What is your compliance process? I thought about that question when I read an article in this month’s National Geographic Magazine entitled “Maxed Out on Everest” by Mark Jenkins. Jenkins wrote about the more raw numbers of persons who are challenged to climb the world’s tallest peak. This has led to more-than 200 person waiting lines to get through certain pinch points, two hour waits which can become deadly, and literally tons of trash left from climbing teams which now stand testament to the environmental effects of these expeditions. Jenkins gave his list of six prescriptions to address these and other issues. They were (1) fewer climbing permits, (2) small ascent teams, (3) require certification of outfitters, (4) require experience to climb the mountain, (5) leave no trace of human waste and garbage on the mountain and (6) remove dead bodies from the mountain.

I also thought about the process question when I read two articles in yesterday’s New York Times (NYT) which spoke about the process of how decisions were made in two very different areas.

Banks Behaving Badly

The first NYT article, entitled “Documents Show Obama Officials in Tension Over British Banks”, by Ben Protess offered “a rare behind-the-scenes glimpse into the Obama administration’s decision-making as it prepared to take actions against two big British banks”, HSBC and Standard Chartered. Both banks agreed to large fines, assessed by the US government for their money-laundering operations; Standard Chartered fined $327MM (in addition to a separate fine of $340MM by the state of New York) and HSBC, fined a whopping $875MM by the feds. Apparently there were tensions between the Department of Treasury (Treasury) with the Department of Justice (DOJ) over the federal law-violation fine and also tensions between Treasury and the state of New York Department of Financial Services (DFS) over its action to fine Standard Charted separately for its violations of New York state banking regulations.

Protess reported that there were tensions by the US Treasury Department and the state of New York over its separately fining Standard Charted “In a sign that the British cases pitted authorities against one another, the Treasury Department raised concerns last year that New York’s banking regulator acted against Standard Chartered without sufficiently notifying federal authorities, the documents show. Treasury officials explained the concerns in an internal memo to Mr. Geithner. The memo, internal e-mails show, was prepared for Mr. Geithner as “talking points” ahead of an October meeting with George Osborne, Britain’s chancellor of the Exchequer. In a September letter to Mr. Geithner, Mr. Osborne had expressed significant “concerns” about New York’s action, given that the United States and Britain typically collaborate closely on such cases.”

Protess reported that an internal Treasury memo said that the DFS “notified federal authorities “only hours before its public announcement.” But Protess went on to write “But people close to the case argue that federal authorities were aware that Mr. Lawsky was poised to act. Three months before filing the case, Mr. Lawsky’s office informed Treasury and other federal officials that it planned to soon take action against Standard Chartered for illegally funneling money for Iranian banks and corporations, the people close to the case said.”

Treasury’s disagreement with DFS apparently paled in its disagreement with the DOJ as Protess wrote that “some discussions have taken a more hostile tone as the Justice Department faces scrutiny for not indicting HSBC. The Justice Department has explained that it follows guidelines requiring prosecutors to weigh indictments of businesses with “collateral consequences” like job losses and, in the case of big banks, a threat to the economy. And in a recent letter to Congress, the department explained that it has “contacted relevant government agencies to discuss such issues,” including federal regulators.”

When Treasury joined the DOJ in announcing the settlement back in December 2012 of the federal matter, “a media outlet ran an overnight article in which a professor speculated that Mr. Geithner had not criminally prosecuted HSBC to avoid putting it out of business. By dawn that day, Treasury officials e-mailed one another about the article. Shortly after, National Public Radio retracted the quote and issued a statement saying that Treasury had not been involved in the decision not to indict HSBC.”

So was Treasury a part of the process or wasn’t it?

Rutgers Still Clueless?

For those of you following the saga of the Rutgers men’s basketball team, you might have thought that the New Jersey university could not do much worse than it did in the handling of the Mike Rice scandal. However, it appears that you would be wrong as Rutgers University continues to provide the compliance practitioner with lessons to be learned. To recap, Coach Rice was videotaped physically abusing players. He was initially disciplined but after the videotape was released by ESPN, he was fired. Almost immediately thereafter, Rutgers Athletic Director (AD) and General Counsel (GC) resigned over their roles in the matter.

