Categories
Blog

Danske Bank: Part 4 – The Bank’s Response

We are exploring the Danske Bank A/S (Danske Bank), AML enforcement action in which Danske Bank pled guilty this week and agreed to forfeit $2 billion to resolve the US investigation into its fraud on US banks. According to the Department of Justice (DOJ) Press Release, “Danske Bank defrauded U.S. banks regarding Danske Bank Estonia’s customers and anti-money laundering controls to facilitate access to the U.S. financial system for Danske Bank Estonia’s high-risk customers, who resided outside of Estonia – including in Russia.” Danske Bank also settled with the Securities and Exchange Commission (SEC) who said, in their Press Release, the Bank misled investors about its anti-money laundering (AML) compliance program in its Estonian branch and failed to disclose the risks posed by the program’s significant deficiencies.

Most probably at this point you are thinking it is a very good thing Danske Bank is the premier financial institution in Denmark, or they might not still exist. But as we have seen right up until today, banks continue to engage in the most egregious behavior and simply are hit with another set of fines and penalties. (Wells Fargo Bank NA fined yet another $3.7 billion, this time by the Consumer Financial Protection Bureau, seeConsent Order.) I suppose it is no surprise that Danske Bank was given “too large and too important to put out of business” designation by Danish regulators. That is also probably one of the key reasons the US government brought this enforcement action. First, because the US had the teeth to do and second, the Danish regulators could simply ‘blame the Americans’.

Of course, Danske Bank itself demonstrated its colors when one of its executives said in an email, [Per the SEC Order] “[W]e should be mindful that we have a really bad case in Estonia, where I believe that all lines of defence failed. . . We should make sure that we don’t create a relationship where [Correspondent Bank 2] suddenly feels the need to share their concerns about Danske with US regulators.” The Order went on to note, “Between September 2015 and January 2016, the Danish FSA sent a draft AML inspection report to Danske which included a reprimand related to Danske’s Board of Directors’ failure to identify and address risks at Danske Estonia. In March 2016, the Danish FSA issued a final inspection report which was provided to Danske senior management in which it reprimanded Danske for its failure to identify critical risks at Danske Estonia and failure to limit these risks and concluded that Danske was not in compliance with the Danish AML Act and that “the conditions at the bank’s branch in Estonia posed a material reputation risk for the bank.””

Danske Bank did not receive credit for self-disclosure, but the bank did receive credit for its cooperation, which included full cooperation and admission of responsibility, providing documents and witnesses to be interviewed, all located outside the US and, perhaps most importantly, a “detailed analysis of cross border transactions.” As remedial steps the Bank closed its “non-residential portfolio”, terminated employees, including senior bank executives who were engaged in the conduct, improved its AML function, including a centralized money laundering financial compliance and financial crime program, hired competent and experienced AML compliance professionals and initiated direct reporting lines to the Board of Directors. The Bank agreed to a best-in-class compliance program and an independent expert appointed by the Danish FSA to oversee implementation of the remedial solution. Interestingly, if this independent expert quits for any reason the DOJ retains the right to appoint a monitor.

Danske Bank agreed to a three-year period of continuing cooperation and reporting to the DOJ. Although there is no Deferred Prosecution Agreement (DPA) since this was a criminal guilty plea it seems to act in the manner of ongoing obligations under a DPA. However, it will require Court approval and ongoing oversight because it is a plea deal and not a DPA. Danske Bank is to meet at least quarterly with the DOJ throughout the three-year term, and to submit annual progress reports to the prosecutors until the agreement expires at the end of 2025. According to Radical Compliance, the first report, due in December 2023, needs to focus on three topics:

  • Complete description of the bank’s remediation efforts to date;
  • Complete description of the testing conducted to evaluate the effectiveness of the compliance program, and the results of that testing; and
  • Proposals to assure that the compliance program is reasonably designed, implemented, and enforced.
  • The next reports, due at the end of 2024 and 2025, respectively, are supposed to cover all the same ground, and incorporate any feedback the Justice Department provides from the prior reports.

