Tag: FCPA

Blog

Ten Top Lessons from Recent FCPA Settlements – Lesson No. 4, Start with a Root Cause Analysis

Post author By admin
Post date March 4, 2024
No Comments on Ten Top Lessons from Recent FCPA Settlements – Lesson No. 4, Start with a Root Cause Analysis

Over the past 15 months, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have made clear, through three Foreign Corrupt Practices Act (FCPA) enforcement actions and speeches, their priorities in investigations, remediations, and best practices compliance programs. Every compliance professional should study these enforcement actions closely for the lessons learned and direct communications from the DOJ. They should guide not simply your actions should you find yourself in an investigation but also how you should think about priorities.

The three FCPA enforcement actions are ABB from December 2022, Albemarle from November 2023, and SAP from January 2024. Taken together, they point out a clear path for the company that finds itself in an investigation, using extensive remediation to avoid monitoring and provide insight for the compliance professional into what the DOJ expects in a best practices compliance program on an ongoing basis.

Over a series of blog posts, I will lay out what I believe are the Top Ten lessons from these enforcement actions for compliance professionals who find themselves in an enforcement action. Today, we continue with Number 4, Root Cause, Risk Assessment, and Gap Analysis. Your remediation should begin with a root cause analysis. From there, move on to a risk assessment and gap analysis, and then you are ready to start your complete remediation.

SAP

The SAP Deferred Prosecution Agreement (DPA) laid out the best example of how this works in practice. The DPA reported extensive remediation by SAP, and the information provided in the DPA is instructive for every compliance professional. SAP engaged in a wide range of remedial actions. It all started with a root cause analysis. Root Cause analysis was enshrined in the FCPA Resource Guide, 2nd edition, as one of the Hallmarks of an Effective Compliance Program. It stated, “The truest measure of an effective compliance program is how it responds to misconduct. Accordingly, for a compliance program to be truly effective, it should have a well-functioning and appropriately funded mechanism for the timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or agents. An effective investigation’s structure will also have an established means of documenting the company’s response, including any disciplinary or remediation measures taken.”

This means a company should respond to the specific incident of misconduct that led to the FCPA violation. This means your organization “should also integrate lessons learned from misconduct into the company’s policies, training, and controls. To do so, a company will need to analyze the root causes of the misconduct to timely and appropriately remediate those causes to prevent future compliance breaches.” The SAP DPA noted that SAP engaged in the following steps based on these factors:

1. Conducted a root cause analysis of the underlying conduct, then remediated those root causes through enhancement of its compliance program;
2. Conducted a gap analysis of internal controls, remediating those found lacking;
3. Undertook a “comprehensive risk assessment focusing on high-risk areas and controls around payment processes and enhancing its regular compliance risk assessment process”;
4. SAP documented using “comprehensive operational and compliance data” in its risk assessments.

In addition to having a mechanism for responding to the specific incident of misconduct, the company’s compliance program should also integrate lessons learned from any misconduct into the company’s policies, training, and controls on a go-forward basis. To do so, a company will need to analyze the root causes of the misconduct and remediate those causes promptly and appropriately to prevent future compliance breaches. This SAP did it during its remediation phase.

Albemarle

Albemarle also received credit “because it engaged in extensive and timely remedial measures.” This remedial action began based on the company’s root cause analysis of its FCPA violations.
This root cause analysis led to a risk assessment, which led to remediation. All of these steps were taken during the pendency of the DOJ investigation so that when the parties were ready to resolve the matter, Albemarle had built out an effective compliance program and had tested it.

ABB

ABB also did an excellent job in its remedial efforts. According to the ABB Plea, ABB “engaged in extensive remedial measures, including hiring experienced compliance personnel and following a root-cause analysis of the conduct,” which led to the FCPA enforcement action. More on the ABB remediation later.

Each entity worked diligently to rebuild its compliance programs from the ground up. Whatever the faults of their prior compliance programs, each company was quite diligent in revamping their compliance regimes. While each company builds out a program based on its own risk, there is quite a bit of guidance you can draw from if your company finds itself in this position.

Here, the DOJ communicates that your remedial measures should start with a root cause analysis of the FCPA violation. From there, move to a risk assessment and internal control gap analysis to create a clear risk management strategy.

Tags ABB, Albemarle, DOJ, FCPA, remediation, root cause analysis, SAP

Blog

Ten Top Lessons from Recent FCPA Settlements – Lesson No. 3, Extensive Remediation

Post author By admin
Post date March 1, 2024
No Comments on Ten Top Lessons from Recent FCPA Settlements – Lesson No. 3, Extensive Remediation

Over a series of blog posts, I will lay out what I believe are the Top Ten lessons from these enforcement actions for compliance professionals who find themselves in an enforcement action. Today, we continue with Number 3, Extensive Remediation. The DOJ expects extensive remediation, well documented with data analytics to support everything you have done. Each of the companies engaged in extensive remediation.

