Tag: GTE

Categories
Compliance Into the Weeds

Compliance into the Weeds: 3M FCPA Enforcement Action

The award winning, Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance related topic, literally going into the weeds to more fully explore a subject. Looking for some hard-hitting insights on sanctions compliance? Look no further than Compliance into the Weeds! In this episode, Tom and Matt consider the recent FCPA enforcement action involving the Chinese business unit of 3M.

The importance of post-event documentation and monitoring in preventing fraud and corruption cannot be overstated, as highlighted by the recent FCPA incident involving 3M China. Tom believes that while training and control environment adjustments are crucial, they may not be enough to prevent misconduct if individuals are determined to commit such acts. He emphasizes the need for hard evidence, such as post-event documentation, and recommends looking to the heavily regulated pharmaceutical sector for guidance.

Matt stresses the importance of rigorous post-event documentation to ensure the legitimacy of business activities. Both Fox and Kelly gained these insights from their extensive experience in the field of compliance and their analysis of various fraud cases. To learn more about their unique perspectives on post-event documentation and monitoring, join them on this episode of the Compliance into the Weeds podcast. 

Key Highlights

·      Background facts

·      GTE in FCPA enforcement actions

·      What happens when conduct is done secretly

·      Concerns over the use of messaging apps

·      Lessons Learned

 Resources

Matt in LinkedIn

Tom –blog post on the FCPA Compliance and Ethics Blog

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Blog

3M in China-Where Secret Travel = FCPA Violations

You know that when the Securities Exchange Commission (SEC) uses the word ‘secretly’ when discussing a corporate program, it is a seriously not good look. That is certainly the case in the recently announced Foreign Corrupt Practices Act (FCPA) enforcement action involving 3M’s Chinese business unit. In an Order, outlining the facts and FCPA violations it stated, “During the Relevant Period, a former 3M-China marketing manager (the “Marketing Manager”) colluded with two China-based travel agencies (the “China Travel Agencies”) to secretly provide Tourism Activities for Chinese Government Officials during Educational Events. The Marketing Manager was aided in the scheme by several employees in 3M-China’s sales, marketing and professional services departments.” [emphasis supplied] For its ‘secret’ scheme without admitting or denying the SEC’s findings, 3M agreed to pay $4.5 million in prejudgment interest and disgorgement and a civil penalty of $2 million or a total of $6.5 million.

Background

The Order recited that certain 3M-China Employees targeted influential officials of Chinese state-owned enterprises and Chinese Government Officials for attendance at overseas Educational Events and, in collusion with the China Travel Agencies. To facilitate this scheme, 3M-China Employees would create a travel itinerary that included various legitimate business, training and marketing activities for submission to 3M-China’s compliance personnel for approval. However there were “alternate itineraries (the “Alternate Itineraries”)” planned which consisted of various Tourism Activities at or near the location of the Educational Events. There were free travel and lodging provided which “were designed to improperly induce the Officials to purchase 3M products, and violated company policy.”

Interestingly, the 3M-China Employees circulated the Alternate Itineraries through hand delivery or personal WeChat accounts or ephemeral messaging. The 3M-China Employees asked the participants to keep the agenda hidden, and falsified internal compliance documents so that the Tourism Activities were not shown to be planned as part of the overseas trip.

There were several indicia which demonstrated the travel was not for business purposes but for recreational purposes. From the Order it stated

(a) Tourism Activities were scheduled at the same time as the Educational Event activities;

(b) the ostensibly Educational Events were in English, and the trips included Chinese Government Officials who neither understood English nor had adequate translation services;

(c) at times Chinese Government Officials missed whole days of the Educational Event or simply never attended at all; and

(d) Certain Chinese Government Officials also requested Tourism Activities as part of the overseas trip.

