Tag: FCPA

Categories
Everything Compliance

Everything Compliance – Episode 128, The Frozen Edition

Welcome to the only roundtable podcast in compliance as we celebrate our second century of shows. In this episode, we have the quartet of Jonathan Armstrong, Matt Kelly, Karen Woody, and Jay Rosen, all hosted by Tom Fox, joining us on this episode to discuss some of the topics they are watching during this extended cold spell across the US.

1. Matt Kelly looks at the tale of two companies, eBay and SAP, and the disparity in whether monitorships were mandated. He shouts out to Saul Dreier and the Holocaust Survivors Band, who recently played a gig at the White House.

2. Tom Fox shouts out to Sir Elton John for winning an Emmy, thus becoming only the 18th person to hold the prestigious EGOT designation.

3. Jonathan Armstrong looks at the new SFO director and his new focus for the beleaguered agency.  He shouts out to Nick Rossi (or whatever name he is using) and his 16 aliases.

4. Jay Rosen takes a deep dive into the SAP Foreign Corrupt Practices Act enforcement action. He shouts out to the Cara Cara naval oranges.

5. Karen Woody looks at the Segway shareholder case and its duty of oversight analysis for an officer. She shouts out to all the folks in Indiana who work and fix things during a deep freeze and those manning homeless shelters.

The members of the Everything Compliance are:

  • Jay Rosen is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com
  • Karen Woody is one of the top academic experts on the SEC. Woody can be reached at kwoody@wlu.edu
  • Matt Kelly is the Founder and CEO of Radical Compliance. Kelly can be reached at mkelly@radicalcompliance.com
  • Jonathan Armstrong is our UK colleague, who is an experienced data privacy/data protection lawyer with Cordery in London. Armstrong can be reached at jonathan.armstrong@corderycompliance.com
  • Jonathan Marks can be reached at jtmarks@gmail.com.

The host, producer, ranter (and sometimes panelist) of Everything Compliance is Tom Fox, the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the Compliance Podcast Network.

Categories
Blog

Operationalizing Compliance Through Payroll

One of the areas articulated in the 2023 ECCP was around payments and payroll. The compliance professional and the corporate payroll function have a significant role to play in operationalizing a corporate compliance program. The 2023 ECCP was replete with references to payment and its critical nature to any best practices compliance program. This includes references to foreign officials, payments to third parties, and hiding bribes in distributor payments.

The 2023 ECCP begins with a warning to stop wasting time on low-hanging fruit when there are much higher risks in your business operations. It states:

Risk-Tailored Resource Allocation—Does the company devote a disproportionate amount of time to policing low-risk areas instead of high-risk areas, such as questionable payments to third-party consultants, suspicious trading activity, or excessive discounts to resellers and distributors? Does the company give greater scrutiny, as warranted, to high-risk transactions (for instance, a large-dollar contract with a government agency in a high-risk country) than to more modest and routine hospitality and entertainment?

It then drills down into the payment and payroll systems, stating:

Appropriate Controls—How does the company ensure a proper business rationale for using third parties? If third parties were involved in the underlying misconduct, what was the business rationale for using those third parties? What mechanisms exist to ensure that the contract terms specifically describe the services to be performed, that the payment terms are appropriate, that the described contractual work is performed, and that compensation is commensurate with the services rendered?

Payment Systems—How was the misconduct in question funded (e.g., purchase orders, employee reimbursements, discounts, petty cash)? What processes could have prevented or detected improper access to these funds? Have those processes been improved?

These questions may not seem new, innovative, or even different from what payroll currently does for an organization. However, the 2023 ECCP demonstrates the role of payroll in compliance. The 2023 ECCP requires that payroll not only form a part of any best practices compliance program, but when it comes to the specific subject matter expertise, payroll is on the front lines of any attempts to prevent, detect, and remediate anti-corruption compliance violations.

The FCPA prohibits “anything of value” from being provided to foreign government officials or employees of state-owned enterprises to obtain or retain business. This “anything of value” is almost always money, and that money must come from somewhere inside the company. While the Watergate intonation to “follow the money” remains valid in any compliance issue, the 2023 ECCP speaks much more depth about payroll’s responsibility in a corporate compliance program. There must be verifiable controls that not only detect fraudulent payments but also work to prevent any such payments.

