Tag: SAP

Categories
Blog

Deere’s FCPA Enforcement Action: Performing a Root Cause Analysis to Inform Remediation

We recently had a Foreign Corrupt Practices Act (FCPA) enforcement action that reminded me that everything old is new again in anti-corruption compliance. The Securities and Exchange Commission (SEC) FCPA enforcement action involving Deere and Company (Deere) has bribery schemes torn literally from the first decade of the 21st century as they involved gifts, travel, and entertainment. In other words, it was about a low set of hanging fruit that any compliance officer would see. Today, I want to take a multipart look at the case and see what lessons the enforcement action can provide to the 2024 compliance professional.

Compliance Professionals all know the pressure to act swiftly when misconduct is discovered. It is often tempting to jump straight into remediation to address the problem, protect the company, and appease regulators. However, the case of Deere’s recent FCPA enforcement action reminds us that acting without first understanding the root cause of the misconduct can lead to superficial fixes that fail to prevent future violations.

In the Deere enforcement action, the company faced significant penalties due to bribes paid by subsidiaries of Wirtgen Group, which Deere acquired in 2017. Between 2011 and 2017, Wirtgen subsidiaries engaged in corrupt practices, paying bribes to government officials in several countries, including China and India. While Deere eventually addressed the misconduct post-acquisition, its failure to perform robust due diligence and root cause analysis before remediation exposed it to regulatory and reputational damage.

This case highlights the critical need for companies to conduct a thorough root cause analysis before embarking on remediation efforts. In this blog post, we will detail why a root cause analysis should always precede remediation, what the process entails, and how it can protect your company from future enforcement actions and compliance failures.

Understanding the True Nature of the Problem

The first and most obvious reason to conduct a root cause analysis before remediation is to ensure you address the correct problem. In the Deere case, the misconduct stemmed from bribery by Wirtgen subsidiaries, but the real issue wasn’t just the bribery itself—it was the company’s failure to identify and prevent this behavior in the first place. Simply punishing the employees involved or updating internal policies would have been insufficient without understanding why these bribes were paid.

Before designing an effective remediation plan, you must understand why the misconduct occurred. Was it due to weak internal controls? A culture that tolerated unethical behavior? Inadequate training? A failure to perform due diligence on third parties? Each of these potential causes requires a different remediation strategy. If you do not identify the true cause of the problem, your remediation efforts will be superficial and may not prevent future violations. Root cause analysis allows compliance officers to uncover the underlying reasons for misconduct, enabling them to design targeted solutions that address the actual problem—not just the symptoms.

Root Cause Analysis Helps Identify Systemic Issues

One of the biggest risks when dealing with FCPA violations or corporate misconduct is that the issue may not be isolated to one event or individual. Corruption or compliance failures are often systemic, indicating deeper issues within the company’s culture, policies, or risk management framework. If Deere had conducted a more thorough root cause analysis post-acquisition, it could have uncovered broader issues in Wirtgen’s compliance program and taken proactive steps to address those weaknesses company-wide.

Root cause analysis forces you to ask tough questions about your company’s broader compliance infrastructure. Are certain business units, regions, or third-party relationships more misconduct-prone? Are there patterns of behavior that suggest systemic problems? You can implement more effective, company-wide remediation efforts by identifying these systemic issues beyond addressing a single incident.

Regulators Expect a Root Cause Analysis

Regulators, including the DOJ and the Securities and Exchange Commission (SEC), expect companies to conduct thorough root-cause analyses when investigating FCPA violations. The DOJ’s 2024 ECCP explicitly states that prosecutors will consider whether a company has adequately identified and remediated the root causes of misconduct when determining penalties. Additionally, this was specifically called out in the SAP Deferred Prosecution Agreement (DPA) earlier this year, where the DOJ stated, “5. Conducted a root cause analysis of the underlying conduct then remediating those root causes through enhancement of its compliance program;”.

In the Deere enforcement action, part of the company’s challenge was showing regulators that it had addressed the bribes themselves and the underlying reasons that allowed the misconduct to occur. Companies that skip the root cause analysis and rush into remediation without clearly understanding what went wrong will likely face harsher penalties.

Performing a root cause analysis is more than good practice; it has moved to a regulatory expectation. The more comprehensive your analysis, the more likely regulators (DOJ and SEC) are to view your remediation efforts as credible. A company that can demonstrate it understands the root cause of its compliance failures—and has taken meaningful steps to address those causes—is more likely to receive leniency during enforcement actions.

Preventing Recurrence: Moving Beyond Quick Fixes

One of the major pitfalls of jumping into remediation without a root cause analysis is the risk of implementing quick fixes that don’t address the root problem. For example, in the Deere case, if the company had updated its anti-corruption policy without addressing the broader cultural or systemic issues, it would have left the door open for future violations.

Root cause analysis ensures that your remediation efforts are comprehensive and designed to prevent future violations. Instead of focusing solely on policies or individuals, you’re addressing the broader systems and processes that allowed the misconduct to occur. This might involve rethinking your company’s approach to third-party due diligence, improving internal reporting mechanisms, or enhancing employee training programs to emphasize ethical behavior. A quick fix might resolve the immediate problem, but a comprehensive root cause analysis will prevent recurrence and protect your company long-term.

