
Compliance Issues & Events We Are Looking at for 2023

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject. In this episode, Matt and I consider a list of compliance issues and events likely to happen in the coming year that will be most consequential for corporate compliance and audit professionals.

For 2023 (at least at this point), it is the following:

  • SEC rules on greenhouse gases.
  • PCAOB enforcement.
  • The FTC and privacy enforcement.
  • Fallout from the Oracle FCPA enforcement action.
  • New DOJ corporate crime enforcement policies.
  • An ESG controller.
  • Crash and burn of Elon Musk-style corporate governance.

 Resources

Matt Kelly in Radical Compliance


Profit Sharing as Bribery: The Honeywell FCPA Enforcement Action: Part 3 – The Comeback

To close out 2022 in Foreign Corrupt Practices Act (FCPA) enforcement actions, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) announced settlements of FCPA enforcement actions with Honeywell UOP, a US-based subsidiary of Honeywell International Inc. For its actions, Honeywell agreed to a criminal penalty of about $79 million, with the DOJ crediting up to $39.6 million of the criminal penalty for Honeywell’s payments to authorities in Brazil in related proceedings. The company agreed to pay the SEC $81.5 million in disgorgement and prejudgment interest and the SEC provided for an offset of up to $38.7 million for payments to Brazilian authorities. Today, I want to conclude with some lessons learned.

Honeywell’s Comeback

1. Overcoming a Failure of Culture

When the underlying facts of this enforcement action began, Honeywell had one of the most corrupt cultures you could have imagined. As I noted yesterday, the bribery scheme in Brazil began with the business unit outright lying to the compliance function about a corrupt agent. But do not absolve the company’s compliance function, as it apparently performed no due diligence, not even the bare minimum, on agents in a clear high-risk jurisdiction. Unfortunately, this outright corruption and/or malfeasance only went downhill from there. There was a profit-sharing agreement with the corrupt Petrobras agent, and Honeywell’s finance folks clearly showed malfeasance in paying under such a scheme when there was no written agreement or any other evidence which warranted payments of over $10 million. The bribery scheme in Algeria involved the corrupt third-party Unaoil, and once again bribe payments were approved all the way up the business and compliance line, with Honeywell Belgium finance signing off as well.

Yet even with this clear culture of corruption, Honeywell received a 25% discount off the minimum fine and penalty under the US Sentencing Guidelines. They did this without self-disclosing. Once again, since Unaoil was involved, it would be a logical assumption that the Unaoil executive brought to the US and given immunity provided the initial information on Honeywell’s corruption. Honeywell did turn things around so that, in addition to the 25% discount, they were not required to sustain a monitor. All in all, quite a comeback.

2. Extraordinary Cooperation

According to the Deferred Prosecution Agreement (DPA), Honeywell received full credit for its cooperation with the DOJ through its “(i) proactively disclosing certain evidence of which the Fraud Section and the Office were previously unaware; (ii) providing information obtained through its internal investigation, which allowed the government to preserve and obtain evidence as part of its own independent investigation; (iii) making detailed presentations to the Fraud Section and the Office; (iv) voluntarily facilitating interviews of employees; (v) collecting and producing voluminous relevant documents and translations to the Fraud Section and the Office, including documents located outside the United States.” The SEC added in its Order, “Honeywell cooperated in the Commission’s investigation by identifying and timely producing key documents identified in the course of its own internal investigation, providing the facts developed in its internal investigation, and making current or former employees available to the Commission staff, including those who needed to travel to the United States.”

3. Extensive Remediation

Honeywell was given credit by both the SEC and DOJ for its remedial efforts. The SEC said, the “remediation included: (i) strengthening its ethics and compliance organization; (ii) terminating sales directors involved in the misconduct in Brazil and demoting an employee with significant supervisory responsibilities over the misconduct in Brazil; (iii) implementing a program to eliminate UOP’s use of sales agents altogether (as of 3Q 2021, UOP had reduced its sales agent force by two-thirds); (iv) enhancing Honeywell’s policies and procedures including with respect to due diligence of third parties (including consolidating the due diligence process into one automated system and requiring third parties to submit quarterly reports and FCPA certifications); (v) improving Honeywell’s financial controls over third parties (including implementing digital end-to-end controls over payments to third party sales agents and ensuring that payments to sales intermediaries are made by wire transfer to an account belonging to the same party and to a bank account where the sales intermediary resides); and (vi) enhancing training provided to Honeywell employees and sales intermediaries regarding anti-corruption, controls, and other compliance issues.”

The DOJ noted that Honeywell, “(i) commencing remedial measures based on internal investigations of the misconduct prior to the commencement of the Fraud Section’s and the Office’s investigation; (ii) disciplining certain employees involved in the relevant misconduct, including terminating one employee; (iii) strengthening its anti-corruption compliance program by investing in compliance resources, expanding its compliance function with experienced and qualified personnel, and taking steps to embed compliance and ethical values at all levels of its business organization; (iv) substantially reducing its anti-corruption risk profile by taking steps to eliminate the Company’s use of sales intermediaries and, in the interim, rolling out a single, automated sales intermediary due diligence tool that requires responsible managers to provide quarterly compliance certifications for all existing sales intermediaries; (v) establishing monitor and audit processes to regularly review and update the compliance program; and (vi) enhancing its internal reporting, investigations, and risk assessment processes.”

From the SEC Order, the two key changes were: “(iv) enhancing Honeywell’s policies and procedures including with respect to due diligence of third parties (including consolidating the due diligence process into one automated system and requiring third parties to submit quarterly reports and FCPA certifications); (v) improving Honeywell’s financial controls over third parties (including implementing digital end-to-end controls over payments to third party sales agents and ensuring that payments to sales intermediaries are made by wire transfer to an account belonging to the same party and to a bank account where the sales intermediary resides);”. Both of these remediations speak to the use of tech solutions to enhance compliance. Under Prong IV, this was the implementation of one automated system for third parties.