ABB

The plea agreement said that ABB “took a lot of corrective action,” such as hiring experienced compliance staff and, after figuring out what caused the behavior described in the Statement of Facts, putting a lot more money into testing and monitoring compliance across the whole company; putting in place targeted training programs and extra case-study sessions on-site; and continuing to test and monitor to see how things are going. This final point was expanded on in the SEC Order, which reported that all employees involved in the misconduct were terminated.

At this point, there are not many specific components of the ABB remediation available, but we do know that ABB was given credit for hiring “experienced compliance personnel,” starting with the hiring of Natalia Shehadeh, SVP and Chief Integrity Officer, and then allowing Shehadeh to hire a dream team of compliance professionals to work with her.

Albemarle

The NPA cited several remedial actions by the company that helped Albemarle obtain a superior result regarding the discounted fine and penalty. These steps were taken during the pendency of the DOJ investigation so that when the parties were ready to resolve the matter, Albemarle had built out an effective compliance program and had tested it. The NPA provided that Albemarle engage in the following remedial efforts:

Strengthening its anti-corruption compliance program by investing in compliance resources, expanding its compliance function with experienced and qualified personnel, and taking steps to embed compliance and ethical values at all levels of its business organization;
Transformed its business model and risk management process to reduce corruption risk in its operation and to embed compliance in the business, including implementing a go-to-market strategy that resulted in eliminating the use of sales agents throughout the Company, terminating hundreds of other third-party sales representatives, such as distributors and resellers, and shifting to a direct sales business model;
Provided extensive training to its sales team, restructuring compensation and incentives so that compensation is no longer tied to sales amounts;
Used data analytics to monitor and measure the compliance program’s effectiveness and
We are engaged in continuous testing, monitoring, and improving all aspects of its compliance program, beginning immediately after identifying misconduct.

SAP

SAP also did an excellent job in its remedial efforts, whether SAP realized that, as a recidivist in dire straits, it was after the publicity in South Africa around corruption or some other reason that the company made major steps to create an effective, operationalized compliance program that met the requirements of the Hallmarks of an Effective Compliance Program as laid out in the 2020 FCPA Resource Guide, 2^nd edition.

The remedial actions by SAP can be grouped as follows:

Root Cause, Risk Assessment, and Gap Analysis. After doing a gap analysis of internal controls and fixing any problems found, the company did a root cause analysis of the behavior in question and fixed the issues it found. It then did a full risk assessment, focusing on high-risk areas and controls around payment processes, and used the results to improve its compliance risk assessment process.
Enhancement of Compliance. Here, the company significantly increased the budget, resources, and expertise devoted to compliance; restructured its Offices of Ethics and Compliance to ensure adequate stature, independence, autonomy, and access to executive leadership; enhanced its code of conduct and policies and procedures regarding gifts, hospitality, and the use of third parties; enhanced its reporting, investigations and consequence management processes;
Change in sales models. On the external sales side, SAP eliminated its third-party sales commission model globally, prohibited all sales commissions for public sector contracts in high-risk markets, and enhanced compliance monitoring and audit programs, including creating a well-resourced team devoted to audits of third-party partners and suppliers. On the internal side, SAP adjusted internal compensation incentives to align with compliance objectives and reduce corruption risk.
Data Analytics. Here, SAP expanded its data analytics capabilities to cover over 150 countries, including all high-risk countries globally, and comprehensively used data analytics in its risk assessments.

Each of these entities worked quite diligently to rebuild their compliance programs from the ground up. Whatever the faults of their prior compliance programs, each company was quite diligent in revamping their compliance regimes. While each company builds out a program based on its own risk, there is quite a bit of guidance you can draw from if your company finds itself in this position.

Tags 2023 ECCP, ABB, Albemarle, Corporate Enforcement Policy, DOJ, extensive remediation, FCPA, Kennedy Polite, SAP

Blog

Ten Top Lessons from Recent FCPA Settlements – Lesson No. 2, The Need for Speed

Post author By admin
Post date February 29, 2024
No Comments on Ten Top Lessons from Recent FCPA Settlements – Lesson No. 2, The Need for Speed

The three FCPA enforcement actions are ABB from December 2022, Albemarle from November 2023, and SAP from January 2024. Taken together, they point to a clear path for the company that finds itself in an investigation, using extensive remediation to avoid monitoring and provide insight for the compliance professional into what the DOJ expects in a best practices compliance program on an ongoing basis.

Over a series of blog posts, I will lay out what I believe are the Top Ten lessons from these enforcement actions for compliance professionals who find themselves in an enforcement action. Today, we continue with Number 2, the Need for Speed. The DOJ expects a company to share information with regulators as quickly as it finds those facts without necessarily knowing how such admissions might affect its overall case and settlement chances.

In a 2023 speech, Assistant Attorney General Kenneth Polite announced the change I called ‘The Need for Speed.’ Polite characterized the change as going from ‘full’ cooperation to ‘extraordinary’ cooperation. He noted the DOJ has differences between corporations and individuals in both investigations and enforcement, but “concerning how we consider cooperation, the lens and framework through which we analyze the level and degree of cooperation aren’t so different.”

