Data Driven Compliance: Current Trends and Innovations

Data-driven compliance strategies have become a game-changer in risk management and fraud prevention. I recently had the opportunity to participate in a KonaAi-sponsored webinar entitled “Data Driven Compliance: Current Trends and Innovations.” The event was hosted by Vince Walden and featured Rayne Towns, the Global Head of Risk and Monitoring at Nokia.

I view data-driven compliance strategies in risk management and fraud prevention as an evolution of the compliance profession. It can be seen in the importance of data analytics in improving the effectiveness of compliance programs. There is and will always be the need for human interpretation and utilization of the data. Towns sees data-driven compliance strategies as a way to strengthen and improve the compliance program’s effectiveness, using data analytics to identify and address gaps in the compliance program. She also emphasizes the importance of prioritizing and starting with solving specific problems when implementing data analytics. Vince Walden joined in with his perspective on data-driven compliance strategies in risk management and fraud prevention.

Data-driven compliance is one more step in the evolution of the compliance profession. Fortunately, we have evolved from the time when compliance was very much legal-driven and run by lawyers. Over time, most compliance professionals (and equally importantly, the DOJ and SEC) began to view compliance as a business process. As a business process, it can be measured, it can be studied, it can be monitored, and it can be improved based on that information.

We began with the importance of data analytics in compliance programs. The shift towards data-driven compliance has transformed the profession from solely legal-driven to a measurable and improvable business process. This shift has been recognized by the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC). The SEC first called out the use of data analytics in the Order concluding the Key Energy FCPA enforcement action. Most recently, the Albemarle FCPA resolution specifically called out the company’s use of data analytics in its remediation program, which occurred during the pendency of its FCPA resolution process.

In 2016, the Securities and Exchange Commission called out data analytics in an enforcement action for the first time. It was the Key Energy FCPA enforcement action, where they suggested data analytics would have shown or demonstrated a range of values outside the norm for certain gifts, travel, and entertainment for the company. This demonstrated that regulatory thinking had evolved as well. Now, data analytics has become a critical element to improve the business process of compliance. Data-driven compliance allows you to measure it, monitor it, and improve it all in a documented fashion so that if a regulator ever comes knocking, you can demonstrate to them not only the effectiveness of your compliance program but also how you are moving your compliance regime forward based on solid data and analysis.

AB InBev was one of the first companies to successfully implement data-driven compliance strategies, moving from detection to prevention of issues. This shift has resulted in cost savings and improved risk management for the company. Equally significant was the company’s public discussion of the BrewRight program and how it evolved into a broader business process tool.

The DOJ always telegraphs what is important to them. Starting in 2020 with the 2020 Update to the Evaluation of Corporate Compliance Programs, they said the CCO must have access to all data across an organization. You may have data silos, but a CCO must be able to punch through all of those data silos. It is a natural progression from 2020 to this Albemarle FCPA enforcement action, where the DOJ clearly stated that the company’s data analytics program allowed them to move forward with the remediation.

Moreover, the critical part was that Albemarle was not required to have a monitor. Avoiding a monitor under the resolution required two things: one, an effective compliance program, and two, testing of it. The DOJ has made those requirements very clear. Albemarle had an effective compliance program, but more importantly, they have monitored it and tested it through their data analytics program. Their compliance function’s actions saved the company millions. And it tells the rest of us what the DOJ will look for in a compliance program going forward.

Data analytics plays a crucial role in various aspects of compliance, including M&A due diligence and risk assessment. By leveraging external data sources, compliance professionals can gain valuable insights into potential risks associated with vendors, customers, and employees. This information allows them to make informed decisions and mitigate risks effectively.

Compliance professionals must be aware of the impact of data-driven compliance strategies on decision-making. Using data analytics, compliance professionals can measure, monitor, and improve compliance programs in a documented fashion. This demonstrates the compliance program’s effectiveness and enables organizations to adjust and adapt more quickly to changing regulatory requirements.

However, implementing data-driven compliance strategies comes with its own challenges. Balancing the tradeoffs between automation and manual processes is one such challenge. While automation can streamline compliance processes and identify gaps, manual touches are sometimes necessary. Data analytics can help identify these gaps and drive accountability and training efforts.

There is great potential for new technologies like generative AI and machine learning to enhance compliance programs. These technologies can make compliance processes more efficient and enable better decision-making. For example, generative AI can guide users through dashboards and provide valuable insights, making compliance tasks easier and more effective.

Budget approvals are another crucial consideration for organizations when implementing data-driven compliance strategies. CFOs prioritize keeping the business out of legal risks and fines, fraud prevention and recoveries, and improved internal controls. Data analytics is not just a “nice-to-have” but a “must-have” for organizations. Those that do not embrace data analytics or fail to move towards it are at risk.

