Show Notes for Episode 51, for the week ending May 5, the Cinco de Mayo Edition

Over some breakfast tacos and Mexican coffee, Jay and I have a wide-ranging discussion on some of the week’s top compliance related stories. We discuss:

  1. Uganda considers a demand side response to corruption. See Tom’s article in Compliance Week. What are the rationales for anti-corruption legislation? See Tom’s post on the rationales underlying the FCPA on the FCPA Compliance Report.
  2. Why due diligence investigations still need the human element. See Scott Shaffer’s article in FCPA Blog.
  3. Kara Brockmeyer joins Debevoise & Plimpton LLP. See Tom’s article in the FCPA Blog.
  4. What has been the fate of whistleblowers at Wells Fargo. See James Stewart considers in his Common Sense column in the New York Times.
  5. Federal jury convicts former Guinea mining minister of laundering bribes. See article in the FCPA Blog.
  6. Astros lead the AL with the second best record in baseball. What does Tony Parker’s injury mean for the Spurs/Rockets playoff series?
  7. The Financial Reporting Council (FRC) investigates KPMG on its audits of Rolls Royce for the firm’s failure to detect bribes paid by the company. See article in the FCPA Blog.
  8. Listeners to this podcast can received a discount to Compliance Week 2017. Go to registrationand enter discount code CW17TOMFOX.

In this episode I am joined by Ruth Steinholtz of AretéWork, Jonathan Armstrong of Cordery Compliance and Kristy Grant-Hart of Spark Compliance Consulting and author of How To Be a Wildly Effective Compliance Officer for a roundtable discussion of the recently concluded SCCE European Compliance and Ethics Institute. We discuss some of the highlights, the changes this group of compliance practitioners has seen and where compliance may be headed in 2017 and beyond.

In this episode I visit with Jonathan Armstrong on his views on the new DOJ Evaluation of Corporate Compliance Programs. Armstrong provides a detailed analysis of some of the key differences between how compliance is operationalized in the US as opposed to the UK and EU countries. He explains how the enhanced requirements for root cause analysis, risk assessments and investigations and the supplemented requirements to tie back into the ongoing compliance monitoring and updating, could run afoul of UK and EU data protection and data privacy requirements.  He also considers what a non-US company, subject to the FCPA what should look to as a best practices compliance program to best protect the organization. Finally explores just how far does all of this go? He provides on statistic that puts a huge bow on the difficulties going forward.

For the Cordery Compliance article see the following, US Department of Justice on Evaluation of Corporate Compliance : how does it compare to UK Bribery Act 2010?

This episode is dedicated to the Justice Department’s Evaluation of Corporate Compliance Programs, which was released in February. In this episode, Jay Rosen and Jonathan Armstrong provide next insight. Listen to last week’s Episode 8 for commentary from Matt Kelly and Mike Volkov.

  1. Jay Rosen, reporting from the ABA White Collar Conference in Miami, considers the view from the vendor perspective and whether the Evaluation changes a conversation about doing compliance. He reviews the requirements for ongoing monitoring, risk assessments and root cause analysis and the need for companies to explain how something might have fallen through the cracks, leading to a FCPA incident. He points out how CCOs can test a company’s compliance systems.

For Jay Rosen’s post see, Still in the Enforcement Business and Evaluation of Corporate Compliance Programs

  1. Jonathan Armstrong provides a detailed analysis of some of the key differences between how compliance is operationalized in the US as opposed to the UK and EU countries. He explains how the enhanced requirements for root cause analysis, risk assessments and investigations and the supplemented requirements to tie back into the ongoing compliance monitoring and updating, could run afoul of UK and EU data protection and data privacy requirements. He also considers what a non-US company, subject to the FCPA what should look to as a best practices compliance program to best protect the organization. Finally explores just how far does all of this go? He provides on statistic that puts a huge bow on the difficulties going forward.

For the Cordery Compliance article see the following, US Department of Justice on Evaluation of Corporate Compliance : how does it compare to UK Bribery Act 2010?

For Mike Volkov’s posts on the Evaluation see the following:

Under the Dark of Night, DOJ Moves the Compliance Ball;

            DOJ’s Compliance Program Evaluation: the Role of the CCO;

            DOJ’s Compliance Program Evaluation: Risk Assessment, Policies and       Procedures and Third-Party Risk Management; and

            DOJ Compliance Expectations Concerning Training, Internal Investigations and     Audits 

For Tom Fox’s posts on these topics see the following:

New DOJ Evaluation-Valuable Document for the Compliance Practitioner,             Part I; and

            New DOJ Evaluation-Valuable Document for the Compliance Practitioner,

            Part II

For Matt Kelly’s posts see the following:

            Fresh FCPA Guidance from the Justice Department; and

            Deeper Dive into new DoJ Compliance Guidance

The members of the Everything Compliance panel include:

  • Jay Rosen – Vice President of Business Development and Monitoring Specialist at Affiliated Monitors. Rosen can be reached at JRosen@AffiliatedMonitors.com.
  • Mike Volkov – One of the top FCPA commentators and practitioners around, Volkov is the Founder and Chief Executive Officer of The Volkov Law Group, LLC. Volkov can be reached at mvolkov@volkovlawgroup.com.
  • Matt Kelly – Founder and CEO of Radical Compliance and former Editor of Compliance Week. Kelly can be reached at mkelly@radicalcompliance.com.
  • Jonathan Armstrong – Rounding out this distinguished panel is our UK colleague, a lawyer with Cordery Compliance in London. Armstrong can be reached at armstrong@corderycompliance.com.

