In May 2014, the Financial Accounting Standards Board (FASB) issued Accounting Standards Update No. 2014-09, Revenue from Contracts with Customers (Topic 606) for public business entities, certain not-for-profit entities, and certain employee benefit plans. It becomes effective for public entities for annual reporting periods beginning after December 15, 2017. In addition to changing things dramatically in the accounting and financial realms, this new revenue recognition standard which may significantly impact the compliance profession, compliance programs and compliance practitioners going forward. In this episode, we consider how the new revenue recognition standard could shake up the software industry.

Matt Kelly and I have put together a five-part podcast series where we explore implications of this new revenue recognition standard. Each podcast is short, 11-13 minutes and deals with one topic on the new revenue recognition standard. The schedule for this week is:

Part 1: Introduction

Part 2: What the logic of your transaction price?

Part 3: Shaking up software revenue recognition.

Part 4: Auditors need to pay attention.

Part 5: What does it all mean for compliance (and everyone else)?

One of the industries which may greatly feel the impact of the new revenue recognition standards is the software industry. Kelly noted, the new revenue recognition rule will ultimately allow some portion of the software sector to recognize more of their long-term contract revenue immediately. He believes they initially may think something along the lines of “Hey that’s sounds good right. We can hit our quarterly numbers. However, that then brings about bigger strategic questions.” So the reality may be somewhat different as a software company might need to think about this might well drive much more volatile revenue patterns over a multi-year period.

Kelly provide an example of the volatility from one of the companies he has studied, Microsoft. He stated that “when Microsoft adopted the revenue recognition standard earlier this summer, it actually pushed its revenues up because all those liabilities that would have been deferred revenue on the balance sheet recognized them all at once. Microsoft’s total revenue for 2017 went from $8.9bn to $26.5bn.” All that just because of a change in revenue recognition.

He then gave a more tangible example of a specific contract, where a company entered into a contract for five years, paying $500,000 and receiving 1000 seat licenses and four years of updates. Under the prior revenue recognition standards, the software company recognized a $100,000 in that first year when they signed the deal and then they had $400,000 of deferred revenue, which they recognized in chunks of $100,000 per year. Now a software company under the same scenario could recognized the entire $500,000 in the first year. While this may look great, it has serious implications. First and foremost, it will impact the software company’s balance sheet for the final four years of the five-year contract. It will seem most bare, with no deferred revenue. Kelly concluded “that’s the sort of thing that the software companies sector is going to go through a bit of a blender in early 2018 as people start to realize what all this means.”

Another obvious area of change will be in commission payments for sales persons and third parties. Previously they may have been paid when the revenue was recognized over the life of a contract. Now it may be all up front in the first year. This could cause a commission payment to be made in Year 1 of a 5-year contract. This would present the same cash flow issue for a sales person. Now consider this in a FCPA context. The five-year split of a commission payment has acted as an internal compliance control to keep such payments low enough so as not to create a fund for bribery. Now that type of internal control may not be available to the Chief Compliance Officer.

In a white paper for CalcBench, Kelly and Pranav Ghai found several themes emerging for software companies under the new revenue recognition standard.

First, software companies expect the new standard to accelerate revenue recognition for some long-term software contracts, where previously the revenue would have been recognized in increments across the life of the contract. This is because the new standard eliminates the need for “vendor-specific objective evidence” (VSOE). With the VSOE requirement gone, the new standard will allow firms to recognize more of the revenue from a long-term contract immediately.

Second, numerous firms said the new standard will change how they account for sales commissions, which qualify as costs of obtaining contracts. Under the new standard, sales commissions can be capitalized over the term of a contract, rather than expensed immediately. That means deferred commissions will increase as an asset on the balance sheet, and the amortization costs will be expensed over the term of the contract.

Finally, the data does raise questions about how well-prepared some software firms are for the new standard. While numerous firms say they plan to implement the standard by Jan. 1, 2018— but still report that they are uncertain about its possible effect, or even what adoption method they will use.

Perhaps one of the most unintended consequences will be for software companies looking for some sort of a merger, exit or those looking for an investment round from private equity or venture capital. The difficulty for PE or VC will be to determine what a software company’s value might be over a period of time. This may end up being one of the most critical questions facing software companies and those who invest in them.