In conclusion, data-driven compliance strategies have revolutionized the compliance profession. Organizations can measure, monitor, and improve compliance programs by leveraging data analytics, resulting in cost savings, improved risk management, and better decision-making. While there are challenges associated with implementing data-driven compliance strategies, the benefits far outweigh the tradeoffs. Compliance professionals must embrace data analytics as a critical element of their compliance programs to stay ahead in an ever-evolving regulatory landscape.

The Importance of Tailored Policies for Compliance and Risk Management

In compliance and risk management, one size does not fit all. Generic policies and procedures may seem convenient but can lead to compliance risks and potential harm. This is why the Securities and Exchange Commission (SEC) stresses the need for well-designed, tailored policies and procedures in areas such as anti-money laundering (AML) and cybersecurity.

In a recent episode of Compliance into the Weeds, Tom Fox and Matt Kelly discussed in detail the importance of tailored policies for compliance and risk management. They discussed the case of Deutsche Bank, where the SEC imposed sanctions due to faulty policies. The bank had taken generic policies not specific to their mutual fund obligations and declared them their AML program. This cut-and-paste approach led to compliance risks and inconsistencies that caught the attention of regulators.

The case also serves as a reminder of the potential consequences of misleading marketing practices without proper procedures. The SEC sanctioned DWS $25 million for failures around ESG disclosures and a poor AML program. In both instances, faulty policies and procedures were identified as the root cause of the compliance failures.

The key takeaway from this case is that companies should conduct risk assessments and gap analyses to identify their specific needs and design appropriate policies. A good risk assessment is the foundation for crafting effective policies and procedures. It helps organizations understand their risks, evaluate their controls, and determine the necessary steps to mitigate them.

The impact on employees should be considered when designing policies and procedures. Simply copying and pasting language from regulations without considering the organization’s unique structure, technology, and transactions can lead to confusion and compliance risks. Employees need clear guidance on their duties and responsibilities; generic policies do not provide that clarity.

Compliance officers should create policies and procedures tailored to their organization’s needs and risks to avoid compliance risks and potential harm. Considering the organization’s specific circumstances, resources, and capabilities requires a thoughtful approach. It also requires regular risk assessments, gap analyses, and monitoring of policy effectiveness.

How to do so? The 2020 FCPA Resource Guide, 2nd edition, provided guidance. It stated, “When assessing a compliance program, DOJ and SEC will review whether the company has taken steps to ensure that the Code of Conduct remains current and effective and whether a company has periodically reviewed and updated its Code.” [emphasis supplied] Some of the questions you should consider are:

  • When was the last time your policies and procedures were released or revised?
  • Have there been changes to your company’s internal controls since the last revision?
  • Have there been changes to relevant laws relating to a topic covered in your company’s policies and procedures?
  • Are any of the policies and procedures outdated?
  • What is the budget to create/revise your policies and procedures?

After considering these issues, you should benchmark your current policies and procedures against other companies in your industry. If you decide to move forward, I suggest a process that can be fully documented to include revisions to your compliance policies and procedures.

Get buy-in from the senior leadership of your company. The highest level of your company must mandate the revision of compliance policies and procedures. The CEO, GC, CCO, or all three should demand this effort. Whoever gives the order should be consulted at every step of the revision process if it involves a change in the direction of key policies.

Establish a core policies and procedures revision committee. A cross-functional working group is ideal to advance your effort to revise your compliance policies and procedures. This group should include representatives from the following departments: legal, compliance, communications, and HR; there should also be other functions that represent the company’s domestic and international business units. Finally, functions within the company such as finance and accounting, IT, marketing, and sales should be represented.

From this large group, the topics can be assigned for initial drafting to functions based on their relevance or necessity. These functions would also solicit feedback from their functional peers and deliver a final, proposed draft to the Drafting Committee. You must establish a timetable for the revision process and hold representatives accountable for meeting their revisions.

Conduct a thorough technology assessment. The cornerstone of the revision process is how your company captures, collaborates on, and preserves all the comments, notes, edits, and decisions during the entire project. In addition to using technology to revise your compliance policies and procedures, you should determine if they will be available in hard copy, online, or both. There must be a distribution plan, particularly if the Code and compliance policies and procedures are only available in hard copy.

Determine translations and localizations. The 2020 FCPA Resource Guide clarified that your compliance policies and procedures must be translated into the local language for your non-English speaking workforce. The key is that your employees have the same understanding of the compliance policies and procedures regardless of the language.

