Last week the Justice Department (DOJ) announced a resolution of the long standing Foreign Corrupt Practices Act (FCPA) enforcement action involving Telefonaktiebolaget LM Ericsson (Ericsson), a multinational networking and telecommunications equipment and services company headquartered in Sweden. The matter was stunning in the total amount of fines and penalties assessed, coming in at over $1 billion, consisting of a criminal fine assessed by the DOJ at just over $520 million. Separately, the Securities and Exchange Commission (SEC) assessed profit disgorgement of nearly $540 million. Over the next several blog posts, I am considering the Ericsson FCPA enforcement action. Today, I consider the criminal penalty sustained by Ericsson, its actions during the pendency of the enforcement action which led to a double whammy in its fine calculation and cost the company an additional $95 million above what it could have paid as a criminal penalty.

The documents reference herein consist of the following:

  1. DOJ Press Release (Press Release);
  2. SEC Complaint against Ericsson (SEC Compliant);
  3. DOJ Deferred Prosecution Agreement with Ericsson (DPA);
  4. Ericsson Egypt Ltd. Plea Agreement (Ericsson Egypt Plea Agreement);
  5. DOJ Superseding Information with Ericsson Egypt (Ericsson Egypt Information); and
  6. DOJ Information with Ericsson (Ericsson Information)

What Ericsson Failed To Do

Ericsson did not self-disclose its FCPA violations to either the DOJ or SEC. Even without this step, Ericsson was eligible for a considerable discount under the FCPA Corporate Enforcement Policy (the Policy). Under the Policy, “If a company did not voluntarily disclose its misconduct to the Department of Justice (the Department) in accordance with the standards set forth above, but later fully cooperated and timely and appropriately remediated in accordance with the standards set forth above, the company will receive, or the Department will recommend to a sentencing court, up to a 25% reduction off of the low end of the U.S.S.G. fine range.” This means there is significant monetary incentive to both fully cooperate and timely remediate. However Ericsson did not meet either of the requirements and therefore did not receive a full 25% discount to which they were eligible. It only received a credit of 15% discount. So what were Ericsson’s failures?

According to the DPA, Ericsson “did not receive full credit for cooperation and remediation pursuant to the FCPA Corporate Enforcement Policy, [citation omitted], because it did not disclose allegations of corruption with respect to two relevant matters, produced certain relevant materials in an untimely manner, and did not timely and fully remediate, including by failing to take adequate disciplinary measures with respect to certain executives and other employees involved in the misconduct”. Unpacked, there are two key areas of failure by Ericsson during the investigation.

First, apparently it did not disclose matters involving bribery and corruption that it either uncovered during the investigation or was otherwise aware of during this time frame. The DOJ was able to find out about these two other matters through other means. With the company’s illegal conduct extending into 2016 and even 2017, it may well have been the illegal conduct was ongoing while the internal investigation was ongoing. The next failure in the cooperation phase was in producing documents in an “untimely manner”. While we can leave the non-use of plain English in DPAs for another discussion; it is mandatory that any company under FCPA investigation not delay in its production documents for witnesses for interviews.

Ericsson also fell short in its remediation. Although the company’s compliance program was substandard at the times of the incidents in question, Ericsson did enhance “its compliance program and internal accounting controls, including ensuring that its compliance program satisfies the minimum elements set forth in Attachment C to this Agreement (“Corporate Compliance Program”)”. However the company fell short in its remediation and failed to receive full credit for its failure to take disciplinary actions against executives and employees involved in the bribery and corruption at issue.

What Ericsson Did to Obtain Credit Under the Policy

On the flip side of these failure, Ericsson obviously did some actions during the investigation which allowed it to receive the 15% discount available under the Policy. According to the DPA, these actions included “conducting a thorough internal investigation; making regular factual presentations to the Fraud Section and the Office; providing facts learned during witness interviews conducted by the Company; voluntarily making foreign-based employees available for interviews in the United States; producing extensive documentation, including documents located outside of the United States as well as translations of foreign language documents; and proactively disclosing some conduct of which the Fraud Section and the Office were previously unaware”.

Even with these actions, there were real costs to Ericsson for its failure to fully cooperate and extensively remediate. These costs are identified in two separate components of the penalty calculation. The first is under the calculation under the US Sentencing Guidelines. Please note this calculation under the US Sentencing Guidelines is separate and apart from the discounts available under the Policy. Under the US Sentencing Guidelines (U.S.S.G. § 8C2.5), a company can receive a reduction of its Culpability Score up to an amount of five if “The organization fully cooperated in the investigation and clearly demonstrated recognition and affirmative acceptance of responsibility for its criminal conduct”.

