Tag: FCPA

Categories
Blog

Ten Top Lessons from Recent FCPA Settlements – Lesson No. 1, Self-Disclosure

Over the past 15 months, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have made clear, through three Foreign Corrupt Practices Act (FCPA) enforcement actions and speeches, their priorities in investigations, remediations, and best practices compliance programs. Every compliance professional should study these enforcement actions closely for the lessons learned and direct communications from the DOJ. They should guide not simply your actions should you find yourself in an investigation but also how you should think about priorities.

The three FCPA enforcement actions are ABB from December 2022, Albemarle from November 2023, and SAP from January 2024. Taken together, they point a clear path for the company that finds itself in an investigation, using extensive remediation to avoid monitoring, and provide insight for the compliance professional into what the DOJ expects in a best practices compliance program on an ongoing basis.

Over a series of blog posts, I will lay out what I believe are the Top Ten lessons from these enforcement actions. Today, we begin with Number 1, self-disclosure. The first and most important thing is that a company should self-disclose a potential FCPA violation to the DOJ.

The DOJ expects and will reward self-disclosure above all else. The ABB enforcement action all began with ABB’s putative attempt to self-disclose. ABB set up a meeting where they intended to self-disclose but only set up the meeting without telling the DOJ the reason for the meeting. Unfortunately for ABB, this attempt was unsuccessful, as the South African press broke the story of ABB’s bribery and corruption between the time ABB called to set up a meeting and sat down with the DOJ. Yet the DOJ spent significant time discussing the underlying facts, and it was clear it positively impacted the DOJ.

Kenneth Polite, then Assistant Attorney General, said of ABB’s conduct around this attempt, “Before the meeting, however, a media report drew public attention to the wrongdoing.  But because the company could demonstrate intent and efforts to self-disclose before, and without any knowledge of, the media report, the Department weighed both the early detection of the misconduct and the intent to disclose it significantly in ABB’s favor.”

In the Albemarle enforcement action, there was a significant discussion in the NPA around Albemarle’s voluntary self-disclosure to the DOJ. “The disclosure was not “reasonably prompt,” as it was made approximately 16 months ago to the DOJ after initial discovery by the company. This meant the self-disclosure “was not within a reasonably prompt time after becoming aware of the misconduct in Vietnam,” and it means that Albemarle did not meet the standard for voluntary self-disclosure. While the DOJ “gave significant weight” to the company’s voluntary, even if untimely, disclosure of the misconduct, it is certainly cautionary.

Equally interesting was the SAP enforcement action. Although this factor was not present in the SAP enforcement action, the DOJ’s message regarding the DOJ’s expectation of self-disclosure and the obvious and palpable benefits could not be any clearer. Under the Corporate Enforcement Policy, SAP’s failure to self-disclose cost it an opportunity of at least 50% and up to a 75% reduction off the low end of the U.S. Sentencing Guidelines fine range. Its actions as a criminal recidivist resulted in it not receiving a reduction of at least 50% and up to 75% from the low end of the U.S.S.G. fine range but rather at 40% from above the low end. SAP’s failure to self-disclose cost it an estimated $20 million under the Sentencing Guidelines. SAP’s failure to self-disclose and recidivism cost it a potential $94.5 million in discounts under the Corporate Enforcement Policy. The DOJ’s message could not be any clearer.

In addition to these enforcement actions, Kenneth Polite, in a speech announcing changes in the Corporate Enforcement Policy, made clear the importance of self-disclosure in the eyes of the DOJ. “Our existing policy provides that if a company voluntarily self-discloses, fully cooperates, and timely and appropriately remediates, there is a presumption that we will decline to prosecute absent certain aggravating circumstances involving the offense’s seriousness or the offender’s nature. These aggravating circumstances include, but are not limited to, involvement by executive management of the company in the misconduct; a significant profit to the company from the wrongdoing; egregiousness or pervasiveness of the misconduct within the company; or criminal recidivism.” If a company self-discloses, but a criminal resolution is warranted, our existing policy offers 50% off of the low end of the applicable Sentencing Guidelines penalty range.