From the DOJ DPA, the key changes were “(iii) strengthening its anti-corruption compliance program by investing in compliance resources, expanding its compliance function with experienced and qualified personnel, and taking steps to embed compliance and ethical values at all levels of its business organization; (iv) substantially reducing its anti-corruption risk profile by taking steps to eliminate the Company’s use of sales intermediaries and, in the interim, rolling out a single, automated sales intermediary due diligence tool that requires responsible managers to provide quarterly compliance certifications for all existing sales intermediaries;”. Once again, the tech solution noted in Prong IV was critical, but also note the language found in Prong III about having ‘experienced and qualified [compliance] personnel.’

By putting these remedial actions in place, Honeywell was able to avoid a monitor. This means the company not only put the changes in place but has also tested them to the satisfaction of the DOJ and SEC. But more than setting out what Honeywell did to make its comeback, these remedial efforts provide a clear set of guidelines for the compliance professional to review in looking at your own program. This enforcement action seems a fitting end for the year 2022 in FCPA enforcement.


Profit Sharing as Bribery: The Honeywell FCPA Enforcement Action: Part 2 – The King and Bribery Schemes

To close out 2022 in Foreign Corrupt Practices Act (FCPA) enforcement actions, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) announced settlements of FCPA enforcement actions with Honeywell UOP, a US-based subsidiary of Honeywell International Inc. For its actions, Honeywell agreed to a criminal penalty of about $79 million, with the DOJ crediting up to $39.6 million of the criminal penalty for Honeywell’s payments to authorities in Brazil in related proceedings. The company agreed to pay the SEC $81.5 million in disgorgement and prejudgment interest and the SEC provided for an offset of up to $38.7 million for payments to Brazilian authorities. Yesterday we laid out the broad outlines of the enforcement action. Today, I want to take a deep dive into the bribery schemes.

Bribery Schemes

1. Brazil and Petrobras

Honeywell’s culture was so corrupt in 2010, when the facts around this matter began, that the business unit dealing with Petrobras could openly lie to the corporate compliance function. As stated in the Deferred Prosecution Agreement (DPA), “On or about May 27, 2010, two Honeywell UOP employees submitted a form requesting that Honeywell’s compliance department approve Brazil Sales Company to serve as Honeywell UOP’s sales agent. To increase the likelihood of receiving internal approvals, the Honeywell UOP employees lied on the request form, stating that Brazil Sales Company had been “known to” Honeywell UOP and a Honeywell UOP employee for two years, when, in fact, the companies had no common history and the Honeywell UOP employee had no prior knowledge of Brazil Sales Company.”

Let’s unpack this for a minute. This is a statement in the DPA, and it speaks not only to how poorly the compliance function was thought of internally but also to a sales function that openly used lying, cheating and fraud as part of its business practices. But not all blame lies with the business unit; where was the corporate compliance function in its trust-but-verify role? Apparently non-existent. When you wed a business strategy based on corruption and fraud both internally and externally, you can see where this was headed. By 2010, the corruption rot in Petrobras was well-known literally across the globe, and there is no way that the Honeywell compliance function did not know that doing business with Petrobras was high risk.

It was at this early juncture that profit sharing as the basis for the bribe payment was structured: “Honeywell Employee 1 and Intermediary 2 offered to pay Petrobras Official 1 one percent of the expected revenue from the Premium Refinery Contract, or approximately $4 million, in exchange for Petrobras Official 1 using his influence to help Honeywell UOP win the contract. They agreed to use a portion of Brazil Sales Company’s expected three-percent sales commission (approximately $12 million) from Honeywell UOP to pay the $4 million bribe. They also agreed that the remaining $8 million from the sales commission paid to Brazil Sales Company would be divided equally between the Intermediary 1 and Intermediary 2.”

Profit sharing with a cap was the basis for the bribe payment. Capitalism at its finest, only topped by the code name given to the corrupt Petrobras employee, the King. The King provided inside information to Honeywell on pricing and terms which the company used to bring in their bid so it would be the winning bid and Honeywell’s profit sharing with the King could commence.

Just how corrupt (or even more charitably inept) was Honeywell during this time frame? Consider the payment mechanisms outlined in the SEC Order. From 2011 to 2014, the Honeywell “employee responsible for processing the Brazil Agent’s commission payments calculated the Brazil Agent’s commission using numbers from UOP’s invoice and neither asked for nor included an invoice from the Brazil Agent before forwarding the payment request to Honeywell’s accounting group. The payment requests lacked relevant information and when the Brazil Agent changed his company’s name and wanted the commission payments routed to a Swiss bank account in the new company’s name, she forwarded the payment requests without question.” Honeywell was paying from US to Swiss bank accounts to parties with no reported due diligence or even contracts with Honeywell. This was not the compliance function making the payments but corporate accounts payable. Just how big an internal controls failure was this?

2. Algeria and Sonatrach

This bribery scheme involved Honeywell Belgium and the well-known corrupt third-party agent Unaoil. In 2011, Honeywell Belgium hired Unaoil to help facilitate its relationship with Sonatrach. According to the SEC Order, right out of the box, Unaoil officials received “a panicked phone call from the HPS [Honeywell Belgium] Regional GM asking him to make a pass-through payment to a group of people in Europe who purportedly had helped Honeywell Belgium secure a contract with Sonatrach.” Things only got worse from there for Honeywell Belgium. Unaoil, “on behalf of Honeywell Belgium, paid the Sonatrach official $50,000 from a Swiss bank account and an additional $25,000 from the same Swiss bank account on December 28, 2011.”

