Categories
Blog

TD Bank: Part 5 – The Reckoning

Today, I want to review the OCC Consent Order to see the bank’s requirements. This is separate from the DOJ requirements under the Bank’s Plea Agreement(s) and the FinCEN Consent. Further, the DOJ and OCC have mandated separate monitors under their attendant settlement agreements. FinCEN’s Order imposes a four-year independent monitorship, and the DOJ Plea Agreement a 3-year Monitorship. As Matt Kelly noted in Radical Compliance, the remediation steps include:

  • Establishing a dedicated compliance committee at the board level;
  • Drafting a plan within 120 days to overhaul its AML compliance program;
  • Hiring an independent compliance consultant within 60 days to conduct their review of TD’s compliance program;
  • Hiring a senior-level AML compliance officer;
  • Staffing up a more robust AML compliance function; and
  • Implementing new policies, procedures, training, and all the other usual requirements we’ve seen from similar banking settlements.

In this blog post, we will consider some of the highlights above and beyond these remediation steps that the Bank must perform.

The Action Plan

The enforcement order mandates that within 120 days, TDBNA must submit a comprehensive BSA/AML Action Plan to the Examiner-in-Charge for approval. This plan must address the bank’s deficiencies in adhering to the Bank Secrecy Act (BSA) and Anti-Money Laundering (AML) regulations. The action plan must include detailed corrective actions, reasonable timelines for implementation, and clear accountability for executing these measures. The board of directors is responsible for overseeing the implementation, ensuring adherence, and monitoring progress, with formal reviews required at least annually.

The Action Plan must be subject to continuous updates and modifications as necessary, particularly if directed by the Examiner-in-Charge or if the bank identifies further areas of improvement. The Examiner-in-Charge must approve any significant deviations or material changes to the plan. TDBNA must also submit quarterly progress reports detailing corrective actions, outstanding issues, and timelines for resolving compliance deficiencies, ensuring transparency in the bank’s efforts to remediate its AML program.

In the event of ongoing issues or independent assessments highlighting further weaknesses, the bank must provide written documentation to the Examiner-in-Charge. The board’s review and response to these assessments will drive accountability and ensure the continuous improvement of TDBNA’s BSA/AML compliance program.

AML Program Assessment and Remediation

TDBNA’s response to its enforcement action underlines the critical role of independent third-party assessments in fortifying a bank’s BSA/AML program. The bank must engage an independent consultant, approved by the OCC, to conduct an exhaustive end-to-end review of its entire BSA/AML framework. This process begins within 60 days of the enforcement order, where TDBNA must submit the proposed consultant’s qualifications, along with a detailed scope of work and timeline, for the OCC’s review. The consultant’s expertise in BSA/AML compliance is a key requirement to ensure the assessment is thorough and capable of addressing the bank’s regulatory obligations.

The independent consultant’s primary objective is to assess the bank’s BSA/AML program against its risk profile, identifying any gaps or weaknesses in its structure and operations. This review will examine whether the bank’s transaction monitoring, suspicious activity reporting, and overall governance are robust enough to meet the demands of U.S. regulatory requirements and the bank’s evolving risk landscape. The consultant’s findings will be critical in determining how effectively TDBNA’s AML framework functions and where improvements are necessary.

Upon completing the review, the consultant will deliver a comprehensive report to TDBNA’s board of directors detailing any deficiencies in the bank’s BSA/AML program. The report will also include recommendations for remediation, ensuring the bank addresses areas of concern in a structured and strategic manner. To ensure transparency and accountability, the board will document its review of the report in official meeting minutes, which must be submitted to the OCC. Additionally, the independent consultant will provide a copy of the report directly to the Examiner-in-Charge, ensuring that regulators have a clear view of the findings and the bank’s planned corrective actions.

Beyond simply identifying deficiencies, the bank must ensure it takes prompt and effective action to remediate the issues raised by the independent consultant. TDBNA must incorporate the necessary remediation efforts into its existing BSA/AML Action Plan, ensuring that all gaps are addressed promptly and comprehensively. This integration is crucial, as failure to properly implement corrective measures could lead to further regulatory actions and potentially severe penalties. The OCC will continue to monitor the bank’s progress by submitting updated action plans and progress reports.

Ultimately, this process highlights the importance of maintaining a dynamic and adaptable BSA/AML program that can respond to emerging risks and regulatory expectations. TDBNA’s engagement with an independent consultant reminds all financial institutions that complacency in AML compliance is not an option. By continually assessing and improving their compliance frameworks, banks can better mitigate risk, avoid regulatory scrutiny, and ensure their AML programs remain strong, effective, and compliant with the law.

