In an article in the Wall Street Journal (WSJ), dated September 17, 2011, entitled “Rogue Trading Lasted 3 Years”, reporters Carrick Mollenkamp, Paul Sonne and Deborah Ball contributed to an article which detailed “an early picture” of some of the “lapses inside one of the world’s largest banks” which allowed the alleged trading losses by Kweku Adoboli to take place. Adoboli’s alleged fraudulent activities “began as early as 2008” according to David Levy, a UK Fraud Prosecutor. The article went on to report that “UBS may paint a fuller picture of how its risk controls failed to prevent this big loss.” However, the WSJ Law Blog reported, on September 19, 2011, that in its second quarter earnings call in June, UBS Chief Executive Officer (CEO) Oswald Gruebel said “We have to continue to manage risk tightly to make sure that the risk-reward balance is positive for our shareholders.” So perhaps their risk management was not run so tightly after all?
The management of risk is as important in the Foreign Corrupt Practices Act (FCPA) arena. (Well maybe not $2.3bn in alleged losses but still it is important.) Number Two in McNulty’s maxims is “What did you do to detect it?” meaning what systems did your company put in place to detect violations of your compliance program. Obviously appropriate internal controls are critical to such detection. As pointed out by the ‘Explainer’ column, in the September 16 edition of the online magazine Slate, in the context of a trading company such as UBS, “Every trader is allowed to take on a certain amount of risk, and if he wants to exceed that value he must get the permission of his supervisors.” However, a best practices compliance program should employ more than simply a books and records based internal controls and front line approval request.
In a best practices compliance program there should be frontline review and oversight by the Compliance Department. This would include the review of requests to engage agents and other foreign business representatives as well as management through the contracting process. It also includes management after the contract is signed. My colleague, and frequent contributor, Mary Shaddock Jones often uses her former experience as Chief Compliance Officer (CCO) at Global Industries as an example of post-contract execution management. She would routinely review agent’s requests for payment to test whether proper procedures were being followed.
However, I believe that best practices would suggest that there be more than frontline review of requests for payments from either agents or reimbursements from employees. There should be some type of oversight committee which can review on a quarterly, semi-annually or annual basis a company’s management of risk.
As far back as January, 2005, the Deferred Prosecution Agreement (DPA) entered into between the Department of Justice (DOJ) and the Monsanto Company provided for “the establishment and maintenance of a committee to supervise the review of (I) the retention of any agent, consultant, or other representative for purposes of business development or lobbying in a foreign jurisdiction”, or an Oversight Committee. The scope of this Oversight Committee is not fleshed out in the DPA. While many have focused on the Oversight Committee to monitor agents and other third party business representatives, the role of the Oversight Committee can be broader than simply agents and representatives. A major purpose of an Oversight Committee is to act as redundant backup to the books and records internal controls systems which are designed to detect violations of a company’s compliance program.
Who should be on an Oversight Committee?
The Monsanto DPA provides guidance on this point by stating “The majority of the committee shall be comprised of persons who are not subordinate to the most senior officer of the department or unit responsible for the relevant transaction;” this would indicate that senior management should be involved in the Oversight Committee. It would also indicate that more than one department should be represented on the Oversight Committee. This would include senior representatives from the Accounting (or Finance) Department, Compliance & Legal Departments and Business Unit Operations.
What Should the Oversight Committee Review?
There are a variety of approaches that an Oversight Committee can assume. It can dive down deeply ‘into the weeds’ for transactions which the company has identified as high risk. This can be the review of agents or other representatives in high risk areas or transactions in high risk countries. The Oversight Committee can use techniques such as continuous controls monitoring to identify any outliers of payments or other indicia of financial information which would warrant additional investigations. In addition to the above remedial review, the Oversight Committee should review all payments requested by agents and representatives to assure such payment is within the company guidelines and is warranted by the contractual relationship with the company. Lastly, the Oversight Committee should review company sales or business development requests to provide compensation and, as appropriate, reimbursement for gifts, travel and entertainment of foreign governmental officials.
The oversight of Foreign Business Partners is one of the key mechanisms that a company can use to prevent and detect any violation of its own Code of Ethics and Compliance and the FCPA. The proper structure of the Oversight Committee and its full engagement with all aspects of a company’s relationship with a Foreign Business Partner is one of the areas that the DOJ will look for in a successful FCPA compliance program.
An Oversight Committee is a key tool which can be utilized by a company to manage its relationships its risk. The books and records component of internal controls is one level of prevention and detection. The review by a Compliance Department for requests for travel for and gifts and entertainment to foreign governmental officials is also an important step in the detection process. However, a compliance Oversight Committee is another step which I believe is a best practice and should be employed by US companies as an additional protection against any type of FCPA compliance and ethics violation “slipping through the cracks” to become a much larger problem down the road. Companies should use the rather unfortunate lesson of UBS and review the systems they have in place to detect risky conduct.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2011