Develop a plan to communicate the revised policies and procedures. A rollout is always critical because the revised policies and procedures must be communicated in a way that encourages employees to review and use them on an ongoing basis. Your company should use the whole armor of available tools to publicize the revised compliance policies and procedures. This can include a multi-media approach or handing out a copy to all employees at a designated time. You might consider having a company-wide compliance policies and procedures meeting where the new or revised documents are rolled out across the company all in one day. But remember, with all things compliance, the three most important aspects are “Document, Document, and Document.” However you deliver the new or revised policies and procedures, you must document that each employee received them.

Stay on target and budget. It would be best if you worked to set realistic expectations to stay on deadline and within your budget. This is equally applicable to your policies and procedures revision. Also, remember to keep a close watch on your budget so you do not exceed it.

These points are a valuable guide to not only thinking through how to determine if your policies and procedures need updating but also practical steps on how to tackle the problem. You should begin the process now if it has been more than five years since the last updates. It is far better to review and update if appropriate than wait for a massive FCPA investigation to go through the process.

There are tradeoffs involved in balancing different factors when designing policies and procedures. Compliance officers need to consider the organization’s staffing, technology, review processes, and the need for human intervention in automated systems. Insufficient resources and inconsistent procedures can lead to compliance gaps and backlogs, increasing the organization’s exposure to compliance risks.

In conclusion, the importance of tailored policies for compliance and risk management cannot be overstated. Generic policies may seem like a quick fix, but they can lead to significant compliance risks and harm. Compliance officers should conduct risk assessments, identify specific needs, and design policies and procedures that address those needs. Employee understanding and guidance are crucial, and policies should be regularly assessed, monitored, and updated as necessary. By taking a tailored approach to compliance and risk management, organizations can minimize their exposure to compliance risks and protect themselves from potential harm.

Compliance into the Weeds: A Deep Dive into Policies and Procedures

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject more fully. Are you looking for some hard-hitting insights on sanctions compliance? Look no further than Compliance into the Weeds! In this episode, Tom and Matt take a deep dive into the recent enforcement action against Deutsche Bank for AML violations and greenwashing to consider best practices for policies and procedures.

In the complex business world, the importance of tailored policies for compliance and risk management cannot be overstated. Tom Fox and Matt Kelly bring their unique perspectives to this topic, emphasizing the need for well-designed, specific policies and procedures to mitigate compliance risks and potential harm.

Drawing from his experience, Fox believes that generic policies are insufficient and stresses the need for policies specific to a company’s needs, risks, and operations. On the other hand, Kelly criticizes copying and pasting policies from regulations without considering the organization’s unique characteristics and needs. He underscores the importance of conducting risk assessments and gap analyses to design effective policies. Join Tom Fox and Matt Kelly as they delve deeper into this topic on this episode of the Compliance into the Weeds podcast.

Key Highlights:

  • The Importance of Tailored Policies and Procedures
  • Risks and Consequences of Generic Policies
  • Tailoring Policies and Procedures for Compliance
  • Ongoing Monitoring of Policies and Procedures

Resources:

Matt in Radical Compliance

FCPA Compliance Report – Albemarle FCPA Enforcement Action – Internal Controls

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. Today, we begin a short podcast series on the Albemarle FCPA enforcement action. Today, we have Karen Moore on the internal controls failures and other areas identified in the SEC enforcement action.

The recent FCPA enforcement action against Albemarle has sparked a lively debate in the compliance community, particularly regarding the company’s internal controls, imposed penalties, and the lack of monitorship. While Karen is surprised at this development, Tom believes it is consistent with the new DOJ FCPA policy.

One of the key takeaways from the episode is the importance of thorough due diligence and stronger measures to prevent corruption. The case highlights the need for compliance officers to operate beyond their comfort zones and ensure that the right people receive the right training to spot issues. It also raises questions about the credibility of messages about risk tolerance from senior leadership and the effectiveness of deal reviews. Join us as we dive deeply into these issues in this FCPA Compliance Report podcast episode.

Key Highlights:

  • Albemarle’s Penalties
  • Identifying Red Flags in Due Diligence
  • Including Monitors in Plea Deals for Compliance

Resources:

Tom Fox blog post series on the Albemarle FCPA Enforcement Action.

FCPA Compliance Report – Albemarle FCPA Enforcement Action – Overview

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. Today, we begin a short podcast series on the Albemarle FCPA enforcement action. Today, we open with Matt Kelly, providing an overview.

The intriguing case of Albemarle, a chemicals company embroiled in a bribery scheme, is a stark reminder of the importance of compliance and timely remediation measures. Albemarle faced hefty fines and penalties, totaling over $218 million, for using intermediaries to sell chemicals to state-owned oil companies and funnel bribes to government officials. However, the company’s swift action in withholding bonuses during their internal investigation and implementing remedial measures, such as eliminating sales agents and adopting a direct sales approach, was recognized and credited.