Now Rutgers is back in the news for its hiring of a new AD, Julie Hermann. In a NYT article, entitled “Members of Rutgers Panel See Flawed Hiring Process”, reporter Steve Eder discusses the process which led Rutgers to hire someone who had been sued successfully for gender discrimination and as detailed in an article in the New Jersey Star-Ledger that former University of Tennessee volleyball players had accused Hermann of verbally abusing them while she was their coach in the 1990s. In a letter  obtained by the Star-Ledger, players alleged that Hermann called them “whores, alcoholics, and learning disabled,” and that she coached “through humiliation, fear, and emotional abuse.”

Hermann was also sued in a second lawsuit where, Mary Banker “an assistant track and field coach, claimed she was fired as retaliation for complaining to Hermann and the university’s human resources department about sexual discrimination by the head coach. Lawyers for Louisville said that Banker was fired for underperformance, not in retaliation for her complaints. A judgment in favor of Banker was overturned this year, and the case is pending before the Kentucky Supreme Court.”

Eder reported that “the leaders of the search committee sent an e-mail to the group’s members assuring them that the process that led to Hermann’s hiring had been fair and transparent.” He wrote that “Kate Sweeney and Dick Edwards, the leaders of the Rutgers search panel, wrote an e-mail Tuesday to the other committee members to defuse growing criticism of Hermann’s selection.” He quoted from their email, “You all had the opportunity to examine Julie’s credentials, to spend some time with her when she was on campus, and to provide us with your thoughts regarding her candidacy as Rutgers’s next Director of Intercollegiate Athletics.”

However this statement was contradicted when “at least two committee members claimed that the leaders had whitewashed a process that felt secretive and rushed, leaving them uncomfortable with the university’s selection of Hermann. One member said that concerns over a lawsuit an employee had filed against Hermann were not fully addressed, and that he did not spend enough time with her to feel comfortable that she was the right person to lead an athletic department still reeling from a scandal involving an abusive coach.”

Eder quoted Ken Schmidt, one of the committee members, who wrote to the group, “At this time, please do not try to rewrite the facts. I suspect you will find others that share my opinion.” Schmidt was also quoted as saying, “There was very little information about the candidates disseminated to the larger committee.” A second committee member Ron Garutti, wrote: “Please, let’s not present this as any kind of exemplary process. Subsequent events have proven otherwise.” Garutti also added, ““Please, let us not at this late date attempt to convince ourselves and the public that there was sufficient time to delve deeply” into candidates’ documents.”

So what exactly was the hiring process that Rutgers used to fill its AD position?

The NYT articles and the National Geographic article drove home what my process-analyst wife reminds me about, that being that it is all about the process. Develop a process and then follow the process but also validate the process with additional information and the ‘second set of eyes’ principle.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

Not many people realize that the US has elected one president who served as a prisoner of war. That man was Andrew Jackson, who was captured by the British during the Revolutionary War. Now, can you name the American President who killed another man in a duel? If you guessed Andrew Jackson you are right and if you knew that today is the anniversary you receive extra credit and can proceed directly to Final Jeopardy.

I thought about the somewhat surprising history on Jackson when I read the recently released the “2013 Anti-Bribery and Corruption Benchmarking Report-A joint effort between Kroll and Compliance Week” (the “Survey”). Much like Jackson himself, the Survey had some interesting and somewhat disturbing findings as well regarding companies and their third parties. The findings were troubling because I think that most compliance practitioners recognize that their highest compliance risks under the Foreign Corrupt Practices Act (FPCA) and UK Bribery Act revolve around third parties. Some of the highlights of the survey are as follows.

I.                   Risks

While 43% of respondents said their bribery and corruption risks have increased in the last two years, another 39% said those compliance risks have remained mostly the same and, finally, 7.7% reported that they believe their compliance risks have actually fallen. Regarding future corruption risks, the respondents were split with half saying they expect compliance risks to rise in the next 12 months, and half do not. The single most common reason given for increasing compliance risks was expansion into new markets, followed by more vigorous enforcement of current anti-bribery laws. The Survey reported the “good news is that 57% of respondents say they conduct an enterprise-wide assessment of bribery and corruption risk annually. The bad news: the other 43% conduct such an assessment less than once a year, and 16.9% say they’ve never conducted a corruption risk assessment at all. A solid majority of companies also say they have some sort of documented approach to managing bribery and corruption risks; 37.7 say they have a “well-defined, documented process dedicated solely to global bribery risks,” and another 42.7% say they treat corruption risks as part of a larger documented process to address all compliance risks.”

