Categories
Blog

2022-The Year in FCPA

2022 saw a relatively slow year in Foreign Corrupt Practices Act (FCPA) enforcement actions. Yet, as usual, the cases themselves were packed with much for the compliance professional to digest. Moreover, 2022 was a very significant year for every compliance practitioner and compliance program. My latest book, 2022 – The Year in FCPA – FCPA Enforcement Actions, DOJ Commentary and Key Lessons for Compliance from 2022, reviews the corporate FCPA enforcement actions from the past year and mines them for lessons that can be garnered by the compliance practitioner.

The cases themselves ranged in fine and penalty values from $1.1 billion (Glencore International A.G.) down to $6.3 million (KT Corporation). The Department of Justice (DOJ) FCPA prosecutions involved the following entities: Stericycle Inc. (Stericycle), with an overall fine of $84 million; Glencore, with an overall fine of $1.1 billion; GOL Linhas Aéreas Inteligentes S.A. (GOL), with an overall fine of $41 million; ABB Ltd. (ABB), with an overall fine of $315 million; and, concluding the year, Honeywell UOP, with an overall fine of $160 million. From the Securities and Exchange Commission (SEC) we saw enforcement actions involving the following entities: KT Corp, with a penalty of $6.3 million; Tenaris S.A., with a penalty of $78 million; Oracle Corporation (Oracle), with a penalty of $23 million; and Stericycle, GOL, ABB and Honeywell, with the fine amounts noted above. Finally, Glencore was also fined by the Commodity Futures Trading Commission (CFTC).

The total fines and penalties were $1.396 billion. Under the new monitorship policy, announced in October 2021 and put into practice through the Monaco Memo, there were two cases which included appointments of Corporate Monitors (Glencore and Stericycle). From the DOJ there were two Declinations. The first involved the French entity Safran S.A. and included a $17 million disgorgement. The second involved the UK entity Jardine Lloyd Thompson Group Holdings Ltd. (JLT) and included a $29 million disgorgement. 2022 saw one individual FCPA trial involving former Goldman Sachs Group Inc. Managing Director Roger Ng, who was convicted for criminally circumventing the firm’s internal controls. The Swedish telecom company Telefonaktiebolaget LM Ericsson (Ericsson) had its monitorship extended for 1 year amidst an ongoing investigation into whether it breached the Deferred Prosecution Agreement (DPA) and, finally, the Russian entity Mobile TeleSystems PJSC (MTS) also had its monitorship extended for 1 year.

In the realm of individuals prosecuted, there were 24 individual criminal prosecutions, and it appeared that individual criminal prosecutions continued at an aggressive pace. With the formalization of the Monaco Memo, the DOJ will be targeting more individuals for prosecutions in 2023, so the pace of individual prosecutions will continue and probably increase. In 2022, the majority of the individual prosecutions stemmed from prior FCPA actions involving a small number of companies, most notably Petróleos de Venezuela S.A. (PDVSA), Vitol Inc., Odebrecht S.A. and Sargeant Marine Inc. It is significant that the DOJ has continued its use of anti-money laundering (AML) charges, which have a 20-year maximum sentence, together with FCPA charges, which have a five-year maximum sentence.

However, 2022 was a very significant year for every compliance practitioner and compliance program. While there was a paucity of corporate FCPA enforcement actions, three actions were significant, with multiple lessons for the compliance professional. In ABB, we learned about the costs of a corrupt culture and recidivism. In Glencore, we saw what happens to a company that engages in worldwide systemic bribery and corruption. Finally, in Stericycle, the company had a culture of corruption burned into the DNA of the LATAM business unit, which was so thorough that it was documented via bribery spreadsheets and analysis of revenue based on payments of bribes in LATAM. Yet even with this corrupt culture, the Stericycle enforcement action demonstrated how a company could take advantage of the discounts available under the FCPA Corporate Enforcement Policy by extensive cooperation and remediation during the pendency of the FCPA investigation, as the company obtained a 25% reduction off the bottom of the applicable US Sentencing Guidelines fine range.

September saw the announcement of a significant refinement of DOJ enforcement policies on FCPA enforcement and corporate compliance programs. It was encapsulated in the Monaco Memo and a speech by Deputy Attorney General Lisa Monaco announcing the Monaco Doctrine. There was additional commentary by Principal Associate Deputy Attorney General Marshall Miller in a speech and by Assistant Attorney General Kenneth A. Polite. Every compliance professional should know them in detail as they significantly turn the heat up on corporate compliance programs. The Monaco Memo is further clarification and guidance for line prosecutors when considering whether to put a monitor in place. While we have seen these factors in a disparate manner, in disparate places, here they are in writing. Perhaps the greatest significance is that the Memo sets down all these matters in writing, which leads to a blueprint for DOJ thinking and a roadmap for anyone who finds themselves in an FCPA investigation or enforcement action. Finally, the Monaco Memo cemented the new DOJ requirement for CCO certification of compliance programs at the end of a resolution.