We underscore the significance of Albemarle’s transformation of its business model as a positive remediation measure that effectively reduces corruption risk. We also emphasize the importance of timely self-disclosure and the benefits of initiating remediation measures before an investigation is complete. The fines and penalties imposed on Albemarle are among the largest FCPA settlements in 2023. Join us in this FCPA Compliance Report podcast episode as we dive deeply into the regulatory outcome, remediation efforts, and compliance lessons from Albemarle’s case.

Key Highlights:

  • Bribery Scheme with “Friend” Emails
  • Identifying and Addressing Control Gaps for Ethical Business Practices
  • FCPA Settlement and Corruption Risk Reduction

Resources:

Tom Fox blog post series on the Albemarle FCPA Enforcement Action.

Messaging App Compliance in Regulated Industries: Lessons from Recent Enforcement Actions

In recent years, regulated industries, particularly broker-dealer firms like Wells Fargo and Morgan Stanley, have faced increased scrutiny from regulatory bodies due to their lack of compliance in policing messaging apps. The Securities and Exchange Commission (SEC) recently announced charges against 10 firms in their capacity as broker-dealers and one dually registered broker-dealer and investment adviser for widespread and longstanding failures by the firms and their employees to maintain and preserve electronic communications. The firms admitted the facts outlined in their respective SEC orders. These firms collectively “agreed to pay combined penalties of $289 million and have begun implementing improvements to their compliance policies and procedures to address these violations.” Additionally, the Commodity Futures Trading Commission (CFTC) ordered four financial institutions to pay $260 million for recordkeeping and supervision failures due to the widespread use of unapproved communication methods.

Even more troubling is the involvement of senior managers in this misconduct, leading the SEC to require an independent compliance consultant in multiple settlements. This highlights the significance of overall corporate culture and the need for stricter compliance measures. Matt Kelly and I recently explored these enforcement actions, the reforms that companies must implement, the role of consultants in reviewing these reforms, and the potential risks and consequences of using messaging apps for business purposes in a Compliance into the Weeds podcast.

Reforms in regulated industries focus on policies and procedures, messaging policies, and employee training. Companies must establish clear messaging policies that outline the acceptable use of communication channels and the importance of recordkeeping obligations. Training employees on these policies and ensuring their understanding is equally vital. Additionally, companies must track training records and allegations of policy violations, making them readily available for review. Next, both ongoing monitoring and continuous improvement must be utilized. Finally, do not forget the need for disciplinary frameworks, with repeat offenders and senior employees potentially facing more severe discipline.

The enforcement crackdown by the SEC and CFTC has already resulted in significant penalties, with fines totaling a staggering $550 million. J.P. Morgan was the first bank to face such a settlement decree, setting a precedent for other banks. This raises speculation about whether the misconduct will continue and if there will be additional enforcement actions. While some large securities firms have yet to be targeted, all regulated industries must take note and proactively address compliance issues.

As noted above, using improper messaging apps for business communication is a significant concern for regulators. Moreover, these violations of securities laws occurred due to employees using ephemeral messaging apps like WhatsApp and Snapchat, which turn off record preservation. Once again, the involvement of supervisory employees and managers in using these apps is even more alarming, further angering the regulators. The SEC’s requirement for an independent compliance consultant in multiple settlements indicates a focus on corporate culture and the need to address senior managers’ involvement.

While these enforcement actions focused on regulated industries, they raise an important question about whether non-regulated industries could also face similar exposure to the SEC. The Justice Department has emphasized taking messaging and communication app risks seriously for all companies. Therefore, even if a company operates outside the purview of specific regulations, it is crucial to consider the potential risks and consequences of using improper messaging apps for business purposes. In a Radical Compliance blog post, Kelly noted, “That is a terrible look for a company. It paints the picture of a management team not interested in good ethical conduct, and we all know how that goes over with the Justice Department when evaluating the state of your compliance program.”

We wanted to shed some light on the recent enforcement actions against regulated industries for their lack of compliance in policing messaging apps. The fines and penalties imposed by the SEC and CFTC highlight the seriousness of these violations. Companies must implement reforms, establish robust policies and procedures, and prioritize employee training to ensure compliance. The conversation also underscores the potential risks and consequences of using improper messaging apps for business communication. All companies must prioritize compliance and take proactive measures to address these concerns regardless of industry. By doing so, companies can foster a culture of integrity and avoid the hefty fines and reputational damage associated with non-compliance.