II.                Due diligence

The Survey indicated that most companies have a good understanding of the need to, and performance of due diligence on third parties or acquisition targets. It found that 87% perform at least some sort of due diligence on third parties, and the criteria that help a compliance department decide how much diligence to perform generally seem risk-based. The top criteria were, in order, the nature of the work a third party would provide; the amount of contact the third party has with foreign officials; and where the third party is domiciled. A variety of tools were used to perform due diligence. These tools included: certifications from the third party that it has no corruption problems; reviews by your company’s legal or finance team; and data collected by your local business-unit leaders. Reference checks, on-site interviews, and research from professional investigators were some of the less-used techniques.

III.             Third parties

The Survey found that many companies are still struggling with ongoing anti-corruption monitoring and training for their third parties. Regarding training, 47% of the respondents said that they conduct no anti-corruption training with their third parties at all. The efforts companies do take to educate and monitor third parties are somewhat pro forma. More than 70% require certification from their third parties that they have completed anti-corruption training; 43% require in-person training and another 40% require online training. Large companies require training considerably more often than smaller ones, although when looking at all the common training methods, fully 100% of respondents say their company uses at least one method, if not more.

An astonishing 47% of all respondents said they conduct no anti-corruption training with their third parties at all. The numbers are even higher for companies based outside of North America (51%) and those with less than $1 billion in annual revenue (55%). Violet Ho, senior managing director for Kroll’s practice in greater China, was quoted as saying, “A lot of companies have very good intentions of doing a thorough job looking at their third parties,” Ho says. “But ultimately when you are a very large organization with more than 10,000 vendors, it’s not financially viable. You do not really have the time or resources to look deep into each and every one of them.” Another factor that Ho noted was significant is that companies often do not even know how many third parties they use, which makes training all of them impossible. Moreover, corporations typically have much less bargaining power with third parties, especially when they are located in far-flung jurisdictions. The result: if a company is using only one vendor to source an item and asks that vendor to promise to follow some anti-corruption code of conduct, the vendor feels emboldened to refuse.

Lastly, Ho stated “Trying to reach all third parties with a generic, headquarters-issued policy is a waste of time and money. Such policies tempt employees and third parties to find loopholes, and they ignore important regional differences. On-the-ground workers, are focused on revenue and profit, not compliance. Those goals aren’t mutually exclusive, but they do require coordination for a policy’s effective implementation—which adds all the more pressure on compliance officers to articulate why strong anti-corruption programs are good for business.” Clearly this Survey shows the challenges around third parties.

IV.              Effectiveness

For all a company’s efforts at risk assessment, due diligence, and monitoring third parties, the ultimate question for a compliance officer is simply does my system work? Questions about effectiveness, therefore, get to that core issue of whether all the compliance activities outlined above actually make the business less vulnerable to corruption risk. The Survey found that the responses in their anti-corruption procedures depended on how close to home the tasks actually are. 73% rated their training of domestic employees as “effective” or “very effective.” That figure dropped to 63.8% for foreign employees, and only 30% for third parties.

Melvin Glapion, Kroll managing director in EMEA, said that this phenomenon was the “downward and outward” problem. He explained that this meant that companies tend to overestimate how seriously messages sent from corporate headquarters are received elsewhere. Cultural differences abound, and many employees don’t see how anti-bribery policies apply to them in their daily jobs. Worse, the person doing compliance checks is often less senior than the executives he or she is monitoring.

Companies with less than $1 billion in revenue were actually more confident in their procedures’ effectiveness than larger businesses, the survey showed. Glapion was quoted as saying “that may be because smaller organizations have less bureaucracy and fewer third parties, or they may feel that they are not necessarily in the firing line.”

The Survey appears to indicate that companies still have a long way to go in certain areas, particularly third parties. The Survey provides the compliance practitioner with a good benchmark to look at the overall company program.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

Today we celebrate that noted British comedian who made his fame in America – Bob Hope.  He had a successful film career largely thanks to the series of seven “Road” movies he made with Bing Crosby and Dorothy Lamour, including Road to Singapore (1940), Road to Morocco (1942), Road to Utopia (1946) and Road to Rio (1947). Hope is also known for his entertainment of US military forces overseas. In 1941, after America’s entrance into World War II, Hope began performing for US troops abroad; he would play shows for more than a million American servicemen by 1953. Some 65 million people watched him perform for troops in Vietnam on Christmas Eve in 1966, in his largest broadcast. Hope also became a legend for his countless TV specials, which he would perform over the course of some five decades. He hosted the Academy Awards ceremony a total of 18 times, more than any other Oscars’ host.

