Categories
Blog

Reprioritizing Your Third-Party Risk Management Program – Key 2022 FCPA Enforcement Actions

From the Foreign Corruption Practices Act (FCPA) enforcement actions in 2022, one clear theme emerges; that is, organizations must reprioritize their third-party risk management programs. Many companies are becoming complacent in this arena, not realizing the potential consequences of not properly assessing their third-party risk management practices. I recently had the opportunity to visit with Alexander Cotoia of the Volkov Law Group to discuss importance of reprioritizing third-party risk management and how organizations can assess the effectiveness of their current practices. We review three 2022 FCPA enforcement actions to explore the importance of proper third-party risk management and how to avoid the potential consequences of not properly assessing these risks. Join us as we explore the details and implications of these enforcement actions and how organizations can reprioritize their compliance programs for the ever-changing dynamics of third-party risk management.

Here are the steps you need to follow to reprioritize your third-party risk management program.:

  1. Understand that third-party risk, especially as it pertains to anti bribery and corruption concerns, is a universal constant and still the highest risk.
  2. Reassess the framework by which third parties are evaluated and objectively evaluate the totality of risks posed by a potential business partner to the organization.
  3. Implement a risk-based approach to third party risk management.
  1. Understanding third-party risk

Understanding that third party risk, especially as it pertains to anti-bribery and corruption, is a universal constant is an important step in the risk management process. As evidenced by three key enforcement actions, ABB Limited, Oracle and GOL Airlines, organizations must evaluate the risks posed by potential business partners and ensure that the information collected is adequate to objectively assess the totality of the risks. Organizations should be aware that the DOJ requires companies to adopt a risk-based approach to third party risk management. To ensure that the organization is compliant with these regulations, they should review their existing practices and be prepared to supplement them if necessary. Additionally, organizations should be aware that they may be given credit for voluntary disclosure and cooperation efforts when faced with potential violations. This may be beneficial when determining penalties and is an important factor to consider when dealing with third party risk.

  1. Reassess your third-party framework

Reassessing the framework by which third parties are evaluated and objectively evaluating the totality of risks posed by a potential business partner to the organization is a critical step in reprioritizing your third-party risk management strategy. This should be approached holistically, focusing on the information being collected and its adequacy in objectively evaluating risks. Organizations should adopt a risk-based approach, as recommended by the DOJ, and not simply have a one size fits all approach. This approach should include due diligence, assessing the potential partner’s reputation and business practices, verifying their legitimacy and background, and understanding their country of origin and its laws. Additionally, organizations should consider the potential partner’s relationship with government officials and whether it could violate any anti-bribery or corruption laws. If any of these issues are identified, organizations should look into it further to ensure that their partner is compliant. By doing this, organizations can ensure that they are not engaging in any activities that could be deemed illegal or unethical. 

  1. Implement a risk-based approach

Implementing a risk-based approach to third party risk management is essential to any organization’s compliance program. This involves assessing the external parties on which an organization relies operationally, and identifying any risks associated with those external parties. This assessment should include evaluating their qualifications and experience to ensure they are able to meet the organization’s expectations. Additionally, organizations should consider conducting background checks on potential external parties, and assessing any potential conflicts of interest that may arise. Once potential external parties have been identified, organizations should consider conducting due diligence to ensure that the external party has not been involved in any fraud, bribery, or other criminal activities. Organizations should also consider developing contracts and compliance policies for external parties and monitoring their activities to ensure compliance. Finally, organizations should consider developing a training program for their external parties to ensure they understand the organization’s expectations and policies. By implementing a risk-based approach to third party risk management, organizations can reduce the risk of an FCPA violation and ensure their organization remains compliant.

Third-party risk management one of the most critical components of any organization’s compliance program. Organizations should take the initiative to reprioritize third-party risk management and assess the effectiveness of their current practices. Through the exploration of three enforcement actions and the introduction of the joint compliance note, this article has highlighted the importance of properly assessing third-party risk and how to best prepare for the ever-changing dynamics of third-party risk management. By implementing a risk-based approach to third party risk management, organizations can protect themselves from potential violations of the FCPA and ensure their organization remains compliant. With the right tools, processes, and dedication you can achieve the same results and protect your organization from costly fines and penalties.

For more information, on Diligent’s Third-party Risk Management solution, click here.