To fund these illegal activities, 3M-China Employees would at times work with the collusive China Travel Agencies to inflate their billing invoices for ostensibly legitimate expenses such as  travel costs. In other instances, the 3M-China Employees submitted unpermitted invoices directly to the China Travel Agencies for reimbursement rather than to 3M China. Finally, the China Travel Agencies, with the support of the 3M-China Employees, at times directed that 3M-China’s distributors pay for portions of the non-reimbursable expenses. Rather stupidly from a legal and compliance perspective, 3M China employees measured the impact that this corruption had on sales. They tracked the effect of providing overseas travel on 3M-China’s sales to SOE Customers. One 3M-China Employee tracked post-trip sales “to ensure they were consistent with 3M-China’s sales goals. Most amazingly “3M-China management asked for the “return on investment” from an Educational Event (i.e. the effect of providing health care officials with overseas travel on sales to the SOE Customer) by comparing sales figures before and after an Educational Event.”

Finally, “from at least 2014 through 2017, 3M-China paid nearly $1 million to fund at least 24 trips for Chinese Government Officials that included Tourism Activities. The costs of these trips were improperly recorded in 3M’s books and records as legitimate business expenses, without any indication that they included Tourism Activities. As a result of the above conduct, 3M improperly benefited by at least $3.5 million from increased sales.”

Discussion

There are several key lessons to be garnered from this FCPA enforcement action. One key lesson from this case is that if your organization is paying for attendance at educational events, the value of rigorous post-event documentation, such as sign-in sheets and attendance verification is critical. By ensuring that officials were present at the events they are paid for, transparency is enhanced, and corruption can be prevented as your employee base will know that compliance is providing oversight and monitoring. This approach draws from the pharmaceutical sector, which has implemented stringent event monitoring practices.

The importance of post-event documentation and monitoring extends beyond coruption prevention. It also plays a crucial role in compliance efforts. By thoroughly documenting events and activities, companies can demonstrate their commitment to ethical business practices and compliance with regulations. This documentation serves as evidence of due diligence and can be invaluable in audits and investigations.

However, compliance professionals must strike a balance between the level of control and the resources required for documentation. While it is essential to have robust controls in place, excessive bureaucracy can hinder efficiency and productivity. Finding the right balance is crucial to ensure compliance without impeding business operations.

Another challenge lies in the use of ephemeral messaging, as seen in the Three M China case. Ephemeral messaging platforms, which automatically delete messages after a certain period, can raise concerns about transparency and compliance. While these platforms may have legitimate uses in private communications, their use in a corporate setting can be seen as a less than transparent attempt to conduct business ethically. Compliance professionals should carefully consider the implications of using such platforms and evaluate whether they align with their organization’s compliance objectives.

Data analytics also play a significant role in post-event documentation and monitoring. By leveraging advanced analytics tools, companies can detect patterns and anomalies that may indicate fraudulent activities. For example, multiple payments to the same vendor by different entities within the extended enterprise can be a red flag worth investigating. Implementing robust data analytics capabilities can enhance the effectiveness of post-event monitoring and help identify potential compliance risks.

In conclusion, the 3M China FCPA enforcement action underscores the importance of post-event documentation and monitoring in fraud prevention and compliance efforts. Rigorous documentation practices, inspired by the pharmaceutical sector’s approach, can enhance transparency and prevent corruption. However, finding the right balance between control and efficiency, addressing challenges associated with ephemeral messaging, and leveraging data analytics are crucial for effective post-event documentation and monitoring. By prioritizing these factors, companies can strengthen their compliance programs and mitigate the risks associated with fraudulent activities.

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Internal Controls – Internal Controls for Gifts, Travel and Entertainment

While many compliance practitioners believe that employee expense reports are a sufficient internal control of gifts because there are other ways in which a gift can be presented, other controls must be considered. Once your company policy on gifts has been finalized, the internal controls over expense reports fall into three primary areas:

  1. The expense report format, including what information it requires.
  2. Controls over the submitting employee and the preparation of the expense report.
  3. Controls to ensure the approvers do their review process properly.

Internal controls around gifts can be used in various ways in your best practices compliance program. They can certainly be used to detect an issue and perhaps even prevent an issue from becoming a full-blown FCPA violation; however, by using some of the techniques that Howell has suggested, you can move your compliance program to a proscriptive phase where you not only stop an issue from becoming a violation but through identification, you can move towards remediation as a part of your ongoing compliance efforts. The bottom line is that good internal controls make for good business processes; if you can move your compliance program’s internal controls forward, you can help make them a part of your financial controls and, thereby, have a better-run company. 