Polite named three concepts, “immediacy, consistency, degree, and impact—that apply to cooperation by both individuals and corporations, which will help to inform our approach to assessing what is “extraordinary.”He went on to note that “In assessing the quality of a cooperator’s assistance, we value: when an individual begins to cooperate immediately, and consistently tells the truth; individuals who allow us to obtain evidence we otherwise couldn’t get, like quickly obtaining and imaging their electronic devices or having recorded conversations; cooperation that produces results, like testifying at a trial or providing information that leads to additional convictions.” He emphasized that there are “examples in the individual context.”

Then came the puzzling part. Polite stated, “We know “extraordinary cooperation” when we see it, and the differences between “full” and “extraordinary” cooperation are perhaps more in degree than kind. To receive credit for extraordinary cooperation, companies must go above and beyond the criteria for full cooperation set in our policies—not just run of the mill, or even gold-standard cooperation, but truly extraordinary.” He stated, “At the same time, the government will not affirmatively direct a company’s internal investigation if it chooses to do one, and companies are often well positioned to know the steps they can take to best cooperate in a particular given case.” He concluded, “And, of course, the facts and circumstances of each case will be unique.”

Perhaps Polite is simply channeling his inner Potter Stewart with his line, ‘We know it…when we see it’. Of course, if two or more people look at the same set of facts, there is always the chance for two or more interpretations. The question then becomes how to define extraordinary cooperation.

It also ties directly into what Deputy Attorney General Lisa Monaco said in announcing the Monaco Doctrine when she stated, “Department prosecutors must gain access to all relevant, non-privileged facts about individual misconduct swiftly and without delay.” [emphasis supplied] This meant, “to receive full cooperation credit, corporations must produce on a timely basis all relevant, non-privileged facts and evidence about individual misconduct such that prosecutors have the opportunity to effectively investigate and seek criminal charges against culpable individuals.” If a company fails to meet this burden, it will “place in jeopardy their eligibility for cooperation credit.” The DOJ goes the next step by placing the burden on companies to demonstrate timeliness, stating they “bear the burden of ensuring that documents are produced promptly to prosecutors.”

In the ABB enforcement action, ABB received credit for extraordinary cooperation based on the following: “(i) promptly providing information obtained through its internal investigation, which allowed the Offices to preserve and obtain evidence as part of their independent investigation; (ii) making regular and detailed factual presentations to the Offices; (iii) voluntarily making foreign-based employees available for interviews in the United States; (iv) producing relevant documents located outside the United States to the Offices in ways that did not implicate foreign data privacy laws; and (v) collecting, analyzing, and organizing voluminous evidence and information that it provided to the Offices, including the translation of certain foreign language documents.”

Some additional insight is found in the SEC Order, which states, “ABB’s cooperation included real-time sharing of facts learned during its internal investigation.” This meant “ABB was sharing information with regulators as quickly as it found those facts, without necessarily knowing how such admissions might affect its overall case and settlement chances.” [emphasis supplied]

Since the SAP enforcement action, extraordinary cooperation has become more difficult to ascertain. While there was no mention of the super duper, extra-credit giving extensive remediation that Kenneth Polite discussed, when SAP began to cooperate, it moved to collaborate extensively. The DPA noted SAP “immediately began to cooperate after South African investigative reports made public allegations of South Africa-related misconduct in 2017 and providing regular, prompt, and detailed updates to the Fraud Section and the Office regarding factual information obtained through its internal investigation, which allowed the government to preserve and obtain evidence as part of its independent investigation…” Most interestingly, the DPA reported that SAP imaged “the phones of relevant custodians at the beginning of the company’s internal investigation, thus preserving relevant and highly probative business communications sent on mobile messaging applications.” This is explicit instruction around messaging apps in FCPA enforcement actions.

Albemarle was credited with significant cooperation by the DOJ during the pendency of its investigation. The NPA noted that the company also received credit for its substantial cooperation and extensive and timely remediation. However, there was only a standard list of items relating to this cooperation and nothing on extraordinary collaboration.

We are back where we started; there is a need for speed. However, the only functional definition we have for it comes from the SEC and not the DOJ. As laid out in the SEC Order for ABB, it is a real-time sharing of facts.

Tags DOJ, extraordinary cooperation, FCPA, Kenneth Polite, need for speed, SEC

Blog

Ten Top Lessons from Recent FCPA Settlements – Lesson No. 1, Self-Disclosure

Post author By admin
Post date February 28, 2024
No Comments on Ten Top Lessons from Recent FCPA Settlements – Lesson No. 1, Self-Disclosure

The three FCPA enforcement actions are ABB from December 2022, Albemarle from November 2023, and SAP from January 2024. Taken together, they point a clear path for the company that finds itself in an investigation, using extensive remediation to avoid monitoring, and provide insight for the compliance professional into what the DOJ expects in a best practices compliance program on an ongoing basis.

