Categories
Blog

Albemarle FCPA Enforcement Action: Part 4 – Internal Control Failures

Albemarle Corporation (Albemarle) recently agreed to pay more than $218 million to resolve investigations by the U.S. Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) into violations of the Foreign Corrupt Practices Act (FCPA) stemming from Albemarle’s participation in corrupt schemes to pay bribes to government officials in multiple foreign countries. We have explored in some detail the DOJ Non-Prosecution Agreement (NPA). Today, I wanted to consider specifically some of the company’s failures, which were detailed in the SEC Administrative Order (Order).

Corporate Structure

At the time of the violations, Albemarle had three business units “corresponding to its primary product markets: catalysts (which contained the Refining Solutions business), lithium, and bromine. The Refining Solutions business developed and sold catalysts to oil refineries through sales offices and intermediaries around the world. The President of the Refining Solutions GBU reported directly to Albemarle’s Chief Executive Officer. Albemarle centrally coordinated its compliance, legal, finance, contracting, and internal audit functions.”

The Refining Solutions business was further broken down into four operating units. It included “Albemarle Catalysts Company B.V. in the Netherlands (“Albemarle Netherlands”); Albemarle Singapore Pte. Ltd in Singapore (“Albemarle Singapore”); Albemarle Chemicals (Shanghai) Co. Ltd. in China (“Albemarle China”); and Albemarle Middle East FZE in the UAE (“Albemarle Middle East”) (each, an “Albemarle Subsidiary,” and together, the “Albemarle Subsidiaries”). Albemarle also used sales agents to sell refinery catalysts in Vietnam, India, Indonesia, China, and the UAE.” A most exciting nugget detained in the Order revealed that “the sales agents in Indonesia and China were also retained as distributors.”

Finally, the Company “exercised control over the sales activities of the Albemarle Subsidiaries, which acted as agents for Albemarle when retaining agents to sell catalysts globally. Albemarle officers served on the Albemarle Subsidiaries’ boards of directors and held signatory authority over bank accounts at local branches of both U.S. and non-U.S. banks, used to pay sales intermediaries in the relevant countries. Albemarle sold refinery catalysts globally through agents and distributors approved by Albemarle sales, business, legal, compliance, and finance personnel and management.” 

Internal Audit-Reporting Deficiencies

In perhaps the most damning phase of the Order, the SEC detailed how the Company’s internal audit function had raised the issue of insufficient controls multiple times, stating “Despite the known risks posed by Albemarle’s reliance on third-party sales agents and distributors in the sale of catalyst products to state-owned and -controlled oil refineries, Albemarle failed for many years to institute sufficient compliance systems and devise and maintain a sufficient system of internal accounting controls concerning the retention, payment, and oversight of these intermediaries.”

These included a series of internal audit reports in 2013, 2015, and 2016, all of which identified multiple gaps in Albemarle’s internal accounting controls with respect to the Refining Solutions business’s use of intermediaries. These reports set out a series of internal control deficiencies and failures, including that sales agents and distributors were paid:

  1. With incomplete due diligence,
  2. With a lack of executed contracts,
  3. With contracts that lacked required anti-corruption provisions;
  4. At not simply higher than market rates but at rates higher than those provided for by contract.

All of this was done in contravention of Albemarle’s policies and procedures.

Internal Audit-Recommendations

Yet, the internal audit did more than report deficiencies; it also made recommendations. As far back as 2013, the internal audit team recommended that Albemarle establish a comprehensive program specifically to manage and monitor the entire life cycle for intermediaries. The Order noted that “While Albemarle hired compliance personnel, reduced the number of sales agents and distributors without contracts, and implemented software to assist in third-party onboarding and contracting,” it failed to devise and maintain a sufficient system of internal accounting controls with respect to commission rates and deviations from contracted rates. In other words, even though there were internal controls in place, apparently, they could be overridden at will.

The Order concluded by noting, “As a result, sales personnel were able to increase agents’ commission rates in multiple countries – including Vietnam, India, China, and UAE – despite certain Albemarle personnel having knowledge of red flags indicating the agents would use a portion of the commission to make bribe payments to obtain contracts, influence tender specifications, or obtain nonpublic information concerning competitors’ bids.”