Improving Your Compliance Program Over Time

Root cause analysis is not a reactive tool; it is a mechanism to continuously improve your company’s compliance program. By regularly performing root cause analyses in response to compliance failures or near misses, you can identify trends, weaknesses, and gaps in your existing program. This allows you to make proactive adjustments and improvements, ensuring that your compliance program evolves to meet new risks and challenges.

Compliance is an ongoing process, and root cause analysis is key. By taking the time to understand why compliance failures happen, you can strengthen and improve your program over time. Don’t wait for a major enforcement action to identify weaknesses in your compliance program—use root cause analysis as a tool for continuous improvement.

Building a Culture of Accountability

Finally, one of the most important benefits of conducting a root cause analysis before remediation is that it fosters a culture of accountability. When employees see that the company is taking a thoughtful, thorough approach to addressing misconduct, they’re more likely to trust the compliance function and adhere to ethical standards.

In the Deere case, the company’s failure to identify and address the root causes of Wirtgen’s corrupt practices could have contributed to a culture where employees felt that bribery was tolerated or encouraged. By contrast, companies emphasizing accountability and transparency in their root cause analyses send a clear message: misconduct will be thoroughly investigated, and systemic issues will be addressed.

Building a strong culture of compliance starts with holding people—and processes—accountable. Root cause analysis helps you identify the individuals responsible for misconduct and the broader systems and structures that allowed it to happen. This accountability, in turn, strengthens your compliance culture and reinforces your company’s commitment to ethical behavior.

The Deere FCPA enforcement action powerfully reminds us of the importance of conducting a root cause analysis before proceeding with remediation. Companies need to understand why misconduct occurred before implementing superficial fixes. By taking the time to perform a thorough root cause analysis, compliance professionals can ensure that their remediation efforts are comprehensive, effective, and designed to prevent future violations.

Remember, root cause analysis isn’t just a best practice, as the DOJ has now noted several times in several places and through several different media; it is a regulatory expectation. It’s also a critical tool for improving your compliance program, building a culture of accountability, and protecting your company from future compliance failures. This means that before you rush to fix the problem, ensure you understand it first. Only then can you design a remediation plan that addresses the cause of misconduct and sets your company up for long-term success.

Categories
FCPA Survival Guide

FCPA Survival Guide – Step 9 – Internal Controls

How can you survive an FCPA enforcement action? In this special podcast series, Tom Fox and Nick Gallo outline the Top 10 things you can do to reduce your overall fine and penalty, perhaps down to a complete declination. All of the actions you can take come from recent DOJ prosecutions under the FCPA and speeches from DOJ representatives. This podcast, sponsored by Ethico, is the companion series to the book The FCPA Survival Guide: Surviving and Thriving a Foreign Corrupt Practices Act Enforcement Action. Today, we discuss lesson number nine: internal controls.

Tom and Nick delve into the importance of internal controls in compliance, emphasizing the pivotal role they play in business operations. After studying the COSO Framework, Tom shares his transformation into a firm believer in internal controls, underscoring that robust financial controls can cover a significant portion of compliance requirements. They discuss real-world examples, including SAP’s lack of payment process controls and ABB’s successful avoidance of a monitor through proactive measures. The episode highlights the necessity of continuous improvement and collaboration between legal, financial, and business units to ensure the effectiveness of internal controls and the appropriate handling of overrides. The session concludes with a nod to the upcoming episode on speak-up, triage, and internal investigation.

Key Highlights and Issues

  • The Importance of Internal Controls
  • Financial Controls and Compliance
  • Continuous Improvement in Internal Controls
  • Effective Collaboration and Overrides

Resources:

Nick Gallo on LinkedIn

Ethico

The FCPA Survival Guide: Surviving and Thriving a Foreign Corrupt Practices Act Enforcement Action

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
FCPA Survival Guide

FCPA Survival Guide – Step 8 – Investing in Compliance

How can you survive an FCPA enforcement action? In this special podcast series, Tom Fox and Nick Gallo outline the Top 10 things you can do to reduce your overall fine and penalty, perhaps down to a complete declination. All of the actions you can take come from recent DOJ prosecutions under the FCPA and speeches from DOJ representatives. This podcast, sponsored by Ethico, is the companion series to the book The FCPA Survival Guide: Surviving and Thriving a Foreign Corrupt Practices Act Enforcement Action. Today, we discuss lesson number eight: investing in your compliance program.

Tom and Nick highlight case studies from Albemarle, SAP, and ABB, emphasizing the importance of investing in resources, experienced personnel, and the need for continuous testing. The conversation underscores how these efforts build a credible compliance story for the DOJ and provide insights into successfully navigating FCPA remediation.

Key Highlights and Issues

  • Enhancing Your Compliance Program
  • ABB’s Compliance Transformation
  • Building a Compliance Story
  • The Importance of Authenticity in Compliance
  • Crafting a Persuasive Compliance Narrative

Resources:

Nick Gallo on LinkedIn

Ethico

The FCPA Survival Guide: Surviving and Thriving a Foreign Corrupt Practices Act Enforcement Action 

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Compliance Tip of the Day

Compliance Tip of the Day: Compliance Lessons from The SAP FCPA Enforcement Action

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements.