Three is Not Always a Crowd

Are you beginning to see a pattern here? The Bank engaged third-party consultants who identified significant weaknesses in its AML program and reported these issues to the Bank’s AML leadership. In 2018, one consultant noted that increasing regulatory requirements and transaction volumes would pressure AML operations, making it difficult to meet demands and deadlines. Additionally, the consultant found that The Bank’s testing of its transaction monitoring scenarios took less than the industry average, highlighting inefficiencies in its ability to assess and capture suspicious activity.

In 2019, another consultant flagged sub-optimal transaction monitoring scenarios based on outdated parameters. These outdated scenarios generated many alerts, overwhelming the AML team and limiting their ability to focus on truly high-risk customers and transactions. This finding pointed to a broader issue in the bank’s ability to adapt its monitoring systems to changing regulatory and risk environments, significantly undermining the effectiveness of its AML compliance efforts.

In 2021, a third consultant identified additional limitations within the Bank’s transaction monitoring program, particularly its technology infrastructure. The consultant found that the bank faced technological barriers that restricted its ability to develop new scenarios or adjust existing parameters, further hampering its AML efforts. These ongoing challenges reflect a broader need for the Bank to modernize its systems and ensure its AML program is agile enough to meet regulatory expectations and address emerging risks effectively.

Restriction on Growth

The Consent Order also required the Bank to maintain its total consolidated assets at or below the level reported on September 30, 2024. This mandate prevents the banks from increasing their average total consolidated assets beyond this threshold until they achieve compliance with all actionable articles of the order. The total consolidated assets will be measured using the banks’ respective Consolidated Reports of Condition and Income.

The asset restrictions will remain in place until the banks meet all compliance obligations outlined in the order. However, the Deputy Comptroller can temporarily suspend the asset cap in unusual circumstances. If the banks fail to meet compliance deadlines, the Deputy Comptroller may require a reduction of up to 7% of their total consolidated assets, as reported in the most recent calendar quarter.

If the Bank is notified that a reduction is necessary, it must submit a plan within 30 days for the Comptroller’s approval and have 60 days to implement the asset reduction. If non-compliance continues beyond the first year, the Deputy Comptroller may impose an additional reduction of up to 7% annually, with the same plan submission and implementation requirements applying each successive year until full compliance is achieved.

Jon Hill wrote in Law360 that this is only the second time “that a federal banking agency has slapped such handcuffs on a financial institution’s overall growth.” The first was Wells Fargo, slapped for its fraudulent accounts scandal. Moreover, while the Wells Fargo “cap has remained in place much longer than many observers originally expected, the OCC has designed its cap for TD Bank with more of a need for remedial speed in mind. In particular, the OCC order establishing the cap includes express provisions that allow the agency to reduce the size limit — that is, tighten the cuffs — by up to 7% annually if the bank does not meet certain deadlines for strengthening its U.S. anti-money laundering compliance.” The article quoted Julie A. Hill, a banking law professor and dean at the University of Wyoming College of Law, for the following, “where the asset cap has gone on for years and years as the bank has tried to get compliant.”

Put Money Where Their Mouth Is

Even more than the commitment to do business ethically and in compliance with its AML/BSA requirements, the Bank must also financially commit to compliance. The Order requires that before the Bank can declare or pay dividends, engage in share repurchases, or make any other capital distributions, the Board of Directors must certify in writing to the Examiner-in-Charge that adequate resources and staffing have been allocated to the remediation efforts required by the OCC’s order. This certification must be submitted at least 30 days before any proposed capital action. It must include a detailed description of the Bank’s current allocation of compliance resources, its progress in remediation, any anticipated changes in resource allocation, and the funding source for the proposed payment or distribution. The goal is to ensure that remediation efforts take priority over capital distributions.

Join us next time, where I will consider TD Bank and the Caremark Doctrine.

Resources

OCC

OCC Press Release

Consent Order 

Civil Money Penalty 

DOJ

TD Bank US Holding Company Information

TD Bank N.A. Information

TD Bank US Holding Company Plea Agreement and Attachments

TD Bank N.A. Plea Agreement and Attachments

Merrick Garland Remarks

Nicole Argentieri Remarks

FinCEN

Press Release

Consent Order

Categories
Blog

The Trafigura FCPA Enforcement Action – Part 4 – Lessons Learned

We conclude our exploration of the resolution of the FCPA enforcement action involving the Swiss trading firm G Trafigura Beheer B.V. (Trafigura), an international commodity trading company with its primary operations in Switzerland. The company pleaded guilty and will pay over $126 million to resolve an investigation stemming from the company’s corrupt scheme to pay bribes to Brazilian government officials to secure business with Brazil’s state-owned and state-controlled oil company, Petróleo Brasileiro S.A. – Petrobras (Petrobras). The matter was resolved via a Plea Agreement. Information detailing the company’s conduct was also issued.

