Categories
Compliance Into the Weeds

Compliance Into The Weeds: Oscar Season and Internal Controls

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds! In this episode, Tom and Matt take a deep dive into a payments and internal controls miasma involving actors Tom Holland and Tom Hollander.

The recent incident involving British actor Tom Hollander, who accidentally received a payment intended for Tom Holland due to a mix-up at their shared talent agency, has brought to light the critical importance of robust accounting controls for payments. Tom emphasizes the need for a second set of eyes to oversee payments and ensure they are going to the correct recipients. He suggests that smaller organizations can implement human review controls, while larger ones may need to rely on technology such as robotic process automation. Matt is highlighting the potential legal and regulatory consequences of sending payments to the wrong recipients. He stresses the need for organizations to demonstrate to regulators that errors are rare and accidental and that they have effective assurance processes in place. Join Tom Fox and Matt Kelly as they delve deeper into this topic in the latest episode of Compliance into the Weeds.

Key Highlights:

  • Payment Mix-up Highlights Importance of Internal Controls
  • Error Prevention and Correction in Payments
  • Mitigating Compliance Risks with Internal Controls

Resources:

Matt on Radical Compliance

Tom 

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Compliance Into the Weeds

Compliance Into The Weeds: The SAP Foreign Corrupt Practices Act Enforcement Action

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds! In this episode, Tom and Matt take a deep dive into the recent Foreign Corrupt Practices Act (FCPA) enforcement action involving the ERP software giant SAP.

The recent $220 million fine imposed on German software giant SAP for violations of the FCPA underscores the critical role of internal audits in maintaining corporate compliance. Despite having a comprehensive FCPA compliance program, SAP’s lack of control over its subsidiaries led to bribery activities, a situation that Tom and Matt believe could have been prevented with a robust internal audit function. Fox emphasized the need for strong internal audits to identify and address issues within different parts of an organization. Similarly, Kelly underscored the importance of internal audits in identifying and rectifying control lapses. To delve deeper into this topic and understand the implications of the SAP case, join Tom Fox and Matt Kelly on this episode of Compliance into the Weeds. 

Key Highlights:

  • The bribery schemes and geographic scope
  • What is culture?
  • Third parties and corruption risks
  • The fine and penalty
  • The comeback
  • Lessons learned for the compliance professional

Resources:

Matt on Radical Compliance

Tom 

Tom on the FCPA Compliance and Ethics Blog

Instagram

Facebook

YouTube

Twitter

LinkedIn

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 15 – Monitoring and Improvement of Internal Controls

What happens when controls are continually overridden? Does that necessarily mean that companies are engaging in activities that violate the FCPA or some other law, such as Sarbanes-Oxley (SOX)? Cristina Revelo said she would start out with some basic questions, such as “How often would something be manually approved? How often are controls skipped? What are the levels of approvals that you have and what is your documentation? What are the reasons? And are you documenting how often a certain department is requiring those overrides?” While it could indicate that a company lacks a culture of compliance or that everything is an emergency, it might mean something else. It might mean that your internal controls need to be evaluated and then recalibrated. The Department of Justice calls this continuous monitoring leading to continuous improvement. Joe Oringel, co-founder of Visual Risk IQ, calls it continuous control monitoring.

However, many compliance professionals, and particularly lawyers, think once a control is in place, it’s set in stone, and it’s there forever. This derives from the unfortunate fact that, once again, many compliance professionals and most lawyers do not understand internal controls. Yet, internal controls, much like the rest of a compliance program, can and should be continually monitored and improved based on information about such things as the number of overrides. Such a review can be evidence of a management problem or a culture of non-compliance at the organization. However, it could be that perhaps the controls need to be adjusted.

Revelo emphasized that it is not simply identifying the issues but remedying them as well, “because that actually might look worse if you identify a lot of issues, but do not fix them. You are better off by remediating everything you are identifying.” From there, you can conduct a root cause analysis as to why there was failure in a control or violation of a compliance procedure. Revelo concluded, “You need to really do that in an in-depth manner and then remediate.”