He re-emphasized this position: “When a company has uncovered criminal misconduct in its operations, the clearest path to avoiding a guilty plea or an indictment is voluntary self-disclosure.  It is also the clearest path to the greatest incentives that we offer, such as a declination with disgorgement of profits.” While noting the difficulty of a company deciding to self-disclose, “we are underscoring that a corporation that falls short of our expectations does so at its own risk. Make no mistake – failing to self-report, cooperate, and remediate fully can lead to dire consequences.” [emphasis supplied]

The DOJ could not be clearer. The No. 1 lesson is that you need to self-disclose if you want any of the benefits available.

Categories
Blog

Self-Disclosure is Now the Key

The Department of Justice (DOJ) has been making significant strides in emphasizing the importance of voluntary self-disclosure in corporate enforcement cases, particularly in the Foreign Corrupt Practices Act (FCPA) realm. This shift in approach is evident in recent policy announcements and enforcement actions, beginning with the 2022 ABB Foreign Corrupt Practices Act (FCPA) settlement to the 2023 Albemarle FCPA resolution and continuing to the 2024 SAP Foreign Corrupt Practices Action settlement. Through these three resolutions,  the DOJ clarified that its most important criteria for evaluating a company for a fine under the FCPA is whether or not it self-discloses.

Representatives of the DOJ Kenneth Polite and Lisa Monaco further discussed this incentive in speeches in 2023. In announcing a revision to the 2017 FCPA Corporate Enforcement Policy, which became the 2023 Corporate Enforcement Policy, Kenneth Polite emphasized the ‘need for speed’ both in self-disclosure and during the pendency of any FCPA or compliance real compliance-related involving the DOJ.

The DOJ’s focus on incentivizing self-disclosure is a strategic move to encourage companies to come forward with violations and cooperate with authorities. The new Corporate Enforcement Policy offered up to a 75% reduction in penalties for voluntary disclosure. This discount is available even if there were ‘aggravating factors’ in the matter, such as C-Suite involvement in bribery and corruption. The DOJ could not send a more precise signal and be more transparent about what they want and will incent. This approach reflects a broader trend toward rewarding companies that proactively address compliance issues and work collaboratively with law enforcement agencies.

One of the key factors influencing the DOJ’s enforcement actions is the impact of recidivism. In October 2021, the DOJ, through a speech by Lisa Monaco and memorialized in the 2023 Evaluation of Corporate Compliance Programs (2023 ECCP), made it clear that it will not tolerate repeat offenders and is prepared to impose harsh penalties on companies that fail to self-disclose violations. However, even recidivist companies are encouraged to come forward and address compliance issues head-on, with the potential for significant penalty reductions if they demonstrate genuine cooperation and remediation efforts. The ABB resolution, in which the company was the first three-time FCPA recidivist yet received a superior outcome, once more demonstrated the DOJ’s current focus. The attempted self-disclosure fell short by only a day or two, as ABB had scheduled a meeting with the DOJ to self-disclose but had not formally done so. In the interim, a news story broke in South Africa about ABB’s systemic bribery and corruption in that country.

Although this factor was absent from the SAP enforcement action, the DOJ’s message regarding the benefits of self-disclosure and the DOJ’s expectation of self-disclosure could not have been clearer. Under the Corporate Enforcement Policy, SAP’s failure to self-disclose costs it an opportunity of at least 50% and up to a 75% reduction off the low end of the acceptable range of the US Sentencing Guidelines. Its actions as a criminal recidivist resulted in it not receiving a reduction of at least 50% and up to 75% from the low end of the USSG acceptable range but rather at 40% from above the low back. SAP’s failure to self-disclose cost it an estimated $20 million under the Sentencing Guidelines. Its inability to self-disclose and recidivism cost it a potential $94.5 million in discounts under the Corporate Enforcement Policy. The DOJ’s message could not be any clearer.

There was a significant discussion in the NPA around Albemarle’s voluntary self-disclosure to the DOJ. However, NPA noted that “the disclosure was not “reasonably prompt” as defined in the Criminal Division Corporate Enforcement and Voluntary Self-Disclosure Policy and the US Sentencing Guidelines.” The NPA reported that Albemarle learned of allegations regarding possible misconduct in Vietnam approximately 16 months before disclosing them to the DOJ. Interestingly, the SEC Order only stated, “Albemarle made an initial self-disclosure to the Commission of potential FCPA violations in Vietnam after completing an internal investigation of such conduct and, simultaneously, self-reported potential violations it was investigating in India, Indonesia, and China. Albemarle later self-disclosed potential violations in other jurisdictions to the Commission as part of an expanded internal investigation.”