Internal Control Failures

The Order detailed a series of internal control failures by the Company across multiple business units in several different countries. The entire story paints a picture of a company that certainly did not have a culture of doing business ethically and in compliance.

In Vietnam, the Company “Agent was hired in 2012 at a 4.25 percent commission rate that Albemarle’s sales representative viewed as high for the region, and Albemarle approved an increase to Vietnam Agent’s commission to 6.5 percent in 2015 despite emails reflecting a high probability additional funds would be used to bribe Vietnamese government officials.” The Order went on to note, “Albemarle’s system of internal accounting controls was insufficient to prevent or detect these improper payments, which Albemarle Singapore falsely recorded as legitimate commissions in books and records that were consolidated into Albemarle’s financial statements.”

In India, multiple red flags emerged during Albemarle’s due diligence process. The India Agent claimed that its board of directors included two former senior India State-Owned Customer officials and Albemarle already had a sales agent in India. An Albemarle Subsidiary regional director alerted an Albemarle sales executive who was employed directly by Albemarle and based in the United States, of his understanding, based on a July 2009 call with an India Agent, that the agent would make corrupt payments to keep Albemarle in the bidding process. Additionally, “Albemarle increased India Agent’s commission in 2010 (via a backdated agreement) and again in 2012. A July 2014 email from an Albemarle Europe sales executive to India Agent described the commissions as “extremely high” and “far from any possible realistic justification.” Finally, “The agreement called for payment of a three percent commission to India Agent, a rate three times higher than that paid to Albemarle’s existing agent for India.”

In Indonesia, the Agent requested a commission increase expressly to fund bribes to Indonesia State-Owned Customer officials. Moreover, “Although Albemarle sales personnel declined to increase the commission and reportedly told Indonesia Agent that Albemarle did not conduct business via bribery, they did not report concerns to their supervisors, Legal, or Compliance personnel or take any steps to terminate the agency relationship. Instead, Albemarle made contractual commission payments and certain extra-contractual expense reimbursements to Indonesia Agent throughout 2013 in connection with a contract Indonesia State-Owned Customer awarded to Albemarle in April 2013. A portion of these funds was used to pay bribes.  Albemarle’s system of internal accounting controls was insufficient to prevent or detect the improper payments made to and through Indonesia Agent, which Albemarle Singapore falsely recorded as legitimate commissions and business expenses in books and records that were consolidated into Albemarle’s financial statements.”

In China, although business unit employees knew of the proposed agent’s familial relationship with the relevant government official, they failed to report it internally. Then, the Company’s compliance department’s due diligence revealed that China Agent had no website and was authorized to do business only a few weeks before China Agent’s Principal first met with Albemarle personnel. Despite these red flags, Albemarle retained the China Agent. When an Albemarle business director questioned China Agent’s compensation as “high,” an Albemarle Netherlands business director replied that he anticipated large returns on the contract. In February 2014, Albemarle agreed to increase the China Agent’s commission if it obtained higher prices from the customer. In August 2016, Albemarle China further increased the commission rate.

Finally, in the UAE, the Company did not conduct due diligence on the agent until after the agent agreement had been executed. After this initial contract was executed, a second agent was also contracted for illicit purposes. The deal with the original Agent was amended in 2013 to increase its commission by one percent — the same amount the Agent agreed to pay to the second agent, “UAE Consultant.” The UAE Consultant provided no discernable services other than conveying confidential tender evaluations and competitors’ bids obtained from the refinery and the EPC firm. In addition to commissions that Albemarle paid to the agent, Albemarle paid the agent undefined “administrative charges” equal to ten percent of its invoices for customs clearance and other non-sales services.

The SEC Order lays out in greater detail how the Company’s internal controls were circumvented. It also detailed some of the specific language in emails, which cleared denoted coded language around the payment of bribes.

Join us tomorrow to review some of the key lessons learned.

Categories
Compliance Into the Weeds

Compliance into the Weeds: Messaging App Enforcement and Internal Controls

The award-winning, Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject more. Looking for some hard-hitting insights on sanctions compliance? Look no further than Compliance into the Weeds! In this episode, Tom and Matt consider the recent SEC and CFTC enforcement actions around messaging app non-compliance.