Yet when the inquiries are read together, they paint a broader picture than simply tasking payroll with the responsibility to prevent fraudulent leakage of money that could be used to fund bribes. The questions around the approval and certification process should be a standard part of any payroll system. This has the effect of operationalizing the responsibility up and down the management chain, from the individual employee up through their manager(s) and eventually to the highest level of management involved in the process. This level of operationalization is designed not only to put a set of brakes in place but also to work to put a second set of eyes on the entire payroll process.

Finally, payment systems have a role in the remediation phase of any best practices compliance program. If a payroll control failure led to or even allowed a compliance violation, what was done to fix the control issue? Here, payroll should work to perform a root cause analysis of what led to the control failure and then enhance or upgrade the control to provide a solution going forward. Of course, there should be a fully documented audit trail for this work to provide to the government should they ever come knocking, or even to your corporate auditors.

This means that not only can payroll be one of the compliance function’s strongest corporate allies, but that the role of payroll, by its nature, works to operationalize compliance. This is because to implement the appropriate internal controls around compliance, payroll must know the specific requirements of the FCPA and know what kinds of issues are likely to come up that might create a risk of bribery and corruption, all leading to an understanding of the appropriate compliance internal controls to implement around payroll and payments.

This is particularly true around offshore payments, generally defined as payments made to a location other than the home domicile of the payee or the area where the services were delivered. If a Tunisian agent who performs services in Dubai asks for payment in a location other than Dubai or Tunisia, that would qualify as an offshore payment. If you train people on the payroll on this issue, they may well pick up the phone and notify compliance when they see a request for payment in a geographic location separate from one of the two standard payment venues. Those are the types of communications, when properly documented, that demonstrate your compliance program is operationalized into the fabric of the organization.

Another way to view it is if there is a payroll control for such a scenario that notes the exception and requires the clearance of a red flag through additional investigation, elevation for approval, and documentation of the entire process; it operates as both a financial control and a compliance control as well. It strengthens the company’s internal controls to both prevent and detect compliance risks going forward.

There are several specific internal payroll controls that will facilitate a company operationalizing its compliance program, as required under the 2023 ECCP. These controls help keep an eye on the money trail, as the money to pay a bribe is usually hidden in some company expenditures. The four general areas of payroll control should include: 1) segregation of duties; 2) accountability, authorization, and approval; 3) security of assets; and 4) review and reconciliation.

To meet these four general goals, consider using a selection of the following controls for payroll systems, irrespective of how timekeeping information is accumulated or how employees are paid:

Audit. Have either internal or external auditors conducted an annual audit of payroll accuracy?

Change authorizations. Only allow a change to an employee’s marital status, withholding allowances, or deductions if the employee has submitted a written and signed request for the company to do so. Any change request should be reviewed and approved by a senior manager.

• Change the tracking log. If you are processing payroll in-house with a computerized payroll module, have secure change tracking to provide an audit trail.

Expense trend lines. This is your data, and it is within your company somewhere. Look for changes in payroll-related expenses in the financial statements and then investigate if warranted.

Issue payment reports to supervisors. Request supervisors review payroll summaries for correct payment amounts and unfamiliar names.

Restrict access to records. Prevent unauthorized access to payroll records.

Segregation of duties. You should never allow one person to prepare the payroll, authorize it, and create payments.

The role of payroll in compliance is not often considered in operationalizing your compliance program, yet the monies to fund bribes must come from somewhere. Unfortunately, one of those places is out of payroll. All CCOs need to sit down with their head of payroll, have them explain the role of payroll, and then review the internal controls in place to see how they facilitate compliance goals. From that review, you can then determine how to use payroll to help operationalize your compliance program.

The DOJ has now provided its clearest statement on how it expects a company to actually comply going forward. Long gone are the days where the DOJ simply considered the inputs of a written program as sufficient to protect companies from compliance violations. Yet the mandate to operationalize a corporate compliance program drives home the concept that compliance is a business process that should be administered by the appropriate business unit with the requisite SME. When it comes to following the money, payroll is the most well-suited corporate discipline to provide this first level of oversight and control.