This meant the self-disclosure “was not within a reasonably prompt time after becoming aware of the misconduct in Vietnam,” which means that Albemarle did not meet the standard for voluntary self-disclosure under the Criminal Division Corporate Enforcement and Voluntary Self-Disclosure Policy. While the DOJ “gave significant weight” to the Company’s voluntary disclosure, even if untimely, disclosure of the misconduct is undoubtedly cautionary.

The tradeoffs involved in balancing different factors, such as self-disclosure, cooperation, and remediation, can present challenges for companies navigating the complex landscape of FCPA enforcement. While the DOJ’s emphasis on self-disclosure offers potential benefits regarding penalty reductions and monitoring requirements, companies must carefully weigh the risks and rewards of voluntary disclosure against the possible consequences of non-disclosure.

The importance of considering the impact of decisions about the DOJ’s FCPA enforcement actions cannot be overstated. Companies that prioritize a culture of compliance, proactive monitoring, and data-driven analytics are better positioned to detect and address potential violations before they escalate into costly enforcement actions. By aligning their compliance programs with the DOJ’s expectations and demonstrating a commitment to ethical business practices, companies can mitigate the risks associated with FCPA violations and build a strong foundation for long-term success.

What the DOJ wants is self-disclosure as soon as possible. One only needs to recall the case of Cognizant Technologies, where the company received a complete declination, and there were allegations of C-Suite involvement in the bribery schemes. This Declination was provided mainly because the company self-disclosed only two weeks after the information was filtered to the Board of Directors. While Cognizant Technologies may be the gold standard, a company’s timely self-disclosures can be considered for a full Declination.

Categories
FCPA Compliance Report

FCPA Compliance Report – Tom Fox and Michael Volkov Look at Incentives for Self-Disclosure

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. In this episode, Tom Fox welcomes back Michael Volkov as they take a deep dive into the ABB, Albemarle, and SAP FCPA enforcement actions to try and unpack the DOJ’s pivot away from heavy penalties for recidivists to prioritizing self-disclosure above all else.

Volkov’s perspective on the Department of Justice’s (DOJ) FCPA enforcement actions is both critical and analytical, shaped by his extensive experience. He underscores the necessity of transparency and explanation in the factors considered by the DOJ, highlighting its significance to practitioners in the field. Volkov also recognizes the shift in DOJ policy towards data-driven compliance, requiring companies to provide data to substantiate their conclusions and demonstrate their compliance efforts. He further notes the evolving landscape of voluntary disclosure and remediation, suggesting these areas are now pivotal in the DOJ’s enforcement approach. Volkov’s insights reflect a nuanced understanding of the changing dynamics in FCPA enforcement and the imperative for companies to adapt to these shifts.

Key Highlights:

  • Importance of Cooperation in Corporate Enforcement Cases
  • Incentivizing Self-Disclosure in DOJ’s FCPA Enforcement
  • Increased Penalty Reduction for Voluntary Self-Disclosure
  • DOJ’s Evolving Approach to Corporate Penalties
  • Benefits of Voluntary Self-Disclosure in Enforcement

Resources:

Volkov Law Group

Corruption, Crime and Compliance

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

 

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
Blog

Joshua Drew and a Career in FCPA Enforcement and Compliance

I recently had the opportunity to visit with Joshua Drew, formerly a lawyer at the Department of Justice (DOJ) at Main Justice in Washington and also an Assistant US Attorney at the US Attorney’s Office for the District of New Jersey. We visited for an episode of the FCPA Compliance Report podcast.

Drew has recently joined the litigation group at Miller & Chevalier. With his extensive background in the fraud section of the DOJ and in-house roles at companies dealing with False Claims Act cases and FCPA resolutions, Joshua brings a wealth of knowledge and experience to his new position. His expertise will contribute to Miller & Chevalier’s strategic growth.

Drew moved from governmental service to HP, where he was Vice President and Associate General Counsel, Ethics & Anti-Corruption. At the time, HP was in the middle of a major FCPA investigation in the early 2010s. One of Joshua’s notable achievements was his role at HP, managing responses to DOJ and SEC investigations related to potential FCPA violations. During his time at HP, he played a crucial role in improving the internal investigation process, which resulted in a more efficient and practical approach. This experience highlights Joshua’s ability to navigate complex compliance issues and find practical solutions.