Whether you’re a seasoned compliance professional or just starting your journey, our aim is to provide you with bite-sized, actionable tips to help you stay on top of your compliance game.

Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law.

Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

In today’s episode, we consider SAP FCPA enforcement actions, which present numerous lessons learned. We unpack the key compliance takeaways.

For more information on the Ethico ROI Calculator and a free White Paper on the ROI of Compliance, click here.

Categories
Blog

The FCPA Survival Guide

Today, I am thrilled to announce my first podcast series based on a book I have written. The book and the podcast series are titled FCPA Survival Guide and Ethico sponsors. The book is available in the Kindle format, and you can purchase it on Amazon.com here. You can listen to the podcast here. In the podcast, I am joined by Nick Gallo, Captain Culture and co-CEO at Ethico, throughout this special 10-part podcast series.

Over the past 18 months, the Department of Justice (DOJ) has clearly and consistently communicated its expectations for any company that finds itself in an FCPA enforcement action. The book and podcast are designed for the compliance professional and business executive who finds themselves in an investigation. It details your steps to obtain the most favorable resolutions possible. Since the advent of the FCPA Corporate Enforcement Policy in 2017 (now Corporate Enforcement Policy), the presumption for any company that self-discloses a potential FCPA violation to the DOJ is declination. Yet even if a company does not self-disclose or there are aggravating factors, a company can take advantage of significant discounts from the DOJ. In the DOJ’s own words, this book and podcast outline what a company can do and its actions to reduce fines and penalties.

The enforcement actions that formed the basis of the book and podcast series involve the following entities: ABB, Albemarle, SAP, and Gunvor. The book includes complete discussions of these enforcement actions and the lessons every compliance professional should take from them. Navigating the complex world of corporate compliance, especially when dealing with the DOJ and Foreign Corrupt Practices Act (FCPA), requires a clear strategy and decisive action. The book and podcast series details the top ten things you should prioritize to ensure your company stays on the right side of the law and minimizes the risks of costly enforcement actions.

1. Self-Disclosure

The DOJ places the highest value on self-disclosure. Companies that voluntarily come forward to report potential violations of the FCPA are more likely to receive favorable treatment. For instance, in the ABB enforcement action, despite the company being unable to disclose its misconduct before the media publicly revealed it, the DOJ still considered ABB’s intent to self-disclose positively. Similarly, in the Albemarle enforcement action, even though the disclosure was delayed by 16 months, the DOJ acknowledged the company’s effort, though it stressed the importance of timely self-disclosure. Kenneth Polite, then Assistant Attorney General, emphasized the importance of self-disclosure by stating that companies that uncover criminal misconduct should voluntarily self-disclose to avoid more severe penalties. The DOJ’s Corporate Enforcement Policy provides significant incentives, such as a presumption against prosecution and reduced penalties, for companies that self-disclose, fully cooperate, and timely remediate.

2. Speed in Reporting

Timely disclosure is critical, but it continues beyond there. The DOJ expects companies to share information with regulators as quickly as they uncover facts, even if they are unsure how this might affect their case. In 2023, Assistant Attorney General Kenneth Polite highlighted the transition from ‘full’ to ‘extraordinary’ cooperation, stressing the importance of immediate and consistent truth-telling and evidence-sharing. The DOJ values collaboration, allowing them to obtain evidence they otherwise could not, such as quickly providing electronic devices or recorded conversations. Companies must be prepared to share information in real time, as seen in the SEC Order against ABB, where the company’s rapid information sharing was crucial.

3. Extensive Remediation

Effective remediation is essential and must be well-documented with data analytics. Companies must invest significantly in compliance personnel, training, and monitoring. ABB, Albemarle, Gunvor, and SAP all demonstrated extensive remediation efforts, including hiring experienced compliance personnel, conducting root cause analyses, and restructuring their compliance programs. Albemarle, for example, strengthened its anti-corruption compliance program by investing in resources, expanding its compliance function, and eliminating the use of sales agents. SAP enhanced its compliance monitoring and audit programs, while ABB continuously tested and monitored.

4. Root Cause, Risk Assessment, and Gap Analysis

Remediation should begin with a root cause analysis, risk assessment, and gap analysis. This approach helps identify the underlying issues and address them effectively. SAP’s Deferred Prosecution Agreement (DPA) emphasized the importance of root cause analysis. The company conducted a thorough analysis, remediated the root causes, performed a gap analysis of internal controls, and conducted a comprehensive risk assessment focusing on high-risk areas and controls around payment processes.

5. Data Analytics

Implementing a data analytics program is now a best compliance practice. It allows for continuous monitoring and measuring of the compliance program’s effectiveness. Albemarle and SAP used data analytics to monitor compliance program effectiveness and identify high-risk transactions. This capability helped them avoid the need for a corporate monitor by demonstrating effective control implementation and testing.

6. Clawbacks and Holdbacks

The DOJ expects companies to include and enforce clawback and holdback provisions in their compensation agreements. These measures ensure that those involved in misconduct do not benefit from their actions. Albemarle and SAP implemented holdbacks, withholding bonuses from employees involved in wrongdoing. This approach penalized the individuals and qualified the companies for additional fine reductions under the DOJ’s Compensation Incentives and Clawbacks Pilot Program.