Categories
Daily Compliance News

Daily Compliance News: January 31, 2024 – The $70,000 Watch Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee and listen to the Daily Compliance News. All from the Compliance Podcast Network. Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

In today’s edition of Daily Compliance News:

• Germany to seize $2 billion worth of bitcoin. (NYT)

• Musk’s $55 billion pay package is voided.  (FT)

• An Ecuadorian official got a $70,000 watch as a bribe.  (Bloomberg)

• More lawyer trouble for fake ChatGPT citations.  (Reuters)

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
All Things Investigations

All Things Investigations – Mike DeBernardis on The SAP Enforcement Action

Welcome to the Hughes Hubbard Anti-Corruption & Internal Investigations Practice Group’s podcast, All Things Investigation. In this podcast, I was joined by HughesHubbardReed partner Mike DeBernardis to discuss the recently announced FCPA enforcement action involving SAP.

Mike DeBernardis is a seasoned expert in the field of FCPA enforcement, with a specific focus on SAP enforcement action and the critical role of compliance programs. Drawing from his extensive knowledge of corruption schemes in various countries and the role of third-party intermediaries in these activities, DeBernardis views the SAP enforcement action as a pivotal case study that underscores the importance of robust compliance programs and proactive remedial actions. He commends SAP for their significant investment in their compliance program and their willingness to alter their business practices, such as severing certain third-party relationships and high-risk conduct. DeBernardis believes these actions reflect a commitment to business integrity and serve as a valuable lesson for companies navigating complex investigations. Join Tom Fox and Mike DeBernardis as they delve deeper into this topic on this episode of All Things Investigations.

Key Highlights:

  • SAP’s Corrupt Third-Party Intermediaries and Enforcement Action
  • The Power of Cooperation and Remediation
  • DOJ’s Emphasis on Cooperation and Technology

Resources:

Hughes Hubbard & Reed website

Mike DeBernardis on LinkedIn

Categories
Blog

The Compliance Function in an Organization

The role of the compliance professional and the compliance function in a corporation has steadily grown in stature and prestige over the years. When it came to the corporate compliance function, 2020 FCPA Resource Guide, 2nd edition, under the Hallmarks of an Effective Compliance Program, simply noted the government would “consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.”

This Hallmark was significantly expanded in both the original FCPA Corporate Enforcement Policy and 2023 ECCP. In the FCPA Corporate Enforcement Policy, the DOJ listed the following as factors relating to a corporate compliance function, that it would consider as indicia of an effective compliance and ethics program: 1) the resources the company has dedicated to compliance; 2) the quality and experience of the personnel involved in compliance, such that they can understand and identify the transactions and activities that pose a potential risk; 3) the authority and independence of the compliance function and the availability of compliance expertise to the board; 4) the compensation and promotion of the personnel involved in compliance, in view of their role, responsibilities, performance, and other appropriate factors; and 5) the reporting structure of any compliance personnel employed or contracted by the company.

Clearly the DOJ is articulating that in an operationalized compliance program, it expects true compliance professionals, who understand the way compliance interacts with and supports the business. Companies must compensate and promote compliance professionals within their organization.

Funding and resources. You will now have to justify your corporate compliance spend. This means at a minimum you will have to meet some general industry standard. If a corporation tries to low-ball both the pay to compliance professionals, as well as the dollar and head count made available to a compliance function, it will not be viewed positively. Also noted in the Evaluation, a company must be prepared to defend any request for compliance resources which are turned down. Budget requests and allocations are always difficult times in any corporation. There is never enough money to go around and most senior management thinks it is their job to slash all budget requests as a simple matter of course. Now such blanket management will be penalized.

If a compliance function is so hampered by resource restrictions it cannot carry out the basic functions needed for a compliance program to operate, it will not find favor under either the Evaluation or the FCPA Corporate Enforcement Policy. If there are compliance projects needed to address basic compliance risks which are not funded because management failed to heed a CCOs or compliance functions budget request, this could be evidence of conscious indifference by senior management.

Role of compliance and empowerment. More than simply throwing money at the compliance function (as if that would ever happen) the DOJ is now inquiring into how the compliance function and its recommendations are treated. If there is business unit over-ride of compliance decisions, there must be an auditable decision trail. This, of course, is anathema to corporate executives who do not want to put themselves at risk.