Despite substantial violations of the FCPA and its extension into the corporate offices, Trafigura received the 10% discount noted above. The message from this enforcement action is the cost of failing to self-disclose, creating liability under the FCPA and creating jurisdiction for the DOJ to bring an enforcement action, denial that you have done anything wrong, failure to cooperate (at least initially), and not sanctioning any of the culpable company actors. In other words, there is a bit of reverse logic and analysis in this case. However, as noted several times, the DOJ rewarded Trafigura with some credit and gave them a discount. Most importantly, and perhaps inexorably, Trafigura was not required to retain a monitor.

Remediation 

While most of the remediation is reported as standard, the one item that every compliance professional should consider is that the company proactively discontinued using third-party agents for business origination. This point is perhaps the most significant, as we have now seen the DOJ call out Albemarle and SAP for discontinuing their use of third-party agents.

As Matt Kelly noted in Radical Compliance, in his discussion of Guvnor FCPA enforcement action, “This is the latest in a string of FCPA enforcement cases where we’ve seen a big, structural change to the sale function. Albemarle eliminated its use of third-party sales agents as part of its FCPA settlement last year; SAP eliminated its third-party sales commission model globally as part of its own FCPA settlement announced in January. Now we have a third global enterprise going that same route, reducing its FCPA risk in a deep, permanent way by restructuring its sales operations.” With Trafigura, we now have a fourth.”

As I noted in my review of the Albemarle and SAP enforcement actions, SAP eliminated its third-party sales commission model globally, prohibited all sales commissions for public sector contracts in high-risk markets, and enhanced compliance monitoring and audit programs, including the creation of a well-resourced team devoted to audits of third-party partners and suppliers. Albemarle changed its approach to sales and its sales teams. Guvnor also moved from being a third-party agent to a direct sales force.

Moving to a direct sales force does have its risks, which must be managed, but those risks can certainly be managed with an appropriate risk management strategy, monitoring of the strategy, and improvement; those risks can be managed. Yet there is another reason, and more importantly, a significant business reason, to move towards a direct sales business model. Whenever you have a third-party agent or anyone else between you and your customer, you risk losing that customer because your organization does not have a direct relationship with the customer. A direct sales business model will give your organization more direct access to your customers.

Another exciting aspect of this approach used by Albemarle, SAP, and Trafigura is that it is not an approach laid out in either the 2020 FCPA Resource Guide, 2nd edition, or the 2023 Evaluation of Corporate Compliance Programs. The companies developed all of these strategies based on their own analysis and risk models. It may have come from a realization that the risk involved with 3rd party sales models was too great, that the companies wanted more control over their sales, or another reason. Whatever the reason for the change, the DOJ clearly noted each organization and viewed it affirmatively.

Bribery Schemes

This area is essential for all compliance professionals to take note of. The bribes were initially funded with a $ 0.20 surcharge or uplift for every barrel of oil traded. With the price of oil fluctuating wildly at the time in question, between $60 to $100 per barrel, I am not sure such a small amount would even seem anomalous. It would not rise to a rounding error but generate $19 million in bribes. While I am not sure that the bribery scheme was designed to be so hard to detect, the reality is that no compliance professional could look at the trades and determine if a bribe was baked into the pricing.

Yet there was even a deeper part of the bribery scheme. Executives at Trafigura and corrupt traders at Petrobras prearranged the oil trading prices rather than letting the market determine them. The information noted, “The Trafigura Executive 2 and Brazilian Official 1 agreed to prices for trades of oil products and bribe amounts for each trade. After determining the price, Trafigura Executive 2 instructed Trafigura traders to negotiate with Petrobras, which Trafigura Executive 2 knew to be a sham, to arrive at the pre-agreed price.” [emphasis supplied]

Finally, another set of bribes was funded through an unrelated business unit. This occurred when one of the two corrupt Trafigura executives involved in the bribery scheme was transferred to run the company’s Singapore business unit. From there, this corrupt executive had a corrupt third party in Hong Kong bill the Singapore business unit for non-existent consulting services related to the Chinese market for $500,000. This money funded additional bribes to corrupt Petrobras employees. This extra step would require someone in compliance to connect the dots between a corrupt third-party bribery scheme in Singapore and China and the corruption at Petrobras in Brazil.

Lack of a Monitor

The following DOJ Memo governs the decision of whether a company needs a monitor: Revised Memorandum on Selection of Monitors in Criminal Division Matters, released in March 2023. The memo has 10 factors a prosecutor must consider.

