The Hobson FCPA Trial: Five Operational Lessons for the Compliance Professional

If you want to see how an FCPA case gets built in real time, you could do a lot worse than studying what came out at trial in the Hobson matter. The evidence presented to the jury did not turn on a single suspicious invoice or an isolated payment. It was the aggregation of ordinary commercial mechanics (commissions, pricing pressure, contract awards) with extraordinary risk indicators (coded language, commission splits tied to named initials, informal transfer channels, and documentation gymnastics). That is exactly why the Hobson trial matters to in-house compliance professionals: it shows how day-to-day operational decisions can be reframed as corrupt intent when the surrounding facts align.

Today, we consider five lessons learned for the compliance professional, each grounded in trial evidence and framed as operational indicators you can use in your program tomorrow morning.

Lesson 1: High commissions are not a “commercial issue.” They are an anti-corruption control failure waiting to happen.

One of the most important themes in the testimony was the economics of commissions. One witness described the agent’s commission levels as unusually high in the industry, citing a long-term arrangement in the range of $7 to $7.50 per metric ton, in contrast to what he described as a far lower norm for international sales agents. That is not a mere “sales comp” debate. In a high-risk market, the commission structure becomes the channel through which influence can be purchased.

The operational problem is not simply that the commission is high. It is that the commission becomes hard to explain as legitimate, and easy to justify internally as “what it takes” to win. In the testimony, jurors heard about internal communications implying there were “a few” people the agent had to “take care of,” and the witness described being shocked at how openly the subject was discussed.

Operational indicators to take away

  • A third-party commission materially above benchmark, especially when defended as “market practice” without evidence.
  • Business rationales that drift from services rendered into “this is what it takes to get the deal.”
  • Commission tied to award timing, acceptance, or “sorting things out” with a committee-like body at the counterparty.

Program moves

  • Require commission benchmarking and documented justification for outliers, with Compliance signoff for deviations.
  • Treat commission letters and renewals as high-risk events: refresh due diligence, re-paper services scope, and re-evaluate the payment model.
  • Add a “commission-to-service” test: what services were delivered, how were they evidenced, and how do they map to the payment amount.

Lesson 2: The third party is not the risk. The relationship ownership model is the risk.

The defense narrative emphasized distance: the company hired the agent, the company paid the agent, and once the agent was paid, the payer did not control what happened next. Compliance people have heard this argument in conference rooms for twenty years, usually dressed up as “commercial reality.”

But what the trial evidence highlights is a different issue: relationship ownership. The cooperating witness testified that the defendant took the lead on the relationship because of his contact with the agent. That is a control issue. When a single commercial leader “owns” the third party informally, the organization often loses the ability to enforce discipline: who approves what, who monitors what, and who escalates what.

Operational indicators to take away

  • A relationship that is “owned” by one person, with limited transparency and limited cross-functional involvement.
  • Commission approvals and payment pressure driven by a single commercial voice rather than by a documented governance process.
  • Escalations framed as “help me pay him so we do not lose the business,” rather than “help me validate services and risks.”

Program moves

  • Assign “relationship ownership” formally: business owner, finance owner, and compliance owner, each with defined decision rights.
  • Require periodic third-party business reviews that are not sales calls: services delivered, invoices, payment routes, red flags, and counterparty risk.
  • Put “single-threaded third-party management” on your audit plan. It is a quiet failure mode.

Lesson 3: Communications are evidence, and code words are a control signal you can detect.

The most operationally actionable evidence from the trial is the communications that Hobson used with Ahmed. Jurors heard about messages that mixed coal pricing negotiations with discussions of who would receive parts of a commission, including initials corresponding to individuals connected to the state-affiliated buyer. This is the classic compliance trap: people treat messaging as informal chatter, while prosecutors and juries treat it as evidence of intent.

Even more pointed, testimony described the use of coded language for money, including references to “Mr. Yen,” and urgency about when the money would be available and in what currency. Whether a company can see those messages at the time is a separate question. The compliance lesson is that coded language almost always sits atop a known risk: someone believes the underlying conduct would not survive daylight.

Operational indicators to take away

  • Pricing plus commission allocation discussed in the same thread, especially where there is talk of who “needs to be paid” to keep contracts.
  • Code words for money, urgency cues, and currency references.
  • Language that treats counterparty actors as extracting “shares” tied to deal economics.

Program moves

  • Train sales and trading teams on “what will read badly to a jury” without being melodramatic. Show examples of risky phrasing and rewrite them.
  • Build a targeted communications surveillance protocol for the highest-risk channels and roles, consistent with local law and internal policy.
  • Add “coded language and euphemisms” to your investigation playbook as an escalation trigger, not an afterthought.

Lesson 4: Money movement patterns are where the story crystallizes.

The government’s evidence leaned heavily on how money moved: informal transfer mechanisms, travel touchpoints, offshore entities, and a money trail that could be explained individually but looked incriminating when sequenced.

For in-house compliance, this is the heart of operational control. The trial coverage covered Western Union transfers, travel to Dubai, cash declarations, and an entity structure involving a Dubai company and a US affiliate sharing the same address. It also described an “invoice construction” episode: drafting an invoice for a substantial payment, struggling to reproduce an official seal, then sending a wire and having the funds transferred.

You do not need to be a prosecutor to see the compliance problem: if you cannot explain who is being paid, why they are being paid, what they did, and where the money went, you do not have controls in place. You have hope.