But more than simply preventing management over-ride, a corporate compliance function has to be empowered by the Board and CEO to intervene in business decisions that implicate the company’s ethics and compliance issues, compliance with business code of ethics, agent/distributor and supplier codes of conduct, training, communication and internal investigations. If a company considers a business decision or practice that implicates the company’s ethical principles, the compliance function must have the internal authority to weigh in and ensure that ethical principles and compliance issues are factored into the business decision.

In the 2023 ECCP, under Section III, Does Your Compliance Program Work in Practice, is the following new language “Independence and Empowerment – Is compensation for employees who are responsible for investigating and adjudicating misconduct structured in a way that ensures the compliance team is empowered to enforce the policies and ethical values of the company? Who determines the compensation, including bonuses, as well as discipline and promotion of compliance personnel or others within the organization that have a role in the disciplinary process generally?”

This is a significant new addition to the ECCP. It forces a company to adequately compensation those employees who investigate and pass judgment on misconduct. But it is more than simply adequate compensation as it also requires a company not to retaliate via low salaries or limited raises or other compensation for doing their jobs as compliance officers. In other words, if the CEO is being investigated by compliance; that same CEO should not be setting or reviewing the salary of the CCO or those doing the investigation. This mandates that the DOJ will review the entire corporate organization on these issues.

Outsourcing of compliance. This area of compliance practice has arisen largely since the articulation of the Hallmarks in the 2020 FCPA Resource Guide, 2nd edition. While this might make sense from a cost perspective, it can be largely problematic if it is not managed properly. Rarely do outsiders have the same access as corporate employees, particularly in a function as important as compliance. Additionally, there will never be the trust level with outsiders there is with someone who wears the same color shirt as the employees. Here a company must not only have a rationale in place, which will largely be cost savings; a company must also have a mechanism in place to assess, on an ongoing basis, any outsourced compliance function. This will be beyond the reach of probably 99% of the companies engaged in such outsourcing.

The 2023 ECCP had further detailed questions to pose:

Structure—Where within the company is the compliance function housed (e.g., within the legal department, under a business function, or as an independent function reporting to the CEO and/or board)? To whom does the compliance function report? Is the compliance function run by a designated chief compliance officer, or another executive within the company, and does that person have other roles within the company? Are compliance personnel dedicated to compliance responsibilities, or do they have other, non-compliance responsibilities within the company? Why has the company chosen the compliance structure it has in place? What are the reasons for the structural choices the company has made?

Seniority and Stature—How does the compliance function compare with other strategic functions in the company in terms of stature, compensation levels, rank/title, reporting line, resources, and access to key decision-makers? What has been the turnover rate for compliance and relevant control function personnel? What role has compliance played in the company’s strategic and operational decisions? How has the company responded to specific instances where compliance raised concerns? Have there been transactions or deals that were stopped, modified, or further scrutinized as a result of compliance concerns?

Experience and Qualifications—Do compliance and control personnel have the appropriate experience and qualifications for their roles and responsibilities? Has the level of experience and qualifications in these roles changed over time? How does the company invest in further training and development of the compliance and other control personnel? Who reviews the performance of the compliance function and what is the review process?

Funding and Resources—Has there been sufficient staffing for compliance personnel to effectively audit, document, analyze, and act on the results of the compliance efforts? Has the company allocated sufficient funds for the same? Have there been times when requests for resources by compliance and control functions have been denied, and if so, on what grounds?

Data Resources and Access—Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions? Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?

Autonomy—Do the compliance and relevant control functions have direct reporting lines to anyone on the board of directors and/or audit committee? How often do they meet with directors? Are members of the senior management present for these meetings? How does the company ensure the independence of the compliance and control personnel?

The 2023 ECCP and 2023 Update to the FCPA Corporate Enforcement Policy both demonstrate the continued evolution in the thinking of the DOJ around the corporate compliance function. Their articulated inquiries can only strengthen a corporate compliance function specifically; and the compliance profession more generally. The more the DOJ talks about the independence of the compliance function, coupled with resources being made available and authority concomitant with the corporate compliance function, the more corporations will see it is directly in their interest to provide the resources, authority and gravitas to compliance position in their organizations.