  1. Did the corporation voluntarily self-disclose?
  2. At the time of the resolution and after a thorough risk assessment, has the company implemented an effective compliance program and sufficient internal controls to detect and prevent similar misconduct in the future?
  3. At the time of the resolution, the company had adequately tested its compliance program and internal controls to demonstrate that they would likely detect and prevent similar misconduct.
  4. Whether the underlying criminal conduct was long-lasting or pervasive across the business organization or was approved, facilitated, or ignored by senior management, executives, or directors (including through a corporate culture that tolerated risky behavior or misconduct or did not encourage open discussion and reporting of possible risks and concerns),.
  5. Whether the underlying criminal conduct involved exploiting an inadequate compliance program or system of internal controls.
  6. Did the conduct involve the active participation of compliance personnel?
  7. Did the company take adequate investigative or remedial measures to address the underlying criminal conduct, including terminating business relationships and practices that contributed to it?
  1. At the time of the resolution, the company’s risk profile had substantially changed.
  2. Whether the corporation faces any unique risks or compliance challenges.
  3. Is the company subject to other oversight?

A review of the Information and Plea Agreement reveals no self-disclosure. Equally significantly, there is no information about whether the company has implemented an effective compliance program or sufficient controls, let alone tested them. According to the data, the conduct was long-lasting across multiple business units. If there were internal controls in place, they were undoubtedly inadequate. There does not appear to be involvement in the compliance function. The only positive factor from the resolution documents is that Trafigura did terminate its use of third parties to initiate and foster business development, but that appears to be the only factor they have met.

Writing again in Radical Compliance, Matt Kelly said, “Either way, these cases send mixed messages to the compliance community. It looks like you can get away with not self-disclosing misconduct and perhaps even slow-rolling your cooperation if you’re prepared to invest lots in a newly invigorated compliance program and tolerate the Fraud Section as your new BFFs for the next three years of a settlement agreement.”

If the DOJ has discontinued its monitoring program or changed the requirements, it is undoubtedly its prerogative to do so. It would be helpful if they communicated that change to the compliance community.

Categories
Compliance Tip of the Day

Compliance Tip of the Day: How an Investigation Informs Remediation

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements.

Whether you’re a seasoned compliance professional or just starting your journey, our aim is to provide you with bite-sized, actionable tips to help you stay on top of your compliance game.

Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law.

Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

In this episode, we consider why and how an investigation can be a key to your remediation after an incident occurs.

For more information on the Ethico ROI Calculator and a free White Paper on the ROI of Compliance, click here.

Categories
Blog

Ten Top Lessons from Recent FCPA Settlements – Lesson No. 9, Internal Controls

Over the past 15 months, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have made clear, through three Foreign Corrupt Practices Act (FCPA) enforcement actions and speeches, their priorities in investigations, remediations, and best practices compliance programs. Every compliance professional should study these enforcement actions closely for the lessons learned and direct communications from the DOJ. They should guide not simply your actions should you find yourself in an investigation but also how you should think about priorities.

The three FCPA enforcement actions are ABB from December 2022, Albemarle from November 2023, and SAP from January 2024. Taken together, they point out a clear path for the company that finds itself in an investigation, using extensive remediation to avoid monitoring and provide insight for the compliance professional into what the DOJ expects in an ongoing best practices compliance program.

Over a series of blog posts, I will lay out what I believe are the Top Ten lessons from these enforcement actions for compliance professionals who find themselves in an enforcement action. Today, we continue with Number 9, Internal Controls. The DOJ has made it clear that any organization under FCPA scrutiny must use its internal controls to continuously test, monitor, and improve all aspects of its compliance program.

SAP

As a part of its remediation, the company conducted a gap analysis of internal controls. This remediation found those internal controls “lacking.” SAP also undertook a “comprehensive risk assessment focusing on high-risk areas and controls around payment processes and enhancing its regular compliance risk assessment process.” Using this risk assessment as a starting point, the company performed a gap analysis, determined the overall remediation regime needed, and effectuated that remediation. 

ABB

The ABB Plea Agreement reported that ABB “performed a root-cause analysis of the conduct at issue. From there, the company revamped its internal controls, investing significant additional resources in control testing and monitoring throughout the organization. While not often seen as a part of internal controls, the company restructured its reporting by internal project teams to ensure compliance controls oversight.