Of course, there is the Chief Compliance Officer (CCO) certification. Would you like to be the CCO who has to certify the Danske Bank AML compliance program is “reasonably and effectively designed to deter and prevent violations of money laundering, anti-money laundering, and bank fraud laws throughout the bank’s operations”?

Tomorrow, we conclude with final thoughts and lessons learned.

Categories
Blog

ABB FCPA Resolution: Part 5 – A Win for Compliance

We conclude our exploration of the latest resolution of a Foreign Corruption Practices Act (FCPA) violation involving the Swiss construction giant, ABB Ltd. There have been several reference documents used this week and they include the Securities and Exchange Commission Complaint (SEC Order); the Department of Justice (DOJ) Press Release. Plea Agreement (ABB Plea Agreement) and Deferred Prosecution Agreement(DPA), the ABB South Africa Plea Agreement and Criminal Information, the ABB Management Services Plea Agreement and Criminal Information.

Over this blog post series, we have been exploring these key questions: How did ABB obtain such a superior resolution? And, as a three-time FCPA violator, how did the company avoid a monitor? Today, we celebrate how this most unusual FCPA enforcement action is a huge victory for compliance.

How did ABB obtain such a superior resolution?

There appears to be three components to ABB’s avoidance of a monitor. It all began with ABB’s attempt to self-disclose. Please note this attempt was not successful as the South African press broke the story of ABB’s bribery and corruption between the time ABB called to set up meeting and actually sat down with the DOJ. Yet the DOJ was impressed enough with ABB’s intent or at least desire to self-disclose that it spent a considerable amount of ink in the resolution documents detailing how ABB got close but missed timely self-disclosing.

Yet this putative failure at self-disclosure laid the groundwork for everything that followed, eventually leading to the stunning result. As the DOJ stated in the DPA, “in evaluating the appropriate disposition of this matter-including the appropriate form of the resolution-considered evidence that, within a very short time of leaning of the misconduct, the Company contacted the Fraud Section and scheduled a meeting to discuss matters under investigation by the Fraud Section and the Company. The Company did not specifically identify the South Africa misconduct in that meeting request, but it disclosed the South Africa misconduct during the scheduled meeting, subsequently presented evidence to the Offices that it intended to disclose the misconduct related to South Africa during the scheduled meeting and did not know of any imminent media reports when the meeting was scheduled.”

The second component is the above-noted discussion about ABB’s near self-disclosure. While it could have amounted to an own goal, given the lengthy DOJ discussion in the settlement documents, it appears the DOJ received ABB’s near miss more favorably. The second point is something every Chief Compliance Officer (CCO) and outside counsel need to understand; that being truly extraordinary.

Matt Kelly identified the one piece of information which took what is now this standard recitation of extraordinary cooperation to a truly high level of ‘extraordinary’. In a blog post, Kelly pointed out that in the SEC Order, it stated, “ABB’s cooperation included real-time sharing of facts learned during its own internal investigation.” This meant “ABB was sharing information with regulators as quickly as it found those facts, without necessarily knowing how such admissions might affect its overall case and settlement chances.” He then opined, “When you don’t know the full extent of your sins and the punishment to follow, but you cooperate with regulators anyway — that’s an impressive commitment to the culture of compliance that the Justice Department wants to see.”

Next were the actions by ABB in their remediation. The Plea Agreement reported that ABB “engaged in extensive remedial measures, including hiring experienced compliance personnel and, following a root-cause analysis of the conduct described in the Statement of Facts, investing significant additional resources in compliance testing and monitoring throughout the organization; implementing targeted training programs, as well as on-site supplementary case-study sessions; conducting continuing monitoring and testing to assess engagement with new training measures; restructuring of reporting by internal project teams to ensure compliance oversight; and promptly disciplining employees involved in the misconduct.” This final point was expanded on in the SEC Order which reported that all employees involved in the misconduct were terminated.

As a three-time FCPA violator, how did the company avoid a monitor?