Over a series of blog posts, I will lay out what I believe are the Top Ten lessons from these enforcement actions. Today, we begin with Number 1, self-disclosure. The first and most important thing is that a company should self-disclose a potential FCPA violation to the DOJ.

The DOJ expects and will reward self-disclosure above all else. The ABB enforcement action all began with ABB’s putative attempt to self-disclose. ABB set up a meeting where they intended to self-disclose but only set up the meeting without telling the DOJ the reason for the meeting. Unfortunately for ABB, this attempt was unsuccessful, as the South African press broke the story of ABB’s bribery and corruption between the time ABB called to set up a meeting and sat down with the DOJ. Yet the DOJ spent significant time discussing the underlying facts, and it was clear it positively impacted the DOJ.

Kenneth Polite, then Assistant Attorney General, said of ABB’s conduct around this attempt, “Before the meeting, however, a media report drew public attention to the wrongdoing. But because the company could demonstrate intent and efforts to self-disclose before, and without any knowledge of, the media report, the Department weighed both the early detection of the misconduct and the intent to disclose it significantly in ABB’s favor.”

In the Albemarle enforcement action, there was a significant discussion in the NPA around Albemarle’s voluntary self-disclosure to the DOJ. “The disclosure was not “reasonably prompt,” as it was made approximately 16 months ago to the DOJ after initial discovery by the company. This meant the self-disclosure “was not within a reasonably prompt time after becoming aware of the misconduct in Vietnam,” and it means that Albemarle did not meet the standard for voluntary self-disclosure. While the DOJ “gave significant weight” to the company’s voluntary, even if untimely, disclosure of the misconduct, it is certainly cautionary.

Equally interesting was the SAP enforcement action. Although this factor was not present in the SAP enforcement action, the DOJ’s message regarding the DOJ’s expectation of self-disclosure and the obvious and palpable benefits could not be any clearer. Under the Corporate Enforcement Policy, SAP’s failure to self-disclose cost it an opportunity of at least 50% and up to a 75% reduction off the low end of the U.S. Sentencing Guidelines fine range. Its actions as a criminal recidivist resulted in it not receiving a reduction of at least 50% and up to 75% from the low end of the U.S.S.G. fine range but rather at 40% from above the low end. SAP’s failure to self-disclose cost it an estimated $20 million under the Sentencing Guidelines. SAP’s failure to self-disclose and recidivism cost it a potential $94.5 million in discounts under the Corporate Enforcement Policy. The DOJ’s message could not be any clearer.

In addition to these enforcement actions, Kenneth Polite, in a speech announcing changes in the Corporate Enforcement Policy, made clear the importance of self-disclosure in the eyes of the DOJ. “Our existing policy provides that if a company voluntarily self-discloses, fully cooperates, and timely and appropriately remediates, there is a presumption that we will decline to prosecute absent certain aggravating circumstances involving the offense’s seriousness or the offender’s nature. These aggravating circumstances include, but are not limited to, involvement by executive management of the company in the misconduct; a significant profit to the company from the wrongdoing; egregiousness or pervasiveness of the misconduct within the company; or criminal recidivism.” If a company self-discloses, but a criminal resolution is warranted, our existing policy offers 50% off of the low end of the applicable Sentencing Guidelines penalty range.

He re-emphasized this position: “When a company has uncovered criminal misconduct in its operations, the clearest path to avoiding a guilty plea or an indictment is voluntary self-disclosure. It is also the clearest path to the greatest incentives that we offer, such as a declination with disgorgement of profits.” While noting the difficulty of a company deciding to self-disclose, “we are underscoring that a corporation that falls short of our expectations does so at its own risk. Make no mistake – failing to self-report, cooperate, and remediate fully can lead to dire consequences.” [emphasis supplied]

The DOJ could not be clearer. The No. 1 lesson is that you need to self-disclose if you want any of the benefits available.

Tags ABB, Albemarle, DOJ, FCPA, Kenneth Polite, SAP, self disclosure

Blog

Self-Disclosure is Now the Key

Post author By admin
Post date February 27, 2024
No Comments on Self-Disclosure is Now the Key

The Department of Justice (DOJ) has been making significant strides in emphasizing the importance of voluntary self-disclosure in corporate enforcement cases, particularly in the Foreign Corrupt Practices Act (FCPA) realm. This shift in approach is evident in recent policy announcements and enforcement actions, beginning with the 2022 ABB Foreign Corrupt Practices Act (FCPA) settlement to the 2023 Albemarle FCPA resolution and continuing to the 2024 SAP Foreign Corrupt Practices Action settlement. Through these three resolutions, the DOJ clarified that its most important criteria for evaluating a company for a fine under the FCPA is whether or not it self-discloses.