Additionally, ABB essentially created its monitoring program around controls, testing its compliance program, and reporting to the DOJ. In the “Written Work Plans, Reviews, and Reports” section, ABB agreed to conduct a first review and prepare a report, followed by at least two follow-up reviews and reports. But more than simply reporting on control testing, ABB agreed to create and submit for review a work plan for this ongoing testing of its compliance program, as the program was detailed in the DPA. The DPA specified, “No later than one (I) year from the date this Agreement is executed, the Company shall submit to the Offices a written report setting forth:

  • a complete description of its remediation efforts to date;
  • a complete description of the controls testing conducted to evaluate the effectiveness of the compliance program and the results of that testing; and
  • It proposes to ensure that its compliance program is reasonably designed, implemented, and enforced so that the program is effective in deterring and detecting violations of the FCPA and other applicable anti-corruption laws.”

The bottom line is that all these companies worked very hard to significantly enhance their controls, testing, and monitoring and then improve based on that information. None of the actions taken by these companies were particularly new or even innovative. Indeed, these strategies have been available from the DOJ since at least the first edition of the FCPA Resource Guide in 2012. It was, however, the work by the company to understand the deficiencies in their internal controls regime and their superior efforts to upgrade them.

Albemarle

The Albemarle SEC Order was instructive regarding internal controls for a different reason than we have been considering throughout this series. The Order detailed a series of internal control failures by the company across multiple business units in several other countries. The entire story painted a picture of a company that did not have adequate or easily overridden internal controls.

Vietnam. The Order noted, “Albemarle’s system of internal accounting controls was insufficient to prevent or detect these improper payments, which Albemarle Singapore falsely recorded as legitimate commissions in books and records consolidated into Albemarle’s financial statements.”

India. A backdated agreement increased an India agent’s commission multiple times without compliance oversight or approval. Commissions went from “extremely high” to “far from any possible realistic justification.” Finally, “the agreement called for payment of a three percent commission to India Agent, a rate three times higher than that paid to Albemarle’s existing agent for India.”

Indonesia. Albemarle’s system of internal accounting controls was insufficient to prevent or detect the improper payments made to and through Indonesia Agent, which Albemarle Singapore falsely recorded as legitimate commissions and business expenses in books and records consolidated into Albemarle’s financial statements.”

China.  When an Albemarle business director questioned China Agent’s compensation as “high,” an Albemarle Netherlands business director provided the business justification that he anticipated significant returns on the contract.

UAE.  No due diligence was conducted on an agent until after the agent agreement had been executed. The agent provided no discernible services other than conveying confidential tender evaluations and competitors’ bids obtained from the customer.

Each of these resolutions drives home the importance of internal controls, creation, and remediation as a key part of your overall compliance regime during any investigation. The sooner you can start on your internal controls, the better off you will be in your negotiations with the DOJ and SEC.

Categories
Blog

Ten Top Lessons from Recent FCPA Settlements – Lesson No. 4, Start with a Root Cause Analysis

Over the past 15 months, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have made clear, through three Foreign Corrupt Practices Act (FCPA) enforcement actions and speeches, their priorities in investigations, remediations, and best practices compliance programs. Every compliance professional should study these enforcement actions closely for the lessons learned and direct communications from the DOJ. They should guide not simply your actions should you find yourself in an investigation but also how you should think about priorities.

The three FCPA enforcement actions are ABB from December 2022, Albemarle from November 2023, and SAP from January 2024. Taken together, they point out a clear path for the company that finds itself in an investigation, using extensive remediation to avoid monitoring and provide insight for the compliance professional into what the DOJ expects in a best practices compliance program on an ongoing basis.

Over a series of blog posts, I will lay out what I believe are the Top Ten lessons from these enforcement actions for compliance professionals who find themselves in an enforcement action. Today, we continue with Number 4, Root Cause, Risk Assessment, and Gap Analysis. Your remediation should begin with a root cause analysis. From there, move on to a risk assessment and gap analysis, and then you are ready to start your complete remediation.

SAP

The SAP Deferred Prosecution Agreement (DPA) laid out the best example of how this works in practice. The DPA reported extensive remediation by SAP, and the information provided in the DPA is instructive for every compliance professional. SAP engaged in a wide range of remedial actions. It all started with a root cause analysis. Root Cause analysis was enshrined in the FCPA Resource Guide, 2nd edition, as one of the Hallmarks of an Effective Compliance Program. It stated, “The truest measure of an effective compliance program is how it responds to misconduct. Accordingly, for a compliance program to be truly effective, it should have a well-functioning and appropriately funded mechanism for the timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or agents. An effective investigation’s structure will also have an established means of documenting the company’s response, including any disciplinary or remediation measures taken.”