ABB essentially created its own monitorship around testing its compliance program and reporting to the DOJ. In a section entitled “Written Work Plans, Reviews and Reports”, ABB agreed to conduct a first review and prepare a first report, followed by at least two follow-up reviews and reports. But more than simply reporting, ABB agreed to create and submit for review a workplan for this ongoing testing of its compliance program, as the program was detailed in the DPA. The DPA specified, “No later than one (I) year from the date this Agreement is executed, the Company shall submit to the Offices a written report setting forth:

  • a complete description of its remediation efforts to date;
  • a complete description of the testing conducted to evaluate the effectiveness of the compliance program and the results of that testing; and
  • its proposals to ensure that its compliance program is reasonably designed, implemented, and enforced so that the program is effective in deterring and detecting violations of the FCPA and other applicable anti-corruption laws.”

ABB also agreed to meet with the DOJ quarterly to submit and discuss the results of its ongoing testing. While I am sure many other companies have made a similar proposal to the DOJ, through its actions during the pendency of the investigation, ABB convinced the DOJ it could be trusted to follow through with its commitment.

How does all of this work into the DOJ decision not to require a monitor? There is now a 10-factor test that was laid out in the Monaco Memo. Factor 1 is whether the company self-disclosed the incident at issue. Factors 4-6 all relate to conduct and actions when the illegal activity occurred, not after discovery and self-disclosure. Factor 4 relates to the length or pervasiveness of the conduct and whether senior management was involved. Factor 5 reviews “the exploitation of an inadequate compliance program or system of internal controls.” Factor 6 asks if compliance personnel were involved or were basically negligent in failing to “appropriately escalate or respond to red flags.” Factors 7-10 considered ABB’s actions post-reporting, how the company became aware of the matter, its root cause analysis, its remedial actions and overall reduction in the company’s risk profile. While there was no substantive discussion of these factors in the any of the resolution documents, it appears the DOJ criteria for a monitor was not met.

The ABB FCPA resolution represents one of the biggest wins for corporate compliance that we have seen in recent memory. A now thrice-recidivist received a discount on its overall fine and penalty and avoided a monitor through truly exception work after the bribery and corruption was uncovered. Every compliance officer should thoroughly study this matter to see the specific steps ABB engaged in, starting with their first phone call to the DOJ. During your investigation, embrace the DOJ’s need for speed in communicating new and salient facts as they are uncovered, perform a root cause analysis and then remediate, remediate, and remediate. ABB is to be commended and indeed celebrated for its success in this matter.

Categories
Blog

ABB FCPA Resolution: Part 4 – ABB Shines

We continue our exploration of the latest resolution of a Foreign Corruption Practices Act (FCPA) violation involving the Swiss construction giant, ABB Ltd. The most obvious significance is from the fact that ABB is now the first three-time convicted violator of the FCPA, having prior FCPA resolutions in 2004 and 2010. The moniker of a three-time FCPA violator is certainly not one that any corporation wants to claim, yet here we are. The total fine and penalty for the violation was $315 million, with credited amounts going to South Africa, Switzerland, and Germany for ABB’s violations of those country’s anti-corruption laws. There was also a $75 million fine credited to the Securities and Exchange Commission (SEC). In addition to the SEC Order, the DOJ Press Release and Plea Agreement are also available. Conspicuously missing at this point are resolution documents from South Africa, Switzerland, and Germany.

We are exploring this FCPA enforcement action to see what lessons might be garnered from it. While we are doing so, please keep three key questions in mind: (1) How did ABB obtain such a superior resolution? (2) As a three-time FCPA violator, how did the company avoid a monitor? (3) Why was there no requirement for Chief Compliance Officer (CCO) certification? Today, we consider how ABB was able to obtain such a superior result.

Initially, I should note that question 3 which I have posed all week was answered in the Deferred Prosecution Agreement (DPA), released Wednesday. There is a CCO certification. It was not referenced in the DOJ Press Release or the ABB Plea Agreement.

The (almost) Self-Disclosure

The FCPA Corporate Enforcement Policy discounts up to and including a full declination on self-disclosure. But now, it is about  a ‘timely’ self-disclosure. When announcing the Monaco Memo, Deputy Attorney General Lisa Monaco emphasized not only the requirement for self-disclosure but the need for speed in self-disclosure. The DOJ wants speed as well because, “If disclosures come too long after the misconduct in question, they reduce the likelihood that the government may be able to adequately investigate the matter in time to seek appropriate criminal charges against individuals. The expiration of statutes of limitations, the dissipation of corroborating evidence, and other factors can inhibit individual accountability when the disclosure of facts about individual misconduct is delayed.” Additionally, the first factor the DOJ uses in making a determination of whether a monitor will be assigned is “Whether the corporation voluntarily self-disclosed the underlying misconduct in a manner that satisfies the particular DOJ unit or sections component’s self-disclosure policy.”