7. Change in Sales Models

Companies using third-party agents for sales should consider moving to a direct sales model to reduce corruption risks. This change helps ensure better control and compliance oversight. Albemarle eliminated third-party sales agents and switched to a direct sales model. SAP prohibited all sales commissions for public sector contracts in high-risk markets and enhanced its compliance monitoring and audit programs.

8. Enhancement of Compliance Programs

It is crucial to significantly enhance the compliance program, including increasing budget, headcount, and expertise. This enhancement should cover reporting, investigations, and consequence management processes. Albemarle and SAP significantly invested in their compliance programs, restructuring their Offices of Ethics and Compliance, enhancing policies and procedures, and increasing resources devoted to compliance. ABB also invested in compliance testing and monitoring throughout its organization.

9. Internal Controls

Companies must use their internal controls to continuously test, monitor, and improve all aspects of their compliance programs. This approach ensures ongoing effectiveness and adaptability. SAP conducted a gap analysis of its internal controls and enhanced its compliance risk assessment process. ABB invested in controls testing and monitoring, restructuring internal reporting to ensure compliance oversight. Albemarle’s SEC Order highlighted the need for adequate internal controls to prevent and detect improper payments.

10. Investigation Protocol

Having a robust investigation protocol that can quickly triage any claim and escalate decisions. This protocol should facilitate timely self-disclosure and determine the best course of action. A culture of “speak up” encourages employees to report wrongdoing. Effective triage helps prioritize and allocate resources for investigations. Detailed written procedures ensure transparency and responsibility in managing allegations.

These top ten actions provide a roadmap for companies to navigate compliance challenges effectively. These steps, from self-disclosure and rapid information sharing to extensive remediation and robust internal controls, help build a strong compliance program that meets DOJ expectations. Companies can mitigate risks by integrating data analytics, enforcing clawbacks, enhancing compliance efforts, and demonstrating their commitment to ethical conduct.

This is my first pairing of a book and limited podcast series. I hope that however you consume information via written word or audio, I can provide it to you.

Categories
Blog

Ten Top Lessons from Recent FCPA Settlements – Lesson No. 9, Internal Controls

Over the past 15 months, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have made clear, through three Foreign Corrupt Practices Act (FCPA) enforcement actions and speeches, their priorities in investigations, remediations, and best practices compliance programs. Every compliance professional should study these enforcement actions closely for the lessons learned and direct communications from the DOJ. They should guide not simply your actions should you find yourself in an investigation but also how you should think about priorities.

The three FCPA enforcement actions are ABB from December 2022, Albemarle from November 2023, and SAP from January 2024. Taken together, they point out a clear path for the company that finds itself in an investigation, using extensive remediation to avoid monitoring and provide insight for the compliance professional into what the DOJ expects in an ongoing best practices compliance program.

Over a series of blog posts, I will lay out what I believe are the Top Ten lessons from these enforcement actions for compliance professionals who find themselves in an enforcement action. Today, we continue with Number 9, Internal Controls. The DOJ has made it clear that any organization under FCPA scrutiny must use its internal controls to continuously test, monitor, and improve all aspects of its compliance program.

SAP

As a part of its remediation, the company conducted a gap analysis of internal controls. This remediation found those internal controls “lacking.” SAP also undertook a “comprehensive risk assessment focusing on high-risk areas and controls around payment processes and enhancing its regular compliance risk assessment process.” Using this risk assessment as a starting point, the company performed a gap analysis, determined the overall remediation regime needed, and effectuated that remediation. 

ABB

The ABB Plea Agreement reported that ABB “performed a root-cause analysis of the conduct at issue. From there, the company revamped its internal controls, investing significant additional resources in control testing and monitoring throughout the organization. While not often seen as a part of internal controls, the company restructured its reporting by internal project teams to ensure compliance controls oversight.

Additionally, ABB essentially created its monitoring program around controls, testing its compliance program, and reporting to the DOJ. In the “Written Work Plans, Reviews, and Reports” section, ABB agreed to conduct a first review and prepare a report, followed by at least two follow-up reviews and reports. But more than simply reporting on control testing, ABB agreed to create and submit for review a work plan for this ongoing testing of its compliance program, as the program was detailed in the DPA. The DPA specified, “No later than one (I) year from the date this Agreement is executed, the Company shall submit to the Offices a written report setting forth:

  • a complete description of its remediation efforts to date;
  • a complete description of the controls testing conducted to evaluate the effectiveness of the compliance program and the results of that testing; and
  • It proposes to ensure that its compliance program is reasonably designed, implemented, and enforced so that the program is effective in deterring and detecting violations of the FCPA and other applicable anti-corruption laws.”

The bottom line is that all these companies worked very hard to significantly enhance their controls, testing, and monitoring and then improve based on that information. None of the actions taken by these companies were particularly new or even innovative. Indeed, these strategies have been available from the DOJ since at least the first edition of the FCPA Resource Guide in 2012. It was, however, the work by the company to understand the deficiencies in their internal controls regime and their superior efforts to upgrade them.