The final key event for compliance in 2022 was very much under the radar. The DOJ hired Matt Galvan to help develop data analytics expertise and capability for the FCPA Unit and the Fraud Section. Galvan was most recently the CCO at AB InBev and perhaps the top compliance professional in data analytics for a corporate compliance program. It will be most interesting to see where Galvan and the DOJ take this initiative, but it does portend the increasing use of data analytics in FCPA enforcement and compliance.

What did the year 2022 in FCPA mean for you? Check out 2022-The Year in FCPA, now available on Amazon.com.

Categories
FCPA Compliance Report

Ryan Patrick on the Role of a US Attorney Under the Monaco Memo, CEP & ECCP

Welcome to the award-winning FCPA Compliance Report, the longest running podcast in compliance. Looking for a podcast that will give you insights into the Department of Justice’s corporate enforcement policy and the implications for corporations facing investigations? Look no further than FCPA Compliance Report! In this episode, Tom Fox sits down with Ryan Patrick, a former US district attorney for the Southern District of Texas. They discuss the importance of staying up-to-date with DOJ memos and speeches, the difficulty for corporations in deciding whether or not to self-disclose, and the implications of outside counsel being deputized. Ryan emphasizes the importance for companies to work with lawyers who know judges and have pre-existing relationships with local prosecutors, including US attorneys and line prosecutors. They discuss the Southern District of Texas and its role in border-related issues, as well as Patrick’s time as a US Attorney for the Southern District of Texas. This podcast is a must-listen for anyone looking to gain a better understanding of corporate enforcement and compliance policies. Don’t miss out on the conversation between Tom Fox and Ryan Patrick!

Key Highlights

  • Discussing U.S. District Attorney’s work challenges
  • Evolution of Corporate Enforcement Policy by DOJ
  • Challenges in Communication with Corporations for Attorneys
  • Challenges of Self-Disclosure for Businesses
  • Navigating Legal Issues with Local Counsel
  • Challenges to Attorney-Client Privilege in Corporate Cases
  • Border Security and Cryptography Cases in Texas
  • US Attorney General Advisory Committee in Presidential Administration
  • Role of Southern District of Texas in law enforcement and corporate enforcement
  • Inside a Federal Prosecutor’s Role

Notable Quotes

  • “It seems to me that this broaden beyond simply anti-corruption in FCPA and whether it be fraud, whether it be antitrust, whether it be environmental, whether it be a wide variety of other types of issues that an AUSA and a local district attorney US district attorney’s office would prosecute.”
  • “Asking the US attorney’s offices now to step into this space where really thinking from the idea of self-disclosure and from monitoring or audio auditing, so to speak, someone’s compliance program.”
  • “One of the not perhaps most difficult, but hardest conversations a corporation has is whether or not to self-disclose under the FCPA.”
  • “Bring it to me. I will consider it because it’s not 1 size fits all.”

Resources

Ryan Patrick on LinkedIn

Ryan Patrick on Haynes and Boone

Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program for Business Ventures – Distributor Liability Under the FCPA

Three enforcement actions made clear that there were no distinctions between agents and distributors. They were Smith & Nephew, Inc., Oracle (2012 and 2022), and Eli Lilly and Company. Each of these enforcement actions had different FCPA violations, and each revealed separate steps a company should take to prevent and detect FCPA violations in their company.

These three separate bribery schemes call for three different but overlapping responses. The Lilly enforcement action also makes clear the need for internal audits to follow up with ongoing monitoring and auditing. Internal audit can help determine the reasonableness of a commission rate outside the accepted corporate norm. The 2012 and 2022 Oracle enforcement actions demonstrated that Oracle needed to institute the proper controls to prevent its employees at Oracle India from creating and misusing the parked funds in the distributor’s account. The Company needed to audit and compare the distributor’s margin against the end user price to ensure excess margins were not being built into the pricing structure. Smith & Nephew did not perform sufficient due diligence on these distributors, nor did they document any.