From HP, he moved to the company formerly known as VimpelCom, now VEON. He began as Associate General Counsel-Investigations and became the Group’s Chief Ethics & Compliance Officer. VimpelCom was going through an FCPA enforcement action and resolution at the time. He helped guide the company through a rigorous Deferred Prosecution Agreement (DPA) and monitorship. VEON was one of several high-profile FCPA enforcement actions involving telecom companies in Uzbekistan who paid huge bribes, totaling over several billion, to the daughter of the then President of the country, a woman named Gulnara Karimova.

Several factors influenced Joshua’s decision to join Miller & Chevalier. Firstly, he was impressed by the firm’s strong team of lawyers, many of whom he had interacted with during his time in-house at VimpelCom. The firm’s reputation for excellence and expertise in practice areas such as FCPA work, false claims act cases, general litigation, and white-collar defense also aligned well with Joshua’s experience. Additionally, Miller & Chevalier’s strategic focus and subject matter expertise in the issues that arise in a DC practice were appealing to Joshua.

Drew also discussed the new Safe Harbor Policy for Mergers and Acquisitions under the FCPA, which was announced in 2023. This policy encourages companies to disclose potential misconduct and cooperate with DOJ investigations, providing strong incentives for companies to get to the bottom of possible misconduct. Drew emphasized the importance of companies conducting thorough investigations, understanding the facts, and making decisions based on all available information in the company’s best interest. He acknowledged that these decisions can be challenging and require careful judgment.

The move to Miller & Chevalier allows Joshua to leverage his skills and experience to contribute to the firm’s strategic growth. His background in dealing with DOJ enforcement actions and his expertise with monitorships will be valuable assets in building on the firm’s existing work in these areas. Joshua’s role at Miller & Chevalier is focused on litigation, and he aims to bring strength to strength by complementing the skills and experience of the firm’s lawyers.

Joshua’s joining Miller & Chevalier brings the firm a unique blend of DOJ and in-house experience. His expertise in FCPA compliance and internal investigations will be instrumental in helping clients navigate complex compliance issues and mitigate risks. With his strategic approach and commitment to excellence, Joshua is well-positioned to make a significant impact at Miller & Chevalier.

Categories
Everything Compliance

Everything Compliance – Episode 128, The Frozen Edition

Welcome to the only roundtable podcast in compliance as we celebrate our second century of shows. In this episode, we have the quartet of Jonathan Armstrong, Matt Kelly, Karen Woody, and Jay Rosen, all hosted by Tom Fox, joining us on this episode to discuss some of the topics they are watching during this extended cold spell across the US.

1. Matt Kelly looks at the tale of two companies, eBay and SAP, and the disparity in whether monitorships were mandated. He shouts out to Saul Dreier and the Holocaust Survivors Band, who recently played a gig at the White House.

2. Tom Fox shouts out to Sir Elton John for winning an Emmy, thus becoming only the 18th person to hold the prestigious EGOT designation.

3. Jonathan Armstrong looks at the new SFO director and his new focus for the beleaguered agency.  He shouts out to Nick Rossi (or whatever name he is using) and his 16 aliases.

4. Jay Rosen takes a deep dive into the SAP Foreign Corrupt Practices Act enforcement action. He shouts out to the Cara Cara naval oranges.

5. Karen Woody looks at the Segway shareholder case and its duty of oversight analysis for an officer. She shouts out to all the folks in Indiana who work and fix things during a deep freeze and those manning homeless shelters.

The members of the Everything Compliance are:

  • Jay Rosen is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com
  • Karen Woody is one of the top academic experts on the SEC. Woody can be reached at kwoody@wlu.edu
  • Matt Kelly is the Founder and CEO of Radical Compliance. Kelly can be reached at mkelly@radicalcompliance.com
  • Jonathan Armstrong is our UK colleague, who is an experienced data privacy/data protection lawyer with Cordery in London. Armstrong can be reached at jonathan.armstrong@corderycompliance.com
  • Jonathan Marks can be reached at jtmarks@gmail.com.