Albemarle

The Albemarle SEC Order was instructive regarding internal controls for a different reason than we have been considering throughout this series. The Order detailed a series of internal control failures by the company across multiple business units in several other countries. The entire story painted a picture of a company that did not have adequate or easily overridden internal controls.

Vietnam. The Order noted, “Albemarle’s system of internal accounting controls was insufficient to prevent or detect these improper payments, which Albemarle Singapore falsely recorded as legitimate commissions in books and records consolidated into Albemarle’s financial statements.”

India. A backdated agreement increased an India agent’s commission multiple times without compliance oversight or approval. Commissions went from “extremely high” to “far from any possible realistic justification.” Finally, “the agreement called for payment of a three percent commission to India Agent, a rate three times higher than that paid to Albemarle’s existing agent for India.”

Indonesia. Albemarle’s system of internal accounting controls was insufficient to prevent or detect the improper payments made to and through Indonesia Agent, which Albemarle Singapore falsely recorded as legitimate commissions and business expenses in books and records consolidated into Albemarle’s financial statements.”

China.  When an Albemarle business director questioned China Agent’s compensation as “high,” an Albemarle Netherlands business director provided the business justification that he anticipated significant returns on the contract.

UAE.  No due diligence was conducted on an agent until after the agent agreement had been executed. The agent provided no discernible services other than conveying confidential tender evaluations and competitors’ bids obtained from the customer.

Each of these resolutions drives home the importance of internal controls, creation, and remediation as a key part of your overall compliance regime during any investigation. The sooner you can start on your internal controls, the better off you will be in your negotiations with the DOJ and SEC.

Categories
Blog

Ten Top Lessons from Recent FCPA Settlements – Lesson No. 8, Enhancing Your Compliance Program

Over the past 15 months, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have made clear, through three Foreign Corrupt Practices Act (FCPA) enforcement actions and speeches, their priorities in investigations, remediations, and best practices compliance programs. Every compliance professional should study these enforcement actions closely for the lessons learned and direct communications from the DOJ. They should guide not simply your actions should you find yourself in an investigation but also how you should think about priorities.

The three FCPA enforcement actions are ABB from December 2022, Albemarle from November 2023, and SAP from January 2024. Taken together, they point out a clear path for the company that finds itself in an investigation, using extensive remediation to avoid monitoring and providing insight for the compliance professional into what the DOJ expects in an ongoing best practices compliance program.

Over this series of blog posts, I will lay out what I believe are the Top Ten lessons from these enforcement actions for compliance professionals who find themselves in an enforcement action. Today, we continue with Number 8, Enhancement of Compliance. The DOJ has clarified that any company undergoing an FCPA enforcement action must significantly enhance its compliance program with a budget, headcount, and expertise in reporting, investigations, and consequence management processes.

Albemarle

The Albemarle NPA cited several remedial actions by the company that helped Albemarle obtain superior results regarding the discounted fine and penalty. These steps were taken during the pendency of the DOJ investigation so that when the parties were ready to resolve the matter, Albemarle had built out an effective compliance program and had tested it. The NPA provided that Albemarle

  • Strengthening its anti-corruption compliance program by investing in compliance resources, expanding its compliance function with experienced and qualified personnel, and taking steps to embed compliance and ethical values at all levels of its business organization;
  • Transformed its business model and risk management process to reduce corruption risk in its operation and to embed compliance in the business, including implementing a go-to-market strategy that resulted in eliminating the use of sales agents throughout the Company, terminating hundreds of other third-party sales representatives, such as distributors and resellers, and shifting to a direct sales business model;
  • Provided extensive training to its sales team, restructuring compensation and incentives so that compensation is no longer tied to sales amounts;
  • Used data analytics to monitor and measure the compliance program’s effectiveness and
  • It engaged in continuous testing, monitoring, and improvement of all aspects of its compliance program, beginning almost immediately after identifying misconduct.

The NPA noted that Albemarle engaged in holdbacks, as they did not pay bonuses to certain employees involved in the conduct or those with oversight. The NPA said, “During its internal investigation, the Company withheld bonuses totaling $763,453 from employees suspected of wrongdoing.” The illegal behavior involved people who “(a) had supervisory authority over the employee(s) or business area engaged in the misconduct; and (b) knew of, or were willfully blind to, the misconduct.” This effort was important because it allowed Albemarle to get an extra fine reduction of a dollar for every dollar they spent on the investigation.

Indeed, Deputy Attorney General Lisa Monaco cited the Albemarle FCPA resolution: “The company received a clawback credit for withholding bonuses for employees who engaged in misconduct. Not only did Albemarle keep the bonuses that would have gone to wrongdoers, but the company also received an offset against its penalty for the same amount. That’s money saved for Albemarle and its shareholders—and a concrete demonstration of the value of clawback programs.”

SAP

SAP did an excellent job in its remedial efforts to build out its compliance program. In addition to the prior discussions of SAP’s remedial efforts, the DOJ also pointed out the company’s Enhancement of Compliance. Here, the company significantly increased the budget, resources, and expertise devoted to compliance, restructuring its Offices of Ethics and Compliance to ensure adequate stature, independence, autonomy, and access to executive leadership; enhancing its code of conduct and policies and procedures regarding gifts, hospitality, and the use of third parties; and improving its reporting, investigations, and consequence management processes.