Further, the distributor was domiciled in a location separate and apart, the UK, from the sole location it was designed to deliver products or services into, Greece. This clearly demonstrated that the entities were used for a purpose the company wished to hide from Greek authorities. While it is true that a distributor might sell products in a country different than its domicile, if the products are going into a single country, this should have raised several Red Flags.

Three Key Takeaways:

  1. Use auditing and monitoring.
  2. Distributors will be treated the same as other business ventures.
  3. Robust due diligence must be performed.

Categories
Daily Compliance News

March 29, 2023 – The SBF/FCPA Charges Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen to the Daily Compliance News. All from the Compliance Podcast Network. Each day we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Stories we are following in today’s edition of Daily Compliance News:

  • SBF charged with FCPA violations. (WSJ)
  • Fox Producer seeks to recant testimony. (Reuters)
  • The US makes a transparency commitment. (AP)
  • France raids big banks over tax fraud. (NYT)

Categories
31 Days to More Effective Compliance Programs

Following the Money Through Distributors

Polycom came to FCPA grief in China, as have many other US companies. The bribery scheme was long running, occurring from 2006-2014. It included the creation of an off-the-books accounting and recordation system for corrupt payments made by or on behalf of Polycom China. The money to fund these bribes came through variations of the basic bribery scheme. There would be a discount between the price reported to Polycom and that paid by the buyer. These discounts were not passed on to the end customer, but instead were intended to cover the cost of the payments the distributors made to the Chinese government officials.

In other words, this discount would form the basis of the pot of money to pay the bribe.

The Chinese business unit was equally creative with the reasons for the discounts, which were listed in the CRM. Polycom China usually claimed that competition with one or more vendors required it to give discounts on pricing. They also claimed that some end-using customers refused to pay full price. However, these were all false excuses entered into the CRM to hide the truth from auditors and others charged with reviewing and approving the discounts.

Three Key Takeaways

  1. Channel your inner Woodward and Bernstein and follow the money.
  2. Simply because some type of compliance oversight is difficult or requires extra effort, it is no excuse not to monitor.
  3. Channel your inner Ronnie Reagan as well and ‘trust but verify.’

Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program for Business Ventures-Franchisor Liability


There remains a question about franchisor liability under the FCPA. Franchising has been a successful model in the U.S. and now many corporations are looking at overseas expansion opportunities. Franchise law has become well developed across the U.S., with many states developing laws to protect the rights and obligations of both parties in a franchise agreement.

There are no reported FCPA enforcement actions regarding franchisors. However, the factors in a franchise relationship would appear to lead to clear FCPA responsibility of the franchisor for its overseas franchisee’s actions. Additionally, court interpretation of the FCPA has held that it is applicable where conduct is used “to obtain or retain business or secure an improper business advantage” which can cover almost any kind of advantage, including indirect monetary advantage even as nebulous as reputational advantage. As everyone knows, the FCPA prohibits payments to foreign officials to obtain or retain business or secure an improper business advantage. Nevertheless, many U.S. companies view franchisees as different from other types of more direct sales representatives, such as company sales representatives, agents, resellers or even JV partners, for the purposes of FCPA liability.

The Master Franchise model is typically the most used model in international franchise expansion. It generally revolves around a Master Franchise agreement between the U.S.-based franchisor and a franchisee in a specific geographic territory. This franchisee then contracts with third-party sub-franchisees within the specified territory. Typically, the U.S.-based franchisor will have no contractual relationship with the international sub-franchisees. The master franchisee acts as the franchisor in the local market and recruits, trains, and provides other support in the local area on behalf of the U.S. franchisor. Here the FCPA exposure is both direct and indirect.

Some believe that a franchisor may not have direct involvement in conduct prohibited by the FCPA, as there may not be the requisite corrupt intent required under the statute. However, unless a franchisor has an adequate compliance program in place, a franchisor may well find itself in the shoes of Frederic Bourke and sustain a finding of conscious indifference.

Three key takeaways:

  1. Consider the different types of international franchise agreements to help assess your compliance risk.
  2. There are no reported FCPA enforcement actions involving international franchisors, yet.
  3. Franchisors must conduct thorough research in both the foreign market they hope to enter and on their potential franchisees.

Categories
Innovation in Compliance

Third-Party Management: A Risk-Based Approach – Part 5: Alexander Cotoia on Use Cases

Welcome to a special 5-part podcast series sponsored by Diligent. Over this series, we will consider a risk-based approach to third-party risk management, and I will visit with Michael Parker, the Director of Advisory and Consulting Services; Stephanie Font, Director of the Optimizations Group; Kairi Isse, Managed Services Group Manager; Adam Bailey, Senior Vice President, Product Management; and Alexander Cotoia, Associate at the Volkov Law Group. In this Part 5, I visit with Alexander Cotoia, a Regulatory and Compliance Manager at the Volkov Law Group, to consider how recent FCPA enforcement actions point toward the use cases for a robust third-party risk management system.