Join Tom and Matt as they take a deep dive into the enforcement actions and then consider how such claims would impact non-regulated industries. Regulated industries, particularly broker-dealer firms like Wells Fargo and Morgan Stanley, are facing enforcement actions and hefty fines for their employees’ use of messaging apps like WhatsApp and Snapchat that allow record preservation to be disabled. The involvement of senior managers in these misconducts has prompted the SEC to require an independent compliance consultant in settlements.

The conversation between Tom and Matt emphasizes the importance of messaging policies and procedures in regulated industries and the need for stricter compliance measures. They also discuss the complexities and potential consequences of record-keeping obligations and the regulatory concerns over the use of messaging apps. The conversation briefly touches on the future of AI chatbots in customer service, with differing perspectives on their ethical implications. Overall, the conversation highlights the significance of messaging policies, enforcement, and compliance in regulated industries.

Key Highlights

·      Enforcement Actions Against Regulated Industries

·      Enforcement actions and messaging policies

·      Record-keeping obligations for broker dealers and other industries

·      Regulatory concerns over the use of messaging apps

·      Internal Controls and non-regulated industries

 Resources

Matt 

LinkedIn

Blog Post in Radical Compliance

No Smoke and No Fire: The Rise of Internal Controls Absent Anti-Bribery Violations in FCPA Enforcement by Karen Woody in Cardoza Law Review

Tom 

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Compliance Man Chooses the Target

Compliance Man Takes a Eurotrip – Piotr Żyłka on Poland’s Compliance Revolution

Compliance Man is back for a new season! Get ready for a EuroTrip with Tom Fox and Tim Khasanov-Batirov on their hit podcast, Compliance Man! Join Tom Fox and co-host Timur Khasanov-Batirov on a Euro trip as they delve into the world of Poland’s Compliance Revolution with guest Piotr Żyłka.

The implementation of the Whistleblowing Directive and the Corporate Sustainability Due Diligence Directive into the Polish Legal System could be a major step forward in the fight against corruption. Tom Fox and Tim Khasinov-Batirov had a conversation with Piotr Żyłka, an author of the It’s All About Compliance blog, publisher, and compliance platform in Europe, to discuss the Polish compliance scene and the need for a Polish FCPA. Piotr discussed the banking law requirements, the DOJ guidelines, the New York City Bar Association paper, and the influence of foreign companies on compliance controls in Poland. He also highlighted the need for trainings, engagement of top management, and internal controls like KYC. Tom and Tim thanked Piotr for his time and knowledge and invited him to come back on the podcast to share his views.

Key Highlights

·      Internal Controls in Poland

·      Compliance in Poland

·      Sanctions Compliance

·      A Polish FCPA Needed?

 Resources

Piotr Żyłka on LinkedIn

It’s All About Compliance

Tim Khasanov-Batirov on LinkedIn

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Compliance Man Chooses the Target

Compliance Man Takes a EuroTrip – Alex Movchan on Internal Controls in the EU

Compliance Man is back for a new season! Get ready for a EuroTrip with Tom Fox and Tim Khasanov-Batirov on their hit podcast, Compliance Man! Join Tom Fox and co-host Tim Khasanov-Batirov on a Euro trip as they delve into the world of internal controls in Europe, with special guest Alex Movchan, president of the Institute for Internal Controls in Central Europe and chief risk officer at a global medical device company. They discuss internal control strategies and best practices, including SOX and COSO frameworks, the importance of IT general controls, and adapting to changes in the market. The episode also explores the challenges of merging companies with different internal control frameworks, tailoring internal controls to specific country offices, and promoting compliance initiatives to top management.

Don’t miss out on this insightful conversation about compliance and risk management. Tune in to the “Compliance Man: Eurotrip-Internal Controls in Europe,” hosted by Tom Fox and Tim Khasanov-Batirov.

Key Highlights:

  • Internal Controls in Different Regions
  • Importance of Internal Controls in Emerging Markets
  • Compliance Frameworks in Europe
  • Updating Internal Control Frameworks in Response to ESG
  • Structuring Internal Controls for Decision-making Mechanisms
  • Importance of Compliance Officer and Internal Control Collaboration

Notable Quotes:

“Internal controls are the backbone of every compliance program; what we need is to have control over the situation, which means that you have to have internal controls in place.”

“When it comes to private owners and family-owned business, this is like a very different owner to owner.”