Listen to Alexander Cotoia on the podcast series, sponsored by Diligent here.

Check out the Volkov Law Group here.

Categories
Compliance Into the Weeds

Compliance Issues & Events We Are Looking at for 2023

The award-winning, Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject. In this episode, Matt and I consider a list of compliance issues and events worth watching in the next 12 months, likely to happen in the coming year, that will be most consequential for corporate compliance and audit professionals.

For 2023 (at least at this point), it is the following:

·      SEC rules on greenhouse gases.

·      PCAOB enforcement.

·      The FTC and privacy enforcement.

·      Fallout from the Oracle FCPA enforcement action.

·      New DOJ corporate crime enforcement policies.

·      An ESG controller.

·      Crash and burn of Elon Musk-style corporate governance.

 Resources

Matt Kelly in Radical Compliance

Categories
Corruption, Crime and Compliance

A Deep Dive into the Oracle FCPA SEC Settlement

Oracle Corporation settled its second FCPA case in ten years. It agreed to pay the SEC $23 million to resolve allegations that its subsidiaries in Turkey, India and the United Arab Emirates maintained slush funds to bribe foreign officials. Ten years ago in 2012, Oracle paid the SEC $2 million for creating millions of dollars in off-the-books accounts at its India subsidiary. Join Michael Volkov as he takes a deep dive in the Oracle case and provides valuable lessons for managing third-party corruption risks.

  • In the SEC’s mind, Oracle is a recidivist, having its second enforcement action case in 10 years.
  • The settlement for $23 million underscored the power of the FCPA provisions, which mandate effective internal controls and accurate books and records, and can be applied to a wide range of conduct beyond foreign bribery, Michael remarks. 
  • The controls that Oracle put in place to prevent improper use of discounts and marketing reimbursements were not effective because there was a lack of compliance culture within the business.
  • The Oracle case is one that should be studied by compliance professionals, Michael believes. It reminds you to look at your own controls that surround discounting and ensure that the necessary documentation is carried out. “No matter what controls you have in place, they still have to be adhered to with a true culture of compliance underneath it as a foundation,” he adds.

 

Resources

SEC Oracle Case

Email Michael: mvolkov@volkovlaw.com

Categories
GalloCast

Gallocast – Episode 4 – October 2022

Welcome to the GalloCast. You have heard of the Manningcast in football. Now we have the GalloCast in compliance. The two top brothers in compliance, Nick and Gio Gallo, come together for a free-form exploration of compliance topics. It is a great insight on compliance brought to you by the co-CEOs of ComplianceLine. Fun, witty, and insightful with a dash of the two brothers throughout. It’s like listening to the Brothers Gallo talk compliance at the dinner table. Hosted by Tom Fox, the Voice of Compliance. Topics in this episode include:

  • ComplianceLine rebranded to Ethico. How does this reflect the overall products and services of the organization in 2022 and beyond.
  • The Oracle FCPA Enforcement Action. What are some key lessons for compliance?
  • The Monaco Memo. Focus on employee incentives and clawbacks.
  • Employees having two jobs post pandemic. When is it a conflict of interest?
  • Quiet quitting and the opportunity for employee engagement.

Resources

Nick Gallo on LinkedIn

Gio Gallo on LinkedIn

Ethico

Categories
Blog

Use Your Eyes in Compliance

One thing compliance professionals are rarely trained to do is trust your eyes. This may be because it seems too obvious. After all the well-known Howard Sklar maxim of “Water is Wet” is largely based on the fact that if something is so obvious you may not need to train on it. Yet two recent events make clear we all need to ‘trust our eyes’ in a variety of settings. The first is in the National Football League (NFL) and it involves Miami Dolphin quarterback, Tua Tagovailoa. Three weeks ago, he was tackled, thrown to the ground and his head snapped against the tuft. This is clearly a sign a concussion may be coming. After Tua got up, he stumbled and fell and then had to be helped up by a teammate and off the field.

I say all of this with absolute certainty as I was watching the game Dolphins v. Bills and saw it along with some 70,000 in the stadium and millions on television. Unfortunately, those who did not see these actions of Tua after the hit was the Dolphins medical staff who, rather amazingly (or perhaps not), cleared him under the NFL Concussion Protocol and sent him back to play in the second half of the game. Again, finding he was fine under the concussion protocol, he was allowed to play. The Dolphins claimed that he had sustained a “back injury” and that was why he stumbled and fell, not motor impairment. The next week, Tua took another shot to his head and this time he did not get up, stumble and fall. He did not get up at all. According to New York Times (NYT), he left the field on a stretcher and was taken immediately to a local hospital.