I hope you will continue to join us for our exploration this week. Tomorrow in Part IV, we will consider how and why auditors need to pay attention.

Jay and I return for a wide-ranging discussion on some of the top compliance and ethics related stories of the week, in this week’s fire and ice edition:

  1. Former VW Engineer Oliver Schmidt sentenced to 7 years in jail for his role in the VW emssions-testing scandal. See article by Dick Cassin in the FCPA Blog.
  2. U.K.’s Financial Regulatory Council is proposing changes to the governance code in the areas of corporate culture, diversity and sustainable long-term growth. Mara Lamos Stein reports in the WSJ Risk and Compliance Journal.
  3. Transparency International criticizes uses of it Corruption Perceptions Index. Henry Cutter reports in the WSJ Risk and Compliance Journal.
  4. Caterpillar Unit Cheated Customers, Tossed Evidence Into Ocean to Hide It. See article by James Hagerty and James Tita in the WSJ.
  5. Matthew Stephenson asks if it is time to amend US domestic bribery statutes, in light of the US Supreme Court decision in McDonnell in the Global Anti-corruption Blog.
  6. Adam Turteltaub visits with Andy Hinton the CCO at Google on the SCCE podcast, Compliance Perspectives.
  7. Roy Snell and Kristy Grant-Hart share 10 ways to get involved with the SCCE, on the SCCE blog.
  8. The SEC’s Whistleblower’s program is alive and well with three awards in the past week. See articles in the Anti-Corruption Digest and the FCPA Blog.
  9. Join Tom’s monthly podcast series on One Month to a More Effective Compliance Program. In December, I consider discuss the use of written standards in a best practices compliance program. It is available on the FCPA Compliance Report, iTunes, Libsyn, YouTube and JDSupra.

Over the past few posts I have been exploring the Department of Justice’s (DOJ) new policy regarding Foreign Corrupt Practices Act (FCPA) enforcement. Deputy Attorney General Rod Rosenstein, in a speech, called it the FCPA Corporate Enforcement Policy and stated that it is now “incorporated into the United States Attorneys’ Manual.” I have considered what it means for the compliance practitioner and compliance profession going forward. Today, I want to conclude this series with some final thoughts.

The first observation is the process the DOJ went through to come up with this new Policy. The impetus would seem to have been the expiration of the one year FCPA Pilot Program in April 2017. At the conclusion of this one year experiment, the DOJ announced it would assess the Pilot Program. It not only assessed the Pilot Program but made changes which I think make the new Policy even more effective than the Pilot Program. In addition to the enforcement aspects of increasing the discount available to companies which met the requirements of the Pilot Program down to a 100% discount, from a Pilot Program high of a 50% discount; the DOJ made the presumption companies would receive a full declination as the default response to meeting the prescripts of the new Policy. Nowhere else under federal law is there such a presumption when there is a violation of federal criminal law.

Yet beyond the presumption of a full declination, there are additional benefits to companies which fail to disclose or have aggravating factors. Mike Volkov noted these additional benefits consisted of “a guarantee of a 50 percent discount and the probable avoidance of a corporate monitor.” Further, “In the event that a company does not qualify for a voluntary disclosure but cooperates and remediates its compliance program, the company can still earn up to a 25 percent discount from the bottom of the Sentencing Guidelines range.”

As a part of its review of the Pilot Program, the DOJ brought forward language on the expectation of a best practices compliance program, which I previously examined in some depth. There was language brought forward from both the Pilot Program and the 2017 Evaluation of Corporate Compliance Programs (Evaluation). Each of these additions builds upon the 10 Hallmarks of an Effective Compliance Program incorporated through reference into the new Enforcement Policy.