What does Bob Hope have to do with compliance? First he was a comedian and second he reinvented himself several times. The anniversary of his birthday reminded me of an article written by Carole Switzer, the co-founder and President of the Open Compliance and Ethics Group (OCEG), for Compliance Week Magazine entitled “Analyze This: The Value of Business Risk Assessments.” In her article, one in a continuing of her series of GRC Illustrated articles, Switzer says that anti-money laundering (AML) compliance programs, like therapy are “difficult to define and relatively easy to avoid.” She quoted Larry David, co-creator of Seinfeld and creator of “Curb Your Enthusiasm” for the following thought on therapy, “I know enough about myself now to know that I really don’t need to know anymore.” Unfortunately, as Switzer notes, many companies have the same problem when it comes to their AML programs.

Switzer discusses a recent report by the UK Financial Services Authority (FSA) which highlighted four general reasons that UK banks failed to have effective AML programs. The same four reasons hold true for non-banking sector US companies in the area of AML.

(a) Denial. The FSA reported that one-third of the banks “failed to review their business-risk assessment program on a regular basis. Additionally, about one-third of the companies scrutinized also failed to alter their risk assessments in response to new developments and insights, such as when allegations of major corruption were levied against a customer or when a country’s risk profile spiked due to regime change.”

(b) Grandiose delusions (imagine a bank with grandiose delusions!). The FSA found that too many “customer-facing “relationship managers” could override customer risk scores produced by the risk-assessment program—without sufficient evidence to support the decision to disregard the score.”

(c) Borderline suspicious. Bank personnel did not understand how the AML risk assessment was generated and indicated that they were “confused” regarding what score indicated that a customer was a high risk.

(d) Avoidance coping. The FSA noted that institutions “inappropriately low risk weightings for high-risk factors, “sometimes overtly”; while “other banks chose to ignore well-known high-risk indicators and other adverse information from a variety of sources, “such as links to certain business activities commonly associated with higher levels of corruption.”

Fortunately Switzer laid out her thoughts on what an effective business risk assessment program should contain. From this risk assessment, you can identify where your company should focus its AML resources, determine how changes might affect your company, and where your program may need enhancement. She is quite clear that without an effective risk assessment, “your AML program will be inefficient as well as ineffective.” She sets our five steps to take.

  1. Define the Risk. Switzer says that “At the forefront of any good business risk assessment program is an executive vision. The executive sponsorship must ask themselves diffi­cult, critical questions.” This is largely because while there are certainly known risks to a business there are also risks you and your company may not be aware of so it is important to define what you know but leave it flexible enough to cover the unknown when it becomes known to you. Switzer lists some of the questions that you might begin with, which include: What are the inherent risks in our current business? What controls do we have in place? How much risk, after the business risk assessment process is instituted, remains? Should we close business locations? Should we add additional controls? Should we put spending restrictions in place? Are other industries at the same level of risk?
  2. Gather Intelligence. In this step, after executive sponsorship has set the strategy in motion, you must gather intelligence to truly understand the exposure across the organization’s products, services, and customer base. The AML team should consult local business and compliance leaders to gain key insight. The specific steps include: (1) Develop the business risk assessment questionnaire. (2) Determine what controls are currently in place. (3) Review the external risk. (4) Understand the magnitude of each risk factor. (5) Gather and normalize all data for review.
  3. Review the Findings. Once a full business assessment has been conducted and all the data collected, a full analysis of the data is performed at multiple levels. The overall picture of risk is reported to business line, regional leaders, and enterprise leaders. Switzer’s specific steps include (1) Creation of full evaluation reports of all measured data. (2) Involve AML staff, regulators, and critical business leaders in your review. (3) Utilize external, unbiased consultation to determine product and service risk for remediation.
  4. Decide How to Proceed. Switzer advises that after you come to an understanding of your exposure and risk, your vision has been set, and you have gathered data and reviewed it, you can set a course to move ahead. However, she cautions that “continual review of the plan’s impact on the business, even at this stage, is critical.”
  5. Implement the Plan. At this final step, after your company has defined its strategy, determined, by measurement, the exposure to AML risk, understood and evaluated the areas of potential risk and then “determined a path to accept, resolve and eliminate, it’s time to go to work setting the plan into motion—however, just because you are now implementing doesn’t mean you can relax. Constant scrutiny, learned best practices, and ongoing monitoring are critical.”

