
The Bre-X Mining Scandal: Part 6 – A Guide for the 2024 Compliance Professional (Part 2)

Today, we conclude a multipart blog post series exploring one of the biggest corporate scandals of the 1990s, the Bre-X mining scandal. Our most recent blog post explored the foundational lessons from the Bre-X scandal for today’s compliance professionals, focusing on due diligence, transparency, corporate governance, and more. In today’s concluding blog post, we focus on additional critical areas where compliance officers can play a pivotal role in ensuring organizational integrity. From fostering a strong whistleblowing culture to leveraging modern technologies for continuous monitoring, these strategies will help prevent financial fraud, uphold ethical standards, and do business in compliance into 2024 and beyond.

The Role of Whistleblowing and Ethics Programs

A lack of transparency and accountability within Bre-X contributed to the persistence of fraud for years. If a robust whistleblowing mechanism had been in place, the red flags might have been raised earlier, potentially preventing the massive fallout.

  • Encouraging Whistleblowing. One of the most critical aspects of modern compliance is creating a culture where employees feel empowered to speak up without fear of retaliation. Compliance officers should focus on building and maintaining secure, confidential channels where employees can report unethical or suspicious activities. A strong whistleblowing framework protects the organization from reputational damage and demonstrates to employees that integrity is a top priority.
  • Ethics Training. In addition to promoting whistleblowing, regular ethics training can help build a culture of transparency and accountability. Employees must be educated on the importance of ethical decision-making and how their actions contribute to the company’s long-term success. Compliance teams can reinforce the core values of honesty and integrity across the organization through frequent workshops, case studies (including Bre-X), and clear guidance on ethical behavior.

Risk Management and Scenario Planning

The Bre-X scandal is a stark reminder of the importance of comprehensive risk management. The ability to foresee potential risks and prepare accordingly can be the difference between averting a disaster or getting caught in one.

  • Assessing and Mitigating Risk. Risk management is central to the work of a compliance officer. Rigid risk assessments are non-negotiable in industries like mining—where speculation, large financial stakes, and geographical challenges intersect. Compliance professionals must develop strategies that identify, assess, and mitigate potential risks early, whether they stem from operational, financial, or reputational sources. For instance, resource overestimation, as seen in Bre-X, could have been mitigated with proper checks on geological data and third-party verification.
  • Scenario Planning. Preparing for various fraud scenarios, including “what if” situations similar to Bre-X, is a valuable exercise. Scenario planning enables organizations to consider how they would respond in the event of fraud or a major compliance breach. Companies should develop detailed crisis management plans, identify key decision-makers, and outline steps for navigating potential crises. In the event of another large-scale scandal, having these contingency plans in place will reduce the organization’s response time and limit damage.

Continuous Controls Monitoring and Auditing

The importance of continuous monitoring cannot be overstated, particularly in industries prone to high levels of fraud, such as mining, finance, or healthcare. Compliance professionals must champion ongoing oversight to ensure early detection of potential issues.

  • Ongoing Oversight. Continuous auditing of processes and transactions is an effective way to catch problems before they escalate. In the Bre-X case, regular audits of geological sample reporting and financial disclosures could have flagged discrepancies early on. Compliance teams today should implement robust monitoring programs that examine critical areas like financial performance, regulatory adherence, and ethical behavior. Routine audits of key operational processes, especially in high-risk industries, can prevent fraudulent behavior from going undetected.
  • Use of Technology. The rise of data analytics and artificial intelligence (AI) has transformed the compliance landscape. In 2024, compliance professionals must embrace technology that enhances real-time monitoring capabilities. By leveraging AI and big data, companies can detect anomalies or suspicious activities before they evolve into significant problems. For example, automated systems can track financial reporting patterns or identify irregular resource estimates, helping compliance teams intervene before major fraud occurs.

Global Considerations and Jurisdictional Awareness

In today’s globalized business environment, companies often operate in multiple countries, each with its own regulatory requirements. Compliance professionals must stay abreast of international standards and ensure the organization complies in all regions.