Three key takeaways:

1. An internal control override is not necessarily a bad thing if proper procedure is followed.

2. Internal controls are not set in stone.

3. The key is to have a process for monitoring the controls and taking input, literally from each line of defense.

To obtain a free White Paper from our sponsor, Ethico, on key compliance issues from 2023, click here.

Categories
Blog

Monitoring and Improvement of Internal Controls

What happens when controls are continually overridden? Does that necessarily mean that companies are engaging in activities that violate the FCPA or some other law such as Sarbanes-Oxley (SOX). Cristina Revelo said she would start out with some basic questions, such as “How often would something be manually approved? How often are controls skipped, what are the level of approvals that you have and what is your documentation? What are the reasons, and are you documenting how often a certain department is requiring those overrides?” While it could indicate that a company lacks a culture of compliance or that everything is an emergency, it might mean something else. It might mean that your internal controls need to be evaluated and then recalibrated. The Department of Justice calls this continuous monitoring leading to continuous improvement. Joe Oringel, co-founder of Visual Risk IQ, calls it continuous controls monitoring.

However, many compliance professionals, and particularly lawyers, think once a control is in place, it’s set in stone, and it’s there forever. This derives from the unfortunate fact that once again many compliance professionals and most lawyers do not understand internal controls. Yet, internal controls, much like the rest of a compliance program can and should be continually monitored and continually improved based on the information about such things as the number of overrides. Such a review can be evidence of a management problem or a culture of non-compliance at the organization. However, it could be that perhaps the controls need to be adjusted.

How do you assess and then update your internal controls? Companies should also think about updating and reviewing their controls at least annually. In this manner, they can identify any violations of their internal controls. It also allows a deep dive into any specific areas of control failures. Another approach would be more robust controls through greater monitoring of your controls. For example, you could review your controls quarterly to allow you to spot any trends that are moving in the wrong direction. You can even start out by having your compliance function perform a self-review of its controls and test exemplar transactions. This is not a full-blown audit but simply desktop testing to make sure controls are being properly followed. Once again, simply because there is a control override or excessive use of a compensating control does not mean something is illegal. It may mean that the control is not working as it was designed.

Revelo said it could be an instance of “too short an approval time period and employees need a little bit longer because depending on their industry or how business works. This also helps to both identify frustrations from employees where there is a control, but every time it needs to be executed, it is impossible for me to do, or it’s impossible for me to comply with it a hundred percent.” These quarterly reviews can then be collated into an annual report for review and assessment and the report can form the basis of an annual report to the Compliance Committee of the Board of Directors or even the full Board.

The key is to have a process for monitoring the controls and taking input, literally from each line of defense. If a control is overridden too often, you need to change it. If a control is ineffective, you can use that information to craft a new internal control. Internal controls are not static, but dynamic and, with proper oversight, you can set up internal controls and literally improve them with appropriate documentation. (Hint-Document, Document, and Document.)

Revelo emphasized that it is not simply identifying the issues but remedying them as well “because that actually might look worse if you identify a lot of issues, but do not fix them. You are better off by remediating everything you are identifying.” From there you can conduct a root cause in that analysis as to why there was failure in a control or violation of a compliance procedure. Revelo concluded, “you need to really do that in an in-depth manner and then remediate.”

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 14 – Internal Controls

What are internal controls? The best definition I have come across is from Jonathan Marks, partner at BDO, who defined internal controls as:

An internal control is an action or process of interlocking activities designed to support the policies and procedures detailing the specific preventative, detective, corrective, directive, and corroborative actions required to achieve the desired process outcomes or objectives. This, along with continuous auditing, continuous monitoring, and training, reasonably assures:

• The achievement of the process objectives linked to the organization’s objectives;

• Operational effectiveness and efficiency;

• Reliable (complete and accurate) books and records (financial reporting);

• Compliance with laws, regulations and policies; and

• The reduction of risk fraud, waste, and abuse, which aids in the decline of process and policy variation, leading to more predictive outcomes.