Thereafter, Honeywell Belgium and Unaoil agreed to a commission structure of 4.5% for contracts landed by Unaoil with Sonatrach with an amount not to exceed $500,000. While no such work was delivered by Unaoil, it billed Honeywell Belgium a lump sum of $300,000 which was approved internally and paid by finance and “falsely recorded as a sales commission. Through a series of intermediary transfers, the Monaco Agent used a portion of the money from Honeywell Belgium to repay the Consultant who had paid the $75,000 in bribe payments to the Sonatrach official. The series of intermediary transfers involved multiple U.S. correspondent banks located in New York. The Monaco Agent admitted that it recorded the payments with internal codes the Monaco Agent sometimes used for bribe payments.”

Join me tomorrow where I conclude with some lessons learned from this final FCPA enforcement action from 2022.


Profit Sharing as Bribery: The Honeywell FCPA Enforcement Action: Part 1 – Introduction

To close out 2022 in Foreign Corrupt Practices Act (FCPA) enforcement actions, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) both announced settlements of FCPA enforcement actions with Honeywell UOP, a US-based subsidiary of Honeywell International Inc. For its actions, Honeywell agreed to a criminal penalty of about $79 million, with the DOJ crediting up to $39.6 million of the criminal penalty for Honeywell’s payments to authorities in Brazil in related proceedings. The company agreed to pay the SEC $81.5 million in disgorgement and prejudgment interest and the SEC provided for an offset of up to $38.7 million for payments to Brazilian authorities.

US Attorney Alamdar S. Hamdani for the Southern District of Texas said in the DOJ Press Release,  “This case exemplifies corporate misconduct on a global level. Prosecuting and investigating this type of crime is an important role our office takes seriously in order to ensure fair and equal playing fields for U.S. companies and consumers. We will continue our efforts to aggressively investigate and prosecute those who violate the FCPA and combat corrupt practices in order to preserve the integrity of our nation’s business dealings here and abroad.”

According to the DOJ Press Release, “between 2010 and 2014, Honeywell UOP conspired to offer an approximately $4 million bribe to a then-high-ranking executive of Petróleo Brasileiro S.A (Petrobras) in Brazil. Specifically, Honeywell UOP offered the bribe to secure improper advantages in order to obtain and retain business from Petrobras in connection with Honeywell UOP’s efforts to win an approximately $425 million contract from Petrobras to design and build an oil refinery called Premium.” The company also ran into trouble in Algeria, as was noted in the SEC Press Release which stated, “in 2011, employees and agents of Honeywell’s Belgian subsidiary paid more than $75,000 in bribes to an Algerian government official to obtain and retain business with the Algerian state-owned entity Sonatrach.”

In Brazil, Honeywell entered into an agency agreement with a sales agent for the purpose of funding and paying the $4 million bribe to the high-ranking Petrobras executive. Interestingly, the corrupt Petrobras executive was paid a percentage of the contract value, which was funded with the full knowledge of Honeywell’s US corporate office. In exchange for the bribe payments and after obtaining business advantages, including inside information and secret assistance from the Petrobras executive, Honeywell won the contract. Honeywell earned approximately $105.5 million in profits from the corruptly obtained business. The Algerian bribes were paid by Honeywell Belgium through the well-known corrupt entity Unaoil and were made via a pass-through payment to a group of people in Europe who purportedly had helped Honeywell Belgium secure a contract with Sonatrach.

Honeywell was able to secure a Deferred Prosecution Agreement (DPA) from the DOJ and, although the company did not self-disclose its conduct and therefore did not receive any discount for doing so, the company did receive a 25% discount for its cooperation with the Fraud Section’s and the Office’s investigation “by, among other things, (i) proactively disclosing certain evidence of which the Fraud Section and the Office were previously unaware; (ii) providing information obtained through its internal investigation, which allowed the government to preserve and obtain evidence as part of its own independent investigation; (iii) making detailed presentations to the Fraud Section and the Office; (iv) voluntarily facilitating interviews of employees; (v) collecting and producing voluminous relevant documents and translations to the Fraud Section and the Office, including documents located outside the United States.” The SEC Order stated, “Honeywell cooperated in the Commission’s investigation by identifying and timely producing key documents identified in the course of its own internal investigation, providing the facts developed in its internal investigation, and making current or former employees available to the Commission staff, including those who needed to travel to the United States.”

Interestingly, while the DPA does require Chief Compliance Officer (CCO) certification, it does not mandate a monitor. According to Attachment F in the DPA, the Chief Executive Officer (CEO) and CCO are both aware of the compliance obligations of Honeywell as laid out in the DPA, and “based on a review of the Companies’ reports submitted to the Department of Justice, Criminal Division, Fraud Section and the United States Attorney’s Office for the Southern District of Texas pursuant to Paragraph 12 of the Agreement, the reports are true, accurate, and complete.” Moreover, both the CEO and CCO must certify that, based on their “review and understanding of Companies’ anti-corruption compliance programs, the Companies have implemented anti-corruption compliance programs that meet the requirements set forth in Attachment C to the Agreement. The undersigned certifies that such compliance programs are reasonably designed to detect and prevent violations of the anti-corruption laws throughout the company’s operations.”

Finally, as noted herein, the case was truly international both in the scope of the bribes paid and in the use of the well-known corrupt energy industry agent Unaoil by Honeywell. The Unaoil connection was most probably how the DOJ was first notified about Honeywell’s bribery and corruption. Enforcement was also international in scope, with a part of both the DOJ and SEC fines and penalties credited to payments made by Honeywell based upon the investigation in Brazil by the Controladoria-Geral da União (CGU), the Ministério Público Federal (MPF), and the Advocacia-Geral da União (Attorney General’s Office).

Join me tomorrow where I take a deep dive into the bribery schemes, or profit sharing with a King.