Categories
2 Gurus Talk Compliance

2 Gurus Talk Compliance – Episode 21 — Big Trouble in China Edition

What happens when two top compliance commentators get together? They talk about compliance, of course. Join Tom Fox and Kristy Grant-Hart in 2 Gurus Talk Compliance as they discuss the latest compliance issues in this week’s episode! In this episode, Tom and Kristy take on a wide variety of topics, including the self-improvement of the Florida Man gone astray.

In the ever-evolving world of regulatory compliance and risk management, challenges are constant, and strategies must be dynamic. Tom highlights corruption in China, data privacy, the duty of oversight for officers and export control sanctions. Kristy highlights the ESG & DEI, Supply Chains and China, SAP, frequent flyer mile fraud and checks in on Florida Man. Join Tom Fox and Kristy Grant-Hart as they delve deeper into these issues in this episode of the 2 Gurus Talk Compliance podcast.

Highlights Include:

  1. First Shots Fired in 2024 Proxy Battle Over ESG, DEI: (Law.com)
  2. Enforcement of China’s Forced Import Ban Needs to Be Much Tougher, Say U.S. Lawmakers (WSJ)
  3. Lessons Learned from the SAP Enforcement Action: DOJ Changes Tack on FCPA Enforcement While SEC Digs into Third-Party Controls (Part III of III) (Corruption, Crime & Compliance)
  4. Frequent flyer miles helped authorities crack down on a $127 million money laundering scheme (The Street): HERE
  5. Analysis of failure to exercise duty of oversight by a corporate officer. (FCPA Compliance & Ethics Blog)
  6. McDonald’s Duty of Officer oversight. (Compliance and Enforcement)
  7. China and its fight against corruption.  (Reuters)
  8. Big penalties are coming for export control and sanctions enforcement. (WSJ)
  9. A federal data privacy law in 2024? (CCI)
  10. Florida man uses phone he found in Walmart bathroom to call in fake bomb threat, cites TikTok trend: deputies (FOX Orlando)

Resources:

Kristy Grant-Hart on LinkedIn

Spark Consulting

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Blog

CCO Authority and Independence

The role of the CCO has steadily grown in stature and prestige over the years. In the 2020 FCPA Resource Guide, 2nd edition, under the Hallmarks of an Effective Compliance Program, it focused on whether the CCO held senior management status and had a direct reporting line to the Board, stating:

In appraising a compliance program, DOJ and SEC also consider whether a company has assigned responsibility for the oversight and implementation of a company’s compliance program to one or more specific senior executives within an organization. Those individuals must have appropriate authority within the organization, adequate autonomy from management, and sufficient resources to ensure that the company’s compliance program is implemented effectively. Adequate autonomy generally includes direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors.

This Hallmark was significantly expanded in both the 2023 ECCP and the FCPA Corporate Enforcement Policy. And in so doing, the DOJ has increased the prestige, authority and role of both the CCO and corporate compliance function. The 2023 ECCP has five general areas of inquiry around the CCO and corporate compliance function. (1) How does the CCO salary and stature within the organization compare to other senior executives within the company. (2) What are the experience and stature of the CCO with an organization? Does the CCO have appropriate training for the role? (3) How much autonomy does the CCO have to report to the Board of Directors? How often do the CCO meet with directors? Are members of the senior management present for these meetings with the Board of Directors or of the Audit Committee? (4) What is your structure? Is the compliance function run by a designated chief compliance officer, or another executive within the company, and does that person have other roles within the company? (5) Is data in your organization so siloed that the CCO does not have access to it? If so, what are you doing about it?

In the 2023 Update to the FCPA Corporate Enforcement Policy, the DOJ these factors out as follows: 1) The quality and experience of the CCO, such that they can understand and identify the transactions and activities that pose a potential risk; 2) The authority and independence of the CCO; 3) The compensation and promotion of the CCO, in view of their role, responsibilities, performance, and other appropriate factors; and 4) The reporting structure of any CCO employed or contracted by the company.

All of these factors are enhanced by the CCO Certification requirement, as announced by Kenneth Polite back in 2022. A CCO must certify the effectiveness of a compliance program after a DPA or NPA has been concluded. This requirement will only become more important moving into 2023 and beyond. In addition to CCO  Certification, the Delaware Court of Chancery’s  decision in the case of McDonald’s Corporation and its former Executive Vice President and Global Chief People Officer of McDonald’s Corporation, David Fairhurst in the case In re McDonald’s Corporation Stockholder Derivative Litigation, where for the first time, a Delaware court formally recognized the oversight duties of officers of Delaware corporations.