Three Key Takeaways:

  1. GTE compliance internal controls are low-hanging fruit. Pick them.
  2. Compliance with internal controls can be both detected and prevented controls.
  3. Good compliance with internal controls is good for business.

For more information on how to build out a best practices compliance program, including internal controls, check out The Compliance Handbook, 3rd edition.

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Internal Controls – Discipline and Rigor In Your Internal Controls

New York Times columnist David Brooks’ thoughts on building and maintaining order inform the discussion on rigor in your internal controls. In internal controls, I believe it is incumbent to consider not only the most obvious risk areas for your internal controls but also the universe of potential transactions within a company’s operations. There is a clear need for rigor in your internal controls protocols. Adherence to that rigor can increase operationalization around the internal controls a company should consider, including gifts, travel, and entertainment expenses. Brooks said, “Building and maintaining order … requires toughness of mind and rigid discipline to serve your own work properly.” By having the rigor to institute and enforce the types of internal controls identified, you can go a long way toward detecting and, more importantly, preventing an FCPA violation from occurring.

Some of the key areas of Internal Control focus should be:

·       The Delegation of Authority (DOA)

Petty cash disbursements

·       Travel

·       P-Cards

·       Employee Expense Reports

·       Corporate checks and wire transfers, such as check requests, purchase orders, or vendor invoices.

·       Gifts and business entertainment

Three key takeaways:

1. You must maintain rigor around your internal controls.

2. Controls against fraud can also help to prevent corruption.

3. Building and maintaining good internal controls requires rigor.

Categories
Corruption, Crime and Compliance

A Deep Dive into the Oracle FCPA SEC Settlement

Oracle Corporation settled its second FCPA case in ten years. It agreed to pay the SEC $23 million to resolve allegations that its subsidiaries in Turkey, India and the United Arab Emirates maintained slush funds to bribe foreign officials. Ten years ago in 2012, Oracle paid the SEC $2 million for creating millions of dollars in off-the-books accounts at its India subsidiary. Join Michael Volkov as he takes a deep dive in the Oracle case and provides valuable lessons for managing third-party corruption risks.

  • In the SEC’s mind, Oracle is a recidivist, having its second enforcement action case in 10 years.
  • The settlement for $23 million underscored the power of the FCPA provisions, which mandate effective internal controls and accurate books and records, and can be applied to a wide range of conduct beyond foreign bribery, Michael remarks. 
  • The controls that Oracle put in place to prevent improper use of discounts and marketing reimbursements were not effective because there was a lack of compliance culture within the business.
  • The Oracle case is one that should be studied by compliance professionals, Michael believes. It reminds you to look at your own controls that surround discounting and ensure that the necessary documentation is carried out. “No matter what controls you have in place, they still have to be adhered to with a true culture of compliance underneath it as a foundation,” he adds.

 

Resources

SEC Oracle Case

Email Michael: mvolkov@volkovlaw.com

Categories
Blog

Oracle: FCPA Recidivist Part 5 – What Does It All Mean?

In this post, we conclude our exploration of the Foreign Corrupt Practices Act (FCPA) enforcement action involving the now recidivist Oracle Corporation. This enforcement action was concluded with the Securities and Exchange Commission (SEC) resulting in an Order. After having examined the background facts and bribery schemes in some details, we turn to what does it all mean for FCPA enforcement going forward and what lessons can the compliance profession draw from Oracle’s missteps.

Paper Programs Fail

One of the most prominent lessons to be garnered from this matter is that paper compliance programs Do Not Work. That may sound like perhaps the most basic truism in all of compliance but here we are in 2022, looking at a major multinational organization which had a ‘check-the-box’ compliance program around distributors and it eventually bit them in the backside.

After having its first FCPA enforcement action in 2012 involving distributors in India, where deep and unwarranted discounts were used to create a pot of slush funds to pay bribes, Oracle instituted a requirement for a ‘second set of eyes’ outside the business unit for unusual or excessive discounts. According to its policies regarding distributors, a valid and legitimate business reason was required to provide a discount to a distributor. Oracle used a three-tier system for approving discount requests above designated amounts, depending on the product. In the first level, Oracle at times allowed subsidiary employees to obtain approval from an approver in a subsidiary other than that of the employee seeking the discount. At the next level and for higher level of discounts, Oracle required the subsidiary employee to obtain approval from another geographic region and the final level (and for the highest discounts) was from someone at the Oracle corporate headquarters. So far so good.