This means a company should respond to the specific incident of misconduct that led to the FCPA violation. This means your organization “should also integrate lessons learned from misconduct into the company’s policies, training, and controls. To do so, a company will need to analyze the root causes of the misconduct to timely and appropriately remediate those causes to prevent future compliance breaches.” The SAP DPA noted that SAP engaged in the following steps based on these factors:

1. Conducted a root cause analysis of the underlying conduct, then remediated those root causes through enhancement of its compliance program;
2. Conducted a gap analysis of internal controls, remediating those found lacking;
3. Undertook a “comprehensive risk assessment focusing on high-risk areas and controls around payment processes and enhancing its regular compliance risk assessment process”;
4. SAP documented using “comprehensive operational and compliance data” in its risk assessments.

In addition to having a mechanism for responding to the specific incident of misconduct, the company’s compliance program should also integrate lessons learned from any misconduct into the company’s policies, training, and controls on a go-forward basis. To do so, a company will need to analyze the root causes of the misconduct and remediate those causes promptly and appropriately to prevent future compliance breaches. This SAP did it during its remediation phase.

Albemarle

Albemarle also received credit “because it engaged in extensive and timely remedial measures.” This remedial action began based on the company’s root cause analysis of its FCPA violations.
This root cause analysis led to a risk assessment, which led to remediation. All of these steps were taken during the pendency of the DOJ investigation so that when the parties were ready to resolve the matter, Albemarle had built out an effective compliance program and had tested it.

ABB

ABB also did an excellent job in its remedial efforts. According to the ABB Plea, ABB “engaged in extensive remedial measures, including hiring experienced compliance personnel and following a root-cause analysis of the conduct,” which led to the FCPA enforcement action. More on the ABB remediation later.

Each entity worked diligently to rebuild its compliance programs from the ground up. Whatever the faults of their prior compliance programs, each company was quite diligent in revamping their compliance regimes. While each company builds out a program based on its own risk, there is quite a bit of guidance you can draw from if your company finds itself in this position.

Here, the DOJ communicates that your remedial measures should start with a root cause analysis of the FCPA violation. From there, move to a risk assessment and internal control gap analysis to create a clear risk management strategy.

Categories
Compliance Into the Weeds

Compliance into the Weeds – Remediation During an Enforcement Action

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds! In this episode, Tom and Matt take a deep dive into the issue of how and whether you should remediate during an enforcement action.

The importance of early and continuous remediation of compliance issues cannot be overstated. It is a critical aspect of maintaining a healthy relationship with regulators and ensuring effective strategies are in place to address any uncovered issues. Tom firmly believes in the necessity of initiating the remediation process as early as possible, even during the investigation phase. He emphasizes the importance of regular communication with regulators and the potential risks of delaying remediation.

Matt echoes Fox’s sentiments. He highlights the confidence that early remediation brings to compliance officers and the increased likelihood of successful resolution. Join Tom Fox and Matt Kelly as they delve deeper into this topic in this episode of the Compliance into the Weeds podcast.

 Key Highlights:

  • Proactive Remediation for Effective Compliance Management
  • Navigating Personnel Matters During Remediation
  • Logical and Consistent Employee Discipline Compliance
  • Remediation Strategies for Confident Compliance Officers

 Resources:

Matt on Radical Compliance

Tom 

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
31 Days to More Effective Compliance Programs

One Month to Better Reporting and Investigations – How an Investigation Informs Remediation

There is nothing like an internal whistleblower report about a FCPA violation, the finding of such an issue or (even worse) a subpoena from the DOJ to trigger the Board of Directors and senior management attention to the compliance function and the company’s compliance program. Such an event can trigger much gnashing of teeth and expressions of outrage followed immediately by proclamations “We are an ethical company.” However, it may well be the time for a very serious reality check.
In addition to robust investigation, a company must engage in remediation of the offending conduct. The 2020 Update to the Evaluation of Corporate Compliance Programs mandated the additional significance of this by providing that this process must be considered “both at the time of the offense and at the time of the charging decision and resolution”. When you consider the strictures around continuous monitoring and continuous improvement in compliance programs it is clear why this analysis is so important. Obviously, a key test of any compliance program is when a deficiency is found and a violation occurs. The question then becomes, what did you do about it.
But from the DOJ (and Securities and Exchange Commission) perspective, the key is to use the information to both fix the problem so that it does not occur again but also improve your compliance regime.

Three key takeaways:

  1. How does your investigation inform your remediation plan?
  2. A compliance program failure offers a way to upgrade your regime.
  3. Your investigative team must inform your remediation team.
Categories
31 Days to More Effective Compliance Programs

Day 31 – Using a Root Cause Analysis for Remediation

The 2020 Update re-emphasized the need to perform a root cause analysis and, equally importantly, use it to remediate your compliance program. It stated, “a hallmark of a compliance program that works effectively in practice is the extent to which a company can conduct a thoughtful root cause analysis of misconduct and timely and appropriately remediate to address the root causes.”
It went on to state what additional steps the company has taken “that demonstrate recognition of the seriousness of the misconduct, acceptance of responsibility for it, and the implementation of measures to reduce the risk of repetition of such misconduct, including measures to identify future risk”).”