Switzer concludes by stating that “Risk assessment programs must evolve quickly as risks and crimes do. Building in a good system of correction and monitoring that can flex with your organization is critical.” So just as Bob Hope reinvented himself as the tastes of society changed, your risk assessment should be a “living, breathing process.”

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

The nightmare of every corporate director is to wake up to find out that the company of the Board he or she sits on is on the front page of a national newspaper for alleged illegal conduct. This nightmare came true for the Directors of Wal-Mart when the New York Times (NYT), in an article entitled “Vast Mexico Bribery Case Hushed Up by Wal-Mart After Top-Level Struggle”, alleged that Wal-Mart’s Mexican subsidiary had engaged in bribery of Mexican governmental officials and that the corporate headquarters in Bentonville, Arkansas, had covered up any investigations into these allegations.

I.                   Legal Standard

What are the obligations of a Board member regarding the US Foreign Corrupt Practices Act (FCPA)? Are the obligations of the Audit Committee under the FCPA at odds with a director’s “prudent discharge of duties to shareholders”? Do the words prudent discharge even appear anywhere in the FCPA? Under the US Sentencing Guidelines, the Board must exercise reasonable oversight on the effectiveness of a company’s compliance program. The US Department of Justice (DOJ) Prosecution Standards posed the following queries: (1) Do the Directors exercise independent review of a company’s compliance program?; and (2) Are Directors provided information sufficient to enable the exercise of independent judgment?

As to the specific role of ‘Best Practices’ in the area of general compliance and ethics, one can look to Delaware corporate law for guidance. The case of Stone v. Ritter holds for the proposition that “a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate exists.” From the case of In re Walt Disney Company Derivative Litigation, there is the principle that directors should follow the best practices in the area of ethics and compliance.

Board failure to heed this warning can lead to serious consequences. David Stuart, a senior attorney with Cravath, Swaine & Moore LLP, noted that FCPA compliance issues can lead to personal liability for directors, as both the Securities and Exchange Commission (SEC) and DOJ have been “very vocal about their interest in identifying the highest-level individuals within the organization who are responsible for the tone, culture, or weak internal controls that may contribute to, or at least fail to prevent, bribery and corruption”. He added that based upon the SEC’s enforcement action against two senior executives at Nature’s Sunshine, “Under certain circumstances, I could see the SEC invoking the same provisions against audit committee members—for instance, for failing to oversee implementation of a compliance program to mitigate risk of bribery”.

II.                When Things Get Bad

While generally the role of a Board should be to keep really bad things from happening to a Company, once really bad things have occurred the Board needs to take charge and lead the effort to rectify the situation or perhaps even save the company. While giving oversight to risk management through an Audit Committee or a Compliance Committee is a good first step, such a committee needs to have sufficient independence from the management which got the company into such hot water.

In a recent White Paper entitled “Risk Intelligence Governance – A Practical Guide for Boards the firm of Deloitte & Touche laid out six general principles to help guide Boards in the area of risk governance. These six areas can be summarized as follows:

  • Define the Board’s Role – There must be a mutual understanding between the Board, Chief Executive Officer (CEO) and senior management of the Board’s responsibilities.
  • Foster a culture of risk management – All stakeholders should understand the risks involved and manage such risks accordingly.
  • Incorporate risk management directly into a strategy – Oversee the design and implementation of risk evaluation and analysis.
  • Help define the company’s appetite for risk – All stakeholders need to understand the company’s appetite, or lack thereof, for risk.
  • How to execute the risk management process – The risk management process must maintain an approach that is continually monitored and had continuing accountability.
  • How to benchmark and evaluate the process – Systems need to be installed which allow for evaluation and modifying the risk management process as more information becomes available or facts or assumptions change.

All of these factors can be easily adapted to FCPA compliance and ethics risk management oversight. Initially, it must be important that the Board receives direct access to such information on a company’s policies on this issue. The Board must have quarterly or semi-annual reports from a company’s Chief Compliance Officer (CCO) to either the Audit Committee or the Compliance Committee. This commentator recommends that a Board create a Compliance Committee as an Audit Committee may be more appropriate to deal with financial audit issues. A Compliance Committee can devote itself exclusively to non-financial compliance, such as FCPA compliance. The Board’s oversight role should be to receive such regular reports on the structure of the company’s compliance program, its actions and self-evaluations. From this information the Board can give oversight to any modifications to managing FCPA risk that should be implemented.

