Sometimes I get inspired when writing blog posts and sometimes I get on a roll. It is a bit of both this week, and today, as earlier this week, I focus on Department of Justice (DOJ) pronouncements on their view of current standards in a best practices compliance program and the remarks and ideas of the DOJ Compliance Counsel, Hui Chen. Today, I build upon my earlier blog posts of this week, which dealt with the remarks of Assistant Attorney General Leslie R. Caldwell and the public pronouncements of Chen, by reviewing remarks by noted Foreign Corrupt Practices Act (FCPA) thought leader and expert Mike Volkov made in a recent presentation to the Greater Houston Business and Ethics Roundtable (GHBER). Volkov presented some of his views regarding what he called “the evolving standard for compliance programs.”
Volkov believes with the hiring of Chen and the pronouncements in the FCPA Pilot Program, announced in April, 2016, the DOJ is slowly but surely raising the bar for corporate compliance programs. From the FCPA Pilot Program and remarks by Chen, Volkov identified that the key element is your company’s operationalization of its compliance program. This would lead Chen to make an inquiry into how far down your compliance program is burning into the fabric of your organization.
He went on to describe the increased importance of technology in any best practices compliance program. He believes that companies must look at automated systems because the government knows the vendors are making tools available. Another area Volkov believes that Chen is focusing on is consistency in your approach to contracting. He further explained this means consistency in the compliance terms and conditions of your contracts and purchase orders.
Borrowing from the arena of internal financial controls and Sarbanes-Oxley (SOX) 404 reporting, Volkov believes there is a new importance for invoicing, verification of accounts payable (AP) and segregation of duty (SOD) conflicts. He phrased it as “money should not go out the door unless legitimately provided and verified”. He went on to further explain that AP should have a deficient payment systems trigger for compliance red flags with the over-arching goal of invoice verification and justification. Volkov believes, “coordination strengthens internal controls and culture of compliance.”
Volkov noted an increased importance moving from the fact of performing due diligence to the quality of a company’s due diligence, risk management and review process. A company must ascertain beneficial ownership in any basic due diligence investigation. He cautioned you should never leave any red flags unresolved or even fail to act in the face of issues. Some of the key areas of inquiry he mentioned were: allegations or reputation of corruption or misconduct; large or unusual compensation arrangements; close ties to existing or former foreign official(s); lack of transparency of ownership structure; and no track record in industry – lack of qualification/business justification.
Chen has consistently talked about operationalizing your compliance program. Volkov pointed to the PetroTiger declination and Qualcomm FCPA enforcement action as examples to show that stakeholders must work together and that coordination among compliance, legal, audit, Human Resources (HR), finance – as well as senior management – is critically important.
In the area of oversight of foreign subsidiaries Volkov believes, “you should never operate on an island”. He pointed to the Johnson Controls FCPA enforcement action and the Nortek Non-prosecution agreement (NPA) for the proposition that corporate compliance programs must work to incorporate “tightly” foreign subsidiaries into their overall structure. This includes dedicated compliance resources in high-risk jurisdictions and placement of compliance personnel into the foreign subsidiaries. Simply put, one annual visit by compliance personnel responsible for China is insufficient. Similarly, with joint ventures (JVs) he pointed to the recent Hitachi and Och-Ziff enforcement actions which re-emphasized not only the importance of overall JV oversight but due diligence, training and monitoring of these entities during the pendency of the JV relationship.
Another area Volkov focused on was high-risk third parties. Auditing, monitoring and training of third parties is also something he believes the government is focusing upon. He pointed with approval to the SAP enforcement action and the HMT LLC declination for the following insights: you should implement policies for risk-ranking third parties (vendors and suppliers, agents, and distributors); work to distinguish between agents and vendors/suppliers based on representation risk; consider in-person training for high-risk areas; and, finally, your compliance function should work with the accounting function to monitor expenditures and strengthen controls.
One area in which Volkov noted surprise is the number of cases which turn on gifts, travel and entertainment issues. Somewhere there is still a disconnect between legitimate promotional activities vs. corrupt gifts, hospitality, and travel. He believes that companies must demonstrate updated training, awareness, and approval procedures around gifts, travel and entertainment and that a corporate compliance function must work with accounting to monitor and review expenditures.
Moving to the impact of the Yates Memo, Volkov believes that the DOJ has consistently called for more prompt and robust internal investigations in recent matters including Nortek, Akamai Technologies, and Johnson Controls. Cursory investigations, derailing internal investigations or internal audits and turning away from clear signs of FCPA violations are sure ways to invite regulatory sanction. Related to this is the requirement for companies to conduct regular internal audits, including scheduling periodic audits, particularly for high-risk geographic regions; the timely investigation of reports of improper activity; and, when warranted, broadening the scope of an investigation if signs of systematic misconduct are present.
Another area which both the DOJ and Chen have emphasized is the quality of your remediation. Volkov pointed to the recent Johnson Controls and HMT LLC declinations as examples of companies that engaged in proper remediation for their deficient compliance programs including disciplinary actions of recalcitrant employees. Johnson Controls terminated 16 employees, including high-level executives at a Chinese subsidiary, who were involved in misconduct. HMT LLC terminated 8 employees, including two regional managers and a director of business development and sanctioned ten employees through suspensions, pay freeze, bonus suspensions and reductions of responsibilities.
He contrasted these companies, which received the excellent result of a declination, with that of Embraer, which received only a 20% credit because of incomplete remediation. He said that the company disciplined employees and executives engaged in the misconduct, but “did not discipline a senior executive who was (at the very least) aware of bribery discussions in emails in 2004 and had oversight responsibility for the employees engaged in those discussions.”
In the area of cooperation and voluntary disclosure he noted that the “stakes remain high” on whether to do so. While companies can still receive some cooperation credit without voluntary disclosure, cooperation credit is a threshold requirement to significant benefits. These benefits include: a possible declination; potential for 50% reduction in fines; ability to secure Deferred Prosecution Agreement (DPA) or NPA and avoid guilty plea, and the absence of a corporate monitor.
Throughout his presentation, Volkov cited to the Compliance Evangelist mantra of Document, Document, and Document for all of the above. I would add you should test your compliance program against these evolving standards laid out by Volkov. The DOJ is becoming much more sophisticated in determining the difference between doing compliance and simply having a paper program. If you have not moved to some or all of these standards laid out in this post and those of the previous two days, you may well find yourself not only in the middle of a substantive FCPA investigation and enforcement action; but you may also be well behind the proverbial 8-ball if you have ignored these most public pronouncements by not evolving your compliance program.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2016