The court noted that the CCO has a broad scope within an organization. The court stated, “Although the CEO and Chief Compliance Officer likely will have company-wide oversight portfolios, other officers generally have a more constrained area of authority.” The responsibilities of the CCO are wide and sometimes varied. Here the court stated, ““[s]pecific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program. Individual(s) with operational responsibility shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance and ethics program.” But the Delaware court also provided CCOs with some additional ammunition in their quest for true influence in a corporation by stating that “to carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.”

Clearly the DOJ is articulating that it expects true compliance professionals, who understand the way compliance interacts with and supports the business to be in the CCO chair. The days of a law school trained CCO who cannot read a spreadsheet are consigned to the dustbin of non-compliant history. But more than simply compliance professionalism, companies must compensate and promote compliance professionals within their organization. Simply burying someone in the compliance function of a law department because they cannot cut it will no longer suffice.

The DOJ has not taken a formal position on whether a General Counsel (GC) can also be the CCO. However, the language of the FCPA Corporate Enforcement Policy and 2023 ECCP seem to signal the death knell for the dual GC/CCO role. They also signal the larger issue that the CCO should have a separate reporting line to the Board, apart from through the GC. While the DOJ’s stated position that it does not concern itself with whether the CCO reports to the GC or reports independently, it is more concerned about whether the CCO has the voice to go to the CEO or Board of Directors directly not via the GC. Even if the answer were yes, the DOJ would want to know if the CCO has ever exercised that right. Yet the 2023 ECCP comes as close to any time previously in articulating a DOJ policy that the CCO be independent of the GC’s office. Therefore, if your CCO still reports up through the GC, you must have demonstrable evidence of both CCO independence and actual line of sight authority to the Board.

Here are some questions you should consider in evaluating this prong. First and foremost, is the CCO a part of the senior management or the C-Suite? Is the CCO part of regular meetings of this group? Who can terminate the CCO—is it the CEO, the Board Compliance Committee or does CCO termination require approval of the entire Board? Most importantly, could a person under investigation or even scrutiny by the CCO fire the CCO? If the answer is yes, the CCO clearly does not have requisite independence.

Additional questions to consider: Who can over-rule a decision by a CCO within the organization? And who is making the decisions around salary and compensation for the CCO? Is it the CEO, the GC, the Board Compliance Committee or some other person or group? Finally, what happens if a CCO initiates an investigation against someone he reports to or sets his salary?

Once again for the compliance professional, the FCPA Corporate Enforcement Policy and 2023 ECCP make the importance of a best practices compliance program even more critical. The DOJ is focusing more on the role, expertise and how the compliance function is treated within an organization. Pay your CCO considerably less than your GC? You may now better be able to justify that discrepancy. If you have a legal department budget of $3 million and a compliance department budget of $500,000; you are starting behind the eight-ball.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 25 – Responding to Investigative Findings

There is nothing like an internal whistleblower report about a compliance violation, the finding of such an issue, or (even worse) a subpoena from the DOJ or notice letter from the SEC to trigger the attention of the Board of Directors and senior management to the compliance function and the company’s compliance program. Such an event can trigger much gnashing of teeth and expressions of outrage, followed immediately by the proclamation, “We are an ethical company.” However, it may well be the time for a very serious reality check.

You may find yourself in a position where you will have to have some very frank discussions about what to expect in terms of costs and time outlays. While much of these discussions will focus on the investigative process and those costs, these discussions will allow you to initiate the talk about remediation going forward and begin to explain why money must be budgeted for the remediation process.

Finally, there should be a solid line of communication between the people who are doing the investigation and the people who are leading the remediation. Otherwise, you can only begin your remediation in the most general terms and you will not be able to deal with specific gaps in your compliance program or risks that need to be managed. Such an approach can also be a recipe for disaster. First and foremost, the DOJ will not give you credit and you may lose the types of benefits articulated in the FCPA Corporate Enforcement Policy. Moreover, the executive attention will have dissipated and you will have lost your momentum to clean things up through a thorough remediation.