Everything Compliance – The Albemarle Edition

Welcome to the only roundtable podcast in compliance as we celebrate our second century of shows. In this episode, we have the quartet of Jay Rosen, Jonathan Armstrong, Matt Kelly, and special guests Karen Moore and Kristy Grant-Hart, with Tom Fox hosting. Our topic today (with the exception of Mr. Armstrong) is the recently announced Albemarle FCPA enforcement action with both the DOJ and SEC. We conclude with our always popular and fan-favorite Shout Outs and Rants.

1. Matt Kelly provides an overview of the enforcement action. He rants about former House Speaker Kevin McCarthy and the GOP’s desire for chaos rather than governing.

2. Guest Karen Moore takes a deep dive into the SEC FCPA enforcement action involving Albemarle. She rants about lawyer fees over $2000+ per hour.

3. Tom Fox shouts out to the MLB playoffs and pays tribute to Dick Butkus.

4. Guest Kristy Grant-Hart takes a deep dive into the holdback provision noted in the DOJ enforcement action.

5. Jonathan Armstrong reviews CEOs misbehaving and the corporate response. He shouts out Kortney Nordrum for her presentation on what it is like to go through a data breach.

The members of Everything Compliance are:

  • Jay Rosen – Jay is Vice President of Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com
  • Karen Woody – One of the top academic experts on the SEC. Woody can be reached at kwoody@wlu.edu
  • Matt Kelly – Founder and CEO of Radical Compliance. Kelly can be reached at mkelly@radicalcompliance.com
  • Jonathan Armstrong – Our UK colleague, who is an experienced data privacy/data protection lawyer with Cordery in London. Armstrong can be reached at jonathan.armstrong@corderycompliance.com
  • Jonathan Marks can be reached at jtmarks@gmail.com.
  • Special Guest Kristy Grant-Hart is the founder of Spark Consulting.
  • Special Guest Karen Moore is an Adjunct Professor at Fordham University School of Law

The host and producer, ranter (and sometimes panelist) of Everything Compliance is Tom Fox, the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the Compliance Podcast Network.

Albemarle FCPA Enforcement Action: Part 5 – Lessons Learned

Over the past several blog posts, I have been exploring the Albemarle FCPA enforcement action. We have explored in some detail the DOJ Non-Prosecution Agreement (NPA) and the SEC Administrative Order (Order). In this final blog post in the series, I want to suss out some lessons for the compliance professional.

Consequence Management

When Kenneth Polite announced the Pilot Program in conjunction with the 2023 Evaluation of Corporate Compliance Programs (ECCP), the focus was largely on clawbacks. However, the relevant section in the ECCP was entitled “Consequence Management,” indicating a broader focus on both incentives to do business ethically and in compliance as well as disincentives. The ECCP asked a series of questions:

  • Has the company considered the impact of its financial rewards and other incentives on compliance?
  • Has the company evaluated whether commercial targets are achievable if the business operates in a compliant and ethical manner?
  • What role does the compliance function have in designing and awarding financial incentives at senior levels of the organization?
  • How does the company incentivize compliance and ethical behavior? What percentage of executive compensation is structured to encourage enduring ethical business objectives?
  • Are the terms of bonus and deferred compensation subject to cancellation or recoupment, to the extent available under applicable law, in the event that non-compliant or unethical behavior is exposed before or after the award was issued?
  • Does the company have a policy for recouping compensation that has been paid where there has been misconduct?
  • Have there been specific examples of actions taken (e.g., promotions or awards denied, compensation recouped, or deferred compensation canceled) as a result of compliance and ethics considerations?

The NPA noted that Albemarle engaged in holdbacks, as they did not pay bonuses to certain employees involved in the conduct or those who had oversight. The NPA stated, “The Company withheld bonuses totaling $763,453 during its internal investigation from employees who engaged in suspected wrongdoing.” The illegal conduct involved those who “(a) had supervisory authority over the employee(s) or business area engaged in the misconduct; and (b) knew of, or were willfully blind to, the misconduct.” The significance of this effort was vital as it qualified Albemarle for an additional fine reduction of a dollar-for-dollar credit of the amount of the withheld bonuses under the Criminal Division’s March 2023 Compensation Incentives and Clawbacks Pilot Program.

Indeed, Deputy Attorney General Lisa Monaco, in a recent speech, said, “The pilot program also rewards companies that claw back or withhold incentive compensation from executives responsible for misconduct – or attempt to do so in good faith. For every dollar that a company claws back or withholds from an employee who engaged in misconduct – or a supervisor that knew of or turned a blind eye to it – the Department will deduct a dollar from the otherwise applicable penalty that the resolving company would pay.”

She specifically cited the Albemarle FCPA resolution, where “the company received a clawback credit for withholding bonuses of employees who engaged in misconduct. Not only did Albemarle keep the bonuses that would have gone to wrongdoers, but the company also received an offset against its penalty for the same amount. That’s money saved for Albemarle and its shareholders – and a concrete demonstration of the value of clawback programs.”