The Penalty Calculation

Ericsson could have received a reduction of up to five but only received a reduction of two under this prong. This made the overall Culpability Score 8, which it could have been reduced to 5. Because of this Culpability Score of 8, the base fine multiplier was between 1.6 to 3.2 leading to a fine range of $612,529,920 to $1,225,059,840. From there the 15% discount was applied to the low end of the fine range. However if the Culpability Score had been 5, the base fine multiplier would be been between 1.0 to 2.0 and that would have led to a potential fine range of $382,831,200 to $765,662,400.

Now if Ericsson had received the full 25% credit available to it under the Policy, the low end of the fine range could have been reduced by over $95 million so that the final DOJ penalty could have been as low as approximately $287 million. For its recalcitrance in failing to fully cooperate and remediate; Ericsson paid an additional $95 million in criminal penalties.

The Double Whammy

What is equally important is double whammy Ericsson put on itself for its conduct during the investigation. First under the US Sentencing Guidelines, it did not receive the full reduction available to it under the Culpability Score so that the multiplier was increased. Second, Ericsson did not receive the full discount available to it under the FCPA Corporate Enforcement Policy so that it did not receive the full decrease which was potentially available under the Policy. All of this translated into an additional $95 million in criminal penalty. The Ericsson FCPA enforcement action demonstrates that there are real monetary benefits to fully cooperating and engaging in full remediation during an investigation.

Join me tomorrow for some concluding thoughts on lessons learned for the compliance practitioner.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2019

Welcome to the Great Women in Compliance Podcast, co-hosted by Lisa Fine and Mary Shirley.

Today’s Great Women in Compliance podcast is a little different.  At the most recent SCCE Compliance and Ethics Institute held in September, Lisa and Mary asked the session attendees to provide examples of the best professional advice they received, and we had a lot of great information from women throughout the ethics and compliance community.  It was a unique opportunity for Mary and Lisa to be on the same episode, as most of the GWIC podcasts are with one of them interviewing ethics and compliance leaders.

We got exceptional insights from this community, and Lisa and Mary thought it would be the perfect way to end the 2019 podcasts.  Not only did Great Women in Compliance’s first full year brought lots of great discussions on the podcast, it brought out constant reminders of the fantastic individuals that make up the GWIC community.

We all hope you enjoy this advice from the GWIC Community and best wishes to you and yours in 2020. Join the Great Women in Compliance community on LinkedIn here.

Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance related topic, literally going into the weeds to more fully explore a subject. In this episode, Matt Kelly and I go into the weeds about the Ericsson FCPA enforcement action from the internal controls perspective.

&nb

Some of the highlights include:

  • What does this enforcement action tell up about internal controls?
  • How were the business units able to evade internal controls for so long?
  • Was there control override?
  • What is the role of ERP systems such as Oracle and SAP in compliance?
  • If a company refuses to use standard ERP systems, is that a control failure under the FCPA?
  • What are the lessons learned for a corporate compliance program?
  • What does all this mean for compliance professionals going forward?

Resources

Tom’s blog posts, both the FCPA Compliance and Ethics Blog.

Part 1-Overview

Part 2-The Bribery Schemes

Last week the Justice Department (DOJ) announced a resolution of the long standing Foreign Corrupt Practices Act (FCPA) enforcement action involving Telefonaktiebolaget LM Ericsson (Ericsson), a multinational networking and telecommunications equipment and services company headquartered in Sweden. The matter was stunning in the total amount of fines and penalties assessed, coming in at over $1 billion, consisting of a criminal fine assessed by the DOJ at just over $520 million. Separately, the Securities and Exchange Commission (SEC) assessed profit disgorgement of nearly $540 million. Over the next several blog posts, I will be considering the Ericsson FCPA enforcement action. Today, I consider the internal controls failures.

The documents reference herein consist of the following:

  1. DOJ Press Release (Press Release);
  2. SEC Complaint against Ericsson (SEC Compliant);
  3. DOJ Deferred Prosecution Agreement with Ericsson (DPA);
  4. Ericsson Egypt Ltd. Plea Agreement (Ericsson Egypt Plea Agreement);
  5. DOJ Superseding Information with Ericsson Egypt (Ericsson Egypt Information); and
  6. DOJ Information with Ericsson (Ericsson Information)

Yesterday, I broke down the bribery schemes by country where Ericsson engaged in bribery and corruption. I want to use that same country-by-country format to consider the internal control issues involved.