Next were the holdback actions SAP engaged in. The DPA noted SAP withheld bonuses totaling $109,141 during its internal investigation from employees who engaged in suspected wrongdoing in connection with the conduct under investigation or who both (a) had supervisory authority over the employee(s) or business area engaged in the misconduct and (b) knew of, or were willfully blind to, the misconduct, and further engaged in substantial litigation to defend its withholding from those employees, which qualified SAP for an additional fine reduction in the amount of the withheld bonuses under the DOJ’s Compensation Incentives and Clawbacks Pilot Program.

ABB

According to the ABB Plea Agreement, ABB “took a lot of corrective actions,” such as hiring experienced compliance staff and, after figuring out what caused the behavior described in the Statement of Facts, spending a lot more money on compliance testing and monitoring across the whole company; putting in place targeted training programs and extra case-study sessions on-site; and continuing to test and monitor to as This final point was expanded on in the SEC Order, which reported that all employees involved in the misconduct were terminated.

Additionally, ABB essentially created its monitoring program to test its compliance program and report to the DOJ. In a section entitled “Written Work Plans, Reviews, and Reports,” ABB agreed to conduct a first review and prepare a first report, followed by at least two follow-up reviews and reports. But more than simply reporting, ABB decided to create and submit for review a work plan for this ongoing testing of its compliance program, as the program was detailed in the DPA. The DPA specified, “No later than one (I) year from the date this Agreement is executed, the Company shall submit to the Offices a written report setting forth:

  • a complete description of its remediation efforts to date;
  • a complete description of the testing conducted to evaluate the effectiveness of the compliance program and the results of that testing; and
  • It proposes to ensure that its compliance program is reasonably designed, implemented, and enforced so that the program is effective in deterring and detecting violations of the FCPA and other applicable anti-corruption laws.”

The bottom line is that all these companies worked very hard to significantly enhance their compliance programs, with a budget, headcount, and expertise in their reporting, investigations, and consequence management processes. None of the actions by these companies were particularly new or even innovative, as with the innovations around data analytics programs. Indeed, these strategies have been available from the DOJ since at least the first edition of the FCPA Resource Guide in 2012. It was, however, the work of each company to understand the deficiencies in their compliance programs and their superior efforts to upgrade them.

Categories
Blog

Ten Top Lessons from Recent FCPA Settlements – Lesson No. 7, Changing Your Business Model

Over the past 15 months, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have made clear, through three Foreign Corrupt Practices Act (FCPA) enforcement actions and speeches, their priorities in investigations, remediations, and best practices compliance programs. Every compliance professional should study these enforcement actions closely for the lessons learned and direct communications from the DOJ. They should guide not simply your actions should you find yourself in an investigation but also how you should think about priorities.

The three FCPA enforcement actions are ABB from December 2022, Albemarle from November 2023, and SAP from January 2024. Taken together, they point out a clear path for the company that finds itself in an investigation, using extensive remediation to avoid monitoring and provide insight for the compliance professional into what the DOJ expects in a best practices compliance program on an ongoing basis.

Over a series of blog posts, I will lay out what I believe are the Top Ten lessons from these enforcement actions for compliance professionals who find themselves in an enforcement action. Today, we continue with Number 7, the Change in Sales Model. This is one of the more intriguing insights from these enforcement actions, as changing a sales model has not been previously called out by the DOJ in prior commentary, iterations of the Evaluations of Corporate Compliance Programs, either in the FCPA Resource Guide or in speeches. However, it is such a self-evident change that you might wonder why it has not been called out previously. One reason may be that it seems like a simple change but is challenging. Therefore, many companies may be reluctant to try to do so.

Albemarle

Albemarle changed its approach to sales and its sales teams. Corrupt third-party agents caused the company such FCPA grief. Many of the quotes in the NPA and Order make it clear that Albemarle executives had an aversion to paying bribes but greater moral flexibility when a third-party agent was involved. This led to the company moving away from third-party agents to a direct sales force.

 SAP

On the external sales side, SAP eliminated its third-party sales commission model globally and prohibited all sales commissions for public sector contracts in high-risk markets. It also enhanced compliance monitoring and audit programs, including creating a well-resourced team devoted to third-party partners and supplier audits. On the internal side, SAP adjusted internal compensation incentives to align with compliance objectives and reduce corruption risk.

Gunvor S.A.

The Gunvor FCPA enforcement action was announced in early March. According to the DOJ Press Release, the company has “pleaded guilty and will pay over $661 million to resolve an investigation by the U.S. Justice Department into violations of the Foreign Corrupt Practices Act (FCPA).” I have not included it in this discussion up to this point. However, the DOJ noted that Gunvor had done away with “eliminating the use of third-party business origination agents.” While this is not a complete change in its sales model, it certainly is a significant part of such an action. It also demonstrates that a company can partly change its overall sales model and sales method in a manner that will draw favor from the DOJ.

