I have been exploring the PTC Inc. Foreign Corrupt Practices Act (FCPA) settlement this week. It included a Non-Prosecution Agreement (NPA) from the Department of Justice (DOJ) with two Chinese subsidiaries and a Cease and Desist Order (Order) from the Securities and Exchange Commission (SEC). Today I want to review some of the lessons a Chief Compliance Officer (CCO) or compliance practitioner might apply to an FCPA compliance program.
PTC sustained both books and records and internal controls violations. The books and records violations occurred because the Chinese subsidiaries improperly recorded bribes on their books and records disguised as legitimate commissions and business expenses. These were then rolled up into the corporate parent’s books and records.
Further, PTC either did not have appropriate internal controls or, if they did have them, they were clearly inadequate. A CCO should expect (or at least hope) that internal controls at locations outside the US are as effective as internal controls within US business units and at the US corporate office. Unfortunately, that might not always be the case. It is often the case that corporate level internal controls are stronger than those in foreign business units. That would certainly appear to be the case with PTC.
For each of the bribery schemes in place there was a failure of internal controls. In the scheme where the commission was decided after the sale was concluded, so as to know how much money to bake into the commission rate for the bribe payment, the Chinese subsidiary “sales staff reported to a PTC employee who had authority over the commission approval process.” So there was at least a control in place, yet that control was not effective because the PTC oversight did not work at all.
This also speaks to an internal control weakness that allows one corporate employee to have oversight over an approval process. This is simply not a sufficient control. First and foremost, there should be multiple levels of controls for the commissions of third party representatives, as they are the highest risk under the FCPA. Compound that with the known high risk of doing business in China and you can immediately spot the internal controls failure.
The breadth and scope of the Chinese subsidiaries’ bribery schemes also point to an issue that Scott Lane, Executive Chairman of the Red Flag Group, has articulated. Lane talked about the line of sight for a CCO or compliance practitioner into the life cycle of a transaction to review it from the compliance perspective. Lane simply drew an imaginary line from his eyes forward to demonstrate the straightforward nature of his concept.
Why is such straight-line visibility lacking in the PTC case? It was because of the ongoing nature of the transactions, which literally ran across several years. As noted in the Order, “PTC-China employees spread the overseas travel payments over several contracts, each with its own COD budget. Because many deals with SOEs involved long term contracts that took several years to complete, the actual sightseeing trip sometimes occurred up to two to three years after the deal was negotiated.” Without such a line of sight, there may well be no way for the CCO to ascertain whether bribe payments were made later or somehow charged to different contracts.
One anomalous fact about this case was how long it seemed to linger. Some of the conduct at issue began as far back as 2005. Apparently the corporate office in the US did not discover the illegal conduct until, according to the Order, “PTC only discovered the improper payments to or for the benefit of Chinese government officials, while investigating complaints concerning a senior PTC-China salesperson.” It would certainly appear that multiple parties were asleep at the wheel for such corruption to go on for so long, even if PTC-China was actively working to hide and disguise its illegal acts.
Yet, it is the next part that is really a head scratcher. The Order notes, “PTC voluntarily self-reported the results of its internal investigation to the Commission and responded to information requests from the Commission staff. PTC did not, however, uncover or disclose the full scope and extent of PTC-China’s FCPA issues until 2014.” The NPA was even more detailed about the company’s lack of full disclosure when it said, “the Companies did not receive voluntary credit disclosure because, although the Companies, through their parent corporation PTC Inc., reported to the Office [DOJ] in 2011 certain misconduct identified through a then-ongoing internal investigation, they did not voluntarily disclose relevant facts known to PTC Inc. at the time of the initial disclosure until the Office uncovered salient facts regarding the companies responsibility for improper travel and entertainment expenses at issue independently and brought them to the Companies attention, after which the Companies disclosed information that they had learned as part of an earlier investigation.”
It cannot be determined from the resolution documents whether PTC got some incredibly bad legal advice or made a costly decision. However, for any CCO the clear message is that if you do self-disclose, you must not hold back any facts. This does not mean you have to waive privilege and turn over your entire investigation file, including opinions from your outside counsel. But you do have to turn over facts you uncover. This lack of forthrightness cost the company in the range of seven figures in its settlement with the DOJ.
Yet, PTC did receive a partial credit of 15% “off the bottom of the Sentencing Guidelines fine range for their cooperation in “collecting, analyzing and organizing voluminous evidence and information for”” the DOJ. Moreover, the company also took significant remedial steps during the pendency of the investigation. According to the Order, PTC, “also revised its pre-existing compliance program, updated and enhanced its financial accounting controls and its compliance protocols and policies worldwide, and implemented additional specific enhancements in China. These steps included: (1) reviewing and enhancing its anti-bribery policy, code of ethics, and gifts and entertainment policies to correct previous deficiencies; (2) establishing a dedicated compliance team, including a chief compliance officer and a new compliance director in China; (3) expanding its other compliance resources in China, including hiring a new vice president of finance for Asia and adding additional legal staff in China; (4) hiring a new management team in China, including a new China President; (5) enhancing its FCPA training for employees; (6) severing its relationships with the business partners that were implicated in the FCPA violations and discontinuing the use of COD partners or business referral partners generally; (7) implementing a comprehensive due diligence program for all other business partners that includes a risk-scoring system operated by a third party vendor and that includes FCPA training as part of the onboarding process; (8) obtaining quarterly anti-corruption certifications from sales staff; and (9) undertaking periodic compliance audits.”
I wanted to highlight three of these remedial steps that stand out. The first was the clean sweep of management from PTC-China and bringing in dedicated legal and compliance staff for the Chinese subsidiaries. The second was a risk-based scoring system for evaluating third parties and FCPA training as a part of the third party onboarding process. Many companies perform due diligence on third parties, but this solution points to using that information to risk rank third parties for evaluation and management purposes. Finally, there were the quarterly anti-corruption certifications from the sales staff. This last point might be a very powerful and cost-effective ‘stop and think’ control, particularly if they have to make the certification for any third parties which have assisted them in their sales efforts.
The PTC-FCPA enforcement action had much material for consideration by the CCO or compliance professional. Even if the events at issue are over 10 years old, it is an important reminder that everything old is new again and that revisiting your gifts, travel and entertainment policies, procedures and internal controls would be a good exercise to engage in from time to time. It also reminds us all that having a compliance program, including appropriate internal controls, is only the starting point. A company must also do compliance for those policies, procedures and internal controls to be effective. As a final note, a company cannot hide facts from the government after they self-disclose. If you are not prepared to present all facts, you will only put yourself and your company in a worse position.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2016