Remediation During Investigation

The NPA cited several remedial actions by the company that helped Albemarle obtain the superior result in terms of the discounted fine and penalty. These steps were taken during the pendency of the DOJ investigation so that when the parties were ready to resolve the matter, Albemarle had built out an effective compliance program and had tested it. The NPA provided that Albemarle:

  • Strengthened its anti-corruption compliance program by investing in compliance resources, expanding its compliance function with experienced and qualified personnel, and taking steps to embed compliance and ethical values at all levels of its business organization;
  • Transformed its business model and risk management process to reduce corruption risk in its operation and to embed compliance in the business, including implementing a go-to-market strategy that resulted in eliminating the use of sales agents throughout the Company, terminating hundreds of other third-party sales representatives, such as distributors and resellers, and shifting to a direct sales business model;
  • Provided extensive training to its sales team and restructured compensation and incentives so that compensation is no longer tied to sales amounts;
  • Used data analytics to monitor and measure the compliance program’s effectiveness; and
  • Engaged in continuous testing, monitoring, and improvement of all aspects of its compliance program, beginning almost immediately following the identification of misconduct.

Two of the factors are relatively new and certainly are noteworthy for the compliance professional. The first is the change in the company’s approach to sales and their sales teams. Obviously, it was corrupt third-party agents that brought the company to such FCPA grief. Many of the quotes in the NPA and Order make it clear that Albemarle executives had an aversion to paying bribes but had greater moral flexibility when a third-party agent was involved. This led to the company moving away from third-party agents to a direct sales force.

Moving to a direct sales force does have its risks, but those risks can certainly be managed with an appropriate risk management strategy, monitoring of that strategy, and improvement. Yet there is another reason, and more importantly, a significant business reason, to move towards a direct sales business model. Every time you have a third-party agent or anyone else between you and your customer, you risk losing that customer because your organization does not have a direct relationship with the customer. By having a direct sales business model, your organization will have a direct relationship with your customer and, therefore, the ability to develop it further.

The NPA also specifically called out the Company’s use of data analytics in two ways. The first was to monitor the Company’s compliance program, and the second was to measure the compliance program’s effectiveness. While this language follows a long line of DOJ pronouncements, starting with the 2020 Update to the Evaluation of Corporate Compliance Programs, about the corporate compliance functions’ access to all company data, this is the first time it has been called out in a settlement agreement in this manner. Moreover, although not specifically tied to the lack of a required corporate Monitor, it would appear that by using data analytics, Albemarle was able to satisfy the DOJ requirement for implementing controls and then effectively testing them throughout the pendency of the DOJ investigation.

Internal Controls Over Commission Increases

According to the SEC Order, the Company failed to devise and maintain a sufficient system of internal accounting controls with respect to commission rates and deviations from contracted rates. In other words, even though there were internal controls in place for the setting of third-party agents’ commissions, they could be overridden at will. The Order concluded by noting, “As a result, sales personnel were able to increase agents’ commission rates in multiple countries – including Vietnam, India, China, and UAE – despite certain Albemarle personnel having knowledge of red flags indicating the agents would use a portion of the commission to make bribe payments to obtain contracts, influence tender specifications, or obtain nonpublic information concerning competitors’ bids.”

Every compliance professional should review their company’s controls over agents’ commission rates to make sure the business unit personnel alone cannot raise commission rates. While business units can always make the business case, this enforcement action drives home the message that the compliance function is not ‘one and done’ when an agent is approved but must be monitored throughout the third-party relationship lifecycle. Any requested change to a commission rate must go through the same analysis and approval process as the original approval.

Timely Self-Disclosure

There was a significant discussion in the NPA around Albemarle’s voluntary self-disclosure to the DOJ. However, the NPA noted that “the disclosure was not ‘reasonably prompt’ as defined in the Criminal Division Corporate Enforcement and Voluntary Self-Disclosure Policy and the U.S. Sentencing Guidelines.” The NPA reported that Albemarle learned of allegations regarding possible misconduct in Vietnam approximately 16 months before disclosing it to the DOJ. Interestingly, the SEC Order only stated, “Albemarle made an initial self-disclosure to the Commission of potential FCPA violations in Vietnam following its completion of an internal investigation of such conduct and, at the same time, self-reported potential violations it was investigating in India, Indonesia, and China. Albemarle later self-disclosed to the Commission potential violations in other jurisdictions as part of an expanded internal investigation.”