Operational indicators to take away

  • Use of informal transfer services, cash, or complex routing in connection with third-party compensation.
  • Offshore entities introduced late in the process, especially where documentation is improvised.
  • Payment routes that create distance between the payer, the payee, and the ultimate beneficiary.

Program moves

  • Tighten payment controls for third parties: no payment without a validated contract scope, documented services evidence, and verified bank account ownership.
  • Require screening for beneficial ownership and “connected parties” among third-party entities, including affiliates and payment intermediaries.
  • Implement a red-flag workflow for travel-linked payments, cash, and informal transfers: automatic review by Compliance and Finance.

Lesson 5: Investigation readiness is not a crisis skill. It is a design choice.

Finally, the verdict and the path to it underscore a point compliance professionals sometimes miss: your program is being built for a future fact-finder. In this case, the prosecution presented an overall theory built from messages, financial records, and a cooperating witness; the jury returned guilty findings across FCPA-related counts and related conspiracy and laundering charges.

The operational compliance lesson is not about litigation tactics. It is about what your systems retain and what your systems can explain. If your third-party file includes evidence of benchmarking, due diligence, contract scope, and monitoring, you have a fighting chance of showing legitimate intent. If your file is thin and the communications are ugly, the story will be told for you. In the immortal words of the Compliance Evangelist: Document, Document, Document.

Operational indicators to take away

  • Repeated internal discomfort expressed without escalation or remediation, i.e., the “we know this is strange, but we need the deal” pattern.
  • Documents created to facilitate payment rather than to evidence legitimate services.
  • Controls that rely on “we did not know” rather than “we can show what we did and why.”

Program moves

  • Update your investigations protocol to integrate commercial data: pricing, commissions, and contract award timing, not just payment logs.
  • Build a rapid response kit for third-party risk: document hold, device preservation process, and review checklist for messaging platforms.
  • Treat high-risk third-party relationships as living files: quarterly updates, not annual check-the-box refreshes.

The Hobson trial is a reminder that compliance does not fail in the abstract. It fails in the seams: a commission justified without evidence, a relationship owned by one person, a payment routed because “it is easier,” and a set of messages that people assumed would never be read out loud in a courtroom. If you want your program to prevent the next case, focus on those seams, because prosecutors, juries, and regulators will, too.

Resources:

Articles by Matthew Santoni in Law360

Coal Exec Knew Egyptian Broker Paid Bribes, Jury Told

Coal Exec’s Co-Worker Says Emails Hinted At Egypt Bribes

Egypt’s ‘Social Law’ Doesn’t Endorse Bribery, Jury Told

Coal Exec Used ‘Mr. Yen’ To Talk Kickbacks, FBI Testifies

Coal Exec ‘Had No Ability’ To OK Paying Bribes, Jury Told

Jury Finds Ex-Coal Exec Guilty Of Authorizing Bribes

Wells Fargo, Risk Management and Reputational Recovery: Part 2 – Lessons Learned

On June 3, 2025, the Federal Reserve lifted its unprecedented $2 trillion asset cap on Wells Fargo, marking the symbolic end to one of the most consequential compliance enforcement actions in modern U.S. banking history. For the compliance and risk management community, this moment is not a victory lap; it is a case study of how compliance failures cascade, reputational risk becomes operationally tangible, and regulatory patience has its limits.

Over these two blog posts, I have explored what happened, why it mattered, and what lessons every compliance professional should carry forward. Yesterday, we examined the unique penalty imposed on Wells Fargo. Today, we reflect on the lessons learned by compliance professionals.

1. Sales Incentives Must Be Auditable and Aligned with Ethics

Incentive structures sit at the very core of behavioral risk. At Wells Fargo, the sales-driven “Gr-eight” initiative, designed to sell eight products per customer, transformed from a marketing aspiration into an existential risk. The program rewarded aggressive cross-selling, but without effective compliance oversight, it became a toxic engine of misconduct. Employees, facing immense pressure to meet unrealistic sales goals, began opening unauthorized accounts and manipulating customer data, led by the very highest levels of the company. This was not isolated behavior; it was systemic fraud incentivized by misaligned performance metrics.

For compliance professionals, the lesson is straightforward: incentive programs must be co-designed with risk and compliance in the room. It is not enough to reward growth; companies must also reward growth achieved in an ethical manner. This means conducting behavioral audits of how incentive programs are experienced in practice, not just how they appear on paper. Are salespeople bending the rules to meet targets? Are managers discouraging whistleblowing to protect metrics?

Moreover, all incentive plans should undergo compliance risk assessments. This includes mapping the downstream effects of reward systems, integrating compliance KPIs, and instituting real-time monitoring mechanisms. Transparency is key; employees must understand that ethical behavior is not just expected but tracked and rewarded.

Wells Fargo’s downfall was a direct result of a cultural failure to align incentives with values. When success is measured solely by numbers, ethics become expendable. Compliance leaders must ensure that incentive systems pass both the audit test and the mirror test: can they be audited for integrity, and can you look in the mirror knowing they support the organization’s stated values?

In the modern regulatory environment, misaligned incentives are no longer just a business risk—they are a regulatory and reputational time bomb waiting to detonate.