The key is that after you have identified the causes of problems, consider the solutions that can be implemented by developing a logical approach using data already in the organization. Identify current and future needs for organizational improvement. Your solution should be a repeatable, step-by-step process in which one method can confirm the results of another. Focusing on the corrective measures of root causes is more effective than simply treating the symptoms of a problem or event, and you will have a much more robust solution in place. This is because the solution(s) are more effective when accomplished through a systematic process with conclusions backed up by evidence.

When you step back and consider what the DOJ was trying to accomplish with its 2020 Update, it becomes clear what the DOJ expects from the compliance professional. Consider the structure of your compliance program and how it inter-relates to your company’s risk profile. When you have a compliance failure, use the root cause analysis to think about how each of the structural elements of your compliance program could impact how you manage and deal with that risk.

Three key takeaways:

  1. The key is objectivity and independence.
  2. The critical element is how you used the information you developed in the root cause analysis.
  3. The key is that after you have identified the causes of problems, consider the solutions that can be implemented by developing a logical approach using data already in the organization.
Categories
Blog

Profit Sharing as Bribery: The Honeywell FCPA Enforcement Action: Part 3 – The Comeback

To close out 2022 in Foreign Corrupt Practices Act (FCPA) enforcement actions, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) announced settlements of FCPA enforcement actions with Honeywell UOP, a US-based subsidiary of Honeywell International Inc. For its actions, Honeywell agreed to a criminal penalty of about $79 million, with the DOJ crediting up to $39.6 million of the criminal penalty for Honeywell’s payments to authorities in Brazil in related proceedings. The company agreed to pay the SEC $81.5 million in disgorgement and prejudgment interest and the SEC provided for an offset of up to $38.7 million for payments to Brazilian authorities. Today, I want to conclude with some lessons learned.

Honeywell’s Comeback

  1. Overcoming a Failure of Culture

When the underlying facts of this enforcement action began, Honeywell had one of the most corrupt cultures you could have imagined. As I noted yesterday, the bribery scheme in Brazil began with the business unit outright lying to the compliance function about a corrupt agent. But do not absolve the company’s compliance function as apparently they performed no due diligence or did even the bare minimum for agents in a clear high-risk jurisdiction. Unfortunately, this outright corruption and/or malfeasance only went downhill from there. There was a profit-sharing agreement with the corrupt Petrobras agent which clearly showed malfeasance from Honeywell’s finance folks for paying such a scheme where there was no written agreement or any other evidence which warranted payments of over $10 million. The bribery scheme in Algeria involved the corrupt third-party Unaoil and once again bribe payments were approved all the way up the business and compliance line with Honeywell Belgium finance signing off as well.

Yet even with this clear culture of corruption, Honeywell received a 25% discount off the minimum fine and penalty under the US Sentencing Guidelines. They did this without self-disclosing. Once again since Unaoil was involved, it would be a logical assumption, the Unaoil executive brought to the US and given immunity proved the initial information on Honeywell’s corruption. Honeywell did turn things around so that in addition to the 25% discount, they were not required to sustain a monitor. All in all, quite a comeback.

2. Extraordinary Cooperation

According to the Deferred Prosecution Agreement (DPA), Honeywell received full credit for its cooperation with the DOJ through its “(i) proactively disclosing certain evidence of which the Fraud Section and the Office were previously unaware; (ii) providing information obtained through its internal investigation, which allowed the government to preserve and obtain evidence as part of its own independent investigation; (iii) making detailed presentations to the Fraud Section and the Office; (iv) voluntarily facilitating interviews of employees; (v) collecting and producing voluminous relevant documents and translations to the Fraud Section and the Office, including documents located outside the United States.” The SEC added in its Order, “Honeywell cooperated in the Commission’s investigation by identifying and timely producing key documents identified in the course of its own internal investigation, providing the facts developed in its internal investigation, and making current or former employees available to the Commission staff, including those who needed to travel to the United States.”