  • Navigating International Regulations. The Bre-X scandal highlighted the complexities of operating in different jurisdictions. While Bre-X was a Canadian company, much of its fraudulent activities occurred in Indonesia, and the regulatory landscape vastly differed between the two countries. In 2024, compliance officers must develop an in-depth understanding of the regulatory environments in each jurisdiction where their company operates. This includes legal compliance and cultural and business norms that could impact operations and risk management strategies.
  • Cross-Border Cooperation. In an interconnected world, no company is an island. Regulatory bodies across countries are increasingly cooperating on compliance and enforcement efforts, especially in mining, finance, and pharmaceuticals. Building relationships with regulatory agencies in different jurisdictions is vital for compliance professionals. These partnerships can help organizations navigate complex international regulations and stay on top of emerging global compliance trends.

The Bre-X scandal was a watershed moment for the mining industry and for compliance professionals across sectors. The lessons from this case are invaluable in shaping how compliance is approached in 2024. Compliance officers can safeguard their organizations from the devastating consequences of fraud by encouraging a culture of whistleblowing, implementing comprehensive risk management practices, leveraging technology for continuous monitoring, and understanding global regulatory landscapes.

Fraud prevention is a continuous journey that requires vigilance, transparency, and a proactive mindset. Today’s compliance professional’s responsibility is not just to respond to incidents but to anticipate them, fostering a corporate culture prioritizing ethics and accountability at every level. This concludes our series on the Bre-X scandal. By learning from the past, compliance professionals can build a more resilient, transparent future for their organizations.


Compliance into the Weeds: Of Fat Fingers, Internal Controls and Compliance

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject.

Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds!

In this episode, Tom and Matt delve deep into Citigroup’s $126 million trading error, resulting from poor internal controls.

They discuss how a simple ‘fat finger’ error by a trader led to a major flash crash on European stock exchanges in 2022, and how the failure of Citigroup’s internal controls allowed it to happen. The discussion covers multiple compliance lessons, including the importance of understanding the human element in control design, the need for adequate staffing and monitoring, and the necessity of consistent global risk management.

Fox and Kelly also highlight the importance of addressing findings from internal audits and maintaining urgency in improving internal controls. They emphasize that companies should think creatively about risk management, taking into account various global factors, including holidays and local regulations.

Key Highlights:

  • The Citigroup Internal Control Fiasco
  • Compliance Lessons from Citigroup’s Mistake
  • The Human Element in Compliance and Control Failures
  • Global Consistency in Risk Management

Resources:

Matt on Radical Compliance



The Trafigura FCPA Enforcement Action – Part 4 – Lessons Learned

We conclude our exploration of the resolution of the FCPA enforcement action involving the Swiss trading firm Trafigura Beheer B.V. (Trafigura), an international commodity trading company with its primary operations in Switzerland. The company pleaded guilty and will pay over $126 million to resolve an investigation stemming from the company’s corrupt scheme to pay bribes to Brazilian government officials to secure business with Brazil’s state-owned and state-controlled oil company, Petróleo Brasileiro S.A. – Petrobras (Petrobras). The matter was resolved via a Plea Agreement. Information detailing the company’s conduct was also issued.

Despite substantial violations of the FCPA and its extension into the corporate offices, Trafigura received the 10% discount noted above. The message from this enforcement action is the cost of failing to self-disclose, creating liability under the FCPA and creating jurisdiction for the DOJ to bring an enforcement action, denial that you have done anything wrong, failure to cooperate (at least initially), and not sanctioning any of the culpable company actors. In other words, there is a bit of reverse logic and analysis in this case. However, as noted several times, the DOJ rewarded Trafigura with some credit and gave them a discount. Most importantly, and perhaps inexorably, Trafigura was not required to retain a monitor.

Remediation 

While most of the remediation is reported as standard, the one item that every compliance professional should consider is that the company proactively discontinued using third-party agents for business origination. This point is perhaps the most significant, as we have now seen the DOJ call out Albemarle and SAP for discontinuing their use of third-party agents.

As Matt Kelly noted in Radical Compliance, in his discussion of the Gunvor FCPA enforcement action, “This is the latest in a string of FCPA enforcement cases where we’ve seen a big, structural change to the sale function. Albemarle eliminated its use of third-party sales agents as part of its FCPA settlement last year; SAP eliminated its third-party sales commission model globally as part of its own FCPA settlement announced in January. Now we have a third global enterprise going that same route, reducing its FCPA risk in a deep, permanent way by restructuring its sales operations.” With Trafigura, we now have a fourth.

