and the people who are leading the remediation. Otherwise, you can only begin your remediation in the most general terms and you will not be able to deal with specific gaps in your compliance program or risks that need to be managed. Such an approach can also be a recipe for disaster. First, and foremost, the DOJ will not give you credit and you may lose the types of benefits articulated in the FCPA Corporate Enforcement Policy. Moreover, the executive attention will have dissipated and you will have lost your momentum to clean things up through a thorough remediation.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 21 – Managing Your Third Parties

The building blocks of any compliance program lay the foundations for a best practices compliance program. For instance, in the life cycle management of third parties, most compliance practitioners understand the need for a business justification, questionnaire, due diligence, evaluation, and compliance terms and conditions in contracts. However, as many companies mature in their compliance programs, the issue of third-party management becomes more important. It is also the one where the rubber meets the road of operationalizing compliance. It is also an area that the DOJ specifically articulated in the 2023 ECCP that companies need to consider.

Managing your third parties is where the rubber meets the road in your overall third-party risk management program. You must execute on this task. Even if you successfully navigate the first four steps in your third-party risk management program, those are the easy steps. Managing the relationship is where the real work begins.

Three key takeaways:

1. Have a strategic approach to third-party risk management.

2. Rank third parties based upon a variety of factors, including compliance and business performance, length of relationship, benchmarking metrics, and KPIs for ongoing monitoring and auditing.

3. Managing the relationship is where the real work begins.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
Blog

Managing Third Parties

The building blocks of any compliance program lay the foundations for a best practices compliance program. For instance, in the life cycle management of third parties, most compliance practitioners understand the need for a business justification, questionnaire, due diligence, evaluation and compliance terms and conditions in contracts. However, as many companies mature in their compliance programs, the issue of third-party management becomes more important. It is also the one where the rubber meets the road of operationalizing compliance. It is also an area the DOJ specifically articulated in the 2023 ECCP that companies need to consider.

The 2023 ECCP posed the following questions:

Risk-Based and Integrated Processes—How has the company’s third-party management process corresponded to the nature and level of the enterprise risk identified by the company? How has this process been integrated into the relevant procurement and vendor management processes?

Appropriate Controls—How does the company ensure there is an appropriate business rationale for the use of third parties? If third parties were involved in the underlying misconduct, what was the business rationale for using those third parties? What mechanisms exist to ensure that the contract terms specifically describe the services to be performed, that the payment terms are appropriate, that the described contractual work is performed, and that compensation is commensurate with the services rendered?

Management of Relationships—How has the company considered and analyzed the compensation and incentive structures for third parties against compliance risks? How does the company monitor its third parties? Does the company have audit rights to analyze the books and accounts of third parties, and has the company exercised those rights in the past? How does the company train its third-party relationship managers about compliance risks and how to manage them? How does the company incentivize compliance and ethical behavior by third parties? Does the company engage in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process?

Real Actions and Consequences—Does the company track red flags that are identified from due diligence of third parties and how those red flags are addressed? Does the company keep track of third parties that do not pass the company’s due diligence or that are terminated, and does the company take steps to ensure that those third parties are not hired or re-hired at a later date? If third parties were involved in the misconduct at issue in the investigation, were red flags identified from the due diligence or after hiring the third party, and how were they resolved? Has a similar third party been suspended, terminated, or audited as a result of compliance issues?

The key is to have a strategic approach to how you structure and manage your third-party relationships. This may mean more closely partnering with your third parties to help manage the anti-corruption compliance risk. It would certainly lead towards enabling your company to control risk while optimizing the performance of your third parties.

Amalgamate third parties but have fallbacks. It is incumbent to consolidate your third-party relationships to a smaller number to more fully operationalize your compliance program. This will make the entire third-party lifecycle easier to manage. However, a company must not “over-consolidate” by going down to a single source. You should build a diversified base, with through “dual-sourcing.” From the compliance perspective, you may want to have a primary and secondary third-party that you work with in a service line or geographic area to retain this redundancy.