There is one other issue regarding the Board and risk management, including FCPA risk management, which should be noted. It appears that the SEC desires Boards to take a more active role in overseeing the management of risk within a company. The SEC has promulgated Regulation SK 407 under which each company must make a disclosure regarding the Board’s role in risk oversight which “may enable investors to better evaluate whether the board is exercising appropriate oversight of risk.” If this disclosure is not made, it could be a securities law violation and subject the company, which fails to make it, to fines, penalties or profit disgorgement.

III.             What the Board wants to know from compliance

In an article in the May issue of Compliance Week Magazine, entitled “What the Board Wants to Know from Compliance”, author Joe Mont explored some of the issues he believes that a Board will want to know about their company’s compliance program. Mont quoted Michael Bramnick, senior knowledge leader for LRN, who said, “Boards really only want an answer to the question: ‘How do we know it is working?’ In other words, is a company’s compliance program living “up to the hallmarks of an effective compliance program in the eyes of the government.”

A.     Questions About Process

Mont believes that Boards should “want more information on the processes to carry out the compliance function, rather than details on specific compliance issues”. He quotes Dennis Beresford, professor of accounting at the University of Georgia’s Terry College of Business, for the following “Boards want to know that there is a single individual or project management office keeping track of all this stuff and making sure that it is being handled properly. They want the comfort of knowing that there is a system in place that keeps track of compliance requirements.”

B. Questions About Internal Reporting

Another area of Board interest is compliance hotlines. In this area, Mont believes that Boards desire “to know details about who answers the calls or e-mails that come in, how they are trained, if the process is outsourced, and assurances that the hotline is truly anonymous, with no use of caller-ID or GPS tracking. Other common questions from the board include: How are calls classified and routed? Who gets notified for what types of calls? How is the investigative process divided among various functions?” If the company hotline is used, this may show that “employees are comfortable enough to speak up and that, when they do, about good things or bad, they are listened to, there is follow-up, and trends are evaluated and reported back to them.”

C. Questions About Accountability

Responsibility is yet another topic that Mont believes Boards need to stay abreast on as “directors want more details on who’s responsible for what. Boards want assurance that the compliance function has developed a charter that makes it clear to them where obligations fall across management so it can assess accountability.” He quotes Bramnick who stated that “Effective boards let management do their job running the business on a day-to-day basis, and they understand that their job is to set long-term strategy,” he says. “It is not for them to be looking at every contract.”

D.  Questions About Strategic Planning

Jaclyn Jaeger, writing in the December 2011 issue of Compliance Week Magazine, in an article entitled Board Checklist: What Every Director Should Know, wrote about a panel discussion at the Association of Corporate Counsel’s 2011 Annual Meeting. In the article she quoted panel participant Amy Hutchens, General Counsel and Vice President of Compliance and Ethics at Watermark Risk Management International, on the need for strategic planning by the Board. Hutchens believes that “a truly effective and informed board knows where the company stands not only at the present moment, but also has the strategic plan for how the compliance and ethics program can continue to grow.” Similarly, Stephen Martin, a partner at Baker and McKenzie, suggests that such knowledge is encapsulated in a 1-3-5 year compliance game plan. However, a compliance program should be nimble enough to respond to new information or actions, such as mergers or acquisitions, divestitures or other external events. If a dynamic changes, “you want to get your board’s attention on the changes which may need to happen with the [compliance] program.”  Hutchens believes that such agility is best accomplished by obtaining buy-in from the Board through it understanding the role of forecasting the compliance program going forward.

Mont quoted Bramnick that “Boards have really a Herculean task in today’s regulatory climate.” But more than simply the regulatory climate, shareholders are taking a much more active role in asserting their rights against Board members. It is incumbent that Boards seek out and obtain sufficient information to fulfill their legal obligations and keep their company off the front page of the New York Times, Wall Street Journal or Financial Times, just to name a few, to prevent serious reputational damage.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

Ed. Note-today we post an article which was up on the site, thebriberyact.com. It discusses some recent remarks by SFO Director David Green. We are thankful to our colleagues Barry Vitou and Richard Kovalevsky QC for allowing us to post it. As always, the guys continue to ‘Shine a Light’.