The problem was there was no requirement for evidence of a business justification to support the requested discount. The Order noted, “Oracle reviewers could request documentary support, Oracle policy did not require documentary support for the requested discounts – even at the highest level.” A statement of why you need a discount without any supporting documents as evidence is simply that – a statement. In other words, there was no way for a higher-level approver to determine if such a request was valid or fraudulent. Ronald Reagan was on to a basic compliance concept when he intoned “Trust, but verify.” Those words still ring true as a basic requirement in any compliance program.

Data Analytics

The Oracle enforcement action emphasized why data analytics is mandatory for any current compliance program. In addition to creating slush funds through discounts to distributors, slush funds were created through fraudulent reimbursement requests for expenses associated with marketing Oracle’s products. If the request were under $5,000, business unit level supervisors at the subsidiaries could approve them without any corroborating documentation indicating that the marketing activity actually took place. In one example from the Order, it noted that an Oracle Turkey sales employees obtained such fraudulent reimbursements totaling approximately $115,200 in 2018 that were “ostensibly for marketing purposes and were individually under this $5,000 threshold.” There was apparently no one looking to see who and how often these reimbursement requests were made by any single employee or approved by any supervisor.

This is as basic a fraud scheme as one can imagine. Think of employee gift, travel and entertainment (GTE) reimbursement where anything over $100 must be preapproved. One BD type or one business unit routinely submits requests after purchases of $99.99 so no preapproval is required. The supervisor approves it, and it is automatically paid to the employee. One reimbursement at $99.99 may not raise a red flag but multiple requests should. The same concept holds true in this situation. However, no one at Oracle was looking at this bigger picture. This is where a data analytics program would pick up such anomalies and flag it for closer inspection and investigation. Oracle appears to have realized this through part of its remediation which included the implementation of a compliance data analytics program moving to proactive auditing.

Internal Control Upgrades

Putting in compliance enhancements to remediate your control failures is a key part to any FCPA enforcement resolution. In this area, there were improvements in the following capacities: (a) in distributor discounting by improving aspects of the Oracle discount approval process and increasing transparency in the product discounting process through the implementation and expansion of transactional controls; (b) in the Oracle procurement process through the increased oversight of, and controls on, the purchase requisition approval process; (c) by the removal of perverse incentives by limiting financial motivations and business courtesies available to third parties; (d) in basic gifts, travel and entertainment policies (GTE) by improving its customer registration and payment checking processes in connection with Oracle technology conferences.

Basic GTE

I cannot believe that in 2022 we are talking about companies that still do not have the most basic GTE policies in force. Since at least 2007, the Department of Justice (DOJ) made clear what was appropriate in business travel, business courtesies and business entertainment. Oracle’s 112 Project decidedly was not as it was designed to appear as a business trip to Oracle’s home office (then in California) related to Oracle’s bid on a project. However, the trip was designed to be a sham to hide boondoggle travel for four government officials. The alleged business meeting at the corporate headquarters lasted only 15 minutes and for the rest of the week, the Oracle BD folks entertained the government officials in Los Angeles and Napa Valley and then took them to a “theme park” in the greater Los Angeles area. Any travel involving government officials or any other covered persons under the FCPA should be submitted to and approved by your compliance function, including costs and the itinerary.

There was much to consider from the SEC enforcement action under the FCPA involving Oracle. We still have not heard from the DOJ. There may be more to come….

Categories
Survive and Thrive

Survive and Thrive – Gifts, Travel, and Entertainment with Thomas Fox and Kortney Nordrum

The FCPA world is littered with enforcement actions against companies for the most basic compliance failures – those around gifts, travel, and entertainment (GTE). Many compliance professionals struggle with issues from GTE: Violations can arise out of anything, from discrepancies between outbound and inbound reporting to simply relying too heavily on the manual process of maintaining spreadsheets.
As your company is considering RTW sometime in fall 2021, you know you will need to remind everyone about why GTE is so critical to compliance. How do you add in an analysis of more efficient business travel, time use, and even whether you need to travel for meetings?