Today’s headline is inspired by two recent notices; the first is from a January 25 ENI Press Release crowing that “Eni is the first Italian company to receive that certification”. The second came from an article in the Financial Times (FT) entitled “Eni chief Claudio Descalzi charged with international corruption” by James Politi, where he began his piece with the opening, “Claudio Descalzi, chief executive of Eni, has suffered a setback after Italian prosecutors charged him with international corruption following a lengthy investigation into the Italian energy group’s 2011 purchase of a Nigerian exploration licence. Mr Descalzi was asked to stand trial along with Paolo Scaroni, the former chief executive of Eni, as well as nine other individuals who were involved in the $1.3bn transaction, according to Fabio De Pasquale, the lead prosecutor on the case.”

The international corruption, also involving Royal Dutch Shell, involved questions regarding “an offshore exploration bloc called OPL 245, which is estimated to contain up to 9bn barrels of oil and is considered one of Nigeria’s most highly-prized energy prospects.” It was further noted that “The main accusation is that Eni and Shell knew the money paid to the government for OPL 245 would then be funnelled to other Nigerian individuals, essentially as bribes.” In what can only be said is a non-denial denial, both “Eni and Shell have said that they simply transferred money to the Nigerian government, without making any arrangements with third parties or the ultimate beneficiaries.”

The problem I see with one headline is that it brings up the uselessness of the ISO certification process. One might reasonably ask how a company could receive a certification for its “AntiBribery Management Systems” when both its current and former chief executives are under indictment for ‘international corruption’? The ISO certification issue is separate and stands apart from the ISO 37001 standards themselves. When I sat down to read the more than 100 pages of what might constitute good compliance practices, I, for the most part, did not have too many disagreements with the articulation. However, in the global world of anti-bribery/anti-corruption enforcement there were multiple standards for an effective compliance program, including, but not limited to the Ten Hallmarks of an Effective Compliance Program, Six Principles of Adequate Procedures, the OECD 13 Good Practices and multiple others. Indeed, I published an entire book some 2 1/2 years ago to laying out what constitutes an effective compliance program. So while it is mildly interesting from an intellectual perspective, the reality is that it is not anything new, different or innovative.

Yet the title of this blog post makes clear that any ISO 37001 certification is much worse, for it can lead an unsuspecting person to conclude that because a company has the ISO 37001 certification, it is actually doing compliance. From the ENI Press Release it stated, “quality of the system of rules and controls aimed at preventing corruption”. If that does not sound like a paper compliance program I do not know what does. I should also note the same Press Release goes on to state that since 2009, Eni has enshrined the principle of “zero tolerance” as “expressed in its Code of Ethics.” I wonder if either the current or former ENI chief executive under indictment read or even knew about this robust ENI Code of Ethics. Interestingly, the Press Release also stated that Stage 2 of the ISO 37001 certification process involved “interviews with people on the ground” to assure compliance with the program. It is safe to assume these interviews did not include the current or former ENI chief executive.

What is a counter-party to ENI to conclude about the robustness of its anti-corruption compliance program? How about any other company which has an ISO 37001 certification? This is where the worse than useless part comes into play. People might actually think that this certification affirms the company which holds it is committed to doing compliance and will continue to do so going forward. The counter-party who does business with such an ISO 37001 certificate holder may well assume this certification forms some basis of protection against a Foreign Corrupt Practices Act (FCPA), UK Bribery Act or (you name the law) investigation for bribery and corruption. Nothing could be further from the truth.

The Department of Justice (DOJ), Securities and Exchange Commission (SEC) and Serious Fraud Office (SFO) continually make abundantly clear that a company is responsible for its counter-parties not violating applicable anti-corruption laws. Put another way, a third-party, with an ISO 37001 certification who violates the FCPA, UK Bribery Act or any other similar law puts your company at just as much risk as a third-party with no ISO 37001 certification. Putting it as simply as I can, an ISO 37001 certification from a counter-party is of less than zero worth to your company, your compliance program or indeed any defense against a FCPA enforcement action.

What about a company which thinks it needs an ISO 37001 certification? This is equally problematic but for different reasons. The DOJ and SEC jointly issued FCPA Guidance made clear that an effective compliance program is based upon a company assessing its own risks and then setting up a program to manage those risks going forward through training, incentives and discipline and ongoing monitoring. The Ten Hallmarks were designed to be flexible to allow each company to assess and then manage its risks. Moreover, this flexibility allows a Chief Compliance Officer (CCO) or compliance practitioner to put forward clear evidence of compliance with this approach if the government comes knocking in a FCPA investigation. The evidence from the Pilot Program is that the DOJ is taking this approach into account and has doled out multiple declinations and Non-Prosecution Agreements (NPAs) since its inception in April 2016.

So which headline is right: that ENI received an ISO 37001 certification or that the chief executive of ENI will stand trial for corruption? Unfortunately, they are both right and that simple answer communicates to every CCO and compliance practitioner across the globe that the ISO 37001 certification process is worse than useless. This is both for the company assessing the effect of such a certification from a potential third-party and a company considering whether it should obtain the certification to prove it is actually doing compliance.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2017