2. Regulatory Fatigue Is Not an Excuse

One of the most sobering realities of the Wells Fargo asset cap was its duration: seven years. That’s nearly a decade of constrained growth, investor frustration, and board-level scrutiny. Some might assume that regulatory attention naturally fades over time, but the Wells Fargo case proves otherwise. Regulators did not relent. They did not forget. And they did not lift the restrictions until the institution proved it had earned back the trust lost through systemic misconduct.

For compliance professionals, this underscores a critical truth: regulatory fatigue is no excuse for underperformance or delay. Treating compliance obligations as a burdensome box-checking exercise is what led Wells Fargo into this mess in the first place. Real remediation requires patience, perseverance, and, above all, a cultural shift in how the organization views compliance.

This shift is not cosmetic. Instead, it is strategic. It means compliance is embedded in daily operations rather than being relegated to periodic reports. It means senior leadership engages deeply in control redesigns, audits, and training rather than just approving them. It means boards of directors receive regular updates that go beyond dashboards to include narrative risk insights, root cause analyses, and forward-looking risk indicators.

Wells Fargo’s journey illustrates the high cost of superficial remediation. CEO Charlie Scharf’s arrival in 2019 marked a turning point because he treated compliance not as an obstacle but as a foundation. His willingness to restructure the operating model around risk oversight demonstrated that regulatory trust must be rebuilt brick by brick, meeting by meeting, order by order.

There are no shortcuts. Compliance professionals must prepare their organizations for the long haul. When the pressure to “move on” arises, as it inevitably will, it is the CCO’s duty to say: not yet. True cultural transformation takes time, and regulators will accept nothing less.

3. Asset Caps and Structural Penalties Are the New Frontier

The $2 trillion asset cap imposed on Wells Fargo was unprecedented, but it may not be the last of its kind. It has become a powerful precedent for how regulators can discipline systemically critical financial institutions that fail to meet compliance and ethical standards. Unlike traditional fines, which can be absorbed as the cost of doing business, the asset cap was a structural constraint on the company’s operations. It limited the bank’s ability to grow, serve customers, issue loans, and participate in high-margin Wall Street business lines. It was a living penalty, a regulatory scarlet letter that reshaped how Wells Fargo operated at every level.

For the compliance and risk community, this evolution is of profound significance. It suggests that enforcement tools are expanding beyond punitive monetary settlements to include operational restrictions that fundamentally alter business strategy. This signals a clear shift in regulatory philosophy: punishment should not only be proportional to the misconduct, it should also force organizations to re-engineer the systems that enabled that misconduct in the first place.

Compliance leaders must now broaden their risk lens. A mature compliance risk assessment framework must consider not only reputational and financial risks but also operational penalties that can hinder competitiveness. Could your business withstand a regulator-imposed halt to product launches? A limitation on asset growth? A prohibition on acquisitions? These are no longer hypothetical concerns; they are real enforcement options, as Wells Fargo learned.

Moreover, structural penalties create long-term internal pressure. Wells Fargo invested heavily, incurring more than $2.5 billion in extra costs and hiring 10,000 additional compliance personnel to satisfy the consent orders. That level of expenditure may not be feasible for smaller institutions, making early detection and proactive compliance investment even more critical.

The future of enforcement is structural. Innovative compliance programs must prepare for this new reality before regulators force the issue.

4. Invest in the Right People

Wells Fargo’s long road to regulatory redemption was not paved by technology or process overhauls alone; people drove it. After years of reputational damage, CEO turnover, and regulatory gridlock, the appointment of Charlie Scharf in 2019 signaled a fundamental shift. Scharf understood what prior leadership had not: you cannot reform risk culture without reforming the people responsible for it. He replaced key executives, restructured risk and compliance teams, and built a leadership bench equipped to navigate the demands of a post-scandal environment.

For compliance professionals, the takeaway is clear: people are the heart of your program. You can build a library of policies and procure the most advanced analytics platforms, but without qualified, empowered, and appropriately incentivized professionals, those systems will fail. Effective compliance begins with hiring not just for expertise but also for integrity and courage. Your CCO must have access to the board, independence from business pressures, and the authority to challenge decisions without fear of reprisal.

At Wells Fargo, the turnaround required hiring an “army” of more than 10,000 new risk and compliance professionals. While most companies will not need to scale at that level, the principle remains: a token compliance function cannot defend against systemic risk. The right people in the right roles with clear mandates and sufficient resourcing are the first line of defense.

Equally important is leadership. Scharf’s experience leading Visa and BNY Mellon gave him a strategic understanding of regulatory expectations. He began each executive meeting with a regulatory update, not as a formality but as a signal. This was not compliance theater. This was operational DNA.

In today’s risk environment, talent is your most significant differentiator. Invest in leaders who understand governance, not just growth. Because when crisis strikes, the question isn’t what systems are in place. It’s who is leading them.

What’s Next for Wells Fargo—and You

Now that the cap is lifted, Wells Fargo is poised to grow again. It can expand lending, scale its wealth management services, and bolster its Wall Street business. But as Scharf and analysts have noted, this is “still a journey.”

Even without the cap, consent orders remain in effect. More critically, public trust is still under repair.

For the rest of the financial sector and, frankly, any large organization, the lesson is this: enforcement is not just about punishment. It’s about operational reform. The Wells Fargo story serves as a blueprint for how misconduct can metastasize when culture, incentives, and oversight fail to align and how painfully slow and expensive the path back to credibility can be.