Monitor any subcontracted work. This is one area that requires an appropriate level of compliance management. If your direct contracting party has the right or will need to subcontract some work out, you need to have visibility into this from the compliance perspective. You will need to require and monitor that your direct third-party relationship has your approved compliance terms and conditions in their contracts with their subcontractors. You will also need to test that proposition. In other words, you must require, trust and then verify.

Legal Protections. This is where your compliance terms and conditions will come into play. Consider a full indemnity if your third-party violates the FCPA and your company is dragged into an investigation because of the third-party’s actions. Such an indemnity may not be worth too much but if you do not have one, there will be no chance to recoup any of your legal or investigative costs. Another important clause is that any FCPA violation is a material breach of contract. This means that you can legally, under the terms of the contract, terminate it immediately, with no requirement for notice and cure. Once again you may be somewhat constrained by local laws but if you do not have the clause, you will have to give written notice and an opportunity to cure. This notice and cure process may be too long to satisfy the DOJ or SEC during the pendency of an investigation. Finally, you need a clause that requires your third-party to cooperate in any compliance investigation. This means cooperation with you and your designated investigation team, but it may also mean cooperation with U.S. governmental authorities as well.

Keep track of your third parties’ financial stability. This is one area that is not usually discussed in the compliance arena around third parties, but it seems almost self-evident. You can certainly imagine the disruption that could occur if your prime third-party supplier in a country or region went bankrupt; but in the compliance realm there is another untoward red flag that is raised in such circumstances. Those third parties under financial pressure may be more easily persuaded to engage in bribery and corruption than third parties that stand on a more solid financial footing. You can do this by a simple requirement that your third-party provide annual audited financial statements. For a worldwide logistics company, this should be something easily accomplished.

Formalize incentives for third-party performance. One of the key elements for any third-party contract is the compensation issue. If the commission rate is too high, it could create a very large pool of money that could be used to pay bribes. It is mandatory that your company link any commission or payment to the performance of the third-party. If you have a long-term stable relationship with a third-party, you can tie compensation into long-term performance, specifically including long-term compliance performance. This requires the third-party to put skin into the compliance game so that they have a vested, financial interest in getting things done in compliance.

By linking compensation to performance, there should be an increase in third-party performance. This is especially valuable when agreed upon key performance indicator (KPI) metrics can be accurately tracked. This would seem to be low hanging fruit for the compliance practitioner. If you cannot come up with some type of metric from the compliance perspective, you can work with your business relationship team to develop such compliance KPIs.

You should rank third parties based upon a variety of factors including performance, length of relationship, benchmarking metrics and compliance KPIs. This is a way for the compliance practitioner to have an ongoing risk ranking for third parties that can work as a preventative and even proscription prong of a compliance program and allow the delivery of compliance resources to those third parties that might need or even warrant them.

Auditing third parties. Critical to any best practices compliance program and an important tool in operationalizing your compliance program, this is a key way a company can manage the third-party relationship after the contract is signed and one which the government will expect you to engage in going forward.

Document review and selection is important for this process, you should ask for as much electronic information as possible well in advance of your audit. Request the following categories of documents; trial balance, chart of accounts, journal entry line items, financial and compliance policies, prior audited financial statements, bank records and statements, a complete list of agents or intermediaries and revenue by country and customer.

Regarding potential interviewees, focus on those who interact with government entities, foreign government officials or third parties, including those personnel involved with:

• Business leadership;

• Sales/marketing/business development;

• Operations;

• Logistics;

• Corporate functions such as human resources, finance, health, safety and environmental, real estate and legal

For the interview topics, there are several lines of inquiry. Remember this is an audit interview, not an investigative interview. Avail yourself of the opportunity to engage in training while you are interviewing people. The topics to interview on include:

• General policies and procedures;

• Books and records pertaining to compliance risks;

• Test knowledge of FCPA or other anti-corruption laws and their understanding of your company’s prohibitions;

• Regulatory challenges they may face;

• Any payments of taxes, fees or fines;

• Government interactions they have on your behalf; and

• Other compliance areas you may be concerned about or that would impact your company, including trade, anti-boycott, anti-money laundering (AML), anti-trust.