In 2022, the overwhelming majority of FCPA-related enforcement actions involved third parties and required organizations to reprioritize third-party risk management. In this episode, we consider case studies involving ABB Limited, GOL Airlines, and Oracle, which all demonstrated the importance of understanding bribery and corruption schemes, making voluntary disclosures, and reassessing third-party risk management.

Key Highlights

  • How can organizations reprioritize third-party risk management as a core compliance function?
  • What strategies can organizations use to avoid FCPA violations and maximize cooperation credit?
  • How can organizations effectively assess the risks posed by potential business partners?

Notable Quotes

  1. “Don’t put yourself in a position of being uncooperative with either the SEC or DOJ. Reassess your framework for third-party risk management holistically and hone in on the nature and quality of the information that’s being collected to objectively evaluate the totality of risks posed by a potential business partner to the organization.”
  2. “You really can’t afford to be complacent, especially as we have a new emerging consideration suspecting sanctions and export controls that have become core enforcement priorities of the federal government.”
  3. “The critical question asked from a functional perspective is, is it adequate to objectively evaluate the totality of risks posed by a potential business partner to the organization?”
  4. “You have to understand that third-party risk, especially as it pertains to anti-bribery and corruption concerns, is a universal constant.”

Resources

Alexander Cotoia on LinkedIn

Check out Diligent’s 3rd party products and services here.

Categories
Blog

Reprioritizing Your Third-Party Risk Management Program – Key 2022 FCPA Enforcement Actions

From the Foreign Corrupt Practices Act (FCPA) enforcement actions in 2022, one clear theme emerges: organizations must reprioritize their third-party risk management programs. Many companies are becoming complacent in this arena, not realizing the potential consequences of not properly assessing their third-party risk management practices. I recently had the opportunity to visit with Alexander Cotoia of the Volkov Law Group to discuss the importance of reprioritizing third-party risk management and how organizations can assess the effectiveness of their current practices. We review three 2022 FCPA enforcement actions to explore the importance of proper third-party risk management and how to avoid the potential consequences of not properly assessing these risks. Join us as we explore the details and implications of these enforcement actions and how organizations can reprioritize their compliance programs for the ever-changing dynamics of third-party risk management.

Here are the steps you need to follow to reprioritize your third-party risk management program:

  1. Understand that third-party risk, especially as it pertains to anti-bribery and corruption concerns, is a universal constant and still the highest risk.
  2. Reassess the framework by which third parties are evaluated and objectively evaluate the totality of risks posed by a potential business partner to the organization.
  3. Implement a risk-based approach to third-party risk management.

  1. Understanding third-party risk

Understanding that third party risk, especially as it pertains to anti-bribery and corruption, is a universal constant is an important step in the risk management process. As evidenced by three key enforcement actions, ABB Limited, Oracle and GOL Airlines, organizations must evaluate the risks posed by potential business partners and ensure that the information collected is adequate to objectively assess the totality of the risks. Organizations should be aware that the DOJ requires companies to adopt a risk-based approach to third party risk management. To ensure that the organization is compliant with these regulations, they should review their existing practices and be prepared to supplement them if necessary. Additionally, organizations should be aware that they may be given credit for voluntary disclosure and cooperation efforts when faced with potential violations. This may be beneficial when determining penalties and is an important factor to consider when dealing with third party risk.

  2. Reassess your third-party framework

Reassessing the framework by which third parties are evaluated and objectively evaluating the totality of risks posed by a potential business partner to the organization is a critical step in reprioritizing your third-party risk management strategy. This should be approached holistically, focusing on the information being collected and its adequacy in objectively evaluating risks. Organizations should adopt a risk-based approach, as recommended by the DOJ, and not simply have a one size fits all approach. This approach should include due diligence, assessing the potential partner’s reputation and business practices, verifying their legitimacy and background, and understanding their country of origin and its laws. Additionally, organizations should consider the potential partner’s relationship with government officials and whether it could violate any anti-bribery or corruption laws. If any of these issues are identified, organizations should look into it further to ensure that their partner is compliant. By doing this, organizations can ensure that they are not engaging in any activities that could be deemed illegal or unethical. 

