Categories
Blog

The Gunvor FCPA Enforcement Action: Part 3 – The Discounted Fine

We continue our exploration of the resolution of the FCPA enforcement action involving the Swiss trading firm Gunvor S.A. The enforcement action came in with a $661 million penalty against the company, which has pleaded guilty to bribing Ecuadorian government officials through the 2010s in exchange for intelligence about upcoming business contracts with the state-owned oil company of Ecuador. The matter was resolved via a Plea Agreement. Information detailing the company’s conduct was also issued.

Given the multi-year nature of the bribery scheme, how high it went up in the organization, and the lack of self-disclosure, one might charitably wonder how Gunvor was able to garner a fine that was so low. According to the Plea Agreement,  Gunvor paid over $97 million to corrupt third-party agents, who then made bribes to Ecuadorian officials. Gunvor earned over $384 million in profits from the business obtained through the corrupt scheme. Yet Gunvor received a 25% discount off the 30th percentile of the applicable US Sentencing Guidelines fine range. How did Gunvor achieve this discount?

Extensive Cooperation

The starting point for this analysis is the Plea Agreement. It noted several factors, including, among others, the nature and seriousness of the offense. Gunvor received credit for its cooperation with the department’s investigation, which included: (i) producing documents to the department from multiple foreign countries expeditiously while navigating foreign data privacy and criminal laws; (ii) providing information obtained through its own internal investigation to the department, which allowed the department to preserve and obtain evidence as part of the department’s investigation; (iii) making detailed, factual presentations to the department; (iv) arranging for the interview of an employee based outside the United States; (v) promptly collecting, analyzing, and organizing voluminous information, including complex financial information, at the request of the department, and producing an analysis of trading activity conducted by multiple outside forensic accounting firms retained by Gunvor; (vi) translating foreign language documents to facilitate and expedite review by the department; and (vii) imaging the phones of relevant custodians at the beginning of Gunvor’s internal investigation, thus preserving business communications sent on mobile messaging applications.

The Remediation

The Plea Agreement also included information on the remediation that Gunvor carried out. Gunvor also engaged in timely and appropriate remedial measures, including: (i) eliminating the use of third-party business origination agents; (ii) enhancing its third party due-diligence process; (iii) developing and implementing a control framework for internal business developers and additional layers of review and approval for counterparty payments; (iv) enhancing the independent compliance committee with responsibility for reviewing high-risk transactions; (v) engaging resources to review its compliance program and test the effectiveness of its overall reporting process, its reporting hotline and the effectiveness of the investigation of reports made through the hotline; (vi) evaluating and updating its compensation policy to better incentivize compliance with the law and corporate policies; (vii) hiring additional compliance personnel; (viii) testing and enhancing its compliance program, including by conducting compliance culture reviews, testing new third party due diligence process and payment controls, and evaluating controls around business development activities; and (ix) developing and implementing a risk-based business communications policy that addresses the use of ephemeral and encrypted messaging applications.

Prior Misconduct

The department also considered Gunvor’s history of misconduct. In October 2019, Gunvor resolved with the Office of the Attorney General of Switzerland concerning a corrupt scheme to bribe officials in Congo-Brazzaville and Côte d’Ivoire to secure oil contracts obtained between 2009 and 2012. As part of the 2019 Swiss resolution, Gunvor admitted that it lacked sufficient controls to prevent the underlying misconduct and failed to take “all the reasonable organizational measures” required to prevent Gunvor’s employees and agents from engaging in bribery.

Fine Calculation

The explanation from the DOJ answered an open question in the minds of many compliance professionals about recent FCPA enforcement. That question was about how culture and prior misconduct were factored into the fine determination. This case follows the recent SAP enforcement action, where there was a similar analysis. The DOJ is not discounting fines off the low end of a fine range but instead on some point above that low end. In Gunvor’s case, the high end of the fine range (after the full calculation under the Sentencing Guidelines) was $768,328,352, and the low end of the fine range was $384,164,176. With the uplift to the 30th percentile, the final fine was $374,560,071, with an additional forfeiture of $287,138,444. In the SAP enforcement action, the company received a 40% discount off the 10th percentile of the Sentencing Guidelines fine range.

Failure to Self-Disclose

We need to emphasize, once again, that under the Corporate Enforcement Policy, Gunvor’s failure to self-disclose cost it an opportunity of at least 50% and up to a 75% reduction off the low end of the U.S. Sentencing Guidelines: fine range. Moreover, its actions resulted in the company not receiving a reduction of at least 50% and up to 75% from the low end of the U.S.S.G. fine range but rather at the 30th percentile noted above. Gunvor’s failure to self-disclose cost it an estimated $50 million under the Sentencing Guidelines. Its inability to self-disclose and recidivism cost it a potential $150 million in total discounts available under the Corporate Enforcement Policy.