Managing your third parties is where the rubber meets the road in your overall third-party risk manage program. You must execute on this task. Even if you successfully navigate the first four steps in your third-party risk management program, those are the easy steps. Managing the relationship is where the real work begins.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 20 – The Third Party Risk Management Process

The DOJ expects an integrated approach that is operationalized throughout the company. This means you must have a process for the full life cycle of third-party risk management. There are five steps in the life cycle of third-party risk management that will fulfill the DOJ requirements as laid out in the 2023 FCPA Resource Guide, 2nd edition, and in the Hallmarks of an Effective Compliance Program. The five steps in the lifecycle of third-party management are:

1. Business Justification by the Business Sponsor.

2. Questionnaire to Third-party.

3. Due Diligence on the Third Party.

4. Compliance Terms and Conditions, including payment terms.

5. Management and Oversight of Third Parties After Contract Signing.

Three key takeaways:

1. Use the full 5-step process for third-party management.

2. Make sure you have business development involvement and buy-in.

3. Operationalize all steps going forward by including business unit representatives.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
Blog

The Third Party Risk Management Process

As every compliance practitioner is well aware, even in 2023, third parties still present the highest risk under the FCPA. The 2023 ECCP devotes an entire prong to third-party management. It begins with the following:

Prosecutors should also assess whether the company knows the business rationale for needing the third party in the transaction, and the risks posed by third-party partners, including the third-party partners’ reputations and relationships, if any, with foreign officials. For example, a prosecutor should analyze whether the company has ensured that contract terms with third parties specifically describe the services to be performed, that the third party is actually performing the work, and that its compensation is commensurate with the work being provided in that industry and geographical region. Prosecutors should further assess whether the company engaged in ongoing monitoring of the third-party relationships, be it through updated due diligence, training, audits, and/or annual compliance certifications by the third party.

This clearly specifies that the DOJ expects an integrated approach that is operationalized throughout the company. This means you must have a process for the full life cycle of third-party risk management. There are five steps in the life cycle of third-party risk management, which will fulfill the DOJ requirements as laid out in the 2020 FCPA Resource Guide, 2nd edition, and in the Hallmarks of an Effective Compliance Program. They five steps in the lifecycle of third-party management are:

1. Business Justification by Business Sponsor;

2. Questionnaire to Third-party;

3. Due Diligence on Third-party;

4. Compliance Terms and Conditions, including payment terms; and

5. Management and Oversight of Third Parties After Contract Signing.

Business Justification. The first step breaks down into two parts: business sponsor and business justification. The purpose of the business justification is to document the satisfactoriness of the business case to retain a third-party. The business justification should be included in the compliance review file assembled on every third-party at the time of initial certification and again if the third-party relationship is renewed. It is mandatory this document be filled out and completed by the business sponsor, who will be the primary contract with the third-party for the life of the business relationship.

Questionnaire. The term ‘questionnaire’ is mentioned several times in the 2012 FCPA Resource Guide. It is generally recognized as one of the tools that a company should complete in its investigation to better understand with whom it is doing business. This requirement is not only a key step but also a mandatory step for any third-party that desires to do work with your company. If a third-party does not want to fill out the questionnaire or will not fill it out completely; run, don’t walk, away from doing business with such a party.

One thing that you should keep in mind is that you will likely have pushback from your business team in making many of the inquiries listed above. However, most proposed agents that have done business with U.S. or U.K. companies have already gone through this process. Indeed, they understand that by providing this information on a timely basis, they can set themselves apart as more attractive to U.S. businesses.

Due diligence. Most compliance practitioners understand the need for a robust due diligence program to investigate third parties but have struggled with how to create an inventory to define the basis of risk of each foreign business partner and thereby perform the requisite due diligence. Getting your arms around due diligence can sometimes seem bewildering for the compliance practitioner.