Danske Bank: Part 5 – Final Thoughts

Over the past several blog posts, we have been exploring the Danske Bank A/S (Danske Bank) AML enforcement action, in which Danske Bank pled guilty and agreed to forfeit $2 billion to resolve the US investigation into its fraud on US banks. Danske Bank also settled with the Securities and Exchange Commission (SEC) for misleading US investors about the bank’s anti-money laundering (AML) compliance program in its Estonian branch and failing to disclose the risks posed by the program’s significant deficiencies.

Banks Still Behaving Badly

According to Violation Tracker, the top 10 banks for fines and penalties for this century are as follows:

| Top 10 Current Parent Companies | Total Penalty $ | Number of Records |
|---|---|---|
| Bank of America | $83,354,221,356 | 271 |
| JPMorgan Chase | $36,129,286,132 | 223 |
| Citigroup | $25,740,655,365 | 159 |
| Wells Fargo | $22,081,458,643 | 229 |
| Deutsche Bank | $18,541,562,802 | 79 |
| UBS | $17,082,743,334 | 106 |
| Goldman Sachs | $16,603,475,848 | 90 |
| NatWest Group PLC | $13,515,546,857 | 31 |
| Credit Suisse | $11,427,400,126 | 52 |
| Morgan Stanley | $10,167,765,234 | 190 |

In 2022, the top fines involving banks are:

  • Danske Bank: $2.4 billion
  • Bank of America: $225 million
  • Citigroup: $200 million
  • Goldman Sachs: $200 million
  • Morgan Stanley: $200 million
  • Credit Suisse: $200 million
  • Barclays: $200 million
  • Deutsche Bank: $200 million
  • Nomura: $100 million

For whatever reason, banks cannot seem to get it anywhere near right. Willie Sutton is alleged to have said the reason he robbed banks was because “that’s where the money was.” Now it seems the banks are the bad guys, and the regulators continually have to lay out what seem to be massive fines and penalties to banks. Yet banks seem oblivious to playing within the bounds of the law. Perhaps, to broaden out Consumer Financial Protection Bureau (CFPB) head Rohit Chopra’s statement announcing the latest fine against a bank, Wells Fargo at $3.7 billion, “Wells Fargo’s rinse-repeat cycle of violating the law” needs to be updated to banks’ “rinse-repeat cycle of violating the law.”

M&A Double Trouble

Purchasing a corrupt entity is certainly one thing, but allowing it to stay corrupt is quite another. As I often say, if an acquisition target engaged in bribery and corruption, or indeed money-laundering, before you acquired them and continues to do so after said purchase, it is not them but you who are now breaking the law. When Danske Bank purchased the branch that became Danske Estonia, it was aware that a substantial portion of the Estonian branch’s customers were “non-residents of Estonia, a group of accounts known as the Non-Resident Portfolio or “NRP” and that many of the NRP customers were from Russia and other former Soviet-bloc countries. These NRP customers’ practices included well-known red flags for potential money laundering: for example, frequent use of offshore LLPs and nominee directors to obscure or conceal beneficial ownership information, use of unregulated intermediaries to carry out transactions on behalf of unknown clients, and ties to jurisdictions with enhanced money laundering risks. Some of these practices were known to Danske in 2007.”

But here is where Danske Bank sealed its fate. Matt Kelly in Radical Compliance called it the “fatal mistake by bank leadership”; as laid out in the Plea Agreement, “Danske Bank canceled the migration to the central technology system because the executive board, consisting of Danske Bank senior executives, concluded it would “simply be too expensive” and could cause irregularities.” This allowed Danske Estonia to “maintain its own antiquated IT systems, with no automated customer due diligence or transaction monitoring — simply because bringing the Estonia branch up to acceptable compliance standards would be too expensive. Danske leaders didn’t have the requisite commitment to effective compliance, and from there its AML troubles flowed.”

Money, Money, Money

Perhaps the biggest problem for Danske Bank was the one in the mirror and its addiction to the filthy lucre generated by its Estonia Branch. Both Danske Bank itself and the regulatory authorities made clear the actual AML failures which were ongoing. According to the SEC Order, in “February 2014, Danske hired an external, independent third party to conduct a limited review of Danske Estonia’s AML practices” who concluded in only two months that there were “numerous AML deficiencies that left Danske Estonia highly susceptible to money laundering, including 17 identified as “critical or significant” control deficiencies. Danske’s legal department recommended and retained a third party to conduct a comprehensive internal investigation of Danske Estonia’s customers and transactions and to investigate allegations of employee misconduct. However, Danske senior management canceled the contract and decided to conduct the investigation internally. An internal Danske working group conducted only limited additional investigation of Danske Estonia at that time.”

The regulators identified the illegal issues as well. The Estonia FSA conducted a series of examinations at Danske Estonia and provided a draft report to Danske Estonia which detailed extensive facts concerning willful violations of Estonian AML law by Danske Estonia employees. The report stated, “Danske systematically establishes business relationships with persons in whose activities it is possible to see the simplest and most common suspicious circumstances” and concluded that Danske Estonia systematically ignored Estonian AML law. Danske acknowledged the severity of the Estonian FSA’s findings in communications, including one in which a Danske manager stated, “It is a total and fundamental failure in doing what we should do and doing what we claim to do. This just even more underline[s] the need of full clean up now.” [Emphasis added.] Another manager stated, “The executive summary of the . . . letter is brutal to say the least and is as close to the worst I have ever read within the AML/CTF area. . . . [I]f just half of the executive summary is correct, then this is much more about shutting all non-domestic business down than it is about KYC procedures . . . .” Nonetheless, instead of terminating the NRP business, Danske management opted to continue it because of the profits it generated.” [emphasis in original]

So, we leave this sordid saga of the US DOJ and SEC bringing an AML enforcement action against a Danish bank. At least the US is willing to bring such an enforcement action.