Representatives of the DOJ Kenneth Polite and Lisa Monaco further discussed this incentive in speeches in 2023. In announcing a revision to the 2017 FCPA Corporate Enforcement Policy, which became the 2023 Corporate Enforcement Policy, Kenneth Polite emphasized the ‘need for speed’ both in self-disclosure and during the pendency of any FCPA or compliance real compliance-related involving the DOJ.

The DOJ’s focus on incentivizing self-disclosure is a strategic move to encourage companies to come forward with violations and cooperate with authorities. The new Corporate Enforcement Policy offered up to a 75% reduction in penalties for voluntary disclosure. This discount is available even if there were ‘aggravating factors’ in the matter, such as C-Suite involvement in bribery and corruption. The DOJ could not send a more precise signal and be more transparent about what they want and will incent. This approach reflects a broader trend toward rewarding companies that proactively address compliance issues and work collaboratively with law enforcement agencies.

One of the key factors influencing the DOJ’s enforcement actions is the impact of recidivism. In October 2021, the DOJ, through a speech by Lisa Monaco and memorialized in the 2023 Evaluation of Corporate Compliance Programs (2023 ECCP), made it clear that it will not tolerate repeat offenders and is prepared to impose harsh penalties on companies that fail to self-disclose violations. However, even recidivist companies are encouraged to come forward and address compliance issues head-on, with the potential for significant penalty reductions if they demonstrate genuine cooperation and remediation efforts. The ABB resolution, in which the company was the first three-time FCPA recidivist yet received a superior outcome, once more demonstrated the DOJ’s current focus. The attempted self-disclosure fell short by only a day or two, as ABB had scheduled a meeting with the DOJ to self-disclose but had not formally done so. In the interim, a news story broke in South Africa about ABB’s systemic bribery and corruption in that country.

Although this factor was absent from the SAP enforcement action, the DOJ’s message regarding the benefits of self-disclosure and the DOJ’s expectation of self-disclosure could not have been clearer. Under the Corporate Enforcement Policy, SAP’s failure to self-disclose costs it an opportunity of at least 50% and up to a 75% reduction off the low end of the acceptable range of the US Sentencing Guidelines. Its actions as a criminal recidivist resulted in it not receiving a reduction of at least 50% and up to 75% from the low end of the USSG acceptable range but rather at 40% from above the low back. SAP’s failure to self-disclose cost it an estimated $20 million under the Sentencing Guidelines. Its inability to self-disclose and recidivism cost it a potential $94.5 million in discounts under the Corporate Enforcement Policy. The DOJ’s message could not be any clearer.

There was a significant discussion in the NPA around Albemarle’s voluntary self-disclosure to the DOJ. However, NPA noted that “the disclosure was not “reasonably prompt” as defined in the Criminal Division Corporate Enforcement and Voluntary Self-Disclosure Policy and the US Sentencing Guidelines.” The NPA reported that Albemarle learned of allegations regarding possible misconduct in Vietnam approximately 16 months before disclosing them to the DOJ. Interestingly, the SEC Order only stated, “Albemarle made an initial self-disclosure to the Commission of potential FCPA violations in Vietnam after completing an internal investigation of such conduct and, simultaneously, self-reported potential violations it was investigating in India, Indonesia, and China. Albemarle later self-disclosed potential violations in other jurisdictions to the Commission as part of an expanded internal investigation.”

This meant the self-disclosure “was not within a reasonably prompt time after becoming aware of the misconduct in Vietnam,” which means that Albemarle did not meet the standard for voluntary self-disclosure under the Criminal Division Corporate Enforcement and Voluntary Self-Disclosure Policy. While the DOJ “gave significant weight” to the Company’s voluntary disclosure, even if untimely, disclosure of the misconduct is undoubtedly cautionary.

The tradeoffs involved in balancing different factors, such as self-disclosure, cooperation, and remediation, can present challenges for companies navigating the complex landscape of FCPA enforcement. While the DOJ’s emphasis on self-disclosure offers potential benefits regarding penalty reductions and monitoring requirements, companies must carefully weigh the risks and rewards of voluntary disclosure against the possible consequences of non-disclosure.

The importance of considering the impact of decisions about the DOJ’s FCPA enforcement actions cannot be overstated. Companies that prioritize a culture of compliance, proactive monitoring, and data-driven analytics are better positioned to detect and address potential violations before they escalate into costly enforcement actions. By aligning their compliance programs with the DOJ’s expectations and demonstrating a commitment to ethical business practices, companies can mitigate the risks associated with FCPA violations and build a strong foundation for long-term success.

What the DOJ wants is self-disclosure as soon as possible. One only needs to recall the case of Cognizant Technologies, where the company received a complete declination, and there were allegations of C-Suite involvement in the bribery schemes. This Declination was provided mainly because the company self-disclosed only two weeks after the information was filtered to the Board of Directors. While Cognizant Technologies may be the gold standard, a company’s timely self-disclosures can be considered for a full Declination.