The purpose is to encourage businesses to put in place due diligence procedures that adequately inform the application of proportionate measures designed to prevent persons associated with a company from engaging in bribery and corruption on their behalf. Due diligence acts as both a procedure for anti-bribery risk assessment and a risk mitigation technique. Further, both operate as compliance internal controls.

With this due diligence, you should then perform a triage. Triage is how you determine where each third party falls in the ranking of priorities. Asha Palmer, EVP at Convercent by One Trust, has noted that: “Appropriate due diligence may vary based upon company size, transaction, and type of third party. These categories and several others may determine how you choose to design your triage process.” Some of the common factors that determine how high-risk a third-party relationship may be:

• Type of third party (bank, consultancy, reseller, etc.)

• Contract value

• Country

• Government interaction

• Industry

After you have completed Steps 1–3 you are ready to move onto to Step 4, the contract. According to the 2012 FCPA Resource Guide, additional considerations include payment terms and how those payment terms compare to typical terms in that industry and country, as well as the timing of the third-party’s introduction to the business.” This means that you need to understand what the rate of commission is and whether it is reasonable for the services delivered. If the rate is too high, this could be indicia of corruption as high commission rates can create a pool of money to be used to pay bribes. If your company uses a distributor model in its sales side, then it needs to review the discount rates it provides to its distributors to ascertain that the discount rate it warranted.

The contract. You must evaluate the information and show that you have used it in your process. If it is incomplete, it must be completed. If there are red flags, which have appeared, these red flags must be cleared, or you must demonstrate how you will manage the risks identified. In other words, you must document that you have read, synthesized and evaluated the information garnered in the business justification, questionnaire and due diligence steps beforehand. As the DOJ and SEC continually remind us, a compliance program must be a living, evolving system and not simply a “check the box” exercise.

Management of the relationship. While the work done in the four steps above are absolutely critical, if you do not manage the relationship, it can all go downhill very quickly, and you might find yourself with a potential FCPA violation. There are several different ways that you should manage your post-contract relationship. The Evaluation clearly is focused on several key components that you need to evaluate and then re-evaluate during the pendency of the relationship. Incentivizing through compensation issues, training and ongoing monitoring through oversight and auditing are all key tools that the DOJ expects you to use going forward after the contract is signed.

Categories
Blog

The SAP FCPA Enforcement Action-Part 5: Lessons Learned

We conclude our series on the initial Foreign Corrupt Practices Act (FCPA) enforcement action. It involved the German software giant SAP. While the conduct which led to the enforcement action occurred for a lengthy period of time and was literally worldwide in scope, the response by SAP is to be both noted and commended. The hard and impressive work that SAP did during the pendency of the investigation and enforcement action led to a very favorable result for the company in the reduced amount of its assessed fine and penalty as well as the fact that no monitor was mandated by the Department of Justice (DOJ) or Securities and Exchange Commission (SEC). Today, in our final post, we review key lessons learned from the SAP enforcement action.

Remediation

SAP did an excellent job in its remedial efforts. Whether SAP realized as a recidivist of the dire straits it was in after the publicity in South Africa around is corruption or some other reason, the company made major steps to create an effective, operationalized compliance program which met the requirement of the Hallmarks of an Effective Compliance Program as laid out in the 2020 FCPA Resource Guide, 2nd edition.

The remedial actions by SAP can be grouped as follows.