The host, producer, ranter (and sometimes panelist) of Everything Compliance is Tom Fox, the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the Compliance Podcast Network.

Categories
Blog

Operationalizing Compliance Through Payroll

One of the areas articulated in the 2023 ECCP was around payments and payroll. The compliance professional and the corporate payroll function have a significant role to play in operationalizing a corporate compliance program. The 2023 ECCP was replete with references to payment and its critical nature to any best practices compliance program. This includes references to foreign officials, payments to third parties, and hiding bribes in distributor payments.

The 2023 ECCP begins with a warning to stop wasting time on low-hanging fruit when there are much higher risks in your business operations. It states:

Risk-Tailored Resource Allocation—Does the company devote a disproportionate amount of time to policing low-risk areas instead of high-risk areas, such as questionable payments to third-party consultants, suspicious trading activity, or excessive discounts to resellers and distributors? Does the company give greater scrutiny, as warranted, to high-risk transactions (for instance, a large-dollar contract with a government agency in a high-risk country) than to more modest and routine hospitality and entertainment?

It then drills down into the payment and payroll systems, stating:

Appropriate Controls—How does the company ensure a proper business rationale for using third parties? If third parties were involved in the underlying misconduct, what was the business rationale for using those third parties? What mechanisms exist to ensure that the contract terms specifically describe the services to be performed, that the payment terms are appropriate, that the described contractual work is performed, and that compensation is commensurate with the services rendered?

Payment Systems—How was the misconduct in question funded (e.g., purchase orders, employee reimbursements, discounts, petty cash)? What processes could have prevented or detected improper access to these funds? Have those processes been improved?

These questions may not seem new, innovative, or even different from what payroll currently does for an organization. However, the 2023 ECCP demonstrates the role of payroll in compliance. The 2023 ECCP requires that payroll not only form a part of any best practices compliance program, but when it comes to the specific subject matter expertise, payroll is on the front lines of any attempts to prevent, detect, and remediate anti-corruption compliance violations.

The FCPA prohibits “anything of value” from being provided to foreign government officials or employees of state-owned enterprises to obtain or retain business. This “anything of value” is almost always money, and that money must come from somewhere inside the company. While the Watergate intonation to “follow the money” remains valid in any compliance issue, the 2023 ECCP speaks much more depth about payroll’s responsibility in a corporate compliance program. There must be verifiable controls that not only detect fraudulent payments but also work to prevent any such payments.

Yet when the inquiries are read together, they paint a broader picture than simply tasking payroll with the responsibility to prevent fraudulent leakage of money that could be used to fund bribes. The questions around the approval and certification process should be a standard part of any payroll system. This has the effect of operationalizing the responsibility up and down the management chain, from the individual employee up through their manager(s) and eventually to the highest level of management involved in the process. This level of operationalization is designed not only to put a set of brakes in place but also to work to put a second set of eyes on the entire payroll process.

Finally, payment systems have a role in the remediation phase of any best practices compliance program. If a payroll control failure led to or even allowed a compliance violation, what was done to fix the control issue? Here, payroll should work to perform a root cause analysis of what led to the control failure and then enhance or upgrade the control to provide a solution going forward. Of course, there should be a fully documented audit trail for this work to provide to the government should they ever come knocking, or even to your corporate auditors.

This means that not only can payroll be one of the compliance function’s strongest corporate allies, but that the role of payroll, by its nature, works to operationalize compliance. This is because to implement the appropriate internal controls around compliance, payroll must know the specific requirements of the FCPA and know what kinds of issues are likely to come up that might create a risk of bribery and corruption, all leading to an understanding of the appropriate compliance internal controls to implement around payroll and payments.

This is particularly true around offshore payments, generally defined as payments made to a location other than the home domicile of the payee or the area where the services were delivered. If a Tunisian agent who performs services in Dubai asks for payment in a location other than Dubai or Tunisia, that would qualify as an offshore payment. If you train people on the payroll on this issue, they may well pick up the phone and notify compliance when they see a request for payment in a geographic location separate from one of the two standard payment venues. Those are the types of communications, when properly documented, that demonstrate your compliance program is operationalized into the fabric of the organization.