Compliance Is Not a Department—It’s a Discipline

The Wells Fargo saga is not merely a tale of scandal and sanction. It is a real-world case study of how compliance failures metastasize when unchecked and how painful, expensive, and prolonged the road to recovery becomes when structural change is delayed. For seven years, Wells Fargo was held in regulatory purgatory not because of a single incident but because its culture, controls, and leadership failed to recognize that ethics and governance are non-negotiable pillars of business continuity.

Each of the four lessons discussed (ethical incentive alignment, stamina in regulatory remediation, preparing for structural penalties, and investing in the right people) reinforces a central truth: compliance is not episodic. It is continuous, cultural, and deeply tied to leadership.

When incentives ignore integrity, misconduct becomes inevitable. When organizations view compliance obligations as burdens rather than opportunities for reform, they erode trust. When regulators respond with operational penalties as they now can and will, compliance becomes not just a cost center but a barrier to growth. And when companies finally decide to rebuild, it is the strength and credibility of their people that determines whether that effort will succeed.

Wells Fargo survived its reckoning. But survival came at a steep price: lost market share, damaged reputation, investor doubt, and a compliance bill in the billions. For the rest of us, the goal is not to weather such a storm but to avoid it entirely. That means taking compliance seriously before the headlines, before the enforcement actions, and before the crisis.

In the post-Wells era, corporate compliance is no longer optional or siloed; it is a fundamental aspect of business operations. It is embedded, empowered, and expected to lead. As compliance professionals, our charge is clear: build systems that promote integrity, protect the enterprise, and earn the trust that regulators can’t mandate but can take away.

Resources:

  1. Wells Fargo Is Allowed to Grow Again After 7 Years Under Asset-Cap Penalty, by Gina Heeb in the Wall Street Journal.
  2. Wells Fargo Asset Cap Lifted by Fed, Paving Way for Growth, by Yizou Wang in Bloomberg.
  3. Wells Fargo’s Asset Cap Has Been a Good Punishment, by Paul Davies in Bloomberg.

The Bre-X Mining Scandal: Part 6 – A Guide for the 2024 Compliance Professional (Part 2)

Today, we conclude a multipart blog post series exploring one of the biggest corporate scandals of the 1990s, the Bre-X mining scandal. Our most recent blog post explored the foundational lessons from the Bre-X scandal for today’s compliance professionals, focusing on due diligence, transparency, corporate governance, and more. In today’s concluding blog post, we focus on additional critical areas where compliance officers can play a pivotal role in ensuring organizational integrity. From fostering a strong whistleblowing culture to leveraging modern technologies for continuous monitoring, these strategies will help prevent financial fraud, uphold ethical standards, and keep the business in compliance into 2024 and beyond.

The Role of Whistleblowing and Ethics Programs

A lack of transparency and accountability within Bre-X contributed to the persistence of fraud for years. If a robust whistleblowing mechanism had been in place, the red flags might have been raised earlier, potentially preventing the massive fallout.

  • Encouraging Whistleblowing. One of the most critical aspects of modern compliance is creating a culture where employees feel empowered to speak up without fear of retaliation. Compliance officers should focus on building and maintaining secure, confidential channels where employees can report unethical or suspicious activities. A strong whistleblowing framework protects the organization from reputational damage and demonstrates to employees that integrity is a top priority.
  • Ethics Training. In addition to promoting whistleblowing, regular ethics training can help build a culture of transparency and accountability. Employees must be educated on the importance of ethical decision-making and how their actions contribute to the company’s long-term success. Compliance teams can reinforce the core values of honesty and integrity across the organization through frequent workshops, case studies (including Bre-X), and clear guidance on ethical behavior.

Risk Management and Scenario Planning

The Bre-X scandal is a stark reminder of the importance of comprehensive risk management. The ability to foresee potential risks and prepare accordingly can be the difference between averting a disaster and getting caught in one.

  • Assessing and Mitigating Risk. Risk management is central to the work of a compliance officer. Rigorous risk assessments are non-negotiable in industries like mining—where speculation, large financial stakes, and geographical challenges intersect. Compliance professionals must develop strategies that identify, assess, and mitigate potential risks early, whether they stem from operational, financial, or reputational sources. For instance, resource overestimation, as seen in Bre-X, could have been mitigated with proper checks on geological data and third-party verification.
  • Scenario Planning. Preparing for various fraud scenarios, including “what if” situations similar to Bre-X, is a valuable exercise. Scenario planning enables organizations to consider how they would respond in the event of fraud or a major compliance breach. Companies should develop detailed crisis management plans, identify key decision-makers, and outline steps for navigating potential crises. In the event of another large-scale scandal, having these contingency plans in place will reduce the organization’s response time and limit damage.

Continuous Controls Monitoring and Auditing

The importance of continuous monitoring cannot be overstated, particularly in industries prone to high levels of fraud, such as mining, finance, or healthcare. Compliance professionals must champion ongoing oversight to ensure early detection of potential issues.

  • Ongoing Oversight. Continuous auditing of processes and transactions is an effective way to catch problems before they escalate. In the Bre-X case, regular audits of geological sample reporting and financial disclosures could have flagged discrepancies early on. Compliance teams today should implement robust monitoring programs that examine critical areas like financial performance, regulatory adherence, and ethical behavior. Routine audits of key operational processes, especially in high-risk industries, can prevent fraudulent behavior from going undetected.
  • Use of Technology. The rise of data analytics and artificial intelligence (AI) has transformed the compliance landscape. In 2024, compliance professionals must embrace technology that enhances real-time monitoring capabilities. By leveraging AI and big data, companies can detect anomalies or suspicious activities before they evolve into significant problems. For example, automated systems can track financial reporting patterns or identify irregular resource estimates, helping compliance teams intervene before major fraud occurs.