The bottom line is that internal controls are just good financial controls. The internal controls that detail requirements for third-party representatives in the compliance context will help to detect fraud, which could well lead to bribery and corruption. As an exercise, map your existing internal controls to the Hallmarks of an Effective Compliance Program or some other well-known anti-corruption regime to see where gaps may exist. This will help you determine whether adequate internal compliance controls are present in your company. From there, you can move on to see if they are working in practice.

Three key takeaways:

1. Effective internal controls are required under the FCPA

2. Internal controls are a critical part of any best practices compliance program

3. There are four significant controls for the compliance practitioner to implement initially. (a) Delegation of authority (DOA); (b) Maintenance of the vendor master file; (c) Contracts with third parties; and (d) Movement of cash or currency

Categories
Blog

Internal Controls

What are internal controls? The best definition I have come across is from Jonathan Marks, partner at BDO, who defined internal controls as:

An internal control is an action or process of interlocking activities designed to support the policies and procedures detailing the specific preventative, detective, corrective, directive and corroborative actions required to achieve the desired process outcomes or the objectives(s). This, along with continuous auditing, continuous monitoring and training reasonably assures:

The achievement of the process objectives linked to the organization’s objectives;

Operational effectiveness and efficiency;

Reliable (complete and accurate) books and records (financial reporting);

Compliance with laws, regulations and policies; and

The reduction of risk-fraud, waste and abuse, which, aids in the decline of process and policy variation, leading to more predictive outcomes.

What specifically are internal controls in a compliance program? The starting point is the FCPA itself, which requires issuers to devise and maintain a system of internal controls that can reasonably assure:

1. Transactions are executed in accordance with management’s general or specific authorization;

2. Transactions are recorded as necessary (I) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (II) to maintain accountability for assets;

3. Access to assets is permitted only in accordance with management’s general or specific authorization; and

4. The recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences.

The DOJ and SEC, in the 2020 FCPA Resource Guide, 2nd edition, stated:

Internal controls over financial reporting are the processes used by companies to provide reasonable assurances regarding the reliability of financial reporting and the preparation of financial statements. They include various components, such as: a control environment that covers the tone set by the organization regarding integrity and ethics; risk assessments; control activities that cover policies and procedures designed to ensure that management directives are carried out (e.g., approvals, authorizations, reconciliations, and segregation of duties); information and communication; and monitoring. … The design of a company’s internal controls must take into account the operational realities and risks attendant to the company’s business, such as: the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption.

This was supplemented in the 2023 ECCP, with a pair of pointed questions: whether a company has made significant investigation into its internal controls and have they been tested, then remediated based upon the testing?

The whole concept of internal controls is that companies need to focus on where the risks—compliance or otherwise—are and then allocate their limited resources to putting controls in place that address those risks. In the compliance world, of course, your two biggest risks are 1) company assets or resources, marketing expenses, petty cash or other sources of funds being used to pay a bribe, and 2) diversion of company assets, such as unauthorized sales discounts or receivables and write offs used to pay a bribe.

There are four significant controls for the compliance practitioner to implement initially. They are:

1. Delegation of authority (DOA);

2. Maintenance of the vendor master file;

3. Contracts with third parties; and

4. Movement of cash/currency.

Your DOA should reflect the impact of compliance risk including both transactions and geographic location so that a higher level of approval for matters involving third parties, for fund transfers and invoice payments to countries outside the US would be required inside your company.

Next is the vendor master file, which can be a powerful preventative control tool largely because payments to fictitious vendors are one of the most common occupational frauds. The vendor master file should be structured so that each vendor can be identified not only by risk level but also by the date on which the vetting was completed and the vendor received final approval. There should be electronic controls in place to block payments to any vendor for which vetting has not been approved. Internal controls are needed over the submission, approval, and input of changes to the vendor master file.

Contracts with third parties can be a very effective internal control that works to prevent nefarious conduct rather than simply as a detect control. For contracts to provide effective internal controls, however, relevant terms of those contracts—including, for instance, the commission rate, reimbursement of business expenses, use of subagents, etc.,—should be made available to those who process and approve vendor invoices.