It was clear to anyone who saw the first concussion, that it was just that a concussion. However, “because of the incident, the league and union said they were considering changing the protocols, which currently allow a player with “gross motor instability” to return to the game if doctors decide there is an orthopedic reason for his unsteadiness.” Some doctor said the instability was due to Tua’s bad back and that was good enough. The NYT went on to further note, “The expected change will be to instead establish ataxia, a term describing impaired balance or coordination caused by damage to the brain or nerves, as a sign that automatically disqualifies a player from returning to the game.”

All of this informs compliance programs and compliance professionals as sometimes actions do not simply pass the eye test. I thought of this in the context of the recent Oracle Corporation Foreign Corrupt Practices Act (FCPA) enforcement action. In this Oracle matter, the bribery schemes involved distributors, which were used as not only conduits to pay bribes, but as the mechanism to create a pot of money to pay bribes. The Oracle compliance program allowed sales employees at the subsidiaries to request monies meant to reimburse distributors for certain marketing expenses associated with selling Oracle products. There was a multi-pronged approval process in place. For marketing reimbursements “under $5,000, first-level supervisors at the Subsidiaries could approve the purchase order requests without any corroborating documentation indicating that the marketing activity actually took place.” Above this $5,000 threshold, additional approvals were required with additional requirements for business justification and documentation.

You can no doubt see where this is going as this internal control gap allowed for abuse. Indeed the Orderstated, “Oracle Turkey sales employees opened purchase orders totaling approximately $115,200 to [distributors] in 2018 that were ostensibly for marketing purposes and were individually under this $5,000 threshold.” That is at least 23 different expense requests to reimburse for marketing made under the threshold. Of course, there were no marketing efforts by the distributors and no follows up audits, inspections or even questions to confirm that the marketing expenses had actually occurred. The entire business unit was in on the fraud, and it stole money from the corporate office to fund it slush fund to pay bribes.

Clearly compliance was not using its eyes for if it had, it would have seen that there was a large number of marketing reimbursement requests at or below the threshold which required additional oversight and approval. Using your eyes does not mean that it is simply your eyes which catch nefarious conduct, it means that you use your eyes and if it something unusual occurs then additional investigation is warranted.

All of this brings to the second lesson from the NFL’s sordid tale involving Tua Tagovailoa; which is if the protocol does not work, change the protocol. Renee Miller, writing The Athletic, said, “The purpose of the onsite concussion “exam is to determine if any symptoms are apparent in a neurological exam (looking at reflexes, cranial nerve function and limited cognitive skills), and if so, whether they arise from a neurological origin.” It does not take into account what we all saw with our eyes, the stumbling, Tua grabbing his helmet and inability to focus. The NFL will now make a change to consider the other factors Tua exhibited. In other words, they changed the protocol to require and allow for additional information about the injured player in making a determination of that player’s returning to the game.

In the case of Oracle, there was a high risk of business unit employees using the marketing reimbursement requests to create a pot of money to pay bribes. We know this because this same bribery scheme was used by Oracle India to pay bribes and do business corruption, all of which was the subject of a prior FCPA enforcement action. Pretty clearly allowing business unit employees to obtain marketing reimbursements was something that would lead to disaster; which it did just as the Dolphins allowing Tua to come back into the second half of the Bills game where he sustained his first concussion was disastrous for Tua as he was much more seriously injured just the next week.

In compliance never forget to ‘use your eyes’ in testing your compliance program. If something does not look right, do additional investigation. If you do not do so, you may end up like Oracle, now one of 15 FCPA recidivists, a list no company wants to be on.

Categories
FCPA Compliance Report

Oracle FCPA Enforcement Action

In this episode, I take on a solo pod to discuss and consider the Oracle FCPA enforcement action brought by the Securities and Exchange Commission.

Key areas we discuss on this podcast are:

  • Background facts.
  • Same facts in same country?
  • Failure of a paper program.
  • The need for data analytics.
  • Where is the DOJ?
  • What are the lesson learned going forward?