Global Considerations and Jurisdictional Awareness

In today’s globalized business environment, companies often operate in multiple countries, each with its own regulatory requirements. Compliance professionals must stay abreast of international standards and ensure the organization complies with the rules in every region where it operates.

  • Navigating International Regulations. The Bre-X scandal highlighted the complexities of operating in different jurisdictions. While Bre-X was a Canadian company, much of its fraudulent activity occurred in Indonesia, and the regulatory landscape differed vastly between the two countries. In 2024, compliance officers must develop an in-depth understanding of the regulatory environment in each jurisdiction where their company operates. This includes legal compliance as well as the cultural and business norms that could affect operations and risk management strategies.
  • Cross-Border Cooperation. In an interconnected world, no company is an island. Regulatory bodies across countries are increasingly cooperating on compliance and enforcement efforts, especially in mining, finance, and pharmaceuticals. Building relationships with regulatory agencies in different jurisdictions is vital for compliance professionals. These partnerships can help organizations navigate complex international regulations and stay on top of emerging global compliance trends.

The Bre-X scandal was a watershed moment for the mining industry and for compliance professionals across sectors. The lessons from this case are invaluable in shaping how compliance is approached in 2024. Compliance officers can safeguard their organizations from the devastating consequences of fraud by encouraging a culture of whistleblowing, implementing comprehensive risk management practices, leveraging technology for continuous monitoring, and understanding global regulatory landscapes.

Fraud prevention is a continuous journey that requires vigilance, transparency, and a proactive mindset. The responsibility of today’s compliance professional is not just to respond to incidents but to anticipate them, fostering a corporate culture that prioritizes ethics and accountability at every level. This concludes our series on the Bre-X scandal. By learning from the past, compliance professionals can build a more resilient, transparent future for their organizations.

Compliance into the Weeds: Of Fat Fingers, Internal Controls and Compliance

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject.

Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds!

In this episode, Tom and Matt delve deep into Citigroup’s $126 million trading error, resulting from poor internal controls.

They discuss how a simple ‘fat finger’ error by a trader led to a major flash crash on European stock exchanges in 2022, and how the failure of Citigroup’s internal controls allowed it to happen. The discussion covers multiple compliance lessons, including the importance of understanding the human element in control design, the need for adequate staffing and monitoring, and the necessity of consistent global risk management.

Fox and Kelly also highlight the importance of addressing findings from internal audits and maintaining urgency in improving internal controls. They emphasize that companies should think creatively about risk management, taking into account various global factors, including holidays and local regulations.

Key Highlights:

  • The Citigroup Internal Control Fiasco
  • Compliance Lessons from Citigroup’s Mistake
  • The Human Element in Compliance and Control Failures
  • Global Consistency in Risk Management

Resources:

Matt on Radical Compliance

Tom

The Trafigura FCPA Enforcement Action – Part 4 – Lessons Learned

We conclude our exploration of the resolution of the FCPA enforcement action involving the Swiss trading firm Trafigura Beheer B.V. (Trafigura), an international commodity trading company with its primary operations in Switzerland. The company pleaded guilty and will pay over $126 million to resolve an investigation stemming from the company’s corrupt scheme to pay bribes to Brazilian government officials to secure business with Brazil’s state-owned and state-controlled oil company, Petróleo Brasileiro S.A. – Petrobras (Petrobras). The matter was resolved via a Plea Agreement. An Information detailing the company’s conduct was also issued.

Despite substantial violations of the FCPA that extended into the corporate offices, Trafigura received the 10% discount noted above. The message from this enforcement action is hard to square with the facts: the company failed to self-disclose, created liability under the FCPA and jurisdiction for the DOJ to bring an enforcement action, denied that it had done anything wrong, failed to cooperate (at least initially), and did not sanction any of the culpable company actors. In other words, there is a bit of reverse logic and analysis in this case. However, as noted several times, the DOJ still rewarded Trafigura with some credit and gave the company a discount. Most importantly, and perhaps inexplicably, Trafigura was not required to retain a monitor.

Remediation

While most of the remediation is reported as standard, the one item that every compliance professional should consider is that the company proactively discontinued using third-party agents for business origination. This point is perhaps the most significant, as we have now seen the DOJ call out Albemarle and SAP for discontinuing their use of third-party agents.

As Matt Kelly noted in Radical Compliance, in his discussion of the Gunvor FCPA enforcement action, “This is the latest in a string of FCPA enforcement cases where we’ve seen a big, structural change to the sale function. Albemarle eliminated its use of third-party sales agents as part of its FCPA settlement last year; SAP eliminated its third-party sales commission model globally as part of its own FCPA settlement announced in January. Now we have a third global enterprise going that same route, reducing its FCPA risk in a deep, permanent way by restructuring its sales operations.” With Trafigura, we now have a fourth.

As I noted in my review of the Albemarle and SAP enforcement actions, SAP eliminated its third-party sales commission model globally, prohibited all sales commissions for public sector contracts in high-risk markets, and enhanced compliance monitoring and audit programs, including the creation of a well-resourced team devoted to audits of third-party partners and suppliers. Albemarle changed its approach to sales and its sales teams. Gunvor also moved from using third-party agents to a direct sales force.