This meant the self-disclosure “was not within a reasonably prompt time after becoming aware of the misconduct in Vietnam,” and it means that Albemarle did not meet the standard for voluntary self-disclosure under the Criminal Division Corporate Enforcement and Voluntary Self-Disclosure Policy. While the DOJ “gave significant weight” to the Company’s voluntary, even if untimely, disclosure of the misconduct, it is undoubtedly cautionary.

What the DOJ wants is self-disclosure as soon as possible. One only needs to recall the case of Cognizant Technologies, where the company received a complete Declination even though there were allegations of C-Suite involvement in the bribery schemes. This Declination was provided in large part because the company made its self-disclosure only two weeks after the information filtered up to the Board of Directors. While Cognizant Technologies may be the gold standard, it shows that if a company timely self-discloses, it can be considered for a full Declination.

The Albemarle FCPA resolution documents are chock-full of solid information that every compliance professional can use in the future. They are well worth a deep dive. Finally, kudos to Albemarle for obtaining this superior result.


Daily Compliance News: October 10, 2023 – The CEOs Misbehaving Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All from the Compliance Podcast Network. Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Stories we are following in today’s edition:

  • Claudia Goldin won a Nobel in Economics. (WaPo)
  • Misbehaving CEOs hurt the entire company. (FT)
  • Will Elon Musk lose to the SEC this time? (Reuters)
  • The US is trying to crack down on sanctions evaders. (WSJ)

Albemarle FCPA Enforcement Action: Part 4 – Internal Control Failures

Albemarle Corporation (Albemarle) recently agreed to pay more than $218 million to resolve investigations by the U.S. Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) into violations of the Foreign Corrupt Practices Act (FCPA) stemming from Albemarle’s participation in corrupt schemes to pay bribes to government officials in multiple foreign countries. We have explored in some detail the DOJ Non-Prosecution Agreement (NPA). Today, I wanted to consider specifically some of the company’s failures, which were detailed in the SEC Administrative Order (Order).

Corporate Structure

At the time of the violations, Albemarle had three business units “corresponding to its primary product markets: catalysts (which contained the Refining Solutions business), lithium, and bromine. The Refining Solutions business developed and sold catalysts to oil refineries through sales offices and intermediaries around the world. The President of the Refining Solutions GBU reported directly to Albemarle’s Chief Executive Officer. Albemarle centrally coordinated its compliance, legal, finance, contracting, and internal audit functions.”

The Refining Solutions business was further broken down into four operating units. It included “Albemarle Catalysts Company B.V. in the Netherlands (“Albemarle Netherlands”); Albemarle Singapore Pte. Ltd in Singapore (“Albemarle Singapore”); Albemarle Chemicals (Shanghai) Co. Ltd. in China (“Albemarle China”); and Albemarle Middle East FZE in the UAE (“Albemarle Middle East”) (each, an “Albemarle Subsidiary,” and together, the “Albemarle Subsidiaries”). Albemarle also used sales agents to sell refinery catalysts in Vietnam, India, Indonesia, China, and the UAE.” A most exciting nugget detailed in the Order revealed that “the sales agents in Indonesia and China were also retained as distributors.”

Finally, the Company “exercised control over the sales activities of the Albemarle Subsidiaries, which acted as agents for Albemarle when retaining agents to sell catalysts globally. Albemarle officers served on the Albemarle Subsidiaries’ boards of directors and held signatory authority over bank accounts at local branches of both U.S. and non-U.S. banks, used to pay sales intermediaries in the relevant countries. Albemarle sold refinery catalysts globally through agents and distributors approved by Albemarle sales, business, legal, compliance, and finance personnel and management.” 

Internal Audit-Reporting Deficiencies

In perhaps the most damning part of the Order, the SEC detailed how the Company’s internal audit function had raised the issue of insufficient controls multiple times, stating, “Despite the known risks posed by Albemarle’s reliance on third-party sales agents and distributors in the sale of catalyst products to state-owned and -controlled oil refineries, Albemarle failed for many years to institute sufficient compliance systems and devise and maintain a sufficient system of internal accounting controls concerning the retention, payment, and oversight of these intermediaries.”

These included a series of internal audit reports in 2013, 2015, and 2016, all of which identified multiple gaps in Albemarle’s internal accounting controls with respect to the Refining Solutions business’s use of intermediaries. These reports set out a series of internal control deficiencies and failures, including that sales agents and distributors were paid:

  1. With incomplete due diligence;
  2. With a lack of executed contracts;
  3. With contracts that lacked required anti-corruption provisions; and
  4. At not simply higher than market rates but at rates higher than those provided for by contract.

All of this was done in contravention of Albemarle’s policies and procedures.