All situations involving the movement of cash or transfer of monies outside the US—including such methods as computer checks, manual checks, wire transfers, replenishment of petty cash, loans, and advances—should be reviewed from the compliance risk standpoint. This means identifying the ways in which a country manager or a sales manager could cause funds to be transferred to their control and to conceal the true nature of the use of the funds within the accounting system.

To prevent these types of activities, internal controls need to be in place. All wire transfers outside the US should have defined approvals in the DOA. The persons who execute the wire transfers should be required to evidence agreement of the approvals to the DOA, and wire transfer requests going out of the US should always require dual approvals. Lastly, wire transfer requests going outside the US should be required to include a description of proper business purpose.

The bottom line is that internal controls are just good financial controls. The internal controls that detail requirements for third-party representatives in the compliance context will help to detect fraud, which could well lead to bribery and corruption. As an exercise, map your existing internal controls to the Hallmarks of an Effective Compliance Program or some other well-known anti-corruption regime to see where gaps may exist. This will help you to determine whether adequate compliance internal controls are present in your company. From there you can move to see if they are working in practice.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 3 – 2023 Evaluation of Compliance Programs: Messaging Apps, Internal Controls and Adequate Compensation

Messaging Apps

There was a significant addition to the language around messaging apps. The ECCP opened this section by noting, “Messaging applications have become ubiquitous in many markets and offer important platforms for companies to achieve growth and facilitate communication.” For any company under investigation or in a FCPA enforcement action, the DOJ will evaluate its “policies and mechanisms for identifying, reporting, investigating, and remediating potential misconduct and violations of law governing the use of personal devices, communications platforms, and messaging applications, including ephemeral messaging applications.”

Internal Compliance Controls

Under Section II, entitled Is the Corporation’s Compliance Program Adequately Resourced and Empowered to Function Effectively?  We find the new language, “In this regard, prosecutors should evaluate a corporation’s method for assessing and addressing applicable risks and designing appropriate controls to manage these risks.” This simple sentence packs quite a punch as it requires both appropriate internal compliance controls and then monitoring of those controls to see if they are managing the risks identified in the risk assessment.

Adequate Compensation and Salary/Bonus Review for Compliance

Under Section III, there is a significant new addition to the ECCP. It forces a company to adequately compensate those employees who investigate and pass judgment on misconduct. But it is more than simply adequate compensation, as it also requires a company not to retaliate via low salaries, limited raises, or other compensation for doing their jobs as compliance officers. In other words, if the CEO is being investigated by compliance, that same CEO should not be setting or reviewing the salary of the CCO or those doing the investigation. This mandates that the DOJ review the entire corporate organization on these issues.

Three key takeaways:

1. Communications compliance will be a key issue for compliance professionals going forward in 2024.

2. You must have both appropriate internal controls and ensure they are functioning.

3. In addition to adequate resources, a compliance function must be shown to adequately pay, promote, and protect those involved in compliance investigations.

Categories
Blog

Nicholas Latham on Implementing Frameworks for Effective Risk Management in Organizations

I recently had the opportunity to visit with folks from Diligent. We look down the road at key issues in 2024 in a podcast series sponsored by Diligent entitled Compliance Professionals Adapting to Change: Industries, Regulations, and Beyond. I could chat with Nicholas Latham, Renee Murphy, Jessica Czeczuga, Yee Chow, and Alexander Cotoia. Over this series, we discussed compliance communications in regulated industries, managing conflicts of interest at the Board level, the Board’s role in compliance training and communications, navigating the current ESG landscape, and professional growth and mentorship in compliance. In this first blog post, we discuss accounting and risk management frameworks.

One of the key topics discussed in the episode was the importance of risk assessment frameworks in identifying and mitigating organizational risks. Latham highlighted two widely used frameworks, the COSO Framework for Internal Controls and ISO 31,000, which both provide a comprehensive approach to risk management. These frameworks help organizations establish effective communication processes and gain a holistic view of risk across different departments.

The COSO Framework for Internal Controls focuses on enterprise risk management. It emphasizes the need to assess an organization’s control environment, determine risk appetite, and identify crucial risks for the business’s success. Information and communication processes, including training and monitoring activities, are built around these assessments to ensure effective risk management.