As I noted in my review of the Albemarle and SAP enforcement actions, SAP eliminated its third-party sales commission model globally, prohibited all sales commissions for public sector contracts in high-risk markets, and enhanced compliance monitoring and audit programs, including the creation of a well-resourced team devoted to audits of third-party partners and suppliers. Albemarle changed its approach to sales and its sales teams. Gunvor also moved from third-party agents to a direct sales force.

Moving to a direct sales force does have its risks, but those risks can be managed with an appropriate risk management strategy, monitoring of that strategy, and improvement. Yet there is another and more important reason, a significant business reason, to move towards a direct sales business model. Whenever you have a third-party agent or anyone else between you and your customer, you risk losing that customer because your organization does not have a direct relationship with the customer. A direct sales business model will give your organization more direct access to your customers.

Another exciting aspect of this approach used by Albemarle, SAP, and Trafigura is that it is not an approach laid out in either the 2020 FCPA Resource Guide, 2nd edition, or the 2023 Evaluation of Corporate Compliance Programs. The companies developed all of these strategies based on their own analysis and risk models. It may have come from a realization that the risk involved with third-party sales models was too great, that the companies wanted more control over their sales, or another reason. Whatever the reason for the change, the DOJ clearly noted each organization and viewed it affirmatively.

Bribery Schemes

This area is essential for all compliance professionals to take note of. The bribes were initially funded with a $0.20 surcharge or uplift for every barrel of oil traded. With the price of oil fluctuating wildly at the time in question, between $60 and $100 per barrel, I am not sure such a small amount would even seem anomalous. It would not even rise to a rounding error, yet it generated $19 million in bribes. While I am not sure that the bribery scheme was designed to be so hard to detect, the reality is that no compliance professional could look at the trades and determine if a bribe was baked into the pricing.

Yet there was even a deeper part of the bribery scheme. Executives at Trafigura and corrupt traders at Petrobras prearranged the oil trading prices rather than letting the market determine them. The information noted, “The Trafigura Executive 2 and Brazilian Official 1 agreed to prices for trades of oil products and bribe amounts for each trade. After determining the price, Trafigura Executive 2 instructed Trafigura traders to negotiate with Petrobras, which Trafigura Executive 2 knew to be a sham, to arrive at the pre-agreed price.” [emphasis supplied]

Finally, another set of bribes was funded through an unrelated business unit. This occurred when one of the two corrupt Trafigura executives involved in the bribery scheme was transferred to run the company’s Singapore business unit. From there, this corrupt executive had a corrupt third party in Hong Kong bill the Singapore business unit for non-existent consulting services related to the Chinese market for $500,000. This money funded additional bribes to corrupt Petrobras employees. This extra step would require someone in compliance to connect the dots between a corrupt third-party bribery scheme in Singapore and China and the corruption at Petrobras in Brazil.

Lack of a Monitor

The following DOJ Memo governs the decision of whether a company needs a monitor: Revised Memorandum on Selection of Monitors in Criminal Division Matters, released in March 2023. The memo has 10 factors a prosecutor must consider.

  1. Did the corporation voluntarily self-disclose?
  2. At the time of the resolution and after a thorough risk assessment, has the company implemented an effective compliance program and sufficient internal controls to detect and prevent similar misconduct in the future?
  3. Whether, at the time of the resolution, the company had adequately tested its compliance program and internal controls to demonstrate that they would likely detect and prevent similar misconduct.
  4. Whether the underlying criminal conduct was long-lasting or pervasive across the business organization or was approved, facilitated, or ignored by senior management, executives, or directors (including through a corporate culture that tolerated risky behavior or misconduct or did not encourage open discussion and reporting of possible risks and concerns).
  5. Whether the underlying criminal conduct involved exploiting an inadequate compliance program or system of internal controls.
  6. Did the conduct involve the active participation of compliance personnel?
  7. Did the company take adequate investigative or remedial measures to address the underlying criminal conduct, including terminating business relationships and practices that contributed to it?
  8. Whether, at the time of the resolution, the company’s risk profile had substantially changed.
  9. Whether the corporation faces any unique risks or compliance challenges.
  10. Is the company subject to other oversight?