Tags ABB, Albemarle, DOJ, FCPA, SAP, self disclosure

FCPA Compliance Report

FCPA Compliance Report – Tom Fox and Michael Volkov Look at Incentives for Self-Disclosure

Post author By admin
Post date February 26, 2024
No Comments on FCPA Compliance Report – Tom Fox and Michael Volkov Look at Incentives for Self-Disclosure

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. In this episode, Tom Fox welcomes back Michael Volkov as they take a deep dive into the ABB, Albemarle, and SAP FCPA enforcement actions to try and unpack the DOJ’s pivot away from heavy penalties for recidivists to prioritizing self-disclosure above all else.

Volkov’s perspective on the Department of Justice’s (DOJ) FCPA enforcement actions is both critical and analytical, shaped by his extensive experience. He underscores the necessity of transparency and explanation in the factors considered by the DOJ, highlighting its significance to practitioners in the field. Volkov also recognizes the shift in DOJ policy towards data-driven compliance, requiring companies to provide data to substantiate their conclusions and demonstrate their compliance efforts. He further notes the evolving landscape of voluntary disclosure and remediation, suggesting these areas are now pivotal in the DOJ’s enforcement approach. Volkov’s insights reflect a nuanced understanding of the changing dynamics in FCPA enforcement and the imperative for companies to adapt to these shifts.

Key Highlights:

Importance of Cooperation in Corporate Enforcement Cases
Incentivizing Self-Disclosure in DOJ’s FCPA Enforcement
Increased Penalty Reduction for Voluntary Self-Disclosure
DOJ’s Evolving Approach to Corporate Penalties
Benefits of Voluntary Self-Disclosure in Enforcement

Resources:

Volkov Law Group

Corruption, Crime and Compliance

Tom Fox

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Tags ABB, Albemarle, DOJ, FCPA, Michael Volkov, recidivists, SAP, self disclosure

Blog

Joshua Drew and a Career in FCPA Enforcement and Compliance

Post author By admin
Post date February 15, 2024
No Comments on Joshua Drew and a Career in FCPA Enforcement and Compliance

I recently had the opportunity to visit with Joshua Drew, formerly a lawyer at the Department of Justice (DOJ) at Main Justice in Washington and also an Assistant US Attorney at the US Attorney’s Office for the District of New Jersey. We visited for an episode of the FCPA Compliance Report podcast.

Drew has recently joined the litigation group at Miller & Chevalier. With his extensive background in the fraud section of the DOJ and in-house roles at companies dealing with False Claims Act cases and FCPA resolutions, Joshua brings a wealth of knowledge and experience to his new position. His expertise will contribute to Miller & Chevalier’s strategic growth.

Drew moved from governmental service to HP, where he was Vice President and Associate General Counsel, Ethics & Anti-Corruption. At the time, HP was in the middle of a major FCPA investigation in the early 2010s. One of Joshua’s notable achievements was his role at HP, managing responses to DOJ and SEC investigations related to potential FCPA violations. During his time at HP, he played a crucial role in improving the internal investigation process, which resulted in a more efficient and practical approach. This experience highlights Joshua’s ability to navigate complex compliance issues and find practical solutions.

From HP, he moved to the company formerly known as VimpelCom, now VEON. He began as Associate General Counsel-Investigations and became the Group’s Chief Ethics & Compliance Officer. VimpelCom was going through an FCPA enforcement action and resolution at the time. He helped guide the company through a rigorous Deferred Prosecution Agreement (DPA) and monitorship. VEON was one of several high-profile FCPA enforcement actions involving telecom companies in Uzbekistan who paid huge bribes, totaling over several billion, to the daughter of the then President of the country, a woman named Gulnara Karimova.

Several factors influenced Joshua’s decision to join Miller & Chevalier. Firstly, he was impressed by the firm’s strong team of lawyers, many of whom he had interacted with during his time in-house at VimpelCom. The firm’s reputation for excellence and expertise in practice areas such as FCPA work, false claims act cases, general litigation, and white-collar defense also aligned well with Joshua’s experience. Additionally, Miller & Chevalier’s strategic focus and subject matter expertise in the issues that arise in a DC practice were appealing to Joshua.

Drew also discussed the new Safe Harbor Policy for Mergers and Acquisitions under the FCPA, which was announced in 2023. This policy encourages companies to disclose potential misconduct and cooperate with DOJ investigations, providing strong incentives for companies to get to the bottom of possible misconduct. Drew emphasized the importance of companies conducting thorough investigations, understanding the facts, and making decisions based on all available information in the company’s best interest. He acknowledged that these decisions can be challenging and require careful judgment.

The move to Miller & Chevalier allows Joshua to leverage his skills and experience to contribute to the firm’s strategic growth. His background in dealing with DOJ enforcement actions and his expertise with monitorships will be valuable assets in building on the firm’s existing work in these areas. Joshua’s role at Miller & Chevalier is focused on litigation, and he aims to bring strength to strength by complementing the skills and experience of the firm’s lawyers.