These new additions to a best practices compliance program elevate both the corporate compliance function and the position of the Chief Compliance Officer (CCO) in an organization. Perhaps most importantly, the DOJ made clear there must be compliance expertise on the Board, which signals that companies should now have a compliance program subject matter expert (SME) on their Board of Directors. Hopefully companies like Wells Fargo and Uber will take notice of this new DOJ expectation. Compliance department budgets will also need to be commensurately increased.  There is also now the requirement for not only a root cause analysis but the looping the information obtained during the root cause analysis back into the remediation phase of any corporate compliance program. While myself and others have argued these were DOJ requirements based on the Pilot Program and Evaluation, it is now a part of the US Attorney’s Manual, they will be given the full credence they deserve.

James Koukios, in Episode 360 of the FCPA Compliance Report, characterized these changes as “clarification and consolidation”; another way to consider these changes are of preservation and enhancement. The DOJ preserved the foundational compliance elements found in the 10 Hallmarks of an Effective Compliance Program and enhanced compliance programs through the incorporation of those items from the Pilot Program and Evaluation. Whichever formulation you might prefer, clearly the compliance discipline was moved forward by the DOJ with the new Policy.

All of these new statements, consolidations of prior DOJ publicly released documents and items from other sources are now consolidated in one Policy. Certainly, this is a positive move forward for all parties involved in the process; prosecutors, companies and their counsel. Looking back at the DOJ statements from this year, it is clear how important the compliance function and compliance profession is in FCPA enforcement. In April Attorney General Sessions said, at the Ethics & Compliance Initiative (ECI) Annual Conference, the following about compliance practitioners, “your work seeks to prevent, by building strong cultures of compliance within your companies to deter illegal and unethical conduct. We applaud those efforts. Our department would much rather have people and companies obey the law and do the right thing, so we don’t have to see them in court. Your good work makes our jobs easier, and it makes your companies and our country better. So far, so good. The E&C community is recognized for doing their job of helping companies follow their moral compass.”

Finally, the DOJ has brought everyone into the fight against bribery and corruption. Someone as thoughtful as former Deputy US Attorney General George J. Terwilliger III, writing in the FCPA Blog, said, “The new policy is grounded in the notion that companies and the government have a shared interest in securing the rule of law, which in this context includes global commercial markets freed from the influence and corrosive effects of corruption.” When you can couple such a policy under the rule of law, it is quite an achievement. It is the final concept which makes this new Policy truly unique. Hats off to the DOJ for it.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2017

As I continue my exploration of the new Department of Justice (DOJ) policy regarding Foreign Corrupt Practices Act (FCPA) enforcement, the FCPA Corporate Enforcement Policy (Policy), one of the things that struck me was the sound of the death-knell, once and for all time, of the call for a compliance defense. The protocol set up by the DOJ is certainly creative and perhaps even unique in federal criminal law enforcement. The enforcement aspects, coupled with the incentives provided to corporations and the detailing of compliance best practices, are much more comprehensive to and robust for the advancement of corporate compliance than any argument for a compliance defense.

In considering the new Policy, most practitioners have started with the presumption that if a company meets the requirements under the new Policy, they will receive a declination. There are a variety of factors present in FCPA enforcement actions which would lead the DOJ to make this blanket offer. As stated in the new Policy “The investigation and prosecution of particular allegations of violations of the FCPA will raise complex enforcement problems abroad as well as difficult issues of jurisdiction and statutory construction.”

Those who advocate a compliance defense argue it will somehow drive more compliance. Of course, there has never been any evidence to back up this claim. The structural problem with the compliance defense is it is simply a paper program to give companies cover as they look the other way while their employees engage in bribery and corruption. It is designed to a be a ‘wink-wink, we told you not to do it.’ Companies would then claim any FCPA violation is all those “rogue” employees out there and a company certainly cannot be expected to control its own workforce. The compliance defense is designed neither to encourage the doing of compliance nor operationalizing compliance in a company. It is simply designed to give companies a way to argue to the DOJ it is not our responsibility while not moving forward in the fight against international bribery and corruption one iota.

Yet perhaps the most basic misunderstanding that those advocating the compliance defense make is that there is simply a binary choice to be made: us vs. them; guilty vs. not guilty, conviction at trial vs. no conviction at trial. They fail to understand that the underpinnings of FCPA enforcement have always held a much broader view. It was true at the time of the FCPA’s enactment in 1977 and it is even more true today. The new Policy recognizes this unusual nature in the international fight against bribery and corruption. George J. Terwilliger III, writing in the FCPA Blog, said, “The new policy is grounded in the notion that companies and the government have a shared interest in securing the rule of law, which in this context includes global commercial markets freed from the influence and corrosive effects of corruption.”