We next discussed the relevance of the “Single Pane of Glass” concept, often associated with the COSO Framework for Internal Controls. This concept provides a unified view of an organization’s operations and risk management, flattening hierarchical structures and promoting transparency. By implementing this approach, executives and leaders can comprehensively understand what is happening across the organization rather than just within individual departments.

We noted the challenges associated with compliance communication issues, particularly in e-communications. Latham emphasized the importance of setting the tone at the top, with executive leadership emphasizing the criticality of compliance and its impact on the organization and its customers. Training plays a crucial role in ensuring compliance, but Latham noted that the amount and frequency of training in today’s environment may not be sufficient. He stressed the need for organizations to step up their training efforts and be prepared for increasingly stringent regulatory scrutiny.

Monitoring e-communications poses a significant challenge due to the sheer volume of interactions. Latham suggested leveraging artificial intelligence (AI) to analyze a larger communications sample and identify potential risks. This approach could help organizations identify improper processes, training gaps, or script issues that may contribute to compliance breaches.

As a compliance professional, your understanding of risk assessment frameworks, such as the COSO Framework for Internal Controls and ISO 31,000, highlights the importance of comprehensive risk management practices. The “Single Pane of Glass” concept and the challenges associated with compliance communication issues provide valuable guidance for organizations navigating the complex risk and compliance landscape. As regulatory scrutiny continues to increase, compliance professional’s expertise will continue to serve as a valuable resource for organizations seeking to enhance their risk management practices and ensure compliance in an ever-evolving technological landscape.

Ready for Purpose-Driven Compliance? Diligent equips leaders with the tools to build, monitor, and maintain an open, transparent ethics and compliance culture. For more information and to book a demo, visit Diligent.com

Join us tomorrow when we consider conflicts of interest at the Board of Directors.

Categories
Everything Compliance

Everything Compliance – The Albemarle Edition

Welcome to the only roundtable podcast in compliance as we celebrate our second century of shows. In this episode, we have the quartet of Jay Rosen, Jonathan Armstrong, Matt Kelly, and special guests Karen Moore and Kristy Grant-Hart, with Tom Fox hosting. Our topic today (with the exception of Mr. Armstrong) is the recently announced Albemarle FCPA enforcement action with both the DOJ and SEC. We conclude with our always popular and fan-favor Shout Outs and Rants.

1. Matt Kelly provides an overview of the enforcement action. He rants about former House Speaker Kevin McCarthy and the GOP’s desire for chaos rather than governing.

2. Guest Karen Moore takes a deep dive into the SEC FCPA enforcement action involving Albemarle. She rants about lawyer fees over $2000+ per hour.

3. Tom Fox shouts out to the MLB playoffs and pays tribute to Dick Butkus.

4. Guest Kristy Grant-Hart takes a deep dive into the holdback provision noted in the DOJ enforcement action.

5. Jonathan Armstrong reviews CEOs misbehaving and the corporate response. He shouts out Kortney Nordrum for her presentation on what it is like to go through a data breach.

The members of the Everything Compliance are:

•       Jay Rosen– Jay is Vice President of Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com

•       Karen Woody – One of the top academic experts on the SEC. Woody can be reached at kwoody@wlu.edu

•       Matt Kelly – Founder and CEO of Radical Compliance. Kelly can be reached at mkelly@radicalcompliance.com

•       Jonathan Armstrong –is our UK colleague, who is an experienced data privacy/data protection lawyer with Cordery in London. Armstrong can be reached at jonathan.armstrong@corderycompliance.com

•       Jonathan Marks can be reached at jtmarks@gmail.com.

•       Special Guest Kristy Grant-Hart is the founder of Spark Consulting.

•       Special Guest Karen Moore is an Adjunct Professor at Fordham University School of Law

The host and producer, ranter (and sometimes panelist) of Everything Compliance is Tom Fox, the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the Compliance Podcast Network.

Categories
Blog

Albemarle FCPA Enforcement Action: Part 5 – Lessons Learned

Over the past several blog posts, I have been exploring the Albemarle FCPA enforcement action.  We have explored in some detail the DOJ Non-Prosecution Agreement (NPA) and the SEC Administrative Order(Order). In this final blog post on the series, I want to suss out some lessons for the compliance professional.