 Resources

For a White Paper on the Oracle FCPE enforcement action, email tfox@tfoxlaw.com

Categories
Blog

Oracle: FCPA Recidivist Part 4 – the Comeback and DOJ

After revisiting “Parking in India” from 2012, we return to explore more from the Foreign Corrupt Practices Act (FCPA) recidivist Oracle Corporation. We previously reviewed the bribery schemes in general and how they worked in practice. Given not simply the recidivist status but the nature and location of the bribery schemes, one might reasonably ask questions about the resolution. Quite simply, how did Oracle achieve the result they did?

The Comeback

Under the FCPA Corporate Enforcement Policy, as developed by the Department of Justice (DOJ), the requirements for leniency were (1) self-disclosure, (2) extensive cooperation during the investigation and (3) thorough remediation up to the conclusion of the matter. Under the recent Monaco Memo, this prong 3 was further explained as creating a compliance program to address the issues which led to the compliance program and then testing that program prior to the conclusion of the resolution. While the Securities and Exchange Commission (SEC) does not have a similar written Policy they have followed the DOJ’s lead on since the implementation of the FCPA Corporate Enforcement Policy in November 2017.

In the 2022 Order, it specified there was some type of self-disclosure. The Order stated, “the Commission [SEC] considered that Oracle self-reported certain unrelated conduct, remedial acts it undertook, and cooperation afforded the Commission Staff.” This is one of the most oblique references to self-disclosure seen in an FCPA enforcement action. It is not clear what the ‘unrelated conduct’ might have been nor how it related to the FCPA violations. Whatever this unrelated conduct was, it was self-disclosed to the SEC and apparently that self-disclosure was enough to satisfy the SEC that self-disclosure had occurred.

The next requirement is thorough cooperation with the SEC during the investigation. Here the Order stated, “Oracle’s cooperation included sharing facts developed in the course of its own internal investigations, voluntarily providing translations of key documents, and facilitating the staff’s requests to interview current and former employees of Oracle’s foreign subsidiaries.” Each one of these factors should be digested by every compliance officer to understand what the SEC thinks is important. It may be different from the DOJ, particularly after the Monaco Memo, but these actions are all clearly important to the SEC.

Finally, of course, is the remediation. Here the Order specified several actions in greater detail than in most Orders. The Order stated, “Oracle’s remediation includes:

  • terminating senior regional managers and other employees involved in the misconduct and separating from employees with supervisory responsibilities over the misconduct;
  • terminating distributors and resellers involved in the misconduct;
  • strengthening and expanding its global compliance, risk, and control functions, including the creation of over 15 new positions and teams at headquarters and globally;
  • improving aspects of its discount approval process and increasing transparency in the product discounting process through the implementation and expansion of transactional controls;
  • increasing oversight of, and controls on, the purchase requisition approval process;
  • limiting financial incentives and business courtesies available to third parties, particularly in public sector transactions;
  • improving its customer registration and payment checking processes and making other enhancements in connection with annual technology conferences;
  • enhancing its proactive audit functions;
  • introducing measures to improve the level of expertise and quality of its partner network and reducing substantially the number of partners within its network;
  • enhancing the procedures for engaging third parties, including the due diligence processes to which partners are subjected;
  • implementing a compliance data analytics program; and
  • enhancing training and communications provided to employees and third parties regarding anti-corruption, internal controls, and other compliance issues.”

 Resources

These changes appear to be extensive and potentially significant within the greater Oracle compliance program. There was increased resources made available to Oracle through an increase in head count (15 new positions), restructuring of compliance groups and creation of new compliance teams. Additionally, the implementation of a compliance data analytics program would also fall under additional resources. Finally, Oracle moved to more proactive auditing.

Discipline

There were terminations of Oracle employees including “senior regional managers and other employees involved in the misconduct” in addition to the termination of distributors and resellers involved in the misconduct. While not tied to a disciplinary role but clearly in the less is more approach Oracle substantially reduced the number of business partners within its network.

Training

Next was in the area of training. There was enhanced “training and communications provided to employees and third parties regarding anti-corruption, internal controls, and other compliance issues.” This would seem to indicate enhanced training for those remaining business partners.