This is the brilliance of the new Policy, as not only does it encourage doing compliance by mandating an operationalized compliance program. The new Policy also requires a company to do much more than simply operationalize compliance. Each component of the new Policy moves this notion forward. First there is a presumption created, not a guarantee, that a company will receive a declination. This is important for not only the aggravating factors that the Policy listed, “involvement by executive management of the company in the misconduct; a significant profit to the company from the misconduct; pervasiveness of the misconduct within the company; and criminal recidivism.” The carrot of a declination requires other steps and continuation of those steps throughout the investigation and enforcement process.

A company must voluntarily self-disclose with three requirements. It has to be (1) “prior to an imminent threat of disclosure or government investigation”. (2) The self-disclosure must be “within a reasonably prompt time after becoming aware of the offense,” which the company must demonstrate. (3) Finally, the company must disclose, “all relevant facts known to it, including all relevant facts about all individuals involved in the violation of law.” This means the company cannot wait until it is on the front page of the New York Times (NYT) or Wall Street Journal (WSJ) to then come in and report. The company cannot sit on the discovery as multiple US companies have done around their disclosures of data breaches. Finally, the new Policy continues the Yates Memo mandate that companies will have to continue to produce “Yates Binders” of information about the illegal conduct, including evidence of culpable individuals.

A company must proactively cooperate fully with the DOJ during the pendency of the investigation. This cooperation mandates presentation of the facts, in a manner not designed to violate attorney/client privilege, together with timely updates. There must be timely document security and if a company claims it is limited on information it can get out of another country into the US, the burden is on the company to demonstrate this legal restriction and not simply hide behind a foreign law. The new Policy also requires the company to find a way to get the evidence to the US stating, “Moreover, a company should work diligently to identify all available legal bases to provide such documents.” The Policy addresses two key issues not previously addressed formally by the DOJ. The first is requiring de-confliction with the DOJs investigation or other ongoing investigations. The second is to recognize that employees have Fifth Amendment rights in internal company investigations. Finally, and perhaps most timely in light of the latest Uber revelation, requires companies to prohibit “employees from using software that generates but does not appropriately retain business records or communications”.

I have written at length about the compliance program aspect of the new Policy. Here I would only note that it incorporates the 10 Hallmarks of an Effective Compliance Program by reference, certain requirements first articulated under the 2016 FCPA Pilot Program and requirements from the Evaluation of Corporate Compliance Programs. In one document, compliance practitioners can determine the most current best practices in compliance. This is welcomed by the compliance community.

The new Policy formalizes the declination with disgorgement, created under the FCPA Pilot Program. This formalization also works to further the goals of anti-corruption enforcement by recognizing companies should not retain their ill-gotten gains, which is also antithetical to the concept of the compliance defense which allows retention of such gains. This is an appropriate sanction.

The new Policy furthers the goals of global anti-corruption enforcement but does it a way in which all the stakeholders involved are a part of that effort. It gives companies a very bright line to work towards, with the presumption of a full declination to follow at the end. This is a much more well-rounded approach for incentivizing not only the increased importance of compliance but also other goals of cooperation, investigations and returning monies not obtained in legitimate commerce. As Telwelliger noted, the Policy is “a welcome step in a more positive relationship between government enforcers and the vast majority of U.S. businesses that are committed to legal compliance and strong business ethics.” It is this commitment to doing compliance and business ethics through operationalizing of compliance which will drive corporate compliance programs and the compliance profession forward, not a paper-program compliance defense.

 

 

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2017

Last week, the Department of Justice (DOJ) premiered a new policy regarding Foreign Corrupt Practices Act (FCPA) enforcement. Deputy Attorney General Rod Rosenstein, in a speech, called it the FCPA Corporate Enforcement Policy. I have explored some of the issues relating to the compliance professional and compliance programs. I believe this new Policy has strengthened not only the need for an effective compliance program but also continued the DOJ’s elevation of the compliance profession within an organization.