Joshua’s joining Miller & Chevalier brings the firm a unique blend of DOJ and in-house experience. His expertise in FCPA compliance and internal investigations will be instrumental in helping clients navigate complex compliance issues and mitigate risks. With his strategic approach and commitment to excellence, Joshua is well-positioned to make a significant impact at Miller & Chevalier.

Tags compliance, FCPA, Joshua Drew, Miller & Chevalier

Everything Compliance

Everything Compliance – Episode 128, The Frozen Edition

Post author By admin
Post date February 1, 2024
No Comments on Everything Compliance – Episode 128, The Frozen Edition

Welcome to the only roundtable podcast in compliance as we celebrate our second century of shows. In this episode, we have the quartet of Jonathan Armstrong, Matt Kelly, Karen Woody, and Jay Rosen, all hosted by Tom Fox, joining us on this episode to discuss some of the topics they are watching during this extended cold spell across the US.

1. Matt Kelly looks at the tale of two companies, eBay and SAP, and the disparity in whether monitorships were mandated. He shouts out to Saul Dreier and the Holocaust Survivors Band, who recently played a gig at the White House.

2. Tom Fox shouts out to Sir Elton John for winning an Emmy, thus becoming only the 18th person to hold the prestigious EGOT designation.

3. Jonathan Armstrong looks at the new SFO director and his new focus for the beleaguered agency. He shouts out to Nick Rossi (or whatever name he is using) and his 16 aliases.

4. Jay Rosen takes a deep dive into the SAP Foreign Corrupt Practices Act enforcement action. He shouts out to the Cara Cara naval oranges.

5. Karen Woody looks at the Segway shareholder case and its duty of oversight analysis for an officer. She shouts out to all the folks in Indiana who work and fix things during a deep freeze and those manning homeless shelters.

The members of the Everything Compliance are:

Jay Rosen is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com
Karen Woody is one of the top academic experts on the SEC. Woody can be reached at kwoody@wlu.edu
Matt Kelly is the Founder and CEO of Radical Compliance. Kelly can be reached at mkelly@radicalcompliance.com
Jonathan Armstrong is our UK colleague, who is an experienced data privacy/data protection lawyer with Cordery in London. Armstrong can be reached at jonathan.armstrong@corderycompliance.com
Jonathan Marks can be reached at jtmarks@gmail.com.

The host, producer, ranter (and sometimes panelist) of Everything Compliance is Tom Fox, the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the Compliance Podcast Network.

Tags Caremark, DOJ, eBay, FCPA, monitorships, SAP, Segway, SFO

Blog

Operationalizing Compliance Through Payroll

Post author By admin
Post date February 1, 2024
No Comments on Operationalizing Compliance Through Payroll

One of the areas articulated in the 2023 ECCP was around payments and payroll. The compliance professional and the corporate payroll function have a significant role to play in operationalizing a corporate compliance program. The 2023 ECCP was replete with references to payment and its critical nature to any best practices compliance program. This includes references to foreign officials, payments to third parties, and hiding bribes in distributor payments.

The 2023 ECCP begins with a warning to stop wasting time on low-hanging fruit when there are much higher risks in your business operations. It states:

Risk-Tailored Resource Allocation—Does the company devote a disproportionate amount of time to policing low-risk areas instead of high-risk areas, such as questionable payments to third-party consultants, suspicious trading activity, or excessive discounts to resellers and distributors? Does the company give greater scrutiny, as warranted, to high-risk transactions (for instance, a large-dollar contract with a government agency in a high-risk country) than to more modest and routine hospitality and entertainment?

It then drills down into the payment and payroll systems, stating:

Appropriate Controls—How does the company ensure a proper business rationale for using third parties? If third parties were involved in the underlying misconduct, what was the business rationale for using those third parties? What mechanisms exist to ensure that the contract terms specifically describe the services to be performed, that the payment terms are appropriate, that the described contractual work is performed, and that compensation is commensurate with the services rendered?

Payment Systems—How was the misconduct in question funded (e.g., purchase orders, employee reimbursements, discounts, petty cash)? What processes could have prevented or detected improper access to these funds? Have those processes been improved?

These questions may not seem new, innovative, or even different from what payroll currently does for an organization. However, the 2023 ECCP demonstrates the role of payroll in compliance. The 2023 ECCP requires that payroll not only form a part of any best practices compliance program, but when it comes to the specific subject matter expertise, payroll is on the front lines of any attempts to prevent, detect, and remediate anti-corruption compliance violations.

The FCPA prohibits “anything of value” from being provided to foreign government officials or employees of state-owned enterprises to obtain or retain business. This “anything of value” is almost always money, and that money must come from somewhere inside the company. While the Watergate intonation to “follow the money” remains valid in any compliance issue, the 2023 ECCP speaks much more depth about payroll’s responsibility in a corporate compliance program. There must be verifiable controls that not only detect fraudulent payments but also work to prevent any such payments.