Three key takeaways:

1. A serious FCPA allegation gets the attention of the Board and senior management. Use this time to move the compliance program forward.

2. Be aware of how your investigation can impact and even inform your remediation efforts.

3. Be prepared to deal with the dreaded “where else” question.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
Blog

Responding to Investigative Findings

There is nothing like an internal whistleblower report about a compliance violation, the finding of such an issue, or (even worse) a subpoena from the DOJ or notice letter from the SEC to trigger the Board of Directors and senior management attention to the compliance function and the company’s compliance program. Such an event can trigger much gnashing of teeth and expressions of outrage followed immediately by proclamations “We are an ethical company.” However, it may well be the time for a very serious reality check.

You may find yourself in the position that you will have to have some very frank discussions about what to expect in terms of costs and time outlays. While much of these discussions will focus on the investigative process and those costs, these discussions will allow you to initiate the talk about remediation going forward and begin to explain why money must be budgeted for the remediation process.

One of the things rarely considered is how the investigation triggers the remediation process and what the relationship is between the two. When issues arise warranting an investigation that would rise to the Board of Directors level and potentially require disclosure to the government, there is usually a flurry of attention and activity. Everyone wants to know what is going on.  Russ Berland, Senior Counsel Data Protection Law at Johnson & Johnson Consumer Health has noted, “for that short moment in time, you have everyone’s full attention.” Yet it can still be “a tricky place, because you get your fifteen minutes to really get everyone’s full attention, and from then on, you’re fighting with everybody else for their attention, like the normal things in business life.”

You need to explain the costs to the Board and senior management. As Berland said, you need to be upfront and candid in firmly stating, “To get to this place, this is what it’s going to cost.” Moreover, you need to be able to show how some companies paid very large amounts, not just in the eventual fine and penalty but also in other costs; such as shareholder lawsuits, claims and other post-resolution costs. Berland went on to say, “We want to show you how people have lost money by having to write big checks, because they didn’t take these allegations seriously. They actually saved money, because they didn’t have to write as big a check, because they took these allegations very seriously.” The bottom line is that your ROI here is going to be very high if you put the resources into remediation and do it well. This is easier with the information that was provided by the DOJ in the FCPA Corporate Enforcement Policy as it demonstrated how much discount a company can receive below the minimum range of the U.S. Sentencing Guidelines for remediation.

One of the most difficult parts is that the investigation is often done in a way in which the investigators want to maintain as tight a control over the information and privilege as they possibly can. The remediation requires output from the investigation to understand where the risk points and gaps are, both in the compliance program and the internal controls. There is a tension there and it needs to be structured in a way that information can be shared with those who are designing the remediation without fear of compromising the investigation.

Dan Chapman, former CCO at Parker Drilling and Cameron International and Founder of Presyse Consulting, also believes that costs must be adequately discussed to set proper expectations. These include both direct and, even more importantly, indirect costs to the company. Chapman noted, “the biggest cost to a company during an investigation is the diversion of management resources” and, as he further explained, “everything stops to focus on the investigation.” This indirect cost comes largely through the time commitment of senior management because “if senior management has to commit 20% of their time, that is 20% of their time that is not going towards revenue generating, shareholder value-protecting activities.”

Yet, how can you communicate this point to somebody who has not gone through a full-blown internal investigation then coupled with a federal investigation with the DOJ and Federal Bureau of Investigation involved? Understanding that the all-encompassing nature of such an event is difficult to articulate, Chapman goes through some of his past experiences as touch points. “One example would be, during my first week on the job at previous employer, the company had a worldwide conference for all of the senior managers from around the world,” he said. “At that meeting, I asked all the senior, C-level executives, ‘Over the last few years, have you spent 5% of your time on the matter?’ They raised their hands. Then, I kept escalating it: 10%, 15%, and the hands didn’t go down until about 20%. Then I explained to them, and to the audience, ‘If you got 5%, 10% or 15% more from your senior management, where would this company be? What would it be worth? What bonuses would you have gotten?’ I think this point resonated with all of them, but there was still no great way for them or for anyone to quantify these costs. How do you quantify the absence of non-compliance? How do you quantify what could have been? How do you quantify the opportunity costs of management’s time?”