News reaches us of a private small round table session put together by Transparency International and attended by some from the US FCPA white collar community (we understand Mark Mendelsohn attended) and our very own David Green CB QC, Director of the Serious Fraud Office.

Here’s the skinny based on our source.

The headline message promulgated by David Green will be not be news to those who have been following Mr. Green’s hard hitting public pronouncements in the UK (or reading this website) though as ever, it’s always important to be able to read between the lines.

The clue’s in the name

Mr. Green emphasized that the SFO is reverting to type and will focus on prosecution of Serious Fraud.

The advisory and guidance role of the SFO, something Mr. Green’s predecessor branched out into, was shuttered on the (not so) new Director’s arrival at the SFO over a year ago.  We understand that this was something that some hapless souls learnt the hard way when they stumbled into the SFO looking for some help!

Nevertheless, while we understand the rationale we think it’s a shame the SFO is no longer extending the olive branch of advice and guidance.

It seemed to us that there was something to be gained from a channel of communication between corporations and the SFO outside of the usual dynamic of prosecutor and prosecuted.  The DoJ engage in something along these lines with their Opinion Release procedure (which to be fair the SFO has never offered).  However, we digress…

Facilitation payment Guidance tossed in the garbage

Mr. Green also publicized his junking of the facilitation payment guidance and the presumption against prosecution for Self Reporting companies.

It’s fair to say that many have, in our view, misconstrued this to mean that Civil Recovery Orders are off the table and that we are now back to ‘cat and mouse’ and the binary decision of whether to prosecute or not.  This is silly, in particular when one of the first things Mr. Green did on arrival at the SFO was to approve a civil recovery order in respect of Oxford University Press.

Listen carefully.  Mr Green says that a true Self Report (namely a corporate telling the SFO something that it does not already know or would not find out about, but for the Self Report) will weigh very heavily in the balance when weighing the public interest about whether or not to prosecute.

In our view Civil Recovery Orders (which Oxford University Press should demonstrate anyway) are not dead and buried – though that does not fit the narrative of those whose marketing relies on scaring potential customers.

As we recently reported the publication of the guidance around Civil Recovery Orders was not for nothing.  Cue, Civil Recovery Orders still very firmly on the menu – but only in the right circumstances.

In a hurry but not going to rush

At the US meeting Mr. Green signaled a desire to bring headline cases and as soon as possible.  The truth is that this is not just a desire but a political reality.  Mr. Green is on a 4 year contract at the SFO and is already a quarter of the way through his tenure.

An extra credit line from Whitehall of nearly £4 million last year to deal with LIBOR (and no doubt the same again this year) means that, like it or not (and regardless of what might be said publicly), the political paymasters will be looking for some crowd pleasing banker bashing headline prosecutions in short order.

This will be easier said than done in a legal system where, unlike the US, there is (thank goodness at least for the forseeable future) NO concept of Respondent Superior.


In other news we understand Mr. Green conveyed that he is attracted to sector sweeps with customs duties (in other words what many would understand to be facilitation payments) a possible area of attention.

Frankly sector sweeps MUST be the way to go in any sensible SFO strategy.  Otherwise known as ‘pulling the thread’ the chances are that a corruption investigation will open new lines of enquiry.  As to the issue of facilitation payments, they are a thorny topic but under UK law they are illegal.

London listed? Mind your backs…

Finally we understand David Green explained, broadly speaking, that companies listed in London in his view fall under the regulatory purview of the Serious Fraud Office.  Given the importance of the London markets to the UK economy this is hardly a surprise.

While, some may express consternation by this given the Ministry of Justice guidance (which said that broadly speaking a London listing on its own would not be enough to trigger the jurisdiction of the Bribery Act) we know that privately it has ALWAYS been the SFO view that there WILL almost ALWAYS be additional connections with the UK which give it jurisdiction.  Ultimately this will be a question for the courts if and when it is tested.

The proof of the pudding

Of course the proof of the pudding will be in the eating.  Something David Green QC is only too well aware of.  Expect Mr. Green to act.

The SFO story has now moved on.  Today the real question in the wake of the numerous recently kicked off investigations is:

Has the SFO bitten off more than it can chew?

The answer remains the same, the proof of the pudding will be in the eating.