Key points discussed in the episode:
✔️The Gifts, Travel, and Entertainment (GTE) Policy is foundational to a company’s values. GTE touches so many other pieces in a compliance program – COI, anti-corruption, anti-fraud, government contracting, donations/corporate giving, marketing in the healthcare space, etc. Small numbers are essential, and telling the truth about GTE reimbursement is critical to an ethical culture.
✔️Each company has different GTE rules in place – first, you have to take stock of what rules apply to your company and your sales force.
✔️ Look at who you do business with? If your customers are all state governments, that makes it easy – no gifts or entertainment, ever—however, companies operating in several markets may have varying customers. Be aware of what your customers can and cannot accept re: GTE.
✔️ In your organization, build a policy that speaks to your specific obligations. Make it clear that every single gift or entertainment expense must be documented and submitted, and nothing is off-books.
✔️ Include as many examples as possible in your policy – call out specific things that are not allowed (aka DO NOT GIVE ANYONE A FERRARI OR A HOUSE IN THE HAMPTONS…OR A CONGRESSIONAL SEAT).
✔️ Make things much more concrete and give people an idea of what’s appropriate and not appropriate. It is essential to call out cash and cash equivalents to explain better why It is NEVER okay to give cash or equivalents as GTE.
✔️ Train the heck out of the policy – both the broad workforce and the finance team that will be reviewing the invoices and the sales team that will be incurring the expenses. Walk them through expectations and what to watch out for as red flags.
✔️ Use checklists – give the team reviewing invoices a list of what to look for (good and bad) and have them do it (formally or informally) for each invoice.
—————————————————————————-
Welcome to SURVIVE AND THRIVE, the newest addition to the Compliance Podcast Network. This is a podcast where we unpack compliance, crisis disasters and walk you through all the red flags which appear, and give you some lessons learned going forward. This show is hosted by Compliance Evangelist Thomas Fox and Kortney Nordrum, Regulatory Counsel & Chief Compliance Officer, Deluxe Corporation.
Do you have a podcast (or do you want to)? Join the only network dedicated to compliance, risk management, and business ethics, the Compliance Podcast Network. For more information, contact Tom Fox at tfox@tfoxlaw.com.

Categories
31 Days to More Effective Compliance Programs

Internal controls for gifts, travel and entertainment


It is reasonable to expect that internal controls over gifts, travel and entertainment be designed to ensure that they satisfy the criteria as defined in company policies. These are narrow, including a definition of the dollar limit, which must not be exceeded for gifts to be permissible, coupled with some subjective criteria such as the legality of the gifts for the recipient and whether the practice is customary within the country where the gift is delivered. The question I focus on is how to enforce the policies so that employees are not free to disregard them at will?The key analysis is whether there are controls in place to enforce the policies and whether those controls are documented. There are four issues to evaluate:

  1. Is the correct level of person approving the payment/reimbursement for the gift?
  2. Are there specific controls, including signoffs, to demonstrate that the gift had a proper business purpose?
  3. Are the controls regarding gifts sufficiently preventative, rather than relying on detect controls?
  4. If controls are not followed, is that failure detected by other internal controls or the compliance protocols?

Internal controls around gifts can be used in a variety of ways in your best practices compliance program. They can certainly be used to detect an issue and perhaps even prevent an issue from becoming a full-blown FCPA violation, however, by using some of the techniques suggested you can move your compliance program to a proscriptive phase where you not only stop an issue from becoming a violation but through identification, you can move towards remediation as a part of your ongoing compliance efforts. The bottom line is good internal controls make for good business processes; if you can move your compliance program’s internal controls forward, you can help make them a part of your financial controls and thereby have a better run company. 
Three key takeaways:

  1. Gifts, travel and entertainment compliance internal controls are low hanging fruit, pick them.
  2. Compliance internal controls can be both detect and prevent controls.
  3. Good compliance internal controls are good for business.