A review of the Information and Plea Agreement reveals no self-disclosure. Equally significantly, there is no information about whether the company has implemented an effective compliance program or sufficient controls, let alone tested them. According to the data, the conduct was long-lasting across multiple business units. If there were internal controls in place, they were undoubtedly inadequate. There does not appear to be involvement of the compliance function. The only positive factor from the resolution documents is that Trafigura did terminate its use of third parties to initiate and foster business development, but that appears to be the only factor they have met.

Writing again in Radical Compliance, Matt Kelly said, “Either way, these cases send mixed messages to the compliance community. It looks like you can get away with not self-disclosing misconduct and perhaps even slow-rolling your cooperation if you’re prepared to invest lots in a newly invigorated compliance program and tolerate the Fraud Section as your new BFFs for the next three years of a settlement agreement.”

If the DOJ has discontinued its monitoring program or changed the requirements, it is undoubtedly its prerogative to do so. It would be helpful if they communicated that change to the compliance community.


Scott Garland – Lessons Learned in Ethics and Going Forward

The Compliance Life details the journey to and in the role of a Chief Compliance Officer. How does one come to sit in the CCO chair? What skills does a CCO need to navigate the compliance waters in any company successfully? What are some of the top challenges CCOs have faced, and how did they meet them? These questions and many others will be explored in this new podcast series. Over four episodes each month on The Compliance Life, I visit with one current or former CCO to explore their journey to the CCO chair. This month, I am joined by Scott Garland, Managing Director at AMI. Scott came to AMI from the DOJ, where he held the role of Professional Responsibility Officer. As he described, it was akin to a CCO role for the US Attorney’s Office for Massachusetts.

Some of the key lessons Garland learned in the role of Professional Responsibility Officer, which apply to the skill set needed to be a CCO, include: (1) always do the right thing, but it is not always obvious what that is; (2) the issue you are presented might not be the real issue, or the sole real issue; (3) being calm and nonjudgmental helps people open up; (4) try to balance analysis with action, pragmatism with principles, using tenets of risk management; (5) craft advice that is simple, clear, and unambiguous; (6) do not just say what not to do; also say what to do and when to come back for more help; (7) admit mistakes as soon as possible; and (8) good people make mistakes. Most people will forgive a mistake if it was unintentional, you are forthright about it, and you try to fix it.

Garland recently joined Affiliated Monitors, Inc. as Managing Director – Sanctions, Cyber, Fraud, and Ethics Compliance & Monitoring. One of the reasons he did so was to help companies strengthen their compliance operations in these areas in a couple of ways. The first is before the government comes knocking, by proactively assessing a company’s compliance operations and ethical culture and recommending improvements. The second is after the government knocks, acting as an independent monitor of the company’s compliance with a plea agreement, settlement agreement, consent decree, or court or administrative order, with an emphasis not on playing gotcha or the blame game but rather on helping the company improve through lasting change.

Resources

Scott Garland’s Profile on AMI


Would You Buy a New Car From Them? Part 2 – Lessons for Compliance

Over this series, I am reviewing the corruption enforcement action involving the company formerly known as Chrysler Group LLC, now FCA US LLC (Chrysler or the company herein), which was criminally sentenced to pay a fine of over $96 million and a forfeiture money judgment over $203 million. These amounts were above a previous civil penalty of $310 million. All of this was for designing a vehicle emissions system for the company’s Jeep Grand Cherokee and Ram 1500 that would evade federal emissions standards for diesel vehicles and then lying about it to federal authorities. It was a different type of corruption from a Foreign Corrupt Practices Act (FCPA) enforcement action but corruption, nonetheless. Today, I want to consider some of the lessons for the anti-corruption compliance professional.