2. Extensive Remediation

Honeywell was given credit by both the SEC and DOJ for its remedial efforts. The SEC said, the “remediation included: (i) strengthening its ethics and compliance organization; (ii) terminating sales directors involved in the misconduct in Brazil and demoting an employee with significant supervisory responsibilities over the misconduct in Brazil; (iii) implementing a program to eliminate UOP’s use of sales agents altogether (as of 3Q 2021, UOP had reduced its sales agent force by two-thirds); (iv) enhancing Honeywell’s policies and procedures including with respect to due diligence of third parties (including consolidating the due diligence process into one automated system and requiring third parties to submit quarterly reports and FCPA certifications); (v) improving Honeywell’s financial controls over third parties (including implementing digital end-to-end controls over payments to third party sales agents and ensuring that payments to sales intermediaries are made by wire transfer to an account belonging to the same party and to a bank account where the sales intermediary resides); and (vi) enhancing training provided to Honeywell employees and sales intermediaries regarding anti-corruption, controls, and other compliance issues.”

The DOJ noted that Honeywell, “(i) commencing remedial measures based on internal investigations of the misconduct prior to the commencement of the Fraud Section’s and the Office’s investigation; (ii) disciplining certain employees involved in the relevant misconduct, including terminating one employee; (iii) strengthening its anti-corruption compliance program by investing in compliance resources, expanding its compliance function with experienced and qualified personnel, and taking steps to embed compliance and ethical values at all levels of its business organization; (iv) substantially reducing its anti-corruption risk profile by taking steps to eliminate the Company’s use of sales intermediaries and, in the interim, rolling out a single, automated sales intermediary due diligence tool that requires responsible managers to provide quarterly compliance certifications for all existing sales intermediaries; (v) establishing monitor and audit processes to regularly review and update the compliance program; and (vi) enhancing its internal reporting, investigations, and risk assessment processes.”

From the SEC Order, the two key changes were: “(iv) enhancing Honeywell’s policies and procedures including with respect to due diligence of third parties (including consolidating the due diligence process into one automated system and requiring third parties to submit quarterly reports and FCPA certifications); (v) improving Honeywell’s financial controls over third parties (including implementing digital end-to-end controls over payments to third party sales agents and ensuring that payments to sales intermediaries are made by wire transfer to an account belonging to the same party and to a bank account where the sales intermediary resides);”. Both of these remediations speak to the use of tech solutions to enhance compliance. Under Prong IV, the implementation of one automated system for third parties.

From the DOJ DPA, the key changes were “(iii) strengthening its anti-corruption compliance program by investing in compliance resources, expanding its compliance function with experienced and qualified personnel, and taking steps to embed compliance and ethical values at all levels of its business organization; (iv) substantially reducing its anti-corruption risk profile by taking steps to eliminate the Company’s use of sales intermediaries and, in the interim, rolling out a single, automated sales intermediary due diligence tool that requires responsible managers to provide quarterly compliance certifications for all existing sales intermediaries;”. Once again, the tech solution noted in Prong IV was critical but also note the language found in Prong III about have ‘experienced and qualified [compliance] personnel.

By putting these remedial actions in place, Honeywell was able to avoid a monitor. This means the company not only put the changes in place but have also tested them to the satisfaction of the DOJ and SEC. But more than setting out what Honeywell did to make its comeback; these  remedial efforts of Honeywell provide a clear set of guidelines for the compliance professional to review in looking at your own program. This enforcement actions seems a fitting end for the year 2022 in FCPA enforcement.

Categories
The Corruption Files

Episode 15 – The ABB Settlement

Establishing trust can greatly affect the outcome of a case. Thomas Fox and Michael DeBernardis talk about ABB’s 2022 bribery case in South Africa, how self-disclosure benefits any situation, the DOJ’s approach on cracking down recidivists, choosing the right people for your team, and being wary of waivers.

▶️ The ABB Settlement with Tom Fox and Mike DeBernardis Background facts to the case. (00:00:29)

Tom lays out the facts of the ABB settlement. Michael points out the DOJ’s plans for penalizing recidivists and ABB’s biggest compliance misstep. (00:07:07)

Tom emphasizes the importance of compliance oversight, being vigilant of billing in high-risk jurisdictions, and the benefit of ABB’s “almost” self-disclosure. (00:12:08)

Mike discusses the impact of trust and incentivizing other recidivists to come forward and the risks of going off of real-time information. (00:18:27)

Tom mentions how having someone with experience concluding resolutions in the DOJ can make a difference. Even with a fairly low penalty, ABB is still required to report on its compliance program. (00:24:22)

Mike prefers having an independent monitor in place. However, he highlights ABB’s trust in their team to do a thorough job of reporting. (00:27:31)

Mike gives credit to ABB’s swift actions and extensive remediation, describing the DOJ’s outcome as “threading the needle”. Thomas believes the case is still a win for compliance. Michael drives home how doubling down on compliance pays off.

—————————————————————————-

Do you have a podcast (or do you want to)? Join the only network dedicated to compliance, risk management, and business ethics, the Compliance Podcast Network. For more information, contact Tom Fox at tfox@tfoxlaw.com.