Internal Controls

Finally, there was the area of internal controls enhancement. Here there were improvements in the following areas: (a) discounting by improving aspects of the Oracle discount approval process and increasing transparency in the product discounting process through the implementation and expansion of transactional controls; (b) procurement through the increased oversight of, and controls on, the purchase requisition approval process; (c) removal of perverse incentives by limiting financial motivations and business courtesies available to third parties; (d) basic GTE by improving its customer registration and payment checking processes and making other enhancements in connection with Oracle technology conferences.

DOJ

Obviously, recidivist behavior is one of the key areas the DOJ focused on in the Monaco Memo. It is one of the factors the DOJ assesses in any resolution of an enforcement action. The Monaco Memo does note that civil penalties over five years old will be given lesser weight so perhaps the 2012 SEC FCPA enforcement action involving Oracle’s conduct in India plays into the SEC analysis here. There is also the question of a monitor for a company with recidivist behavior which Oracle avoided in this SEC resolution. In the Monaco Memo, two of the areas of evaluation are:

  1. Whether, at the time of the resolution and after a thorough risk assessment, the corporation has implemented an effective compliance program and sufficient internal controls to detect and prevent similar misconduct in the future;
  2. Whether, at the time of the resolution, the corporation has adequately tested its compliance program and internal controls to demonstrate that they would likely detect and prevent similar misconduct in the future;

While the SEC Order lays out in detail the remediation, there is no information on any testing performed by Oracle on the new components of its compliance program or on its controls.

As yet there is no information on a DOJ resolution. Given the tenor of the most recent DOJ announcements including the Monaco Memo, and the subsequent speech by Principal Associate Deputy Attorney General Marshall Miller and speech by Assistant Attorney General Kenneth A. Polite, it appears that recidivism will be greatly frowned upon. Also, unclear would be whether the DOJ would require a monitor based upon the remediation made by Oracle as reported in the SEC Order. As noted, there is no indication of testing of the compliance program enhancements. All in all, lots of questions for the DOJ and we will have to wait for a DOJ resolution to see if we can begin to answer some of them.

Please join me tomorrow where I conclude this series by considering what does it all mean for the compliance professional.

Categories
From the Editor's Desk

September and October in Compliance Week

Welcome to From the Editor’s Desk, a podcast where co-hosts Tom Fox and Kyle Brasseur, EIC at Compliance Week, unpack some of the top stories which have appeared in Compliance Week over the past month, look at top compliance stories upcoming for the next month, talk some sports and generally try to solve the world’s problems.

In this month’s episode, we look back at top stories in CW from September around the FCPA enforcement actions involving GOL and Oracle, the Monaco Doctrine as reflected in the Monaco Memo, and the SEC spanking of banks for nearly $2MM over employees using messaging apps. We discussed the ESG virtual event and previewed the CW 2022 in Europe, which will be held in Scotland, and the virtual 3rd Party Risk conference, scheduled for December.

We conclude with a look at some of the top sports stories, including a look at the Tua Tagavoiloa and the NFL concussion protocols, and ask Kyle how he would have covered; the Boston Celtic’s imbroglio regarding its suspended head coach Ime Udoka and  Aaron Judge and his season for the ages.

Categories
Blog

Oracle: FCPA Recidivist Part 5 – What Does It All Mean?

In this post, we conclude our exploration of the Foreign Corrupt Practices Act (FCPA) enforcement action involving the now recidivist Oracle Corporation. This enforcement action was concluded with the Securities and Exchange Commission (SEC) resulting in an Order. After having examined the background facts and bribery schemes in some details, we turn to what does it all mean for FCPA enforcement going forward and what lessons can the compliance profession draw from Oracle’s missteps.

Paper Programs Fail

One of the most prominent lessons to be garnered from this matter is that paper compliance programs Do Not Work. That may sound like perhaps the most basic truism in all of compliance but here we are in 2022, looking at a major multinational organization which had a ‘check-the-box’ compliance program around distributors and it eventually bit them in the backside.

After having its first FCPA enforcement action in 2012 involving distributors in India, where deep and unwarranted discounts were used to create a pot of slush funds to pay bribes, Oracle instituted a requirement for a ‘second set of eyes’ outside the business unit for unusual or excessive discounts. According to its policies regarding distributors, a valid and legitimate business reason was required to provide a discount to a distributor. Oracle used a three-tier system for approving discount requests above designated amounts, depending on the product. In the first level, Oracle at times allowed subsidiary employees to obtain approval from an approver in a subsidiary other than that of the employee seeking the discount. At the next level and for higher level of discounts, Oracle required the subsidiary employee to obtain approval from another geographic region and the final level (and for the highest discounts) was from someone at the Oracle corporate headquarters. So far so good.