Moving to a direct sales force does have its own risks, but those risks can be managed with an appropriate risk management strategy, monitoring of that strategy, and continuous improvement. Yet there is another reason, and more importantly a significant business reason, to move towards a direct sales business model. Whenever you have a third-party agent or anyone else between you and your customer, you risk losing that customer because your organization does not have a direct relationship with the customer. A direct sales business model gives your organization more direct access to your customers.

Another exciting aspect of this approach used by Albemarle, SAP, and Trafigura is that it is not an approach laid out in either the 2020 FCPA Resource Guide, 2nd edition, or the 2023 Evaluation of Corporate Compliance Programs. The companies developed all of these strategies based on their own analysis and risk models. It may have come from a realization that the risk involved with third-party sales models was too great, that the companies wanted more control over their sales, or from another reason entirely. Whatever the reason for the change, the DOJ clearly noted it for each organization and viewed it affirmatively.

Bribery Schemes

This area is essential for all compliance professionals to take note of. The bribes were initially funded with a $0.20 surcharge or uplift for every barrel of oil traded. With the price of oil fluctuating wildly at the time in question, between $60 and $100 per barrel, I am not sure such a small amount would even seem anomalous. It would not even rise to the level of a rounding error, yet it generated $19 million in bribes. While I am not sure that the bribery scheme was designed to be so hard to detect, the reality is that no compliance professional could look at the trades and determine whether a bribe was baked into the pricing.

Yet there was an even deeper part of the bribery scheme. Executives at Trafigura and corrupt traders at Petrobras prearranged the oil trading prices rather than letting the market determine them. The Information noted, “The Trafigura Executive 2 and Brazilian Official 1 agreed to prices for trades of oil products and bribe amounts for each trade. After determining the price, Trafigura Executive 2 instructed Trafigura traders to negotiate with Petrobras, which Trafigura Executive 2 knew to be a sham, to arrive at the pre-agreed price.” [emphasis supplied]

Finally, another set of bribes was funded through an unrelated business unit. This occurred when one of the two corrupt Trafigura executives involved in the bribery scheme was transferred to run the company’s Singapore business unit. From there, this corrupt executive had a corrupt third party in Hong Kong bill the Singapore business unit for non-existent consulting services related to the Chinese market for $500,000. This money funded additional bribes to corrupt Petrobras employees. This extra step would require someone in compliance to connect the dots between a corrupt third-party bribery scheme in Singapore and China and the corruption at Petrobras in Brazil.

Lack of a Monitor

The following DOJ Memo governs the decision of whether a company needs a monitor: Revised Memorandum on Selection of Monitors in Criminal Division Matters, released in March 2023. The memo has 10 factors a prosecutor must consider.

  1. Did the corporation voluntarily self-disclose?
  2. At the time of the resolution and after a thorough risk assessment, has the company implemented an effective compliance program and sufficient internal controls to detect and prevent similar misconduct in the future?
  3. At the time of the resolution, had the company adequately tested its compliance program and internal controls to demonstrate that they would likely detect and prevent similar misconduct?
  4. Was the underlying criminal conduct long-lasting or pervasive across the business organization, or was it approved, facilitated, or ignored by senior management, executives, or directors (including through a corporate culture that tolerated risky behavior or misconduct or did not encourage open discussion and reporting of possible risks and concerns)?
  5. Did the underlying criminal conduct involve exploiting an inadequate compliance program or system of internal controls?
  6. Did the conduct involve the active participation of compliance personnel?
  7. Did the company take adequate investigative or remedial measures to address the underlying criminal conduct, including terminating business relationships and practices that contributed to it?
  8. At the time of the resolution, had the company’s risk profile substantially changed?
  9. Does the corporation face any unique risks or compliance challenges?
  10. Is the company subject to other oversight?

A review of the Information and Plea Agreement reveals no self-disclosure. Equally significantly, there is no information about whether the company has implemented an effective compliance program or sufficient controls, let alone tested them. According to the Information, the conduct was long-lasting and spanned multiple business units. If there were internal controls in place, they were undoubtedly inadequate. There does not appear to have been involvement of the compliance function. The only positive factor from the resolution documents is that Trafigura did terminate its use of third parties to initiate and foster business development, but that appears to be the only factor the company met.

Writing again in Radical Compliance, Matt Kelly said, “Either way, these cases send mixed messages to the compliance community. It looks like you can get away with not self-disclosing misconduct and perhaps even slow-rolling your cooperation if you’re prepared to invest lots in a newly invigorated compliance program and tolerate the Fraud Section as your new BFFs for the next three years of a settlement agreement.”

If the DOJ has discontinued its monitoring program or changed the requirements, it is undoubtedly its prerogative to do so. It would be helpful if they communicated that change to the compliance community.


Scott Garland – Lessons Learned in Ethics and Going Forward

The Compliance Life details the journey to and in the role of a Chief Compliance Officer. How does one come to sit in the CCO chair? What skills does a CCO need to navigate the compliance waters in any company successfully? What are some of the top challenges CCOs have faced, and how did they meet them? These questions and many others will be explored in this new podcast series. Over four episodes each month on The Compliance Life, I visit with one current or former CCO to explore their journey to the CCO chair. This month, I am joined by Scott Garland, Managing Director at AMI. Scott came to AMI from the DOJ, where he held the role of Professional Responsibility Officer. As he described, it was akin to a CCO role for the US Attorney’s Office for Massachusetts.