The actions by the company are instructive for what not to do in any corruption investigation. The Plea Agreement specified that the company did not receive credit for self-disclosure as it did not self-disclose its criminal conduct or fraud. The company did receive some cooperation credit for cooperating during the scope of the investigation but did not receive any credit for failures in both taking timely remedial action and for failing to discipline senior executives who were involved in or had knowledge of the criminal action and fraud. (Recall that one executive involved directly in the fraud was with the company until 2020.)

All these actions were very costly to the company in terms of how it was evaluated under the US Sentencing Guidelines. Under Section 8C2.5(g)(2), a company can receive credit of up to five (5) points for cooperating in the investigation and affirmatively accepting responsibility for its conduct. The company only received a two (2) point discount. Since the Plea Agreement specified the company did cooperate in the investigation, it clearly did not accept responsibility for its conduct. The lack of those three points in discount cost the company somewhere in the estimated range of $20 to $30 million in additional fines and penalties.

The Plea Agreement also specified for the first time the Monaco Doctrine of evaluating past conduct as a part of the overall evaluation of the company. The Plea Agreement detailed that the company had a prior criminal conviction for bribery and corruption under the National Labor Relations Act (NLRA) for bribing union officials. However, it is not clear how that worked into the overall fine and penalty except to note that the company paid the maximum under the US Sentencing Guidelines, after credit for the civil penalty.

Additionally, while there is no requirement for a monitor in this resolution of the criminal action, there was such a requirement in the Consent Decree from the civil action. It mandated an Independent Compliance Auditor for a period of three years from the resolution of the civil matter, which was May 2019.

Lessons Learned

There are multiple lessons for the anti-corruption compliance professional from this enforcement action. Obviously, the need to engage in robust remediation for the matter at issue and your compliance program is critical. Moreover, and once again, the Department of Justice (DOJ) criticized a company for tardiness in disciplining those who were involved in the fraud or those who were aware of it. As I noted in Part 1, multiple former company employees were criminally indicted for their conduct in this sordid affair. Yet some of them were with the company until 2019 and 2020, and not all were terminated; some left the company in voluntary separations, which sounds suspiciously like retirements. Such actions could save your organization literally millions of dollars.

One of the clearest lessons, which was not stated in any of the resolution documents, was that every Chief Compliance Officer (CCO) needs to read the newspapers and stay abreast of current events in their industry. It was September 2015 that the Volkswagen (VW) emissions-testing scandal became public. It was by far the largest scandal in emissions-testing and cost VW billions in investigative and remediation costs, fines, penalties, buy-backs, market share loss and reputational damages. To say that anyone at the company was not aware of it is to simply defy belief.

Beyond just the CCO, every Board member was no doubt aware of the VW emissions-testing scandal. Under the current state of the Caremark Doctrine, there may well be a duty to make an inquiry by the Board of auto manufacturers to senior management to investigate if they have been involved in similar conduct. Here we do not know how the scandal got to the attention of the DOJ, but it was clear from the Plea Agreement that it was not from self-disclosure. CCOs and Boards need to be much more proactive when competitors get into trouble about investigating similar products or services which could lead to criminal and civil fines and penalties.

This matter warrants consideration by every CCO in every US public and private company. Every CCO can also use the case as instruction and training for both senior management and their company Board of Directors.

Resources

DOJ Press Release

Information

Plea Agreement

Consent Decree from the civil action


Cookies, Chocolates and IP: The Stericycle FCPA Enforcement Action – Part IV

Last week, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) announced a Foreign Corrupt Practices Act (FCPA) enforcement action, involving the waste management company, Stericycle, Inc. (Stericycle). According to the Information and Deferred Prosecution Agreement (DPA), Stericycle entered into a three-year DPA. The company was charged with two counts of conspiracy to violate (1) the anti-bribery provision of the FCPA, and (2) the FCPA’s books and records provision. Under the DPA, Stericycle agreed to a criminal penalty of $52.5 million of which the DOJ agreed to credit up to one-third of the criminal penalty against fines the company pays to authorities in Brazil in related proceedings. According to the SEC Cease and Desist Order (Order), Stericycle violated the anti-bribery, books and records, and internal accounting controls provisions of the FCPA and agreed to pay approximately $28.2 million in disgorgement and prejudgment interest. The SEC Order also provided for an offset of up to approximately $4.2 million of any disgorgement paid to Brazilian authorities. Today we consider the lessons learned.