Moving to a direct sales force does have its risks that must be managed. Still, those risks can certainly be managed with an appropriate risk management strategy, strategy monitoring, and improvement. Yet there is another reason, and more importantly, a significant business reason, to move towards a direct sales business model. Whenever you have a third-party agent or anyone else between you and your customer, you risk losing that customer because your organization does not have a direct relationship with the customer. By having a direct sales business model, your organization will have a direct relationship with your customers and, therefore, the ability to develop it further.

If your organization is under FCPA investigation, you should examine its sales model to determine its maintenance risks. Suppose your model is fully commission-based or highly commission-dependent. In that case, you may consider moving to a direct sales model to help remediate and manage your risks more effectively.

Categories
Blog

Ten Top Lessons from Recent FCPA Settlements – Lesson No. 6, Clawbacks and Holdbacks

Over the past 15 months, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have made clear, through three Foreign Corrupt Practices Act (FCPA) enforcement actions and speeches, their priorities in investigations, remediations, and best practices compliance programs. Every compliance professional should study each of these enforcement actions closely for the lessons learned and direct communications from the DOJ. They should guide not simply your actions should you find yourself in an investigation but also how you should think about priorities.

The three FCPA enforcement actions are ABB from December 2022, Albemarle from November 2023, and SAP from January 2024. Taken together, they point out a clear path for the company that finds itself in an investigation: using extensive remediation to avoid a monitor. They also provide insight for the compliance professional into what the DOJ expects in an ongoing best practices compliance program.

Over a series of blog posts, I will lay out what I believe are the Top Ten lessons from these enforcement actions for compliance professionals who find themselves in an enforcement action. Today we continue  with Number 6, Clawbacks and Holdbacks. These strategies are relatively new to the DOJ’s arsenal, and they want companies to employ them in enforcement actions. While the DOJ and SEC have long made clear that they view monetary structure for incentive compensation, as far back as the FCPA Resource Guide, 1st edition (2012), they did not focus as intensely on the disincentive side of the equation. Prior to the Monaco Memo, clawbacks had not been generally seen as a necessary part of a compliance program.

This began to change in the Monaco Memo. It is now unequivocally required by the DOJ and listed as a crucial area of DOJ inquiry in the 2023 Evaluation of Corporate Compliance Programs. Moreover, having such a penalty in place is also seen as part of an excellent corporate culture, which not only penalizes those who engage in unethical behavior in violation of a company’s policies and procedures but will also “promote compliant behavior and emphasize the corporation’s commitment to its compliance programs and its culture.”

The DOJ was told to look into whether companies have “clawback” clauses in their pay agreements and whether “as soon as the company found out about the misconduct, the company has, as much as possible, taken affirmative steps to carry out such agreements and clawback compensation previously paid to current or former executives whose actions or omissions led to or contributed to the criminal conduct at issue.”

The Monaco Memo directed “to develop further guidance by the end of the year on how to reward corporations that develop and apply compensation clawback policies, including how to shift the burden of corporate financial penalties away from shareholders—who in many cases do not have a role in misconduct—onto those more directly responsible.” This clause is an effort by the DOJ to keep companies from shielding recalcitrant executives from the consequences of their own illegal and unethical conduct.

However, the Monaco Memo clarified that it is not simply having a written policy and procedure. If warranted, there must be corporate action under the clawback policy and procedure. In the Albemarle and SAP enforcement actions, the DOJ evaluated the companies’ actions, “Following the corporation’s discovery of misconduct, a corporation has, to the extent possible, taken affirmative steps to execute on such agreements and clawback compensation previously paid to current or former executives whose actions or omissions resulted in or contributed to the criminal conduct at issue.”

Albemarle

Albemarle went in a different direction—not clawbacks, but holdbacks. While the DOJ has made much noise about clawbacks from recalcitrant executives, Albemarle engaged in holdbacks, where they did not pay bonuses to certain employees involved in the conduct or those who had oversight. The NPA stated, “The company withheld bonuses totaling $763,453 during the course of its internal investigation from employees who engaged in suspected wrongdoing.” The illegal conduct involved those who “(a) had supervisory authority over the employee(s) or business area engaged in the misconduct; and (b) knew of, or were willfully blind to, the misconduct.” The significance of this effort was vital as it qualified Albemarle for an additional fine reduction of a dollar-for-dollar credit of the amount of the withheld bonuses under the Criminal Division’s March 2023 Compensation Incentives and Clawbacks Pilot Program. 

SAP

SAP had extensive holdbacks as well. The DPA noted SAP withheld bonuses totaling $109,141 during the course of its internal investigation from employees who engaged in suspected wrongdoing in connection with the conduct under investigation, or who both (a) had supervisory authority over the employee(s) or business area engaged in the misconduct and (b) knew of, or were willfully blind to, the misconduct, and further engaged in substantial litigation to defend its withholding from those employees, which qualified SAP for an additional fine reduction in the amount of the withheld bonuses under the DOJ’s Compensation Incentives and Clawbacks Pilot Program.

The DOJ has given significant credit to both Albemarle and SAP for their holdbacks, and we would expect them to continue to do so. If your organization has not instituted a Clawback/Holdback Policy, now is the time to do so rather than wait until you are in the middle of an investigation or enforcement action. Also, remember that the DOJ gives a dollar-for-dollar credit on any settlement where the company engaged in either clawbacks or holdbacks.