Some of the key lessons Garland learned in the role of Professional Responsibility Officer, which apply to the skill set needed to be a CCO, include: (1) always do the right thing, but it is not always obvious what that is; (2) the issue you are presented with might not be the real issue, or the sole real issue; (3) being calm and nonjudgmental helps people open up; (4) try to balance analysis with action, and pragmatism with principles, using tenets of risk management; (5) craft advice that is simple, clear, and unambiguous; (6) do not just say what not to do; also say what to do and when to come back for more help; (7) admit mistakes as soon as possible; and (8) good people make mistakes. Most people will forgive a mistake if it was made unintentionally, you are forthright about it, and you try to fix it.

Garland recently joined Affiliated Monitors, Inc. as Managing Director – Sanctions, Cyber, Fraud, and Ethics Compliance & Monitoring. One of the reasons he did so was to help companies strengthen their compliance operations in these areas in two ways. The first is before the government comes knocking, by proactively assessing a company’s compliance operations and ethical culture and recommending improvements. The second is after the government knocks, by acting as an independent monitor of the company’s compliance with a plea agreement, settlement agreement, consent decree, or court or administrative order; the emphasis is not on playing gotcha or the blame game, but rather on helping the company improve through lasting change.

Resources

Scott Garland’s Profile on AMI


Would You Buy a New Car From Them? Part 2 – Lessons for Compliance

Over this series, I am reviewing the corruption enforcement action involving the company formerly known as Chrysler Group LLC, now FCA US LLC (Chrysler or the company herein), which was criminally sentenced to pay a fine of over $96 million and a forfeiture money judgment of over $203 million. These amounts were on top of a previous civil penalty of $310 million. All of this was for designing a vehicle emissions system for the company’s Jeep Grand Cherokee and Ram 1500 that would evade federal emissions standards for diesel vehicles and then lying about it to federal authorities. It was a different type of corruption from a Foreign Corrupt Practices Act (FCPA) enforcement action, but corruption nonetheless. Today, I want to consider some of the lessons for the anti-corruption compliance professional.

The actions by the company are instructive for what not to do in any corruption investigation. The Plea Agreement specified that the company did not receive credit for self-disclosure as it did not self-disclose its criminal conduct or fraud. The company did receive some cooperation credit for cooperating during the scope of the investigation but did not receive any credit for failures in both taking timely remedial action and for failing to discipline senior executives who were involved in or had knowledge of the criminal action and fraud. (Recall that one executive involved directly in the fraud was with the company until 2020.)

All these actions were very costly to the company in terms of how it was evaluated under the US Sentencing Guidelines. Under Section 8C2.5(g)(2), a company can receive credit of up to five (5) points for cooperating in the investigation and affirmatively accepting responsibility for its conduct. The company only received a two (2) point discount. Since the Plea Agreement specified the company did cooperate in the investigation, it clearly did not accept responsibility for its conduct. The lack of those three points of discount cost the company somewhere in the estimated range of $20 to $30 million in additional fines and penalties.

The Plea Agreement also specified for the first time the Monaco Doctrine of evaluating past conduct as a part of the overall evaluation of the company. The Plea Agreement detailed that the company had a prior criminal conviction for bribery and corruption under the National Labor Relations Act (NLRA) for bribing union officials. However, it is not clear how that worked into the overall fine and penalty except to note that the company paid the maximum under the US Sentencing Guidelines, after credit for the civil penalty.

Additionally, while there is no requirement for a monitor in this resolution of the criminal action, there was such a requirement in the Consent Decree from the civil action. It mandated an Independent Compliance Auditor for a period of three years from the resolution of the civil matter, which was May 2019.

Lessons Learned

There are multiple lessons for the anti-corruption compliance professional from this enforcement action. Obviously, the need to engage in robust remediation, both for the matter at issue and for your compliance program, is critical. Moreover, once again the Department of Justice (DOJ) criticized a company for tardiness in disciplining those who were involved in the fraud or those who were aware of it. As I noted in Part 1, multiple former company employees were criminally indicted for their conduct in this sordid affair. Yet some of them were with the company until 2019 and 2020, and not all were terminated; some left the company in voluntary separations, which sounds suspiciously like retirements. Timely discipline could save your organization literally millions of dollars.

One of the clearest lessons, which was not stated in any of the resolution documents, is that every Chief Compliance Officer (CCO) needs to read the newspapers and stay abreast of current events in their industry. It was September 2015 that the Volkswagen (VW) emissions-testing scandal became public. It was by far the largest scandal in emissions-testing and cost VW billions in investigative and remediation costs, fines, penalties, buy-backs, market share loss and reputational damages. To say that anyone at the company was not aware of it simply defies belief.

Beyond just the CCO, every Board member was no doubt aware of the VW emissions-testing scandal. Under the current state of the Caremark Doctrine, there may well be a duty for the Board of an auto manufacturer to make an inquiry of senior management to investigate whether the company has been involved in similar conduct. Here we do not know how the scandal came to the attention of the DOJ, but it was clear from the Plea Agreement that it was not through self-disclosure. CCOs and Boards need to be much more proactive, when competitors get into trouble, about investigating similar products or services which could lead to criminal and civil fines and penalties.