Djibouti

Here the internal control failure broke down into three key categories. First, there was an internal control failure due to no due diligence on the corrupt consulting company involved. If there had been due diligence, it would have revealed that the consulting company was registered to the spouse of a corrupt foreign official and that same corrupt foreign official acted as the representative of Consulting Company A. When this failure was pointed out, there was management override of an internal control as an Ericsson employee completed a draft due diligence report that failed to disclose the spousal relationship between the owner of Consulting Company A and the corrupt foreign official. The final internal control failure was lack of contract review as there was a sham contract with Consulting Company A for services that were never intended to be performed. Finally, there was internal control override as the same Ericsson employee who forged the due diligence approved an invoice requesting payment of €1,000,000 for 5,000 hours of work that was never performed.

China

In China, there was not the due diligence failures present but rather China business unit employees entered into False Service Agreements with pre-existing approved service providers. This was an internal control failure as there was no requirement for either due diligence for subagents of previously approved service providers. Moreover, as the services contemplated in the False Service Agreements were never intended to be provided this internal control failure was compounded. Next there was an internal control override as fraudulent invoices were approved and those funds generated the pot of money which was used to pay bribes. This internal set of control failures were further compounded by a second internal control failure that came with the False Service Development Agreements. Again, these contracts were used as the basis to sign purchase requests and approve invoices with newly established third-party service provider companies, none of whom had passed due diligence. These False Service Development Agreements entered into were in violation of Ericsson policy.

Vietnam

In Vietnam, there was control override, control failure and control fraud. The first was an internal control failure where good old-fashioned cash was actually delivered to a corrupt consulting company to create a slush fund out of which the consulting company would pay bribes under the direction of Ericsson employees. We are not talking about petty cash to pay parking but millions of dollars. (Didn’t someone ask where the petty cash was going or for receipt?) The control override was that the slush fund accounts were used to make payments to other third parties who Ericsson employees knew would not be able to pass Ericsson’s due diligence control processes. The management control override was that payments to the corrupt consulting company were made pursuant to sham contracts for services that were never performed. Finally, certain Ericsson employees mischaracterized these payments and improperly recorded them in Ericsson’s books and records.

Indonesia

In Indonesia, the internal control failures were basically the same as those in Vietnam but on a much grander scale.  The control failures were that sham contracts for services, which were never performed, were used to create a fund for bribe payments of approximately $45,000,000. There was control override as Ericsson employees involved took active steps to conceal these payments on Ericsson’s books and records. Finally, toward the end of the Indonesia bribery scheme, Ericsson made termination payments to the corrupt consulting company but “improperly recorded these payments in a “Customer Service” account connected with a “Cost of Sales” account.”

Kuwait

In Kuwait the control failures started with a bribe payment, funded by a corrupt agent and paid to a corrupt foreign official. This led to an after-the-fact Consultancy Frame Agreement under which $450,000 was paid to the corrupt consulting company. There was then an internal control failure as local employees approved a fake invoice for services that were never performed in order to paper over the payment.

Saudi Arabia

Here there were internal control failures, ineffective internal controls and management override of internal controls. Management entered into sham consulting agreements. The ineffective internal controls were the authorization of payments to the consultants while knowing or recklessly ignoring red flags which indicated a high probability that at least a portion of these commissions were bribe payments. It also included payments made to the Channel Islands for services allegedly delivered in Saudi Arabia. Finally, the internal controls failures included that due diligence performed on the corrupt Saudi consultants was completed almost one year after the contracts were signed. The due diligence was a sham and was conducted only because it was necessary to begin making payments.

I have listed out all of these internal control failures to emphasize the purpose that each step of due diligence, contracting and payment processes are compliance controls. Ericsson subjected itself to both criminal and civil liability through its actions and this double liability led directly to its $1.06 billion fine.

Join me tomorrow where I look at actions of Ericsson before, during and after the investigation and how those actions cost it millions of dollars in additional penalties.

Welcome to a special five-part podcast series from the Compliance Podcast Network. In this series I am taking a look at the Hughes Hubbard & Reed 2019 FCPA and Anti-Bribery Alert. I visit with five firm lawyers involved in the preparation of the report, each of whom is a subject matter expert in an area of the FCPA and anti-corruption. In this Part 5, I visit with Salim Saud, Partner at Saud Advogados, in cooperation with Hughes, Hubbard & Reed LLP, on developments in anti-bribery enforcement from Brazil from over the past year.

Some of the highlights include:

  • What is the key role the CGU has taken over the past year?
  • How is the CGU currently assessing compliance programs?
  • What were some of the setbacks in Brazil over the year?
  • How can a company obtain a Leniency Agreement?
  • What are some key lessons for the compliance practitioner?

Resources

Hughes Hubbard 2019 FCPA and Anti-Bribery Alert, click here.