December 21, 2022 – The Another Billion Wells Fargo Fine Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you four compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee and listen to the Daily Compliance News. All from the Compliance Podcast Network. Stories we are following in today’s edition of Daily Compliance News:

  • Largest SEC whistleblower award of the year announced. (WSJ)
  • EU trade union chief resigns as a result of Qatar-EU bribery scandal. (FT)
  • Canada sanctions former Haitian ministers. (Reuters)
  • Another Tuesday, another Billion+ Wells Fargo fine. (NYT)

Danske Bank: Part 2 – Jurisdiction

We finally have the big one in money laundering. That, of course, is Danske Bank A/S (Danske Bank), a global financial institution headquartered in Denmark, which pled guilty this week and agreed to forfeit $2 billion to resolve the US investigation into its fraud on US banks. According to the Department of Justice (DOJ) Press Release, “Danske Bank defrauded U.S. banks regarding Danske Bank Estonia’s customers and anti-money laundering controls to facilitate access to the U.S. financial system for Danske Bank Estonia’s high-risk customers, who resided outside of Estonia – including in Russia.” Danske Bank also settled with the Securities and Exchange Commission (SEC) who said, in their Press Release, the Bank misled investors about its anti-money laundering (AML) compliance program in its Estonian branch and failed to disclose the risks posed by the program’s significant deficiencies.

One might reasonably ask why the US government is bringing this action. I think there are two key reasons. First, only the US has the cachet to bring such a massive enforcement action against any bank, wherever it is domiciled, which threatens the world’s financial integrity through multiple years of facilitating money laundering. The second is that as the world’s principal financial leader, the US government sees itself as the protector and enforcer of that system. While many outside the US may decry these realities, it is clear that only the US can lead such an action. There certainly were other countries which participated, as both the DOJ and SEC Press Releases noted the cooperation of Denmark and Estonia in this enforcement action, but at the end of the day, it had to be led by the US.

Jurisdiction

Even if the US feels that it should lead an enforcement effort in this affront to international law, there still must be jurisdiction to bring these enforcement actions. According to the SEC Complaint, “Danske is a Danish multinational banking and financial services corporation headquartered in Copenhagen, Denmark. At all relevant times, Danske was the largest bank in Denmark and a major retail bank in Northern Europe, with offices in countries outside Denmark.” However, I was somewhat surprised to learn that “Danske’s shares traded in Denmark on the OMX Copenhagen and in the United States over-the-counter (“OTC”) as American Depositary Receipts (“ADRs”) listed in U.S. dollars, and U.S. investors constituted a significant portion of Danske’s shareholders. Between 2009 and 2018, U.S. shareholders held as much as 18% of Danske’s stock.”

This stock sold in the US warranted regulatory protection of US investors. The SEC Complaint went on to note that Danske Bank “engaged in deceptive acts, including misleading Danish regulators and U.S. correspondent banks, to conceal its AML and KYC deficiencies. Danske stopped providing services to its high risk customers by April 2016 but failed to timely disclose to investors known misconduct and widespread AML failures.” These failures to inform investors took the form of “a variety of reports, including annual, interim, corporate governance, and risk management reports, in English on its corporate website for the benefit of and made available to, inter alia, actual and prospective U.S. investors. Certain of these reports contained representations to investors about Danske’s risk management processes and disciplines related to the banks systems and controls. Such systems and controls would include Danske’s policies and procedures to detect, prevent and mitigate risks to the bank from financial crime, including money laundering.” Finally, the harm from the illegal conduct hit US investors as “between September 2017 and November 1, 2018, Danske’s share price dropped by approximately 49% as the full extent of Danske’s misconduct became apparent.”

The only reference to US jurisdiction from the DOJ came in the Plea Agreement which obliquely noted Danske Bank “engaged in suspicious transactions through U.S. banks.”

We rarely take a deep dive into the jurisdiction which allows a Foreign Corrupt Practices Act (FCPA) or other similar action to be brought in the US. However, the Danske Bank AML enforcement action makes clear that simply because a company is domiciled outside the US, if it does business internationally, there may be multiple US jurisdiction points which could allow US authorities to bring an enforcement action.

Tomorrow, where did it all start and what were the AML compliance program failures?

Categories
Blog

Danske Bank: Part 1 – Introduction

We finally have the big one in money laundering. That, of course, is Danske Bank A/S (Danske Bank), a global financial institution headquartered in Denmark, which pled guilty this week and agreed to forfeit $2 billion to resolve the US investigation into its fraud on US banks. According to the Department of Justice (DOJ) Press Release, “Danske Bank defrauded U.S. banks regarding Danske Bank Estonia’s customers and anti-money laundering controls to facilitate access to the U.S. financial system for Danske Bank Estonia’s high-risk customers, who resided outside of Estonia – including in Russia.” Danske Bank also settled with the Securities and Exchange Commission (SEC), which said in its Press Release that the Bank misled investors about its anti-money laundering (AML) compliance program in its Estonian branch and failed to disclose the risks posed by the program’s significant deficiencies.

On the criminal side of things, Danske Bank pled guilty to one count of conspiracy to commit bank fraud. Under the terms of the plea agreement, the company has agreed to criminal forfeiture of $2.059 billion. Danske Bank will also enter into separate criminal or civil resolutions with domestic and foreign authorities. As a part of the overall fine and penalty, the DOJ will credit nearly $850 million in payments that Danske Bank makes to resolve related parallel investigations. Danske Bank agreed to pay $413 million to settle the SEC’s charges related to other domestic and foreign authorities.