This matter warrants consideration by every CCO in every US public and private company. Every CCO can also use the case as instruction and training for both senior management and their company Board of Directors.

Resources

DOJ Press Release

Information

Plea Agreement

Consent Decree from the civil action


Cookies, Chocolates and IP: The Stericycle FCPA Enforcement Action – Part IV

Last week, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) announced a Foreign Corrupt Practices Act (FCPA) enforcement action, involving the waste management company, Stericycle, Inc. (Stericycle). According to the Information and Deferred Prosecution Agreement (DPA), Stericycle entered into a three-year DPA. The company was charged with two counts of conspiracy to violate (1) the anti-bribery provision of the FCPA, and (2) the FCPA’s books and records provision. Under the DPA, Stericycle agreed to a criminal penalty of $52.5 million of which the DOJ agreed to credit up to one-third of the criminal penalty against fines the company pays to authorities in Brazil in related proceedings. According to the SEC Cease and Desist Order (Order), Stericycle violated the anti-bribery, books and records, and internal accounting controls provisions of the FCPA and agreed to pay approximately $28.2 million in disgorgement and prejudgment interest. The SEC Order also provided for an offset of up to approximately $4.2 million of any disgorgement paid to Brazilian authorities. Today we consider the lessons learned.

Rapid Expansion

Similar to what we saw in the WPP enforcement action, Stericycle engaged in rapid expansion in a series of foreign jurisdictions. In this case it was Latin America. Stericycle does not seem to have made the same mistake as WPP of holding back part of the overall acquisition payout to the owners in the locales where they purchased entities, thereby incentivizing corruption to meet sales goals. In the Stericycle resolution documents, there was nothing about this same type of incentive plan used by WPP. However, Stericycle did appear to keep the former owners on as the executives of these new foreign subsidiaries without taking into account how those former owners may have done business or the risk model it entailed.

This brings us to pre-acquisition due diligence, which is not simply looking at the financial issues involved but also considering the potential purchase from the compliance perspective. How did the companies which were purchased to form the foreign subsidiaries in Latin America do business before they were purchased? Did Stericycle review those companies from the compliance standpoint?

Moreover, and as Candice Tal, founder of Infortal, continually reminds us, due diligence is more than simply a site investigation or a couple of interviews. It should include “an in-depth background check of key executives or principal players. These are not routine employment-type background checks, which are simply designed to confirm existing information; but rather executive due diligence checks designed to investigate hidden, secret or undisclosed information about that individual.” Tal believes such checks should cover “Reputational information, involvement in other businesses, direct or indirect involvement in other lawsuits, history of litigious and other lifestyle behaviors which can adversely affect your business, and public perceptions of impropriety, should they be disclosed publicly.” Clearly, Stericycle did not engage in this level of due diligence, either in the acquisitions of the entities which became Stericycle subsidiaries in Latin America or of their key personnel. Employees up and down the chain of an organization do not simply wake up one day and decide to engage in bribery and corruption and create a full set of records so the effectiveness of your bribery-based business process can be evaluated.

Impact of the FCPA Corporate Enforcement Policy

The Stericycle enforcement action once again demonstrates how the FCPA Corporate Enforcement Policy can benefit even the most corrupt organization and allow a significant reduction of the overall fine and penalty under the US Sentencing Guidelines. According to the DPA, Stericycle received a 25% discount off the bottom of the applicable Sentencing Guidelines fine range for its cooperation during the pendency of the investigation and its extensive remediation.

I have previously estimated Stericycle saved between $25 million and $30 million off its final criminal fine. That is certainly a significant amount, and one every Chief Compliance Officer (CCO) needs to have ready to present to their CEO to demonstrate the power of committing time and resources to both internal investigations and remediation during the pendency of an investigation.

Impact from the Lisa Monaco Doctrine

a. The Monitor

This is the first FCPA enforcement action to show the full impact of the change in DOJ enforcement priorities after the Lisa Monaco speech of October 2021, in a variety of ways. The first is the imposition of a monitor. It was required under both the DPA and the Order. Interestingly, even though the company was long aware of its compliance and ethical failures, and even though it had been investigating this matter since at least 2016, the company could not seem to get its collective act together enough to fully implement and test the new compliance regime set out in the DPA. The DPA stated, “despite its extensive remedial measures described above, the Company to date has not fully implemented or tested its enhanced compliance program, and thus the imposition of an independent compliance monitor for a term of two years, as described more fully below and in Attachment D, is necessary to prevent the recurrence of misconduct.” [Emphasis supplied] Clearly the DOJ (and SEC) did not trust that the company would follow through on its resolution document obligations, and a monitor was “necessary to prevent the recurrence of misconduct.”

b. Culture

One part of the Monaco speech which drew much criticism from the white-collar defense bar and others was her remarks around culture, and that the DOJ would start assessing corporate culture in the context of other fines, penalties and regulatory enforcement actions from outside the FCPA context. Many articulated fears that conduct completely unrelated to an FCPA enforcement action could form the basis of an FCPA enforcement action. Those fears were alleviated in the Stericycle DPA, which stated, “the Company has some history of prior civil and regulatory settlements, but no prior criminal history”. At least at this point, no unrelated civil or regulatory actions were assessed in the context of an FCPA enforcement action.

There was and continues to be much to consider and learn from the Stericycle FCPA enforcement action. I am sure we will be revisiting it in the future.