Internal Audit-Recommendations

Yet, the internal audit did more than report deficiencies; it also made recommendations. As far back as 2013, the internal audit team recommended that Albemarle establish a comprehensive program specifically to manage and monitor the entire life cycle for intermediaries. The Order noted that “While Albemarle hired compliance personnel, reduced the number of sales agents and distributors without contracts, and implemented software to assist in third-party onboarding and contracting,” it failed to devise and maintain a sufficient system of internal accounting controls with respect to commission rates and deviations from contracted rates. In other words, even though there were internal controls in place, apparently, they could be overridden at will.

The Order concluded by noting, “As a result, sales personnel were able to increase agents’ commission rates in multiple countries – including Vietnam, India, China, and UAE – despite certain Albemarle personnel having knowledge of red flags indicating the agents would use a portion of the commission to make bribe payments to obtain contracts, influence tender specifications, or obtain nonpublic information concerning competitors’ bids.”

Internal Control Failures

The Order detailed a series of internal control failures by the Company across multiple business units in several different countries. The entire story paints a picture of a company that certainly did not have a culture of doing business ethically and in compliance.

In Vietnam, the Company’s agent “was hired in 2012 at a 4.25 percent commission rate that Albemarle’s sales representative viewed as high for the region, and Albemarle approved an increase to Vietnam Agent’s commission to 6.5 percent in 2015 despite emails reflecting a high probability additional funds would be used to bribe Vietnamese government officials.” The Order went on to note, “Albemarle’s system of internal accounting controls was insufficient to prevent or detect these improper payments, which Albemarle Singapore falsely recorded as legitimate commissions in books and records that were consolidated into Albemarle’s financial statements.”

In India, multiple red flags emerged during Albemarle’s due diligence process. The India Agent claimed that its board of directors included two former senior India State-Owned Customer officials, and Albemarle already had a sales agent in India. An Albemarle Subsidiary regional director alerted an Albemarle sales executive, who was employed directly by Albemarle and based in the United States, of his understanding, based on a July 2009 call with an India Agent, that the agent would make corrupt payments to keep Albemarle in the bidding process. Additionally, “Albemarle increased India Agent’s commission in 2010 (via a backdated agreement) and again in 2012. A July 2014 email from an Albemarle Europe sales executive to India Agent described the commissions as ‘extremely high’ and ‘far from any possible realistic justification.’” Finally, “The agreement called for payment of a three percent commission to India Agent, a rate three times higher than that paid to Albemarle’s existing agent for India.”

In Indonesia, the Agent requested a commission increase expressly to fund bribes to Indonesia State-Owned Customer officials. Moreover, “Although Albemarle sales personnel declined to increase the commission and reportedly told Indonesia Agent that Albemarle did not conduct business via bribery, they did not report concerns to their supervisors, Legal, or Compliance personnel or take any steps to terminate the agency relationship. Instead, Albemarle made contractual commission payments and certain extra-contractual expense reimbursements to Indonesia Agent throughout 2013 in connection with a contract Indonesia State-Owned Customer awarded to Albemarle in April 2013. A portion of these funds was used to pay bribes. Albemarle’s system of internal accounting controls was insufficient to prevent or detect the improper payments made to and through Indonesia Agent, which Albemarle Singapore falsely recorded as legitimate commissions and business expenses in books and records that were consolidated into Albemarle’s financial statements.”

In China, although business unit employees knew of the proposed agent’s familial relationship with the relevant government official, they failed to report it internally. Then, the Company’s compliance department’s due diligence revealed that China Agent had no website and was authorized to do business only a few weeks before China Agent’s Principal first met with Albemarle personnel. Despite these red flags, Albemarle retained the China Agent. When an Albemarle business director questioned China Agent’s compensation as “high,” an Albemarle Netherlands business director replied that he anticipated large returns on the contract. In February 2014, Albemarle agreed to increase the China Agent’s commission if it obtained higher prices from the customer. In August 2016, Albemarle China further increased the commission rate.

Finally, in the UAE, the Company did not conduct due diligence on the agent until after the agent agreement had been executed. After this initial contract was executed, a second agent was also contracted for illicit purposes. The deal with the original Agent was amended in 2013 to increase its commission by one percent — the same amount the Agent agreed to pay to the second agent, “UAE Consultant.” The UAE Consultant provided no discernable services other than conveying confidential tender evaluations and competitors’ bids obtained from the refinery and the EPC firm. In addition to commissions that Albemarle paid to the agent, Albemarle paid the agent undefined “administrative charges” equal to ten percent of its invoices for customs clearance and other non-sales services.

The SEC Order lays out in greater detail how the Company’s internal controls were circumvented. It also detailed some of the specific language in emails, which clearly denoted coded language around the payment of bribes.

Join us tomorrow to review some of the key lessons learned.