  1. Root Cause, Risk Assessment and Gap Analysis. Here the company conducted a root cause analysis of the underlying conduct then remediating those root causes, conducted a gap analysis of internal controls, remediating those found lacking; and then performed a comprehensive risk assessment focusing on high-risk areas and controls around payment processes, using the information obtained to enhance its compliance risk assessment process;
  2. Enhancement of Compliance. Here the company significantly increasing the budget, resources, and expertise devoted to compliance; restructuring its Offices of Ethics and Compliance to ensure adequate stature, independence, autonomy, and access to executive leadership; enhanced its code of conduct and policies and procedures regarding gifts, hospitality, and the use of third parties; enhanced its reporting, investigations and consequence management processes;
  3. Change in sales models. On the external sales side, SAP eliminated its third-party sales commission model globally, and prohibiting all sales commissions for public sector contracts in high-risk markets and enhanced compliance monitoring and audit programs, including the creation of a well-resourced team devoted to audits of third-party partners and suppliers. On the internal side, SAP adjusted internal compensation incentives to align with compliance objectives and reduce corruption risk;
  4. Data Analytics. Here SAP expanded its data analytics capabilities to cover over 150 countries, including all high-risk countries globally; and comprehensively used data analytics in its risk assessments.

Data Analytics

The references to data analytics and data driven compliance warrant additional consideration. SAP not only did incorporate data analytics into its third-party program but also expanded its data analytics capabilities to cover over 150 countries, including all high-risk countries globally. The SEC Order also noted that SAP had implemented data analytics to identify and review high- risk transactions and third-party controls. The SAP DPA follows the Albemarle FCPA settlement by noting that data analytics is now used by SAP to measure the compliance program’s effectiveness. This language follows a long line of DOJ pronouncements, starting with the 2020 Update to the Evaluation of Corporate Compliance Programs, about the corporate compliance functions access to all company data; this is the second time it has been called out in a FCPA settlement agreement in this manner. Additionally, it appears that by using data analytics, SAP was able to satisfy the DOJ requirement for implementing controls and then effectively testing them throughout the pendency of the DOJ investigation; thereby avoiding a monitor.

Holdbacks

Next was the holdback actions engaged in by SAP. The DPA noted, SAP withheld bonuses totaling $109,141 during the course of its internal investigation from employees who engaged in suspected wrongdoing in connection with the conduct under investigation, or who both (a) had supervisory authority over the employee(s) or business area engaged in the misconduct and (b) knew of, or were willfully blind to, the misconduct, and further engaged in substantial litigation to defend its withholding from those employees, which qualified SAP for an additional fine reduction in the amount of the withheld bonuses under the DOJ’s Compensation Incentives and Clawbacks Pilot Program.

Self-Disclosure

While this factor was not present in the SAP enforcement action, the message sent by the DOJ could not be clearer on not simply the expectation of the DOJ for self-disclosure but also the very clear and demonstrable benefits of self-disclosure. Under the Corporate Enforcement Policy, SAP’s failure to self-disclose cost it an opportunity of at least 50% and up to a 75% reduction off the low end of the U.S. Sentencing Guidelines fine range. Its actions as a criminal recidivist, resulted in it not receiving a reduction of at least 50% and up to 75% from the low end of the U.S.S.G. fine range but rather at 40% from above the low end. SAP’s failure to self-disclose cost it an estimated $20 million under the Sentencing Guidelines. It’s failure to self-disclose and recidivism cost it a potential $94.5 million in discounts under the Corporate Enforcement Policy. The DOJ’s message could not be any clearer.

Extensive Cooperation

There were also lessons to be garnered from SAP’s cooperation with the DOJ. While there was no mention of the super duper, extra-credit giving extensive remediation which Kenneth Polite discussed last year; when SAP began to cooperate, it moved to extensively cooperate. The DPA noted SAP “immediately beginning to cooperate after South African investigative reports made public allegations of the South Africa-related misconduct in 2017 and providing regular, prompt, and detailed updates to the Fraud Section and the Office regarding factual information obtained through its own internal investigation, which allowed the government to preserve and obtain evidence as part of its independent investigation…” Most interestingly, the DPA reported that SAP imaged “the phones of relevant custodians at the beginning of the Company’s internal investigation, thus preserving relevant and highly probative business communications sent on mobile messaging applications.” This is clear instruction around messaging apps in FCPA enforcement actions.

Resources

SEC Order

DOJ DPA