Today I want to consider some of the components of the new Policy which speak more about enforcement. I had the opportunity to visit with James Koukios, a partner at Morrison & Foerster LLP and a former DOJ prosecutor in the FCPA unit of the Fraud Section. Koukios characterized the new Policy as one of “clarification and consolidation.” I found this new Policy to be the culmination of different concepts we have seen in FCPA enforcement actions, the 2016 FCPA Pilot Program, the 2017 Evaluation of Corporate Compliance Programs and DOJ pronouncements at speeches over the past few years. It also incorporated concepts articulated in the Yates Memo from September 2015.

I was most particularly interested in the presumption laid out in the new Policy. The language reads:

Due to the unique issues presented in FCPA matters, including their inherently international character and other factors, the FCPA Corporate Enforcement Policy is aimed at providing additional benefits to companies based on their corporate behavior once they learn of misconduct. When a company has voluntarily self-disclosed misconduct in an FCPA matter, fully cooperated, and timely and appropriately remediated, all in accordance with the standards set forth below, there will be a presumption that the company will receive a declination absent aggravating circumstances involving the seriousness of the offense or the nature of the offender. Aggravating circumstances that may warrant a criminal resolution include, but are not limited to, involvement by executive management of the company in the misconduct; a significant profit to the company from the misconduct; pervasiveness of the misconduct within the company; and criminal recidivism. [emphasis supplied]

This was the first time I could recall the DOJ saying that even with a violation of federal law, a company could start out with a presumption of receiving a declination. I put the question to Koukios of whether my view was correct and he responded, “I think you are exactly right, Tom.” He went on to add that due to the unique circumstances present in FCPA cases the DOJ aimed to bring additional benefits to companies based on their corporate behavior. Further, “the presumption can be overcome if there are certain aggravating factors and those are things that you would probably recognize from other parts of the U.S. attorney’s manual like high level management involvement, corporate recidivism and other factors like that.” Koukios characterized this presumption as “a real improvement over the over the pilot program.”

I was also interested in the process the DOJ used to develop the new Policy. Step back and consider the innovation of the Pilot Program and how it helped to formalize the process that former FCPA unit head Patrick F. Stokes had described at the 2015 ACI National FCPA Conference; where he laid out criteria for fine and penalty reductions. Stokes explained the discounts that both Parker Drilling and Hewlett-Packard (HP) received from their extensive cooperation and remediation. Obviously, there is language from the FCPA Pilot Program which was announced in April 2016. The Pilot Program put discounts in place of up to 50% for meeting the requirements and now that discount can range up to 100%.

Koukios pointed to the new category of declination with disgorgement as a solid achievement and the biggest outcome from the Pilot Program. He felt like it really benefited corporations, so they would not have to go through either a more formal Deferred Prosecution Agreement (DPA) or Non-Prosecution Agreement (NPA) process. Further, companies would have less information about their violations put out into the public record.

From the Yates Memo, there were two areas where the new Policy pointed towards companies self-disclosing quickly, efficiently and with solid information about culpable individuals. In the introductory policy section, it states, “Any information relating to a possible violation of the FCPA should be brought immediately to the attention of the Fraud Section of the Criminal Division. Even when such information is developed during the course of an apparently unrelated investigation, the Fraud Section should be notified immediately.” In the section defining “Voluntary Disclosures” it states, “The company discloses all relevant facts known to it, including all relevant facts about all individuals involved in the violation of law.” [emphasis supplied]

Last April, at the one year anniversary of the Pilot Program, the DOJ announced it was reviewing and evaluating the Pilot Program. The new Policy came out of that process. I found this process to be an excellent example where the DOJ reviewed how it prosecuted FCPA cases, inputted data and came up with something better and stronger in the form of the new Policy. There is also language from the 2017 Evaluation of Corporate Compliance Programs, most particularly impacting the compliance practitioner and compliance profession that I explored over the past two blog posts.

Tomorrow I will consider how the new FCPA Corporate Enforcement Policy sounds, once and for all-time, for the death-knell of the clarion cry for a compliance defense.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2017