The sequence around this issue of self-disclosure is every company’s nightmare, a press report comes out and blindsides an organization (think the New York Times (NYT) breaking the Walmart FCPA story.) The detail provided in the Plea Agreement is as insightful as it is instructive. It details that although “within a very short time of learning of the misconduct, the Parent Company [ABB] contacted the Fraud Section and scheduled a meeting to discuss matters under investigation by the Fraud Section and the Parent Company. The Company did not specifically identify the South Africa misconduct in that meeting request, but it disclosed the South Africa misconduct during the scheduled meeting, subsequently presented evidence to the Offices that it intended to disclose the misconduct related to South Africa during the scheduled meeting and did not know of any imminent media reports when the meeting was scheduled. However, before the scheduled meeting occurred and prior to making any such disclosure to the Fraud Section, a media report was published related to the misconduct.”

While I doubt ABB would have been given a full declination if they had timely self-disclosed, this lengthy discussion in the Plea Agreement clearly focuses on the DOJ’s desire for a timely self-disclose. It was also equally probable that it was a factor in the lack of assignment of a monitor. We do not know the length of time between initial notice of the bribery and corruption to the corporate headquarters of the Board, we do know the gold standard for self-reporting which was Cognizant Technology Solutions, who self-disclosed two weeks after the initial report to the company’s Board of Directors. (Also recall that Cognizant had C-Suite involvement in the bribery scheme.)

This fact pattern also demonstrates why the need for speed in self-disclosure is so critical. A company can never know in what forum, who or how information about bribery and corruption will be made public. In Walmart’s case it was above the fold, on the front page of the Sunday NYT. In addition to the DOJ’s prescription for timely reporting, this matter demonstrates the public relations disaster which will befall a company which sits on a self-disclosure. Imaginably the answer is the one suggested by Matt Kelly, writing in Radical Compliance, who said, “So perhaps the lesson here is that when you have an FCPA issue, just announce it on Twitter and [hash] tag the Criminal Division.”

Extensive Cooperation

This component of the FCPA Corporate Enforcement Policy is a bit harder to suss out as the Plea Agreement stated that ABB received credit for extraordinary cooperation based on the following: “(i) promptly providing information obtained through its internal investigation, which allowed the Offices to preserve and obtain evidence as part of their own independent investigation; (ii) making regular and detailed factual presentations to the Offices; (iii) voluntarily making foreign-based employees available for interviews in the United States; (iv) producing relevant documents located outside the United States to the Offices in ways that did not implicate foreign data privacy laws; and (v) collecting, analyzing, and organizing voluminous evidence and information that it provided to the Offices, including the translation of certain foreign language documents.”

However, once again, it was Kelly who identified the one piece of information which took what is now this standard recitation of extraordinary cooperation to a truly high level of ‘extraordinary’. He pointed out that in the SEC Order, it stated, “ABB’s cooperation included real-time sharing of facts learned during its own internal investigation.”  This meant “ABB was sharing information with regulators as quickly as it found those facts, without necessarily knowing how such admissions might affect its overall case and settlement chances.” He then opined, “When you don’t know the full extent of your sins and the punishment to follow, but you cooperate with regulators anyway — that’s an impressive commitment to the culture of compliance that the Justice Department wants to see.”

It also ties directly into what DAG Monaco said in the Monaco Doctrine, which noted, “it is imperative that Department prosecutors gain access to all relevant, non­ privileged facts about individual misconduct swiftly and without delay.” [emphasis supplied] This now means, “to receive full cooperation credit, corporations must produce on a timely basis all relevant, non-privileged facts and evidence about individual misconduct such that prosecutors have the opportunity to effectively investigate and seek criminal charges against culpable individuals.” If a company fails to meet this burden, it will “place in jeopardy their eligibility for cooperation credit.” The DOJ goes the next step by placing the burden on companies to demonstrate timeliness, stating they “bear the burden of ensuring that documents are produced in a timely manner to prosecutors.”