What They Said

Deputy Attorney General Lisa Monaco said, “Today’s guilty plea by Danske Bank and two-billion-dollar penalty demonstrate that the Department of Justice will fiercely guard the integrity of the U.S. financial system from tainted foreign money – Russian or otherwise. Whether you are a U.S. or foreign bank, if you use the U.S. financial system, you must comply with our laws. We expect companies to invest in robust compliance programs – including at newly acquired or far-flung subsidiaries – and to step up and own up to misconduct when it occurs. Failure to do so may well be a one-way ticket to a multi-billion-dollar guilty plea.”

Assistant Attorney General Kenneth A. Polite added “Danske Bank lied to U.S. banks about its deficient anti-money laundering systems, inadequate transaction monitoring capabilities, and its high-risk, offshore customer base in order to gain unlawful access to the U.S. financial system. Danske Bank accepted responsibility for defrauding U.S. financial institutions and funneling billions of dollars in suspicious and criminal transactions through the United States. As part of its guilty plea, Danske Bank will forfeit over $2 billion and implement significant changes to its compliance program and AML controls. This coordinated resolution with the Securities and Exchange Commission (SEC) and Danish authorities sends a clear message that the Department of Justice stands ready to work with our partners around the world to investigate corporate wrongdoing and hold bad actors accountable for their criminal conduct.”

Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, said in the SEC Press Release, “Corporations that raise money from the public must disclose information that is material to investors, who then get to decide what risks they want to take. That’s the basic bargain of our securities laws and it extends to foreign issuers like Danske Bank, which sought to access our capital markets, even though its securities were not registered with the Commission. But as alleged in our complaint, Danske Bank repeatedly broke that bargain by misrepresenting to its shareholders, including U.S. investors, that it had strong anti-money laundering controls while hiding its significant control deficiencies and compliance failures.”

The Illegal Conduct

According to the DOJ, between “2008 and 2016, Danske Bank offered banking services through its branch in Estonia, Danske Bank Estonia. Danske Bank Estonia had a lucrative business line serving non-resident customers known as the NRP. Danske Bank Estonia attracted NRP customers by ensuring that they could transfer large amounts of money through Danske Bank Estonia with little, if any, oversight. Danske Bank Estonia employees conspired with NRP customers to shield the true nature of their transactions, including by using shell companies that obscured actual ownership of the funds. Access to the U.S. financial system via the U.S. banks was critical to Danske Bank and its NRP customers, who relied on access to U.S. banks to process U.S. dollar transactions. Danske Bank Estonia processed $160 billion through U.S. banks on behalf of the NRP.”

According to the SEC, “when Danske Bank acquired its Estonian branch in 2007, it knew or should have known that a substantial portion of the branch’s customers were engaging in transactions that had a high risk of involving money laundering; that its internal risk management procedures were inadequate to prevent such activity; and that its AML and Know-Your-Customer procedures were not being followed and did not comply with applicable laws and rules. The SEC alleges that, from 2009 to 2016, these high-risk customers, none of whom were residents of Estonia, utilized Danske Bank’s services to transact billions of dollars in suspicious transactions through the U.S. and other countries, generating as much as 99 percent of the Estonian branch’s profits. The complaint further alleges that, although Danske Bank knew of these high-risk transactions, it made materially misleading statements and omissions in its publicly available reports stating that it complied with its AML obligations and that it had effectively managed its AML risks. As the full extent of Danske Bank’s AML failures became apparent, its share price dropped precipitously.”

What Does it Mean for Compliance

The Danske Bank enforcement action presents multiple lessons learned for the compliance professional, both in AML compliance and anti-corruption compliance. Over the next several blog posts, we will be looking at the illegal schemes and internal control failures in some detail. I hope you will join me for the exploration.

Tomorrow, where did it all start to go wrong?

Categories
Blog

ABB FCPA Resolution: Part 5 – A Win for Compliance

We conclude our exploration of the latest resolution of a Foreign Corrupt Practices Act (FCPA) violation involving the Swiss construction giant, ABB Ltd. There have been several reference documents used this week and they include the Securities and Exchange Commission Complaint (SEC Order); the Department of Justice (DOJ) Press Release, Plea Agreement (ABB Plea Agreement) and Deferred Prosecution Agreement (DPA); the ABB South Africa Plea Agreement and Criminal Information; and the ABB Management Services Plea Agreement and Criminal Information.

Over this blog post series, we have been exploring these key questions: How did ABB obtain such a superior resolution? And, as a three-time FCPA violator, how did the company avoid a monitor? Today, we celebrate how this most unusual FCPA enforcement action is a huge victory for compliance.

How did ABB obtain such a superior resolution?

There appear to be three components to ABB’s avoidance of a monitor. It all began with ABB’s attempt to self-disclose. Please note this attempt was not successful, as the South African press broke the story of ABB’s bribery and corruption between the time ABB called to set up a meeting and the time it actually sat down with the DOJ. Yet the DOJ was impressed enough with ABB’s intent or at least desire to self-disclose that it spent a considerable amount of ink in the resolution documents detailing how ABB got close but missed timely self-disclosing.

Yet this putative failure at self-disclosure laid the groundwork for everything that followed, eventually leading to the stunning result. As the DOJ stated in the DPA, “in evaluating the appropriate disposition of this matter-including the appropriate form of the resolution-considered evidence that, within a very short time of learning of the misconduct, the Company contacted the Fraud Section and scheduled a meeting to discuss matters under investigation by the Fraud Section and the Company. The Company did not specifically identify the South Africa misconduct in that meeting request, but it disclosed the South Africa misconduct during the scheduled meeting, subsequently presented evidence to the Offices that it intended to disclose the misconduct related to South Africa during the scheduled meeting and did not know of any imminent media reports when the meeting was scheduled.”