Yet when the inquiries are read together, they paint a broader picture than simply tasking payroll with the responsibility to prevent fraudulent leakage of money that could be used to fund bribes. The questions around the approval and certification process should be a standard part of any payroll system. This has the effect of operationalizing the responsibility up and down the management chain, from the individual employee up through their manager(s) and eventually to the highest level of management involved in the process. This level of operationalization is designed not only to put a set of brakes in place but also to work to put a second set of eyes on the entire payroll process.

Finally, payment systems have a role in the remediation phase of any best practices compliance program. If a payroll control failure led to or even allowed a compliance violation, what was done to fix the control issue? Here, payroll should work to perform a root cause analysis of what led to the control failure and then enhance or upgrade the control to provide a solution going forward. Of course, there should be a fully documented audit trail for this work to provide to the government should they ever come knocking, or even to your corporate auditors.

This means that not only can payroll be one of the compliance function’s strongest corporate allies, but that the role of payroll, by its nature, works to operationalize compliance. This is because to implement the appropriate internal controls around compliance, payroll must know the specific requirements of the FCPA and know what kinds of issues are likely to come up that might create a risk of bribery and corruption, all leading to an understanding of the appropriate compliance internal controls to implement around payroll and payments.

This is particularly true around offshore payments, generally defined as payments made to a location other than the home domicile of the payee or the area where the services were delivered. If a Tunisian agent who performs services in Dubai asks for payment in a location other than Dubai or Tunisia, that would qualify as an offshore payment. If you train people on the payroll on this issue, they may well pick up the phone and notify compliance when they see a request for payment in a geographic location separate from one of the two standard payment venues. Those are the types of communications, when properly documented, that demonstrate your compliance program is operationalized into the fabric of the organization.

Another way to view it is if there is a payroll control for such a scenario that notes the exception and requires the clearance of a red flag through additional investigation, elevation for approval, and documentation of the entire process; it operates as both a financial control and a compliance control as well. It strengthens the company’s internal controls to both prevent and detect compliance risks going forward.

There are several specific internal payroll controls that will facilitate a company operationalizing its compliance program, as required under the 2023 ECCP. These controls help keep an eye on the money trail, as the money to pay a bribe is usually hidden in some company expenditures. The four general areas of payroll control should include: 1) segregation of duties; 2) accountability, authorization, and approval; 3) security of assets; and 4) review and reconciliation.

To meet these four general goals, consider using a selection of the following controls for payroll systems, irrespective of how timekeeping information is accumulated or how employees are paid:

• Audit. Have either internal or external auditors conducted an annual audit of payroll accuracy?

• Change authorizations. Only allow a change to an employee’s marital status, withholding allowances, or deductions if the employee has submitted a written and signed request for the company to do so. Any change request should be reviewed and approved by a senior manager.

• Change the tracking log. If you are processing payroll in-house with a computerized payroll module, have secure change tracking to provide an audit trail.

• Expense trend lines. This is your data, and it is within your company somewhere. Look for changes in payroll-related expenses in the financial statements and then investigate if warranted.

• Issue payment reports to supervisors. Request supervisors review payroll summaries for correct payment amounts and unfamiliar names.

• Restrict access to records. Prevent unauthorized access to payroll records.

• Segregation of duties. You should never allow one person to prepare the payroll, authorize it, and create payments.

The role of payroll in compliance is not often considered in operationalizing your compliance program, yet the monies to fund bribes must come from somewhere. Unfortunately, one of those places is out of payroll. All CCOs need to sit down with their head of payroll, have them explain the role of payroll, and then review the internal controls in place to see how they facilitate compliance goals. From that review, you can then determine how to use payroll to help operationalize your compliance program.

The DOJ has now provided its clearest statement on how it expects a company to actually comply going forward. Long gone are the days where the DOJ simply considered the inputs of a written program as sufficient to protect companies from compliance violations. Yet the mandate to operationalize a corporate compliance program drives home the concept that compliance is a business process that should be administered by the appropriate business unit with the requisite SME. When it comes to following the money, payroll is the most well-suited corporate discipline to provide this first level of oversight and control.

Tags compliance, DOJ, FCPA, operationalizing compliance, payroll

Daily Compliance News

Daily Compliance News: January 31, 2024 – The $70,000 Watch Edition

Post author By admin
Post date January 31, 2024
No Comments on Daily Compliance News: January 31, 2024 – The $70,000 Watch Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee and listen to the Daily Compliance News. All from the Compliance Podcast Network. Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

In today’s edition of Daily Compliance News:

• Germany to seize $2 billion worth of bitcoin. (NYT)

• Musk’s $55 billion pay package is voided. (FT)

• An Ecuadorian official got a $70,000 watch as a bribe. (Bloomberg)

• More lawyer trouble for fake ChatGPT citations. (Reuters)

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Tags bitcoin, ChatGPT, corruption, Elon Musk, FCPA

Recent Posts

Recent Comments

Categories

What are you looking for?