Extensively Remediate

Finally, were the actions by ABB in their remediation. The Plea Agreement reported that ABB “engaged in extensive remedial measures, including hiring experienced compliance personnel and, following a root-cause analysis of the conduct described in the Statement of Facts, investing significant additional resources in compliance testing and monitoring throughout the organization; implementing targeted training programs, as well as on-site supplementary case-study sessions; conducting continuing monitoring and testing to assess engagement with new training measures; restructuring of reporting by internal project teams to ensure compliance oversight; and promptly disciplining employees involved in the misconduct.” This final point was expanded on in the SEC Order which reported that all employees involved in the misconduct were terminated.

At this point, there are not many specific components of the ABB remediation available, but we do know that ABB was given credit for hiring “experienced compliance personnel,” starting with the hiring of Natalia Shehadeh, SVP and Chief Integrity Officer, and then allowing Shehadeh to hire a dream team of compliance professionals to work with her. I would go so far as to say Shehadeh and her team are Compliance Dream Team II as the first (which Shehadeh was a part of) was the Compliance Dream Team created by Billy Jacobson at Weatherford to get that company through its FCPA and Oil-For-Food enforcement actions.

Join us tomorrow where we conclude our look at the ABB FCPA resolution and posit why it is a complete win for compliance.

Categories
Blog

Oracle: FCPA Recidivist Part 4 – the Comeback and DOJ

After revisiting “Parking in India” from 2012, we return to explore more from the Foreign Corrupt Practices Act (FCPA) recidivist Oracle Corporation. We previously reviewed the bribery schemes in general and how they worked in practice. Given not simply the recidivist status but the nature and location of the bribery schemes, one might reasonably ask questions about the resolution. Quite simply, how did Oracle achieve the result they did?

The Comeback

Under the FCPA Corporate Enforcement Policy, as developed by the Department of Justice (DOJ), the requirements for leniency were (1) self-disclosure, (2) extensive cooperation during the investigation and (3) thorough remediation up to the conclusion of the matter. Under the recent Monaco Memo, this prong 3 was further explained as creating a compliance program to address the issues which led to the compliance program and then testing that program prior to the conclusion of the resolution. While the Securities and Exchange Commission (SEC) does not have a similar written Policy they have followed the DOJ’s lead on since the implementation of the FCPA Corporate Enforcement Policy in November 2017.

In the 2022 Order, it specified there was some type of self-disclosure. The Order stated, “the Commission [SEC] considered that Oracle self-reported certain unrelated conduct, remedial acts it undertook, and cooperation afforded the Commission Staff.” This is one of the most oblique references to self-disclosure seen in an FCPA enforcement action. It is not clear what the ‘unrelated conduct’ might have been nor how it related to the FCPA violations. Whatever this unrelated conduct was, it was self-disclosed to the SEC and apparently that self-disclosure was enough to satisfy the SEC that self-disclosure had occurred.

The next requirement is thorough cooperation with the SEC during the investigation. Here the Order stated, “Oracle’s cooperation included sharing facts developed in the course of its own internal investigations, voluntarily providing translations of key documents, and facilitating the staff’s requests to interview current and former employees of Oracle’s foreign subsidiaries.” Each one of these factors should be digested by every compliance officer to understand what the SEC thinks is important. It may be different from the DOJ, particularly after the Monaco Memo, but these actions are all clearly important to the SEC.

Finally, of course, is the remediation. Here the Order specified several actions in greater detail than in most Orders. The Order stated, “Oracle’s remediation includes:

  • terminating senior regional managers and other employees involved in the misconduct and separating from employees with supervisory responsibilities over the misconduct;
  • terminating distributors and resellers involved in the misconduct;
  • strengthening and expanding its global compliance, risk, and control functions, including the creation of over 15 new positions and teams at headquarters and globally;
  • improving aspects of its discount approval process and increasing transparency in the product discounting process through the implementation and expansion of transactional controls;
  • increasing oversight of, and controls on, the purchase requisition approval process;
  • limiting financial incentives and business courtesies available to third parties, particularly in public sector transactions;
  • improving its customer registration and payment checking processes and making other enhancements in connection with annual technology conferences;
  • enhancing its proactive audit functions;
  • introducing measures to improve the level of expertise and quality of its partner network and reducing substantially the number of partners within its network;
  • enhancing the procedures for engaging third parties, including the due diligence processes to which partners are subjected;
  • implementing a compliance data analytics program; and
  • enhancing training and communications provided to employees and third parties regarding anti-corruption, internal controls, and other compliance issues.”