The second component is the above-noted discussion about ABB’s near self-disclosure. While it could have amounted to an own goal, given the lengthy DOJ discussion in the settlement documents, it appears the DOJ received ABB’s near miss more favorably. The second point is something every Chief Compliance Officer (CCO) and outside counsel need to understand; that being truly extraordinary.

Matt Kelly identified the one piece of information which took what is now this standard recitation of extraordinary cooperation to a truly high level of ‘extraordinary’. In a blog post, Kelly pointed out that in the SEC Order, it stated, “ABB’s cooperation included real-time sharing of facts learned during its own internal investigation.” This meant “ABB was sharing information with regulators as quickly as it found those facts, without necessarily knowing how such admissions might affect its overall case and settlement chances.” He then opined, “When you don’t know the full extent of your sins and the punishment to follow, but you cooperate with regulators anyway — that’s an impressive commitment to the culture of compliance that the Justice Department wants to see.”

Next were the actions by ABB in their remediation. The Plea Agreement reported that ABB “engaged in extensive remedial measures, including hiring experienced compliance personnel and, following a root-cause analysis of the conduct described in the Statement of Facts, investing significant additional resources in compliance testing and monitoring throughout the organization; implementing targeted training programs, as well as on-site supplementary case-study sessions; conducting continuing monitoring and testing to assess engagement with new training measures; restructuring of reporting by internal project teams to ensure compliance oversight; and promptly disciplining employees involved in the misconduct.” This final point was expanded on in the SEC Order which reported that all employees involved in the misconduct were terminated.

As a three-time FCPA violator, how did the company avoid a monitor?

ABB essentially created its own monitorship around testing its compliance program and reporting to the DOJ. In a section entitled “Written Work Plans, Reviews and Reports”, ABB agreed to conduct a first review and prepare a first report, followed by at least two follow-up reviews and reports. But more than simply reporting, ABB agreed to create and submit for review a workplan for this ongoing testing of its compliance program, as the program was detailed in the DPA. The DPA specified, “No later than one (1) year from the date this Agreement is executed, the Company shall submit to the Offices a written report setting forth:

  • a complete description of its remediation efforts to date;
  • a complete description of the testing conducted to evaluate the effectiveness of the compliance program and the results of that testing; and
  • its proposals to ensure that its compliance program is reasonably designed, implemented, and enforced so that the program is effective in deterring and detecting violations of the FCPA and other applicable anti-corruption laws.”

ABB also agreed to meet with the DOJ quarterly to submit and discuss the results of its ongoing testing. While I am sure many other companies have made a similar proposal to the DOJ, through its actions during the pendency of the investigation, ABB convinced the DOJ it could be trusted to follow through with its commitment.

How does all of this work into the DOJ decision not to require a monitor? There is now a 10-factor test that was laid out in the Monaco Memo. Factor 1 is whether the company self-disclosed the incident at issue. Factors 4-6 all relate to conduct and actions when the illegal activity occurred, not after discovery and self-disclosure. Factor 4 relates to the length or pervasiveness of the conduct and whether senior management was involved. Factor 5 reviews “the exploitation of an inadequate compliance program or system of internal controls.” Factor 6 asks if compliance personnel were involved or were basically negligent in failing to “appropriately escalate or respond to red flags.” Factors 7-10 considered ABB’s actions post-reporting, how the company became aware of the matter, its root cause analysis, its remedial actions and overall reduction in the company’s risk profile. While there was no substantive discussion of these factors in any of the resolution documents, it appears the DOJ criteria for a monitor were not met.

The ABB FCPA resolution represents one of the biggest wins for corporate compliance that we have seen in recent memory. A now thrice-recidivist received a discount on its overall fine and penalty and avoided a monitor through truly exceptional work after the bribery and corruption was uncovered. Every compliance officer should thoroughly study this matter to see the specific steps ABB engaged in, starting with their first phone call to the DOJ. During your investigation, embrace the DOJ’s need for speed in communicating new and salient facts as they are uncovered, perform a root cause analysis and then remediate, remediate, and remediate. ABB is to be commended and indeed celebrated for its success in this matter.

Categories
Blog

ABB FCPA Resolution: Part 4 – ABB Shines

We continue our exploration of the latest resolution of a Foreign Corrupt Practices Act (FCPA) violation involving the Swiss construction giant, ABB Ltd. The most obvious significance is from the fact that ABB is now the first three-time convicted violator of the FCPA, having prior FCPA resolutions in 2004 and 2010. The moniker of a three-time FCPA violator is certainly not one that any corporation wants to claim, yet here we are. The total fine and penalty for the violation was $315 million, with credited amounts going to South Africa, Switzerland, and Germany for ABB’s violations of those countries’ anti-corruption laws. There was also a $75 million fine credited to the Securities and Exchange Commission (SEC). In addition to the SEC Order, the DOJ Press Release and Plea Agreement are also available. Conspicuously missing at this point are resolution documents from South Africa, Switzerland, and Germany.

We are exploring this FCPA enforcement action to see what lessons might be garnered from it. While we are doing so, please keep three key questions in mind: (1) How did ABB obtain such a superior resolution? (2) As a three-time FCPA violator, how did the company avoid a monitor? (3) Why was there no requirement for Chief Compliance Officer (CCO) certification? Today, we consider how ABB was able to obtain such a superior result.

Initially, I should note that question 3 which I have posed all week was answered in the Deferred Prosecution Agreement (DPA), released Wednesday. There is a CCO certification. It was not referenced in the DOJ Press Release or the ABB Plea Agreement.