Consequence Management

When Kenneth Polite announced the Pilot Program in conjunction with the 2023 Evaluation of Corporate Compliance Programs (ECCP), the focus was largely on clawbacks. However, the relevant section in the ECCP was entitled “Consequence Management,” indicating a broader focus on both incentives to do business ethically and in compliance as well as disincentives. The ECCP asked a series of questions:

  • Has the company considered the impact of its financial rewards and other incentives on compliance?
  • Has the company evaluated whether commercial targets are achievable if the business operates in a compliant and ethical manner?
  • What role does the compliance function have in designing and awarding financial incentives at senior levels of the organization?
  • How does the company incentivize compliance and ethical behavior? What percentage of executive compensation is structured to encourage enduring ethical business objectives?
  • Are the terms of bonus and deferred compensation subject to cancellation or recoupment, to the extent available under applicable law, in the event that non-compliant or unethical behavior is exposed before or after the award was issued?
  • Does the company have a policy for recouping compensation that has been paid where there has been misconduct?
  • Have there been specific examples of actions taken (e.g., promotions or awards denied, compensation recouped, or deferred compensation canceled) as a result of compliance and ethics considerations?

The NPA noted that Albemarle engaged in holdbacks, as they did not pay bonuses to certain employees involved in the conduct or those who had oversight. The NPA stated, “The Company withheld bonuses totaling $763,453 during its internal investigation from employees who engaged in suspected wrongdoing.” The illegal conduct involved those who “(a) had supervisory authority over the employee(s) or business area engaged in the misconduct; and (b) knew of, or were willfully blind to, the misconduct.” The significance of this effort was vital as it qualified Albemarle for an additional fine reduction of a dollar-for-dollar credit of the amount of the withheld bonuses under the Criminal Division’s March 2023 Compensation Incentives and Clawbacks Pilot Program.

Indeed, Deputy Attorney General Lisa Monaco, in a recent speech, said, “The pilot program also rewards companies that claw back or withhold incentive compensation from executives responsible for misconduct – or attempt to do so in good faith. For every dollar that a company claws back or withholds from an employee who engaged in misconduct – or a supervisor that knew of or turned a blind eye to it – the Department will deduct a dollar from the otherwise applicable penalty that the resolving company would pay.”

She specifically cited the Albemarle FCPA resolution, where “the company received a clawback credit for withholding bonuses of employees who engaged in misconduct. Not only did Albemarle keep the bonuses that would have gone to wrongdoers, but the company also received an offset against its penalty for the same amount. That’s money saved for Albemarle and its shareholders – and a concrete demonstration of the value of clawback programs.”

 Remediation During Investigation

The NPA cited several remedial actions by the company that helped Albemarle obtain the superior result in terms of the discounted fine and penalty. These steps were taken during the pendency of the DOJ investigation so that when the parties were ready to resolve the matter, Albemarle had built out an effective compliance program and had tested it. The NPA provided that Albemarle:

  • Strengthening its anti-corruption compliance program by investing in compliance resources, expanding its compliance function with experienced and qualified personnel, and taking steps to embed compliance and ethical values at all levels of its business organization;
  • Transformed its business model and risk management process to reduce corruption risk in its operation and to embed compliance in the business, including implementing a go-to-market strategy that resulted in eliminating the use of sales agents throughout the Company, terminating hundreds of other third-party sales representatives, such as distributors and resellers, and shifting to a direct sales business model;
  • Provided extensive training to its sales team and restructured compensation and incentives so that compensation is no longer tied to sales amounts;
  • Used data analytics to monitor and measure the compliance program’s effectiveness and
  • We are engaged in continuous testing, monitoring, and improvement of all aspects of its compliance program, beginning almost immediately following the identification of misconduct.

Two of the factors are relatively new and certainly are noteworthy for the compliance professional. The first is the change in the company’s approach to sales and their sales teams. Obviously, it was corrupt third-party agents that brought the company to such FCPA grief. Many of the quotes in the NPA and Order make it clear that Albemarle executives had an aversion to paying bribes but had greater moral flexibility when a third-party agent was involved. This led to the company moving away from third-party agents to a direct sales force.