Another way to view it is if there is a payroll control for such a scenario that notes the exception and requires the clearance of a red flag through additional investigation, elevation for approval, and documentation of the entire process; it operates as both a financial control and a compliance control as well. It strengthens the company’s internal controls to both prevent and detect compliance risks going forward.

There are several specific internal payroll controls that will facilitate a company operationalizing its compliance program, as required under the 2023 ECCP. These controls help keep an eye on the money trail, as the money to pay a bribe is usually hidden in some company expenditures. The four general areas of payroll control should include: 1) segregation of duties; 2) accountability, authorization, and approval; 3) security of assets; and 4) review and reconciliation.

To meet these four general goals, consider using a selection of the following controls for payroll systems, irrespective of how timekeeping information is accumulated or how employees are paid:

Audit. Have either internal or external auditors conducted an annual audit of payroll accuracy?

Change authorizations. Only allow a change to an employee’s marital status, withholding allowances, or deductions if the employee has submitted a written and signed request for the company to do so. Any change request should be reviewed and approved by a senior manager.

• Change the tracking log. If you are processing payroll in-house with a computerized payroll module, have secure change tracking to provide an audit trail.

Expense trend lines. This is your data, and it is within your company somewhere. Look for changes in payroll-related expenses in the financial statements and then investigate if warranted.

Issue payment reports to supervisors. Request supervisors review payroll summaries for correct payment amounts and unfamiliar names.

Restrict access to records. Prevent unauthorized access to payroll records.

Segregation of duties. You should never allow one person to prepare the payroll, authorize it, and create payments.

The role of payroll in compliance is not often considered in operationalizing your compliance program, yet the monies to fund bribes must come from somewhere. Unfortunately, one of those places is out of payroll. All CCOs need to sit down with their head of payroll, have them explain the role of payroll, and then review the internal controls in place to see how they facilitate compliance goals. From that review, you can then determine how to use payroll to help operationalize your compliance program.

The DOJ has now provided its clearest statement on how it expects a company to actually comply going forward. Long gone are the days where the DOJ simply considered the inputs of a written program as sufficient to protect companies from compliance violations. Yet the mandate to operationalize a corporate compliance program drives home the concept that compliance is a business process that should be administered by the appropriate business unit with the requisite SME. When it comes to following the money, payroll is the most well-suited corporate discipline to provide this first level of oversight and control.

Categories
Daily Compliance News

Daily Compliance News: January 31, 2024 – The $70,000 Watch Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee and listen to the Daily Compliance News. All from the Compliance Podcast Network. Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

In today’s edition of Daily Compliance News:

• Germany to seize $2 billion worth of bitcoin. (NYT)

• Musk’s $55 billion pay package is voided.  (FT)

• An Ecuadorian official got a $70,000 watch as a bribe.  (Bloomberg)

• More lawyer trouble for fake ChatGPT citations.  (Reuters)

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
All Things Investigations

All Things Investigations – Mike DeBernardis on The SAP Enforcement Action

Welcome to the Hughes Hubbard Anti-Corruption & Internal Investigations Practice Group’s podcast, All Things Investigation. In this podcast, I was joined by HughesHubbardReed partner Mike DeBernardis to discuss the recently announced FCPA enforcement action involving SAP.

Mike DeBernardis is a seasoned expert in the field of FCPA enforcement, with a specific focus on SAP enforcement action and the critical role of compliance programs. Drawing from his extensive knowledge of corruption schemes in various countries and the role of third-party intermediaries in these activities, DeBernardis views the SAP enforcement action as a pivotal case study that underscores the importance of robust compliance programs and proactive remedial actions. He commends SAP for their significant investment in their compliance program and their willingness to alter their business practices, such as severing certain third-party relationships and high-risk conduct. DeBernardis believes these actions reflect a commitment to business integrity and serve as a valuable lesson for companies navigating complex investigations. Join Tom Fox and Mike DeBernardis as they delve deeper into this topic on this episode of All Things Investigations.

Key Highlights:

  • SAP’s Corrupt Third-Party Intermediaries and Enforcement Action
  • The Power of Cooperation and Remediation
  • DOJ’s Emphasis on Cooperation and Technology

Resources:

Hughes Hubbard & Reed website

Mike DeBernardis on LinkedIn

Categories
Blog

The Compliance Function in an Organization

The role of the compliance professional and the compliance function in a corporation has steadily grown in stature and prestige over the years. When it came to the corporate compliance function, 2020 FCPA Resource Guide, 2nd edition, under the Hallmarks of an Effective Compliance Program, simply noted the government would “consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.”