You can explain the upside of compliance and do that in a manner that juxtaposes the cost. Chapman said you could mention things such as, “If you have clear policies and people know what to do, think how much easier your life would be. Instead of having to make calls and figure it out on your own every single time, you had a clear plan of action dictated by a policy.” The same types of arguments come into play in areas generally considered the purview of HR, i.e., recruiting and retention.

About recruiting Chapman posed the following for consideration, “Where do your new hires, especially recent college graduates, get their information about your company? They get it from the internet. If your company has been in trouble for bribery, what is one of the first things they see when they Google your company’s name? At the very top of their search results will be a news article about the wrongdoings or penalties. Now, how likely is a recent graduate to take his first job with a company that pays bribes, and, if he or she is willing, is that really the type of person you want to hire?” He also points out the negative impact of non-compliance on the retention of current employees by asking, “Ask yourself, is a good employee more or less likely to consider other job opportunities before or after she learns that her company pays bribes or may ask her to pay bribes?”

Yet even more than these types of points about employees in the organization, Chapman believes it is important to make it personal at the highest level of the organization; to make it as personal to your audience as possible. He suggests asking the Board and senior management “How would you feel about being involved in bribery? Rather than being something that’s only involving the company, your name and your reputation will be associated with it. How do you feel about being there?”

Obviously, the investigation will be critical for you to help understand what remediation your compliance program will need going forward. As Berland said, “Somebody found a way to get around your system. Maybe they colluded to overcome the internal controls. Maybe there was a group that simply wasn’t well trained, didn’t understand, or there was a group that was extremely well trained, and decided to do it anyway. But somehow, there are issues in the overall system of the executive tone, the governance, the compliance program, the internal controls, all at a meta level, which failed.”

You cannot find gaps in your compliance system until you stress test it. Viewed in this light, your compliance failures can be viewed as the ultimate stress test. Berland noted, “Well, guess what, you just got handed a stress test, and this is where the system broke down. Now you know there’s a gap. Well, absent the investigation, as painful and difficult as that is, that gap would have just been sitting there.” The investigation will raise information to you about the failures of your compliance program that you may not have known existed previously.

While there will be a desire by some folks to not give out any information about the investigation until it is completed and there is a final report, you must resist this at all costs. If the results of the investigation are not made available to you as the CCO or the compliance professional charged with remediating the compliance program, any such remediation will be extremely difficult, because “you’re just going off suppositions and guesses.”

He advocates there be a solid line of communication between the people who are doing the investigation and the people who are leading the remediation. Otherwise, you can only begin your remediation in the most general terms and you will not be able to deal with specific gaps in your compliance program or risks that need to be managed. Such an approach can also be a recipe for disaster. First, and foremost, the DOJ will not give you credit and you may lose the types of benefits articulated in the FCPA Corporate Enforcement Policy. Moreover, the executive attention will have dissipated and you will have lost your momentum to clean things up through a thorough remediation.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program – Day 24 – Internal Reporting and Triaging of Claims

The call, email, or tip comes into your office; an employee reports suspicious activity somewhere across the globe. That activity might well turn into an FCPA issue for your company. As the CCO, it will be up to you to begin the process, which will determine, in many instances, how the company will respond going forward. This system has become even more important after the 2022 announcement of the Monaco Memo. Further, as the 2022 ABB FCPA resolution made clear, self-disclosing to the DOJ is the vital first step for all discounts under the Corporate Enforcement Policy to begin.

This scenario was driven home by the WPP Foreign Corrupt Practices enforcement action in 2021. Here, a whistleblower reported internally on allegations of bribery and corruption in the company’s India subsidiary. WPP turned over the investigation to an inexperienced accounting firm in India and then allowed the investigation to be controlled by the business unit management that was engaging in the bribery and corruption. The result, unsurprisingly, was no adverse findings. However, the whistleblower did not stop there and reported six more times (seven total) with an increasing amount of documentary support. Finally, the company took the allegations seriously and commissioned an internal investigation.

Three key takeaways:

1. The DOJ and SEC put special emphasis on internal reporting lines.

2. Test your hotline on a regular basis to make sure it is working.

3. Every claim should be triaged before starting an investigation.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.