Moving to a direct sales force does have its risks, which must be managed, but those risks can certainly be managed with an appropriate risk management strategy, monitoring of the strategy, and improvement; those risks can be managed. Yet there is another reason, and more importantly, a significant business reason, to move towards a direct sales business model. Every time you have a third-party agent or anyone else between you and your customer, you risk losing that customer because your organization does not have a direct relationship with the customer. By having a direct sales business model, your organization will have a direct relationship with your customer and, therefor, the ability to develop it further.

The NPA also specifically called out the Company’s use of data analytics in two ways. The first was to monitor the Company’s compliance program, and the second was to measure the compliance program’s effectiveness. While this language follows a long line of DOJ pronouncements, starting with the 2020 Update to the Evaluation of Corporate Compliance Programs, about the corporate compliance functions’ access to all company data, this is the first time it has been called out in a settlement agreement in this manner. Moreover, although not specifically tied to the lack of a required corporate Monitor, it would appear that by using data analytics, Albemarle was able to satisfy the DOJ requirement for implementing controls and then effectively testing them throughout the pendency of the DOJ investigation.

Internal Controls Over Commission Increases

According to the SEC Order, the Company failed to devise and maintain a sufficient system of internal accounting controls with respect to commission rates and deviations from contracted rates. In other words, even though there were internal controls in place for the setting of third-party agents’ commissions, they could be overridden at will. The Order concluded by noting, “As a result, sales personnel were able to increase agents’ commission rates in multiple countries – including Vietnam, India, China, and UAE – despite certain Albemarle personnel having knowledge of red flags indicating the agents would use a portion of the commission to make bribe payments to obtain contracts, influence tender specifications, or obtain nonpublic information concerning competitors’ bids.”

Every compliance professional should review their company’s controls over agents’ commission rates to make sure the business unit personnel alone cannot raise commission rates. While business units can always make the business case, this enforcement action drives home the message that the compliance function is not ‘one and done’ when an agent is approved but must be monitored throughout the third-party relationship lifecycle. Any requested change to a commission rate must go through the same analysis and approval process as the original approval.

Timely Self-Disclosure

There was a significant discussion in the NPA around Albemarle’s voluntary self-disclosure to the DOJ. However, NPA noted that “the disclosure was not “reasonably prompt” as defined in the Criminal Division Corporate Enforcement and Voluntary Self-Disclosure Policy and the U.S. Sentencing Guidelines.” The NPA reported that Albemarle learned of allegations regarding possible misconduct in Vietnam approximately 16 months before disclosing it to the DOJ. Interestingly, the SEC Order only stated, “Albemarle made an initial self-disclosure to the Commission of potential FCPA violations in Vietnam following its completion of an internal investigation of such conduct and, at the same time, self-reported potential violations it was investigating in India, Indonesia, and China. Albemarle later self-disclosed to the Commission potential violations in other jurisdictions as part of an expanded internal investigation.”

This meant the self-disclosure “was not within a reasonably prompt time after becoming aware of the misconduct in Vietnam,” and it means that Albemarle did not meet the standard for voluntary self-disclosure under the Criminal Division Corporate Enforcement and Voluntary Self-Disclosure Policy. While the DOJ “gave significant weight” to the Company’s voluntary, even if untimely, disclosure of the misconduct, it is undoubtedly cautionary.

What the DOJ wants is self-disclosure as soon as possible. One only needs to recall the case of Cognizant Technologies, where the company received a complete Declination where there were allegations of C-Suite involvement in the bribery schemes. This Declination was provided in large part because the company made its self-disclosure only two weeks after the information filtered up to the Board of Directors. While Cognizant Technologies may be the gold standard, it shows that if a company timely self-discloses, it can be considered for a full Declination.

The Albemarle FCPA resolution documents are chocked full of solid information that every compliance professional can use in the future. They are well worth a deep dive—finally, a kudos to Albemarle for obtaining this superior result.