  3. Implement a risk-based approach

Implementing a risk-based approach to third party risk management is essential to any organization’s compliance program. This involves assessing the external parties on which an organization relies operationally, and identifying any risks associated with those external parties. This assessment should include evaluating their qualifications and experience to ensure they are able to meet the organization’s expectations. Additionally, organizations should consider conducting background checks on potential external parties, and assessing any potential conflicts of interest that may arise. Once potential external parties have been identified, organizations should consider conducting due diligence to ensure that the external party has not been involved in any fraud, bribery, or other criminal activities. Organizations should also consider developing contracts and compliance policies for external parties and monitoring their activities to ensure compliance. Finally, organizations should consider developing a training program for their external parties to ensure they understand the organization’s expectations and policies. By implementing a risk-based approach to third party risk management, organizations can reduce the risk of an FCPA violation and ensure their organization remains compliant.

Third-party risk management is one of the most critical components of any organization’s compliance program. Organizations should take the initiative to reprioritize third-party risk management and assess the effectiveness of their current practices. Through the exploration of three enforcement actions and the introduction of the joint compliance note, this article has highlighted the importance of properly assessing third-party risk and how to best prepare for the ever-changing dynamics of third-party risk management. By implementing a risk-based approach to third-party risk management, organizations can protect themselves from potential violations of the FCPA and ensure their organization remains compliant. With the right tools, processes, and dedication you can achieve the same results and protect your organization from costly fines and penalties.

For more information on Diligent’s Third-party Risk Management solution, click here.

Listen to Alexander Cotoia on the podcast series, sponsored by Diligent here.

Check out the Volkov Law Group here.

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Compliance for Business Ventures – Know Your Customer

Do FCPA considerations come into play for customers? How should you think about your obligations under the FCPA for a group not traditionally associated with FCPA liability or even FCPA risk? These questions and perhaps others are raised by the FCPA investigation into certain transactions in Venezuela by Derwick Associates (Derwick) and a U.S. company ProEnergy Services (ProEnergy). ProEnergy supplied turbines that Derwick resold to the Venezuelan government and then installed in that country. This investigation demonstrates why businesses need to be more concerned with not only who they do business with but how their customers might be doing business. In banking and financial services parlance, you now need to ramp up your organization’s Know Your Customer (KYC) information to continue throughout a seller-purchaser relationship, in the context of the FCPA.

There does not have to be a direct bribe or other corrupt payment made by a U.S. company to have liability under the FCPA. FCPA enforcement is littered with companies that have paid bribes through third parties. However, as the Fifth Circuit said in US v. Kay, “[W]e hold that Congress intended for the FCPA to apply broadly to payments intended to assist the payor, either directly or indirectly,” [emphasis mine]. While at first blush ProEnergy may appear to be at the edge of potential FCPA liability, if it knew, had reason to know, or should have taken steps to know about some nefarious conduct by its customer, it does not take too many steps to get to some FCPA exposure. The FinCEN rules on customer due diligence for financial institutions are a good starting point for other commercial entities to base their compliance program for customers around.

Three key takeaways:

  1. Non-banking and non-financial service entities need to consider their KYC obligations in the context of FCPA risk.
  2. FinCEN rules on customer due diligence are a good starting point for the non-financial institution.
  3. Ongoing monitoring should be used and the information incorporated into your customer risk profile going forward.

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Compliance for Business Ventures – Tying it all Together for Joint Ventures

I want to emphasize again the risks JVs pose under the FCPA. Mike Volkov has stated, “A joint venture requires the integration of disparate company cultures. It can be successful and is usually one of the significant reasons for the joint venture itself.” Both parties should assess each other and decide that the JV is a good fit, meaning that each side will benefit. Too much time is spent on looking at the JV partner’s compliance toolbox (i.e., policies, procedures, and controls), and not enough time is spent on identifying compliance strengths and weaknesses. You must bring it all together with one format.

Indeed, the 2020 Update to the Evaluation of Corporate Compliance Programs posed the following questions under the category “Process Connecting Due Diligence to Implementation”: What has been the company’s process for tracking and remediating misconduct or misconduct risks identified during the due diligence process? What has been the company’s process for implementing compliance policies and procedures, and conducting post-acquisition audits, at newly acquired entities? Remember, a “newly acquired entity” can be a joint venture.

Three key takeaways:

  1. It all starts with a Relationship Manager.
  2. Have company oversight of all JVs. Couple this with a COC for a second set of eyes.
  3. Audit, monitor, and remediate (as appropriate) your JVs on an ongoing basis.