 Resources

These changes appear to be extensive and potentially significant within the greater Oracle compliance program. There was increased resources made available to Oracle through an increase in head count (15 new positions), restructuring of compliance groups and creation of new compliance teams. Additionally, the implementation of a compliance data analytics program would also fall under additional resources. Finally, Oracle moved to more proactive auditing.

Discipline

There were terminations of Oracle employees including “senior regional managers and other employees involved in the misconduct” in addition to the termination of distributors and resellers involved in the misconduct. While not tied to a disciplinary role but clearly in the less is more approach Oracle substantially reduced the number of business partners within its network.

Training

Next was in the area of training. There was enhanced “training and communications provided to employees and third parties regarding anti-corruption, internal controls, and other compliance issues.” This would seem to indicate enhanced training for those remaining business partners.

Internal Controls

Finally, there was the area of internal controls enhancement. Here there were improvements in the following areas: (a) discounting by improving aspects of the Oracle discount approval process and increasing transparency in the product discounting process through the implementation and expansion of transactional controls; (b) procurement through the increased oversight of, and controls on, the purchase requisition approval process; (c) removal of perverse incentives by limiting financial motivations and business courtesies available to third parties; (d) basic GTE by improving its customer registration and payment checking processes and making other enhancements in connection with Oracle technology conferences.

DOJ

Obviously, recidivist behavior is one of the key areas the DOJ focused on in the Monaco Memo. It is one of the factors the DOJ assesses in any resolution of an enforcement action. The Monaco Memo does note that civil penalties over five years old will be given lesser weight so perhaps the 2012 SEC FCPA enforcement action involving Oracle’s conduct in India plays into the SEC analysis here. There is also the question of a monitor for a company with recidivist behavior which Oracle avoided in this SEC resolution. In the Monaco Memo, two of the areas of evaluation are:

  1. Whether, at the time of the resolution and after a thorough risk assessment, the corporation has implemented an effective compliance program and sufficient internal controls to detect and prevent similar misconduct in the future;
  2. Whether, at the time of the resolution, the corporation has adequately tested its compliance program and internal controls to demonstrate that they would likely detect and prevent similar misconduct in the future;

While the SEC Order lays out in detail the remediation, there is no information on any testing performed by Oracle on the new components of its compliance program or on its controls.

As yet there is no information on a DOJ resolution. Given the tenor of the most recent DOJ announcements including the Monaco Memo, and the subsequent speech by Principal Associate Deputy Attorney General Marshall Miller and speech by Assistant Attorney General Kenneth A. Polite, it appears that recidivism will be greatly frowned upon. Also, unclear would be whether the DOJ would require a monitor based upon the remediation made by Oracle as reported in the SEC Order. As noted, there is no indication of testing of the compliance program enhancements. All in all, lots of questions for the DOJ and we will have to wait for a DOJ resolution to see if we can begin to answer some of them.

Please join me tomorrow where I conclude this series by considering what does it all mean for the compliance professional.