“We need to adapt faster as the internal controls professionals and as business managers, we need to update to the changes faster because the ones who update faster, the internal control frameworks, will be on the top of the markets.”

“Half of the companies just don’t know how to start.”

 Resources:

Alex Movchan on LinkedIn

Tim Khasanov-Batirov on LinkedIn

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Compliance Into the Weeds

Compliance into the Weeds: A Material Weaknesses Catastrophe

The award-winning, Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. Looking for some hard-hitting insights on sanctions compliance? Look no further than Compliance into the Weeds!

In this episode, co-hosts Tom Fox and Matt Kelly dissect a disastrous 10k report filed by Ammo Incorporated, exposing the company’s shocking governance and compliance breakdown. The lack of personnel, internal control processes, and proper segregation of duties are just some of the material weaknesses that led to this corporate disaster. The hosts provide insightful lessons on what companies should avoid to maintain internal governance, share tips on approaching remediation, and emphasize the importance of self-awareness among senior management and the board. Tune in to hear how this niche investigative story was uncovered, and how Twitter played a crucial role in the investigation. Don’t miss Compliance into the Weeds – the podcast that will change the way you think about governance and compliance!

 Key Highlights 

·      Material weaknesses in internal governance practices

·      Material weaknesses in operations at Ammo

·      Challenges with Ammo Inc.’s strategic shift and internal controls

·      Remediating Company Failures: Story’s Disclosure

 Resources

Matt 

LinkedIn

Blog Post in Radical Compliance

Tom 

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program with Boards – The Board as an Internal Control

James Doty, former Commissioner of the Public Company Accounting Oversight Board (PCAOB) was once asked if the Board or its sub-committee which handles audits was a part of a company’s internal financial controls. He answered that yes, he believed that was one of the roles of an Audit Committee or full Board. I had never thought of the Board as an internal control but the more I thought about it, the more I realized it was an important insight for any Chief Compliance Officer or compliance practitioner as it also applies to compliance internal control.
In the FCPA Resource Guide, 2nd edition, in the Hallmarks of an Effective Compliance Program, there are two specific references to the obligations of a Board. The first is in Hallmark No. 1, which states, “Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.” The second is found under Hallmark No. 3, entitled “Oversight, Autonomy and Resources”, where it discusses that the CCO should have “direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors (e.g., the audit committee).” Further, under the US Sentencing Guidelines, the Board must exercise reasonable oversight of the effectiveness of a company’s compliance program. The Department of Justice’s (DOJ) Prosecution Standards posed the following queries: (1) Do the Directors exercise independent review of a company’s compliance program? and (2) Are Directors provided information sufficient to enable the exercise of independent judgment? Doty’s remarks drove home to me the absolute requirement for Board participation in any best practices or even effective anti-corruption compliance program.

A Board’s oversight is part of effective compliance controls, then the failure to do so may result in something far worse than bad governance. Such inattention could directly lead to a FCPA violation and could even form the basis of an independent SOX violation as to the Board.
Three Key Takeaways

  1. A Board must engage in active oversight.
  2. A Board should review the design of internal controls on a regular basis.
  3. Failure to do so could form the basis for an independent legal violation under SOX.
Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Internal Controls – Culture as a Foundational Internal Control

To conclude this month’s series on Internal Controls, I am joined by Vin DiCianni, Founder and CEO of AMI. We discuss how corporate culture is a foundational internal control. It is a fascinating topic that is not discussed enough by compliance professionals.

3 Key Takeaways.

  1. It must start at the top.
  2. Hiring is critical to creating and sustaining an ethical culture.
  3. Creative internal controls around culture.
Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Internal Controls – Assessing Compliance Internal Controls

One of the specific requirements in the 2020 Update is around internal controls and, more specifically, control testing. It stated:
Control Testing – Has the company reviewed and audited its compliance program relating to the misconduct?  More generally, what testing of controls, collection and analysis of compliance data, and interviews of employees and third parties does the company undertake?  How are the results reported and action items tracked?  