This Hallmark was significantly expanded in both the original FCPA Corporate Enforcement Policy and 2023 ECCP. In the FCPA Corporate Enforcement Policy, the DOJ listed the following as factors relating to a corporate compliance function, that it would consider as indicia of an effective compliance and ethics program: 1) the resources the company has dedicated to compliance; 2) the quality and experience of the personnel involved in compliance, such that they can understand and identify the transactions and activities that pose a potential risk; 3) the authority and independence of the compliance function and the availability of compliance expertise to the board; 4) the compensation and promotion of the personnel involved in compliance, in view of their role, responsibilities, performance, and other appropriate factors; and 5) the reporting structure of any compliance personnel employed or contracted by the company.

Clearly the DOJ is articulating that in an operationalized compliance program, it expects true compliance professionals, who understand the way compliance interacts with and supports the business. Companies must compensate and promote compliance professionals within their organization.

Funding and resources. You will now have to justify your corporate compliance spend. This means at a minimum you will have to meet some general industry standard. If a corporation tries to low-ball both the pay to compliance professionals, as well as the dollar and head count made available to a compliance function, it will not be viewed positively. Also noted in the Evaluation, a company must be prepared to defend any request for compliance resources which are turned down. Budget requests and allocations are always difficult times in any corporation. There is never enough money to go around and most senior management thinks it is their job to slash all budget requests as a simple matter of course. Now such blanket management will be penalized.

If a compliance function is so hampered by resource restrictions it cannot carry out the basic functions needed for a compliance program to operate, it will not find favor under either the Evaluation or the FCPA Corporate Enforcement Policy. If there are compliance projects needed to address basic compliance risks which are not funded because management failed to heed a CCOs or compliance functions budget request, this could be evidence of conscious indifference by senior management.

Role of compliance and empowerment. More than simply throwing money at the compliance function (as if that would ever happen) the DOJ is now inquiring into how the compliance function and its recommendations are treated. If there is business unit over-ride of compliance decisions, there must be an auditable decision trail. This, of course, is anathema to corporate executives who do not want to put themselves at risk.

But more than simply preventing management over-ride, a corporate compliance function has to be empowered by the Board and CEO to intervene in business decisions that implicate the company’s ethics and compliance issues, compliance with business code of ethics, agent/distributor and supplier codes of conduct, training, communication and internal investigations. If a company considers a business decision or practice that implicates the company’s ethical principles, the compliance function must have the internal authority to weigh in and ensure that ethical principles and compliance issues are factored into the business decision.

In the 2023 ECCP, under Section III, Does Your Compliance Program Work in Practice, is the following new language “Independence and Empowerment – Is compensation for employees who are responsible for investigating and adjudicating misconduct structured in a way that ensures the compliance team is empowered to enforce the policies and ethical values of the company? Who determines the compensation, including bonuses, as well as discipline and promotion of compliance personnel or others within the organization that have a role in the disciplinary process generally?”

This is a significant new addition to the ECCP. It forces a company to adequately compensation those employees who investigate and pass judgment on misconduct. But it is more than simply adequate compensation as it also requires a company not to retaliate via low salaries or limited raises or other compensation for doing their jobs as compliance officers. In other words, if the CEO is being investigated by compliance; that same CEO should not be setting or reviewing the salary of the CCO or those doing the investigation. This mandates that the DOJ will review the entire corporate organization on these issues.

Outsourcing of compliance. This area of compliance practice has arisen largely since the articulation of the Hallmarks in the 2020 FCPA Resource Guide, 2nd edition. While this might make sense from a cost perspective, it can be largely problematic if it is not managed properly. Rarely do outsiders have the same access as corporate employees, particularly in a function as important as compliance. Additionally, there will never be the trust level with outsiders there is with someone who wears the same color shirt as the employees. Here a company must not only have a rationale in place, which will largely be cost savings; a company must also have a mechanism in place to assess, on an ongoing basis, any outsourced compliance function. This will be beyond the reach of probably 99% of the companies engaged in such outsourcing.