Categories
Blog

Compliance Lessons from a Fraudulent Unicorn

With a name like HeadSpin Inc., you would probably expect nothing less than what has transpired over the past few months with the former Silicon Valley darling and unicorn. According to a Securities and Exchange Commission (SEC) Press Release, in August 2021, the SEC sued Manish Lachwani, the company’s former Chief Executive Officer (CEO), stating he “engaged in a fraudulent scheme to propel HeadSpin’s valuation to over $1 billion by falsely inflating the company’s key financial metrics and doctoring its internal sales records.” Lachwani, “controlled all important aspects of HeadSpin’s financials and sales operations, significantly inflated the value of numerous customer deals and fraudulently treated potential deal amounts that he had discussed with customers as if they were guaranteed future payments.” He created fake invoices and altered genuine invoices to make it appear as though customers had been billed higher amounts.
Lesson No. 1 – (with a nod to Elizabeth Holmes) Don’t Be a Fraudulent Unicorn
All of this was done so Lachwani could garner additional investor monies through Series B and Series C funding rounds which would eventually drive the company’s value over the $1 billion mark so it could obtain magical unicorn status. Lachwani is alleged to have enriched himself by selling $2.5 million of his HeadSpin shares in a fundraising round during which he made misrepresentations to an existing HeadSpin investor. All of this brought the attention of the SEC.
Lesson No. 2 – The Most Important Internal Control is Segregation of Duties
 How could Lachwani get away with such shenanigans in an entity allegedly worth over $1 billion? In addition to lying, cheating, creating fraudulent invoices and other forms of creative financing, he abrogated one of the most basic internal controls in compliance (and finance) – segregation of duties (SODs). According to the SEC Complaint (Lachwani Complaint), “Lachwani was able to carry out his fraudulent scheme for years because he controlled and managed all the key aspects of HeadSpin’s financials and sales operations, and he kept HeadSpin employees in those different departments isolated from each other. For instance, virtually all the information provided to HeadSpin’s bookkeeper, including the supporting documentation for claimed revenue amounts, flowed through Lachwani.”
The Lachwani Complaint specifically noted, “Lachwani dictated the inflated revenue numbers each quarter to HeadSpin’s bookkeeper, who recorded those numbers in the company’s financial statements. He frequently sent the numbers without supporting documentation (like contracts and invoices) notwithstanding the bookkeeper’s regular requests for such backup, and he sometimes sent her fake or altered invoices that he had created, including the three fictional invoices related to Customer 2 and a doctored invoice related to Customer 1.”
Lesson No. 3 – Returning the Money to Those Harmed is Very Significant
 All of this played out last week when Lachwani’s former employer HeadSpin settled a SEC enforcement action via a Complaint (HeadSpin Compliant). What relief did the SEC receive? (It is awaiting Court approval.) The SEC asked for “an order permanently enjoining Defendant from directly or indirectly violating Section 10(b) of the Exchange Act”. There was no request for monetary fine, penalty or profit disgorgement. How did HeadSpin achieve this notable goal? Through its remediation efforts.
The two critical remedial steps were to get rid of the corrupt (now former) CEO Lachwani and to repay investors from the Series B and Series C funding rounds. The HeadSpin Complaint stated, “HeadSpin revised its valuation from approximately $1.1 billion down to approximately $300 million. The company also returned approximately 70% of principal to investors in the Series B and C funding rounds through a recapitalization process. The company further offered to return the remaining funds in the form of promissory notes with one percent interest. Approximately 31 investors chose to retain their HeadSpin stock instead of exchanging for promissory notes.”
This is obviously a step more than profit disgorgement. Here the money was returned to those who invested based upon the fraudulent misrepresentations. Additionally, HeadSpin offered to return money to additional investors beyond the Series B and Series C investors.
Lesson No. 4 – Structural Remedial Measures are Critical
Another set of remedial steps were generally described in the SEC Press Release announcing the HeadSpin resolution. The Press Release note, “HeadSpin’s remedial actions also included hiring new senior management, expanding its board, and instituting processes and procedures designed to ensure transparency and accuracy of deal reporting and associated revenues.” This was phrased slightly differently by HeadSpin, who said in their Press Release, “Upon learning of the alleged actions approximately two years ago, the Company immediately replaced its CEO, strengthened its leadership team, appointed an external auditor and implemented numerous financial and internal controls and corporate governance practices.”
What remediation did HeadSpin engage in which persuaded the SEC not to ask for financial penalties? There are several key actions every compliance professional should study.