Fortunately, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013 Internal Controls Framework considers assessing compliance with internal controls. In “Internal Controls – Integrated Framework, Illustrative Tools for Assessing Effectiveness of a System of Internal Controls,” COSO laid out its views on assessing the effectiveness of internal controls. It noted that an effective system of internal controls provides “reasonable assurance of achievement of the entity’s objectives, relating to operations, reporting, and compliance.” Moreover, such a structured protocol can only meet two over-arching requirements. First, each of the five components is present and functioning. Second, the five components operate in an integrated fashion with each other. One of the most critical components of the COSO Framework is that it sets internal control standards against those you can audit to assess the strength of your compliance with internal controls.

Three key takeaways:

  1. An effective system of internal controls provides reasonable assurance of achieving the company’s objectives relating to operations, reporting, and compliance.
  2. There are two over-arching requirements for effective internal controls. First, each of the five components is present and functional. Second are the five components operating together in an integrated approach.
  3. For an anti-corruption compliance program, you can use the Hallmarks of an Effective Compliance Program as your guide to testing against.
Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Internal Controls-COSO Objective I-Control Environment

Both Board of Directors’ independence and Compliance Committee (or other applicable committees) oversight issue are essential to this Objective because the Compliance Committee needs to be actively engaged to be comfortable that the company has implemented the internal controls under Sarbanes-Oxley (SOX) 404(a); as required under Principles 1 & 2. The external auditors must then be comfortable that this requirement is met. Finally, there must be evidence that the company has appropriate disclosure controls because that is central to the objective. This is all tested against Board independence and Compliance Committee oversight over those activities that management has undertaken and their engagement and conversations with their external auditor. Under Principle 3, structures in reporting lines, authority, and responsibility are essential to recognizing revenue. There are processes in an entity’s internal controls or financial reporting details. There are policies, and there is documentation, the authority and documentation of the judgments are being made, the review of those in responsibility for making those ultimate judgments about the recognition of revenue and the recognition or timing of the revenue and the expenses, that those need to be in place.

Under Principle 4, a business must attract, develop, and retain competent talent. Of course, this is good business as well. But it is more than simply some appropriate levels of staffing; one of the reasons that companies have said they do not have money to reinvest in the deep dive study and process improvement necessary to implement it [the 2013 Framework] is that it comes down to both to commitment level from the top and the tone at the top that this important and these financial disclosures are critical to the ability of the investors to rely on the company’s disclosures. You must ensure the team can access the right level of technical accounting talent and business process and controls talent to make the judgments.” All these leads, of course, tie into Principle 5, which mandates that individuals be held responsible. This requires someone to document that they have made a judgment based upon the evidence they have accumulated, that the company has analyzed that evidence, and has gone through the process of comparing this to the COSO 2013 Framework and the spirit of the standard. Howell said, “those individuals are being held responsible for doing that properly. When you tie all that back together, when you get to the control environment, the COSO principle number one is that it can be completely tied back to what is required.” 

Three Key Takeaways:

  1. What controls do you have in place to measure conduct at the top?
  2. Reporting lines must be clear and functioning.
  3. You must provide the right personnel with the right resources.

For more information on building a best practices compliance program, including internal controls, check out The Compliance Handbook, 3rd edition.

 

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Internal Controls – The COSO 2013 Internal Controls Framework

COSO was adopted in 1992 as a framework for a basis to design and test internal controls’ effectiveness. In 2010, updating this more than 20-year-old COSO Framework was deemed necessary to provide a more supportable approach when adversarial third parties challenged whether a company has effective internal controls (such as the SEC). , I believe the SEC will use this to review a company’s compliance with internal controls. This means that you need to understand what is required under the COSO 2013 Internal Controls Framework and can show adherence to it or justify an exception if you receive a letter from the SEC asking for evidence of your company’s compliance with the internal controls provisions of the FCPA.

The COSO 2013 Internal Controls Framework defines internal controls, from bottom to top, with the following Objectives: a) Control Environment, b) Risk Assessment, c) Control Activities, d) Information and Communication, and e) Monitoring. From these five Objectives come 17 Principles which we explore in more detail.
Three key takeaways:

  1. You must use the 2013 Internal Controls Framework or a similar source for your internal controls structure.
  2. The 2013 Internal Controls Framework identifies the following areas: a) Control Environment, b) Risk Assessment, c) Control Activities, d) Information and Communication, and e) Monitoring.
  3. Your internal controls must be sustainable.

For more information on how to build out a best practices compliance program, including internal controls, check out The Compliance Handbook, 3rd edition.