 Once again, the significance is that the DOJ is sending the message that self-disclosure is the single most important thing a company can do in any FCPA investigation or enforcement action. Kenneth Polite said that when announcing the updated Corporate Enforcement Policy in January 2023, the new Monitor Selection Policy was the number one reason for a company not having a monitor required. The DOJ’s message could not be more explicit: self-disclose, self-disclose, self-disclose, self-disclose.

Join us tomorrow as we consider the lessons learned from the Gunvor FCPA enforcement action.

Categories
Daily Compliance News

March 11, 2023 – The Settlement Ditched Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen to the Daily Compliance News. All from the Compliance Podcast Network. Each day we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Stories we are following in today’s edition of Daily Compliance News:

  • JPMorgan sues former exec Jes Staley for Epstein connections. (WSJ)
  • DOJ against USSG changes. (Reuters)
  • Whistleblowers ditch settlement with Texas AG. (Houston Chronicle)
  • Swiss bankers indicted for AML violations. (ICIJ)
Categories
Blog

The World Has Changed: McDonald’s and the Oversight Duty of Officers-Part 3

This week, we are exploring a shift in the duties of care owed by corporate officers to the corporation. This shift is coming through the Chancery Court of Delaware in the case of McDonald’s Corporation and its former Executive Vice President and Global Chief People Officer of McDonald’s Corporation, David Fairhurst and his part in the creation of an absolute toxic atmosphere of sexual harassment at the very highest levels of the organization. The case is styled In re McDonald’s Corporation Stockholder Derivative Litigation, and in it, the court formally recognizes the oversight duties of officers of Delaware corporations. Today we discuss the role of the Chief Compliance Officer (CCO) in both the reasoning for the decision and what it means for CCOs going forward.

Perhaps one of the most interesting parts of the court’s opinion is that it draws from the US Sentencing Guidelines and their creation of the Chief Compliance Officer position as both reasons for the decision and as a guide to how the CCO position will be impacted by this ruling. The judge pointed to the US Sentencing Guidelines as a key basis for the creation of the original Caremark Doctrine. The court stated that a key reason for “recognizing the board’s duty of oversight was the importance of having compliance systems in place so the corporation could receive credit under the federal Organizational Sentencing Guidelines.” However, the Guidelines did not stop at the board level. The US Sentencing Guidelines mandated the creation of the CCO position.

Specifically, the “Guidelines state that “[h]igh- level personnel of the organization shall ensure that the organization has an effective compliance and ethics program” and such senior person(s) “be assigned overall responsibility for the compliance and ethics program.” The Guidelines went on to define an organization’s “high-level personnel” as “individuals who have substantial control over the organization or who have a substantial role in the making of policy within the organization,” which includes “a director; an executive officer; an individual in charge of a major business or functional unit of the organization, such as sales, administration, or finance; and an individual with a substantial ownership interest.”

The court somewhat dryly concluded “It would seem hard to argue that, simply by virtue of being an officer, the Chief Compliance Officer could not owe a duty of oversight. That, however, is the logical implication of Fairhurst’s position that only directors can owe a duty of oversight.”

The responsibilities of the CCO are wide and sometimes varied. Here the court stated, ““[s]pecific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program. Individual(s) with operational responsibility shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance and ethics program.” But the Delaware court also provided CCOs with some additional ammunition in their quest for true influence in a corporation by stating that “to carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.”

Finally, the CCO has a broad scope within an organization. Indeed the court noted, that only the Chief Executive Officer (CEO) has as broad a remit, stating “Although the CEO and Chief Compliance Officer likely will have company-wide oversight portfolios, other officers generally have a more constrained area of authority. With a constrained area of responsibility comes a constrained version of the duty that supports an Information-Systems Claim.”

Yet the breadth of this portfolio does not mean a CCO can be liable for every corporate failure, even those directly in culture or compliance. Here the standard of liability for the CCO is critical and standard is breach of the duty of loyalty through bad faith. The court noted, that in the decision of Stone v. Ritter, upholding the original Caremark decision, “the Delaware Supreme Court adopted the Guttman formulation and stated that a breach of the duty of loyalty, such as acting in bad faith, was a “necessary condition to liability.” After Stone, then-Vice Chancellor Strine acknowledged that Caremark duties carried overtones of care, but explained that “to hold directors liable for a failure in monitoring, the directors have to have acted with a state of mind consistent with a conscious decision to breach their duty of care.”

Rarely, if ever do you see a CCO engage in bad faith. There have been some instances but I can think or only one or two that rise to the level of bad faith. The good news for CCOs is that while there may be a new cause of action against them for a duty of oversight; if there is a compliance program in place and if that compliance program detects wrongdoing which is reported up to the Board; a CCO has most probably met their duty under this decision.

Please join me tomorrow as I explore how this court decision, together with the CCO certification mandate by the Department of Justice, the Monaco Memo and the new Corporate Enforcement Policy will all change the relationships and dynamics of Chief Compliance Officers in the corporate world.