Rapid Expansion

Similar to what we saw in the WPP enforcement action, Stericycle engaged in rapid expansion in a series of foreign jurisdictions. In this case it was Latin America. Stericycle does not seem to have made the same mistakes as WPP in holding back part of the overall acquisition payout to the owners in the locales where they purchased entities and thereby incentivizing corruption to meet sales goals. Under Stericycle, there was nothing about this same type of incentive plan used by WPP. However, Stericycle did appear to keep the former owners on as the executives in these new foreign subsidiaries without taking into account how those former owners may have done business or the risk model it entailed.

Which brings us to pre-acquisition due diligence, which is not simply looking at the financial issues involved but also considering the potential purchase from the compliance perspective. How did the companies which were purchased to form the foreign subsidiaries in Latin America do business before they were purchased? Did Stericycle review those companies from the compliance standpoint?

Moreover, and as Candice Tal, founder of Infortal, continually reminds us, due diligence is more than simply a site investigation or a couple of interviews. It should include “an in-depth background check of key executives or principal players. These are not routine employment-type background checks, which are simply designed to confirm existing information; but rather executive due diligence checks designed to investigate hidden, secret or undisclosed information about that individual.” Tal believes that such “Reputational information, involvement in other businesses, direct or indirect involvement in other lawsuits, history of litigious and other lifestyle behaviors which can adversely affect your business, and public perceptions of impropriety, should they be disclosed publicly.” Clearly, Stericycle did not engage in this level of due diligence in either the acquisitions of the entities which became Stericycle subsidiaries in Latin America, nor in their key personnel. Employees up and down the chain of an organization do not simply wake up one day and decide to engage in bribery and corruption and create a full set of records so the effectiveness of your bribery-based business process can be evaluated. 

Impact of the FCPA Corporate Enforcement Policy

The Stericycle enforcement action once again demonstrates how the FCPA Corporate Enforcement Policy can benefit even the most corrupt organization and allow a significant reduction of the overall fine and penalty under the US Sentencing Guidelines. According to the DPA, Stericycle received a 25% discount off the bottom of the applicable Sentencing Guidelines fine range for its cooperation during the pendency of the investigation and the extensive remediation.

I have previously estimated Stericycle saved between $25 million and $30 million from their final criminal fine. That is certainly a significant amount and one every Chief Compliance Officer (CCO) needs to have ready to submit to your CEO to demonstrate the power of committing time and resources to both internal investigations and remediation during the pendency of the investigation.

Impact from the Lisa Monaco Doctrine

a. The Monitor

This is the first FCPA enforcement action to show the full impact of the change in DOJ enforcement priorities after the Lisa Monaco speech of October 2021, in a variety of ways. The first is the imposition of a monitor. It was required under both the DPA and the Order. Interestingly, even though the company was long aware of its compliance and ethical failures and even though it had been investigating this matter since at least 2016, the company could not seem to get its collective act together enough to fully implement and test the new compliance regime set out in the DPA. The DPA stated, “despite its extensive remedial measures described above, the Company to date has not fully implemented or tested its enhanced compliance program, and thus the imposition of an independent compliance monitor for a term of two years, as described more fully below and in Attachment D, is necessary to prevent the recurrence of misconduct.” [Emphasis supplied] Clearly the DOJ (and SEC) did not trust that the company would follow through with its obligations under the resolution documents and concluded that a monitor was “necessary to prevent the recurrence of misconduct.”

b. Culture

One part of the Monaco speech which drew much criticism from the white-collar defense bar and others was her remarks around culture and that the DOJ would start assessing corporate culture in the context of other fines, penalties and regulatory enforcement actions from outside the FCPA context. Many articulated fears that conduct completely unrelated to an FCPA enforcement action could form the basis of an FCPA enforcement action. Those fears were alleviated in the Stericycle DPA which stated, “the Company has some history of prior civil and regulatory settlements, but no prior criminal history”. At least at this point, no unrelated civil or regulatory actions were assessed in the context of an FCPA enforcement action.

There was and continues to be much to consider and learn from the Stericycle FCPA enforcement action. I am sure we will be revisiting it in the future.