The problem was there was no requirement for evidence of a business justification to support the requested discount. The Order noted, “Oracle reviewers could request documentary support, Oracle policy did not require documentary support for the requested discounts – even at the highest level.” A statement of why you need a discount without any supporting documents as evidence is simply that – a statement. In other words, there was no way for a higher-level approver to determine if such a request was valid or fraudulent. Ronald Reagan was on to a basic compliance concept when he intoned “Trust, but verify.” Those words still ring true as a basic requirement in any compliance program.

Data Analytics

The Oracle enforcement action emphasized why data analytics is mandatory for any current compliance program. In addition to creating slush funds through discounts to distributors, slush funds were created through fraudulent reimbursement requests for expenses associated with marketing Oracle’s products. If the request were under $5,000, business unit level supervisors at the subsidiaries could approve them without any corroborating documentation indicating that the marketing activity actually took place. In one example from the Order, it noted that an Oracle Turkey sales employees obtained such fraudulent reimbursements totaling approximately $115,200 in 2018 that were “ostensibly for marketing purposes and were individually under this $5,000 threshold.” There was apparently no one looking to see who and how often these reimbursement requests were made by any single employee or approved by any supervisor.

This is as basic a fraud scheme as one can imagine. Think of employee gift, travel and entertainment (GTE) reimbursement where anything over $100 must be preapproved. One BD type or one business unit routinely submits requests after purchases of $99.99 so no preapproval is required. The supervisor approves it, and it is automatically paid to the employee. One reimbursement at $99.99 may not raise a red flag but multiple requests should. The same concept holds true in this situation. However, no one at Oracle was looking at this bigger picture. This is where a data analytics program would pick up such anomalies and flag it for closer inspection and investigation. Oracle appears to have realized this through part of its remediation which included the implementation of a compliance data analytics program moving to proactive auditing.

Internal Control Upgrades

Putting in compliance enhancements to remediate your control failures is a key part to any FCPA enforcement resolution. In this area, there were improvements in the following capacities: (a) in distributor discounting by improving aspects of the Oracle discount approval process and increasing transparency in the product discounting process through the implementation and expansion of transactional controls; (b) in the Oracle procurement process through the increased oversight of, and controls on, the purchase requisition approval process; (c) by the removal of perverse incentives by limiting financial motivations and business courtesies available to third parties; (d) in basic gifts, travel and entertainment policies (GTE) by improving its customer registration and payment checking processes in connection with Oracle technology conferences.

Basic GTE

I cannot believe that in 2022 we are talking about companies that still do not have the most basic GTE policies in force. Since at least 2007, the Department of Justice (DOJ) made clear what was appropriate in business travel, business courtesies and business entertainment. Oracle’s 112 Project decidedly was not as it was designed to appear as a business trip to Oracle’s home office (then in California) related to Oracle’s bid on a project. However, the trip was designed to be a sham to hide boondoggle travel for four government officials. The alleged business meeting at the corporate headquarters lasted only 15 minutes and for the rest of the week, the Oracle BD folks entertained the government officials in Los Angeles and Napa Valley and then took them to a “theme park” in the greater Los Angeles area. Any travel involving government officials or any other covered persons under the FCPA should be submitted to and approved by your compliance function, including costs and the itinerary.

There was much to consider from the SEC enforcement action under the FCPA involving Oracle. We still have not heard from the DOJ. There may be more to come….

Categories
Compliance Into the Weeds

The Oracle FCPA Enforcement Action

Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. In this episode, we look at the recently announced SEC Foreign Corrupt Practices Act enforcement action involving Oracle. Highlights include:

  1. Recidivist behavior in some countries with similar schemes.
  2. Policy, procedure, and internal controls failures.
  3. Why no monitor.
  4. Compliance programs lessons learned.
  5. What about the DOJ?

 Resources

Matt in Radical Compliance

Tom in the FCPA Compliance and Ethics Blog

  1. Background
  2. The Schemes in Action
  3. Parking in India
  4. The Comeback and DOJ
  5. What it all means