  1. The Board convened a special committee of independent directors to lead an investigation.
  2. The Board (through its investigation) identified the CEO as the person responsible for the illegal conduct and terminated his employment.
  3. Additionally, the Board removed key senior management, here the Chief Operating Officer (COO), General Counsel (GC) and Controller who, although not responsible for or a part of the illegal conduct, failed to carry out their responsibilities to prevent such wrongdoing.
  4. After this clean sweep, the Board brought in a new management team and retained subject-matter experts to correct prior deficiencies.
  5. The Board added new board members with appropriate subject-matter expertise.
  6. HeadSpin implemented new internal controls and policies and procedures.

Lesson No. 5 – Creative Lawyerin’ in Remediation Can Pay Big Results
There is one more strand that should be considered from the HeadSpin matter. After the Lisa Monaco speech in October, SEC Chair Gary Gensler announced her remarks are “broadly consistent” with his own view of how to deal with corporate offenders. The HeadSpin enforcement action may offer guidance of how the SEC may implement Gensler’s remarks, through providing creative remedial measures, such as repaying those injured directly. The bottom line is that creative lawyerin’ in the form of aggressive remediation, may get you significant cooperation credit leading to a no fine or penalty resolution.
 

Categories
31 Days to More Effective Compliance Programs

Day 20 | Responding to investigative findings


There is nothing like an internal whistleblower report about a compliance violation, the finding of such an issue, or (even worse) a subpoena from the DOJ or notice letter from the SEC to trigger the Board of Directors and senior management attention to the compliance function and the company’s compliance program. Such an event can trigger much gnashing of teeth and expressions of outrage followed immediately by proclamations “We are an ethical company.” However, it may well be the time for a very serious reality check.
 You may find yourself in the position that you will have to have some very frank discussions about what to expect in terms of costs and time outlays. While much of these discussions will focus on the investigative process and those costs, these discussions will allow you to initiate the talk about remediation going forward and begin to explain why money must be budgeted for the remediation process.
One of the things rarely considered is how the investigation triggers the remediation process and what the relationship is between the two. When issues arise warranting an investigation that would rise to the Board of Directors level and potentially require disclosure to the government, there is usually a flurry of attention and activity. Everyone wants to know what is going on. In an interview with Russ Berland, CCO at Aventiv Technologies, he noted, “for that short moment in time, you have everyone’s full attention.” Yet it can still be “a tricky place, because you get your fifteen minutes to really get everyone’s full attention, and from then on, you’re fighting with everybody else for their attention, like the normal things in business life.”
Three key takeaways:

  1. A serious FCPA allegation gets the attention of the Board and senior management. Use this time to move the compliance program forward.
  2. Be aware of how your investigation can impact and even inform your remediation efforts.
  3. Be prepared to deal with the dreaded “where else” question.
Categories
31 Days to More Effective Compliance Programs

Day 30 | Using a root cause analysis for remediation


We previously considered the Prong in the Evaluation that was not present in the Ten Hallmarks of an Effective Compliance Program; that being root cause analysis. The requirement was first raised in the 2017 Evaluation. It was then carried forward as a requirement in the FCPA Corporate Enforcement Policy, later in 2017. It was discussed again in the 2019 Guidance.
You should begin with the question of who should perform the remediation; should it be an investigator or an investigative team which were a part of the root cause analysis? Jonathan Marks, believes the key is both “independence and objectivity.” It may be that an investigator or investigative team is a subject matter expert and “therefore more qualified to get that particular recourse”. Yet to perform the remediation, the key is to integrate the information developed from the root cause analysis into the solution.
Marks further noted that the company may also have deficiencies in internal controls. More importantly, the failure to remediate gaps in internal controls “provides the opportunity for additional errors or misconduct to occur, and thus could damage the company’s credibility with regulators” by allowing the same or similar conduct to reoccur. Finally, with both the 2019 Guidance and FCPA Corporate Enforcement Policy, the DOJ has added its voice to prior SEC statements that regulators “will focus on what steps the company took upon learning of the misconduct, whether the company immediately stopped the misconduct, and what new and more effective internal controls or procedures the company has adopted or plans to adopt to prevent a recurrence.
Three key takeaways:

  1. The key is objectivity and independence.
  2. The critical element is how did you use the information you developed in the root cause analysis?
  3. The key is that after you have identified the causes of problems, consider the solutions that can be implemented by developing a logical approach, using data that already exists in the organization.