The 2023 ECCP had further detailed questions to pose:

Structure—Where within the company is the compliance function housed (e.g., within the legal department, under a business function, or as an independent function reporting to the CEO and/or board)? To whom does the compliance function report? Is the compliance function run by a designated chief compliance officer, or another executive within the company, and does that person have other roles within the company? Are compliance personnel dedicated to compliance responsibilities, or do they have other, non-compliance responsibilities within the company? Why has the company chosen the compliance structure it has in place? What are the reasons for the structural choices the company has made?

Seniority and Stature—How does the compliance function compare with other strategic functions in the company in terms of stature, compensation levels, rank/title, reporting line, resources, and access to key decision-makers? What has been the turnover rate for compliance and relevant control function personnel? What role has compliance played in the company’s strategic and operational decisions? How has the company responded to specific instances where compliance raised concerns? Have there been transactions or deals that were stopped, modified, or further scrutinized as a result of compliance concerns?

Experience and Qualifications—Do compliance and control personnel have the appropriate experience and qualifications for their roles and responsibilities? Has the level of experience and qualifications in these roles changed over time? How does the company invest in further training and development of the compliance and other control personnel? Who reviews the performance of the compliance function and what is the review process?

Funding and Resources—Has there been sufficient staffing for compliance personnel to effectively audit, document, analyze, and act on the results of the compliance efforts? Has the company allocated sufficient funds for the same? Have there been times when requests for resources by compliance and control functions have been denied, and if so, on what grounds?

Data Resources and Access—Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions? Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?

Autonomy—Do the compliance and relevant control functions have direct reporting lines to anyone on the board of directors and/or audit committee? How often do they meet with directors? Are members of the senior management present for these meetings? How does the company ensure the independence of the compliance and control personnel?

The 2023 ECCP and 2023 Update to the FCPA Corporate Enforcement Policy both demonstrate the continued evolution in the thinking of the DOJ around the corporate compliance function. Their articulated inquiries can only strengthen a corporate compliance function specifically; and the compliance profession more generally. The more the DOJ talks about the independence of the compliance function, coupled with resources being made available and authority concomitant with the corporate compliance function, the more corporations will see it is directly in their interest to provide the resources, authority and gravitas to compliance position in their organizations.

Categories
2 Gurus Talk Compliance

2 Gurus Talk Compliance – Episode 21 — Big Trouble in China Edition

What happens when two top compliance commentators get together? They talk about compliance, of course. Join Tom Fox and Kristy Grant-Hart in 2 Gurus Talk Compliance as they discuss the latest compliance issues in this week’s episode! In this episode, Tom and Kristy take on a wide variety of topics, including the self-improvement of the Florida Man gone astray.

In the ever-evolving world of regulatory compliance and risk management, challenges are constant, and strategies must be dynamic. Tom highlights corruption in China, data privacy, the duty of oversight for officers and export control sanctions. Kristy highlights the ESG & DEI, Supply Chains and China, SAP, frequent flyer mile fraud and checks in on Florida Man. Join Tom Fox and Kristy Grant-Hart as they delve deeper into these issues in this episode of the 2 Gurus Talk Compliance podcast.

Highlights Include:

  1. First Shots Fired in 2024 Proxy Battle Over ESG, DEI: (Law.com)
  2. Enforcement of China’s Forced Import Ban Needs to Be Much Tougher, Say U.S. Lawmakers (WSJ)
  3. Lessons Learned from the SAP Enforcement Action: DOJ Changes Tack on FCPA Enforcement While SEC Digs into Third-Party Controls (Part III of III) (Corruption, Crime & Compliance)
  4. Frequent flyer miles helped authorities crack down on a $127 million money laundering scheme (The Street): HERE
  5. Analysis of failure to exercise duty of oversight by a corporate officer. (FCPA Compliance & Ethics Blog)
  6. McDonald’s Duty of Officer oversight. (Compliance and Enforcement)
  7. China and its fight against corruption.  (Reuters)
  8. Big penalties are coming for export control and sanctions enforcement. (WSJ)
  9. A federal data privacy law in 2024? (CCI)
  10. Florida man uses phone he found in Walmart bathroom to call in fake bomb threat, cites TikTok trend: deputies (FOX Orlando)

Resources:

Kristy Grant-Hart on LinkedIn

Spark Consulting

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn