While many companies here in the US complain about the enforcement of the Foreign Corrupt Practices Act (FCPA), and are actively seeking to soften its enforcement by lobbying Congress to amend the FCPA, just imagine how they might feel about paying a multi-million dollar fine for a situation in which no bribery was proven. That is the situation that UK insurance broker Willis Ltd., found itself in yesterday, in what reporter Sam Rubenfeld termed “the largest fine by the FSA (the UK Financial Services Authority) … ever imposed for failure to implement controls to prevent financial crimes”. The FSA announced on July 21 that it had assessed a penalty of £6.9MM to the insurance broker Willis Ltd., for failing to ensure payments it made to third parties were not used for corrupt purposes.

In an article in the Wall Street Journal’s Corruption Currents blog, entitled “FSA Fines Willis GBP6.9 Million For Anti-Corruption Failures”, Rubenfeld detailed that Willis had, from January 2005 through December 2009, made payments of over £27MM to foreign third party agents to assist in obtaining business of £60MM. Of this £27MM there were $227,000 (yes the FSA switched from GBP to USD in mid-Final Notice) identified in suspicious payments to counterparties in Egypt and Russia, which the FSA said were referred to the UK Serious Organized Crime Agency for further investigation.

Rubenfeld noted that the fine could have been significantly higher as the FSA recognized that Willis had “taken significant steps” to address failings identified by the FSA. These steps, together with Willis’ cooperation and willingness to settle, qualified the company for a 30% discount on its fine. He reported that without the discount, Willis would have had to pay £9.85 million. So for those of you keeping score at home, that is £60MM ($97MM) in business, generating £27MM ($44MM) in commissions, for which a ‘suspicious $227K’ was found. All of this resulted in a fine of £ 6.9MM ($11.2MM).

The FSA Final Notice detailed several clear guidelines which the UK Bribery Act or FCPA practitioner may find useful in establishing an adequate procedures or a best practices compliance program. The FSA stated that Willis had failed to:

  • Make and document a business case for the payments to overseas third parties;
  • No formal training was provided to Willis’ staff in analyzing requests for payments or third party billings;
  • There was no risk assessment of the third parties;
  • There was inadequate monitoring of the third parties;
  • There was inadequate due diligence performed on the third parties, particularly their relationships to foreign governmental officials; and
  • Willis ignored clear Red Flags that the third parties would make improper payments.

All of these factors led to an overall “weak control environment” regarding payments to foreign third parties. This gave rise to unacceptable risk that the payments made to these third parties could be used for the payments of bribes. The FSA noted that although Willis had introduced improved policies and guidance, aimed at reducing and better managing its compliance risks, the company failed to ensure that these new policies were followed. Additionally, although the Willis Board was involved in the new policy development, the Board did not receive adequate information from senior management to assess whether the risks of bribery and corruption “were effectively mitigated.

So while your company is complaining about the US enforcement regime, perhaps it might reflect on actual violations of the FCPA, or as our colleagues from thebriberyact.com, Barry Vitou and Richard Kovalevsky, QC, put it yesterday, “If your business is regulated by the FSA take note. This warning is directed to your business.”

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

Today we have a guest post from our colleague, Mary Shaddock Jones.

Several weeks ago I wrote a series of articles entitled “Suggestions for Starting a Regulatory Compliance Risk Assessment”.   One article in the series was “Identifying Key Legal/Regulatory Compliance Risks” facing your company.  As we all know, laws and regulations can and do change on a regular basis.  Keeping up with the myriad of changes can be a difficult task for compliance and legal departments- especially at smaller firms or companies.  This is why we suggested that you need to “divide” the company into various “Risk Centers” and identify the “Risk Owners” within each Risk Center.  Responsibility for monitoring and notifying the Legal/Compliance departments of any change in the legal/regulatory requirements should remain with the “Risk Owner”.

The first element of an effective compliance program under the U.S. Sentencing Guidelines is to have Established Policies and Procedures to protect and detect non-compliance with regulations. While the U.S. Sentencing Guidelines specifically target “criminal conduct”, companies would be wise not to limit their “risk assessment” or “gap analysis” to only criminal conduct. Most, if not all, companies possess a number of corporate policies that govern employee behaviors.  The person in charge of the Compliance function should first identify the policies that exist across the company utilizing a gap analysis to catalog the existence of corporate policies across the company, noting policy gaps and inconsistent application of policies across various locations.  The Risk Centers and Risk Owners, perhaps with the assistance of the Compliance Department, will be tasked with filling the gaps and standardizing conflicting polices.

In order to be compliant, you have to know what you have to be compliant with!   So how do you work with the “Risk Centers” and the “Risk Owners” to structure the identification of legal and compliance risks in a way that can be managed and utilized with some degree of ease? The answer is, in my opinion, with a lot of hard work and persistence by working department by department!  Let’s start the process by focusing on the Human Resources Department (“HR”).

There are numerous labor and employment laws (International, Federal, State and Local) which govern the relationship between companies and their employees. Here are a few questions that the Compliance Officer may pose to the HR department in order to perform a gap analysis regarding policies and procedures:

  1. Does the HR department have an inventory of policies, procedures, laws and regulations covering employees and employment related matters applicable to the company’s business?
  2. If yes, do you have a specified person who is in charge of updating the inventory?
  3. If no, what system does the HR department utilize to ensure that it is aware of the various laws and regulations and has a process to comply with them?
  4. What evidence would the HR department be able to produce to the government to support a finding that the company has a solid compliance program for applicable labor and employment laws and regulations?
  5. What types of training are mandatory for all employees, which are optional and how does HR track and document completion?  How is the training performed? Is it provided in the native language of the employee or only in English?
  6. What types of enforcement actions are predominate in the labor and employment arena? How does the HR department track such actions? (i.e. I-9’s and Independent Contractor designations, to name two items which appear to currently be under the microscope)
  7. Are employees within the HR department specifically trained to understand compliance requirements applicable to the labor and employment arena?
  8. Does the HR department provide senior management with periodic updates on the monitoring of results, key risks, and compliance violations within HR?
  9. Has the HR department established some type of escalation criteria to ensure that high-risk issues are reviewed at the corporate level?
  10. Does the HR department have compliance monitoring standards in place?  Does the HR department perform periodic audits to ensure that the policies and procedures are being complied with?

These are only a few of the questions that you may want to ask to begin the process of assessing what labor and employment laws and regulations apply to your company.  In addition, I am always looking for good resources so that I don’t have to recreate the wheel.  Here are two few that I found searching the internet that may be of assistance in identifying legal and regulatory requirements applicable to HR department.

  1. “Getting The Deal Through Online”  http://www.gettingthedealthrough.com/  This website (free for in-house counsel according to the website) provides international guides to law and regulation in 45 practice areas and more than 100 jurisdictions.  One of the books published is entitled “Labour & Employment 2010”.  The book is written in a question and answer format addressing many common issues that arise in the employment setting. Each chapter focuses on one of the 41 jurisdictions highlighted- such as United States, Argentina, Australia, Brazil, China, Columbia, etc.
  2. Employment-Labor Law Audit (ELLA®). According to the website of The Institute of Internal Auditors- the ninth edition of ELLA® is the nation’s leading HR auditing and employment practices liability risk assessment tool and process.

My final suggestion is to work with the HR (and possibly the Audit) department to have a consolidated “Human Resources Compliance Audit Checklist” that can be used to audit (and document) the company’s HR Compliance Program.

When in doubt, contact a good labor and employment attorney both in the U.S. and locally in whatever foreign country you are operating, and have them review the HR Compliance Audit Checklist.  Enlist their help in keeping you advised of changes in the applicable labor and employment laws which apply to your company.

The key to compliance, in my opinion, is having the proper structure to identify the issues, implement policies and procedures to address the issues, audit for compliance and document, document, document.

Mary Shaddock Jones, Attorney at Law and former Assistant General Counsel and Director of Compliance at Global Industries, Ltd. can be reached via email at  msjones@msjllc.com or via phone at 337-515-8527 .

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. 

In the Process Section of the August issue of Wired Magazine is an article by Mike Olsen entitled, “How Con Ed averts blackouts during a heat wave”.  Being from Houston and living in one of the hottest summers on record, I was interested in how the electric company in New York City might handle a heat wave and attendant overloading of the Big Apple’s power grid. The article set out the procedures which Con Ed has in place. While noting they were “worthy of NORAD”; the article drove home to me, once again, how important to a process is a Foreign Corrupt Practices Act (FCPA) compliance program.

Con Ed has a five step process to save its electrical grid in an overload situation. These steps are: (1) Recruit, (2) Monitor, (3) Escalate, (4) Make the Call and (5) Shut it Down. These five steps can be critical in a FCPA compliance program. So if your company is in New York, New England or any other place in the United States where an overloaded power grid looms this summer (i.e.: the entire US) perhaps you might consider this process in the context of your FCPA compliance program.

Recruit

Con Ed uses this step to recruit New Yorkers to put technology in place to allow it switch off central air conditioning units at the Utility’s discretion. In the compliance arena it would mean not only having the right technology in place but to recruiting personnel which will conduct business in a compliant manner. While this would point to a background due diligence and HR department interviews, it would also point to greater involvement by the Compliance Department. For high risk or senior management positions, it should also include some type of compliance interview with questions specifically designed to elicit responses of compliance, ethics and anti-corruption issues.

Monitor

Con Ed uses this step to monitor other media and information to predict when a heat wave might come through the city. For a company, it could mean to have the compliance nimbleness to react to changes in business circumstances to reassess it risks. If your business model changes or your company moves into a new geographic territory, the company should use the tools available to it to manage any new or additional risks which might arise.

For company personnel, an ongoing key is to monitor such personnel. You can do this through annual performance reviews, ongoing training and other mechanism. One of the keys is incentivizing such behavior in your company. This means not only in pay and benefits but through the promotion of persons who conduct business ethically and in accordance with  your company’s Code of Conduct. You should publicize compliance wins and successes throughout the company and make sure that other employees see that it is not simply a matter of hitting your numbers each quarter.

Escalate

When a massive heat wave hits or is predicted Con Ed sets up a situation room to monitor and coordinate responses. In the compliance arena, this means that your company needs to put the tools in place to allow company employees to escalate a compliance concern, issue or problem. Part of this is to put a reporting system, such as a hotline or reporting line, in place. However, there should also be training as to what an employee can do if “something in his or her guts” tells them that something is wrong. This also means there must a clear and concise NO RETALIATION policy for any such reports made in good faith. These reports need to be triaged as soon as possible.

Make the Call

Con Ed has specially trained personnel who are authorized to activate direct load controls on individual thermostats across the city to reduce power in emergency situation. Similarly, after triage of any escalated compliance issues, they need to be sent to the appropriate group within the company for further investigation. There needs to be a careful consideration of the steps forward. Companies do not want to be in the position of Renault but reacting decisively is equally important. What may be a key is that evidence needs to be secured and reviewed as soon as possible. But the key is to have processes in place to react to such escalated concerns and follow that plan based upon the circumstances presented.

Shut Down

For Con Ed, this may mean the rolling shut down of wattage across the company. For a company it could mean a full shut down, such as we saw recently with News of the World. However, the key is to have a plan and process in place. If there is such a plan and process in place News Corp may not have reacted in crisis mode but through pre-thought out leadership. If a shut down or suspension, due to compliance concerns, is warranted, this process can aid in a crisis situation.

Con Ed has a huge responsibility in New York City and its surrounding environs. Your Compliance Department has an equally large responsibility in your company in times of crisis. Is your process ready?

=======================================================

This Week in the FCPA, Episode 12, Part II is up. In the second half of Episode 12, Howard and I discuss:

1.  More on News Corp.
2.  Haiti Telecom case
3.  Armor Holdings
4.  Letter to the SEC from Sen. Crapo
5.  Opening up a whistleblower practice
6.  Is AML coming to Private Equity, and what does that mean.

To view it, click here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

The evaluation of C-Suite leadership can be problematic in the best of times. In the compliance world, if a company has a serious violation of the Foreign Corrupt Practices Act (FCPA), it may be due to tone-deafness at the top. Worse than simple tone-deafness, the C-Suite can be an active part of the problem. While not FCPA violations, the criminal prosecutions at the highest echelon at Enron, WorldCom and Adelphia certainly speak to ethical lapses at the top. But the question remains, how can a Board evaluate a company’s top leadership for compliance and ethics?

In a posting on the HBR Blog Network, entitled, News Corp and Questions Boards Need to Ask” author Rob Kaplan poses an interesting solution to this conundrum. Kaplan phrases the question as “how does a board really know the leadership style of its senior operating management and the culture of the company for which it has fiduciary responsibility?” He acknowledges that Boards often have very little process or procedure in place to judge the leadership style, daily behaviors, and cultural norms being established by their senior operating leadership. This can deprive Boards of sufficient information to make an informed decision and “by the time directors realize there is a culture or leadership style problem at the company, it is too late to have prevented real damage to the business, reputation, and careers of senior executives.”

While Kaplan discusses this in the context of the ongoing News Corp scandal, he sets forth an interesting mechanism by which a Board can fulfill its duty to make competent compliance and ethics evaluations; he calls it a “360-Review”. In a 360-Review, an outside professional firm is brought into the company to conduct discreet interviews with a number of company employees who interact with the senior executives under review. The key is that the interviews are discreet and “not for attribution.”

While noting that the 360-Review is “not without controversy”; Kaplan, nonetheless, posits that with improved insights Boards can “clear the air” with a Chief Executive Officer (CEO), or other C-Suite inhabitant. The 360-Review also can reduce general employee speculation about senior management deficiencies and can provide to the Board a better ability to coach the CEO and flag emerging cultural problems. He concludes by noting “This and similar types of constructive steps taken by the board can serve to preempt issues before they become a threat to the company and the CEO’s career.”

The UK Bribery Act Six Principles of Adequate Procedures; OECD Good Practices and the Department of Justice (DOJ) Best Practices released with recent Deferred Prosecution Agreements and Non-Prosecution Agreements (DPA/NPA) all speak to a system of disciplines AND incentives for behaviors in accordance with good compliance and ethics. Most companies which follow such best practices have policies, programs and procedures in place to punish those who violate compliance policies and reward those who conduct business in accordance with these compliance policies. However, the Board may be overlooking an evaluation of those at the highest level of the company’s management. If the inherent message of the C-Suite is to make quarterly or other numbers, and the pressure is solely on that issue, the Board needs to understand that a train wreck may be coming. Kaplan’s suggestion of a 360-Review, focused on compliance and ethical behavior, could be a mechanism which assists a Board in slowing down such an oncoming derailment.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.
© Thomas R. Fox, 2011

As most of the readers of this blog will recall, I recently discussed the substance of Opinion Release 11-01 and had some additional comments regarding the relative ease by which a lawyer or compliance office should have been able to research the question posed. I also opined that the issue posed in Opinion Release 11-01 was not a question which needed to be submitted to the Department of Justice (DOJ) for comment upon, as it was a waste of the DOJ’s resources and no doubt had a high cost in time and/or dollars for either an in-house lawyer or outside counsel to formulate and submit.

However my “This Week in the FCPA” colleague, Howard Sklar, speaking in our Episode 12, suggested that there might be another aspect to this specific Opinion Release that I had not considered. While I had discussed the above points from the perspective of an outside counsel, in-house lawyer or compliance office who specialized in FCPA compliance work; the Opinion Release Procedure is designed so that any person or company may submit a query to the DOJ. Howard suggested that the Opinion Release Procedure could be utilized by a company which does not have either an in-house compliance practitioner or even a General Counsel. A question can be submitted to the DOJ as straight forwardly as with a one page document setting forth the information required under the Opinion Release Procedure.

In his testimony before the House Judiciary Committee, DOJ Representative Greg Andres spoke about the Opinion Release Procedure as one of the mechanisms by which the DOJ can not only bring transparency to the area of information relating to Foreign Corrupt Practices Act (FCPA) but also can allow businesses with substantive questions seek and receive specific answers to queries regarding factual scenarios which they may face. So what are the requirements under the Opinion Release Procedure? Initially I would note that DOJ has posted on its website, the Foreign Corrupt Procedures Opinion Procedure, (28 C.F.R. part 8).

The stated purpose of the Opinion Procedures is “These procedures enable issuers and domestic concerns to obtain an opinion of the Attorney General as to whether certain specified, prospective–not hypothetical–conduct conforms with the Department’s present enforcement policy regarding the antibribery provisions of the [FPCA]” (§80.1). The requirements of the Opinion Release Procedure are (1) the submission must be in writing; (2) an original and copies must be provided; and (3) must be sent to address provided. (§80.2) In addition to these specific requirements there are certain general requirements listed. (§80.6) They include that complete copies of all operative documents and detailed statements of all collateral or oral understandings. The request must be signed by an appropriate senior officer.

While there is additional language in the Opinion Release Procedure that it only relates to the query submitted to the DOJ, does not bind any other agency or department and can change if different facts occur or that the DOJ can ask for additional information from the party making the request, it is required under the terms of the Opinion Request Procedure “within 30 days after receiving a request that complies with the foregoing procedure, respond to the request by issuing an opinion that states whether the prospective conduct, would, for purposes of the DOJ’s present enforcement policy, [violate the FCPA].” (§80.8)

So there may be an addition Lesson Learned from Opinion 11-01. This lesson is that the Opinion Release Procedure can be straight forward. The DOJ can be available to assist in interpreting the FCPA based upon the facts and circumstances which a company faces in the real world. I have argued for greater transparency by the DOJ in providing information for companies and the compliance practitioner and the Opinion Release Procedure is one of the mechanisms by the DOJ does provide transparency and information.

————————————————————————————————–

Vive le RESIST. The ToolKit RESIST is now available in Spanish and French, see here.

Episode 12 of This Week in the FCPA, Part I, is now up and available here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011