Categories
Blog

Ten Top Lessons from Recent FCPA Settlements – Lesson No. 5, Data Analytics

Over the past 15 months, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have made clear, through three Foreign Corrupt Practices Act (FCPA) enforcement actions and speeches, their priorities in investigations, remediations, and best practices compliance programs. Every compliance professional should study these enforcement actions closely for the lessons learned and direct communications from the DOJ. They should guide not simply your actions should you find yourself in an investigation but also how you should think about priorities.

The three FCPA enforcement actions are ABB from December 2022, Albemarle from November 2023, and SAP from January 2024. Taken together, they point a clear path for the company that finds itself in an investigation, using extensive remediation to avoid monitoring, and provide insight for the compliance professional into what the DOJ expects in a best practices compliance program on an ongoing basis.

Over a series of blog posts, I will lay out what I believe are the Top Ten lessons from these enforcement actions for compliance professionals who find themselves in an enforcement action. Today, we continue with Number 5, Data Analytics. Data analytics was previously seen as cutting-edge in compliance. Now, they are recognized as part of a best practices compliance program. By this time next year, they will be table stakes for every compliance program. However, the DOJ specifically called out the use of data analytics in these three enforcement actions and the incorporation of data analytics into their compliance regimes in the future.

Albemarle

Albemarle’s NPA specifically called out the Company’s use of data analytics in two ways. The first was to monitor the Company’s compliance program, and the second was to measure the compliance program’s effectiveness. While this language follows a long line of DOJ pronouncements, starting with the 2020 Update to the Evaluation of Corporate Compliance Programs, about the corporate compliance functions’ access to all company data, this is the first time it has been called out in a settlement agreement in this manner. Moreover, although not explicitly tied to the lack of a required corporate monitor, it would appear that by using data analytics, Albemarle was able to satisfy the DOJ requirement for implementing controls and then effectively testing them throughout the pendency of the DOJ investigation.

Andrew McBride, Chief Risk & Compliance Officer at Albemarle. He noted that if you think about each element of a compliance program—policies and procedures, training, due diligence, and pre-approvals—and your investigation process, a recurring theme throughout is the role of data to test that those program elements are working as you intend. McBride believes there are four critical purposes for using data and data analytics to support the ethics and compliance program, which he listed as follows:

  1. Risk Identification Issues. It can be used as a part of transaction testing and auditing to identify problematic behavior, support investigations, and highlight areas of residual risk.
  2. Risk Response. Data analytics can be used as a form of internal control. Albemarle uses data analytics as a form of gatekeeper.
  3. Compliance Program Testing. Data analytics can be used to determine the effectiveness of your ethics and compliance program.
  4. Finally, and perhaps most significantly for the DOJ’s purposes in FCPA enforcement actions, are the reporting requirements to demonstrate that the company meets its requirements as laid out in the resolution documents, whether a DPA, NPA, or other.

SAP

The SAP resolution made several references to data analytics and data-driven compliance. SAP did so around its third-party program and expanded its data analytics capabilities to cover over 150 countries, including all high-risk countries globally. The SEC Order also noted that SAP had implemented data analytics to identify and review high-risk transactions and third-party controls. The SAP DPA follows the Albemarle FCPA settlement by stating that SAP now uses data analytics to measure the compliance program’s effectiveness. This language follows a long line of DOJ pronouncements, starting with the 2020 Update to the Evaluation of Corporate Compliance Programs, about the corporate compliance function’s access to all company data; this is the second time it has been called out in a settlement agreement in this manner. Additionally, it appears that by using data analytics, SAP was able to satisfy the DOJ requirement for implementing controls and then effectively testing them throughout the pendency of the DOJ investigation, thereby avoiding monitoring.

ABB

While not explicitly called out in its DPA, ABB has instituted a significant and company-wide data analytics program as a part of its overall remediation effort. Tapan Debnath, Head of Integrity, Regulatory Affairs, & Data Privacy—Process Automation at ABB, spoke about some of the challenges ABB faced and overcame to institute its data analytics program. He said, “The way data is hosted for us and probably for a lot of organizations is in lots of different places, and there needs to be a lot of data cleanup before we can utilize and use data.” He related that another challenge “for us has also been getting hold of data in different jurisdictions. There may be data privacy laws around data transfer, and there may be blocking statutes around this same thing. So navigating the local law requirements around data transfer, getting a hold of the data, and all of those things have been key challenges, as well as resourcing internally how to do this and getting the external stakeholders to support. I think These key fundamental steps need to be ironed out and looked at early on in the process.”

In November, Nicole Argentieri, Acting Assistant Attorney General for the Criminal Division, speaking at the ACI National FCPA, reported that the DOJ is stepping up its use of data analytics to identify instances of corporate misconduct and will boost its cooperation with overseas law enforcement to bring more anti-corruption cases as well. The DOJ and SEC increasingly focus on data analytics for corporate compliance, signaling higher expectations for larger companies.

Data-driven analytics have become a significant part of any best practices compliance program. The DOJ sees it as a critical remedial step for any company in an FCPA enforcement action. The actions taken by ABB, Albemarle, and SAP demonstrate that the DOJ also wants to impress this upon the greater compliance community.