The (almost) Self-Disclosure

The FCPA Corporate Enforcement Policy discounts up to and including a full declination on self-disclosure. But now, it is about a ‘timely’ self-disclosure. When announcing the Monaco Memo, Deputy Attorney General Lisa Monaco emphasized not only the requirement for self-disclosure but the need for speed in self-disclosure. The DOJ wants speed as well because, “If disclosures come too long after the misconduct in question, they reduce the likelihood that the government may be able to adequately investigate the matter in time to seek appropriate criminal charges against individuals. The expiration of statutes of limitations, the dissipation of corroborating evidence, and other factors can inhibit individual accountability when the disclosure of facts about individual misconduct is delayed.” Additionally, the first factor the DOJ uses in making a determination of whether a monitor will be assigned is “Whether the corporation voluntarily self-disclosed the underlying misconduct in a manner that satisfies the particular DOJ unit or sections component’s self-disclosure policy.”

The sequence around this issue of self-disclosure is every company’s nightmare: a press report comes out and blindsides an organization (think of the New York Times (NYT) breaking the Walmart FCPA story). The detail provided in the Plea Agreement is as insightful as it is instructive. It details that although “within a very short time of learning of the misconduct, the Parent Company [ABB] contacted the Fraud Section and scheduled a meeting to discuss matters under investigation by the Fraud Section and the Parent Company. The Company did not specifically identify the South Africa misconduct in that meeting request, but it disclosed the South Africa misconduct during the scheduled meeting, subsequently presented evidence to the Offices that it intended to disclose the misconduct related to South Africa during the scheduled meeting and did not know of any imminent media reports when the meeting was scheduled. However, before the scheduled meeting occurred and prior to making any such disclosure to the Fraud Section, a media report was published related to the misconduct.”

While I doubt ABB would have been given a full declination if they had timely self-disclosed, this lengthy discussion in the Plea Agreement clearly focuses on the DOJ’s desire for a timely self-disclosure. It was also equally probable that it was a factor in the lack of assignment of a monitor. We do not know the length of time between initial notice of the bribery and corruption to the corporate headquarters of the Board, but we do know the gold standard for self-reporting, which was Cognizant Technology Solutions, who self-disclosed two weeks after the initial report to the company’s Board of Directors. (Also recall that Cognizant had C-Suite involvement in the bribery scheme.)

This fact pattern also demonstrates why the need for speed in self-disclosure is so critical. A company can never know in what forum, who or how information about bribery and corruption will be made public. In Walmart’s case it was above the fold, on the front page of the Sunday NYT. In addition to the DOJ’s prescription for timely reporting, this matter demonstrates the public relations disaster which will befall a company which sits on a self-disclosure. Imaginably the answer is the one suggested by Matt Kelly, writing in Radical Compliance, who said, “So perhaps the lesson here is that when you have an FCPA issue, just announce it on Twitter and [hash] tag the Criminal Division.”

Extensive Cooperation

This component of the FCPA Corporate Enforcement Policy is a bit harder to suss out as the Plea Agreement stated that ABB received credit for extraordinary cooperation based on the following: “(i) promptly providing information obtained through its internal investigation, which allowed the Offices to preserve and obtain evidence as part of their own independent investigation; (ii) making regular and detailed factual presentations to the Offices; (iii) voluntarily making foreign-based employees available for interviews in the United States; (iv) producing relevant documents located outside the United States to the Offices in ways that did not implicate foreign data privacy laws; and (v) collecting, analyzing, and organizing voluminous evidence and information that it provided to the Offices, including the translation of certain foreign language documents.”

However, once again, it was Kelly who identified the one piece of information which took what is now this standard recitation of extraordinary cooperation to a truly high level of ‘extraordinary’. He pointed out that in the SEC Order, it stated, “ABB’s cooperation included real-time sharing of facts learned during its own internal investigation.” This meant “ABB was sharing information with regulators as quickly as it found those facts, without necessarily knowing how such admissions might affect its overall case and settlement chances.” He then opined, “When you don’t know the full extent of your sins and the punishment to follow, but you cooperate with regulators anyway — that’s an impressive commitment to the culture of compliance that the Justice Department wants to see.”

It also ties directly into what DAG Monaco said in the Monaco Doctrine, which noted, “it is imperative that Department prosecutors gain access to all relevant, non-privileged facts about individual misconduct swiftly and without delay.” [emphasis supplied] This now means, “to receive full cooperation credit, corporations must produce on a timely basis all relevant, non-privileged facts and evidence about individual misconduct such that prosecutors have the opportunity to effectively investigate and seek criminal charges against culpable individuals.” If a company fails to meet this burden, it will “place in jeopardy their eligibility for cooperation credit.” The DOJ goes the next step by placing the burden on companies to demonstrate timeliness, stating they “bear the burden of ensuring that documents are produced in a timely manner to prosecutors.”

Extensively Remediate

Finally, there were the actions by ABB in their remediation. The Plea Agreement reported that ABB “engaged in extensive remedial measures, including hiring experienced compliance personnel and, following a root-cause analysis of the conduct described in the Statement of Facts, investing significant additional resources in compliance testing and monitoring throughout the organization; implementing targeted training programs, as well as on-site supplementary case-study sessions; conducting continuing monitoring and testing to assess engagement with new training measures; restructuring of reporting by internal project teams to ensure compliance oversight; and promptly disciplining employees involved in the misconduct.” This final point was expanded on in the SEC Order which reported that all employees involved in the misconduct were terminated.

At this point, there are not many specific components of the ABB remediation available, but we do know that ABB was given credit for hiring “experienced compliance personnel,” starting with the hiring of Natalia Shehadeh, SVP and Chief Integrity Officer, and then allowing Shehadeh to hire a dream team of compliance professionals to work with her. I would go so far as to say Shehadeh and her team are Compliance Dream Team II as the first (which Shehadeh was a part of) was the Compliance Dream Team created by Billy Jacobson at Weatherford to get that company through its FCPA and Oil-For-Food enforcement actions.

Join us tomorrow where we conclude our look at the ABB FCPA resolution and posit why it is a complete win for compliance.