Harold Ramis as Dr. SpenglerHarold Ramis died on Monday. For a generation of comedians and fans of comedy he was one of the driving lights of that genre. He was one of the screenwriters of Animal House and wrote the screenplays for both of the Ghostbuster movies, in addition to starring in them. His New York Times (NYT) obituary called him the “Alchemist of Comedy” and quoted from Paul Weingarten, who wrote, in The Chicago Tribune Magazine in 1983, “More than anyone else, “Harold Ramis has shaped this generation’s ideas of what is funny.”” So thanks Harold Ramis for Blutto, Otter, Founder, D-Day, Dr. Spengler and all the rest.

I am currently attending the Society of Corporate Compliance & Ethics (SCCE), 2014 Utilities & Energy Conference. As usual, it is an excellent event for the compliance practitioner. One of the things that I find not only intriguing but also extremely useful about this conference is the pairing of compliance practitioners from the fields of energy and utility. I did not attend the utility focused sessions for the first couple of years but now prefer those sessions because they focus so much on the process of compliance. While the actual compliance issues are not anti-bribery or anti-corruption, the process-oriented approach utilized in the utility energy can be a great set of lessons for the energy industry compliance practitioner to consider when looking at an energy company compliance regime.

On Monday there was a presentation by David Douglass, Federal Energy Regulatory Commission (FERC) Compliance at Kansas City Power & Light Company. Initially, Douglass presented several different compliance models, which the anti-corruption compliance practitioner can use to benchmark or evaluate your company’s compliance program. The first one Douglass termed the Compliance Maturity Model – Compliance at Every Level. It included:

  • Step 1 – Reacting only and engaging in panic. The elements of this level of maturity include the admonition to “Get it done”. Typically under this step compliance is operating in isolation and can only marshal resources as necessary and where ever they might be found.
  • Step 2 – Anticipating and acceptance of compliance. This increased maturity can help to bring about some efficiency, usually through the accepted use of automation. This allows a compliance practitioner to see connections between multiple programs and take steps to plan future approaches to ongoing and ad hoc compliance challenges as they might arise.
  • Step 3 – Collaborating. Under this step, compliance moves to being seen as a collaborative partner with the business units. This allows the identification of risks, the assessment of the company’s exposure to those risks and to prioritizing actions to meet those assessed risk. Finally, the collaboration step can allow for the re-use of technological components for multiple purposes, thus reinforcing great cost savings and value.
  • Step 4 – Orchestrating through and with the rest of the company. Under this ultimate step in the model, compliance works to help set enterprise wide objectives to help to coordinate enterprise wide risk analysis and response. The corporate wide visibility to risk analysis, management and remediation as well as compliance performance.

In addition to the above Compliance Maturity Model, Dougalss discussed two of the programs were set out by federal utility regulators. The first was the FERC’s Effective Compliance Program, which has the following seven standards:

  1.  Internal standards and procedures to prevent and detect violations;
  2. High-level management knowledge and oversight of internal compliance programs;
  3. Reasonable (due diligence) efforts to screen out “poor performers”;
  4. Reasonable internal communications and training efforts;
  5. Reasonable steps to evaluate program effectiveness, including confidential reporting options for employees;
  6. Creating and enforcing compliance incentives and noncompliance sanctions;
  7. After detection of a violation, companies shall take reasonable, responsive steps.

He then cited to the North American Electric Reliability Corporation’s (NERC’s) four hallmarks of effective compliance programs, which included the following:

1.    Senior management / leadership

  • Compliance Program is established in the company.
  • Compliance Program is formally documented and widely disseminated throughout the organization.
  • The Compliance Program is supervised by a high ranking company representative.
  • The head of the compliance function has access to President / CEO and Board.
  • The Compliance Program is designed and managed with independence.
  • There are sufficient resources dedicated to implement Compliance Program.
  • The Compliance Program has the full support of all company leadership

2.    Preventive measures are in place

  • A sufficient frequency of review of compliance program occurs.
  • There is sufficient frequency of training of employees on compliance program.
  • There is sufficiency of subject matter training of employees on compliance program.

3.    Prompt detection, cessation, and self-reporting

  • There is a sustainable process to internally assess compliance with regulations.
  • There is a sufficient response to identification of wrong-doing or misconduct.

4.    Effective remediation

  • There are effective internal controls and procedures present to prevent recurrence of misconduct.

Douglass also discussed the ‘3-lines of defense concept” for a best practices compliance program. Under this concept a properly constructed compliance program has three lines of defense to prevent a compliance incident. These three lines of defense are identified as (1) the Risk Content Owners line of defense; (2) the Risk Process Owners line of defense; and (3) the Risk Content and Content Monitoring Owners line of defense.

 I.                Risk Content Owners

This first line of defense is the business owner(s) who are on the front lines for any company. Their roles include management of day-to-day business risks and to recommend actions to manage and treat that risk. This group also is tasked with complying with the company’s risk management process. Where appropriate, this group will implement risk management processes where applicable and this group will execute risk assessments and identify emerging risk.

 II.             Risk Process Owners

This second line of defense is typically the company legal and compliance departments. Not only are these the standard setters in an organization but they may also be charged with certain monitoring tasks. This group should establish policy and process for risk management. This group is the strategic link for a company in terms of risk. It should provide guidance and coordination among constituencies. It should identify enterprise trends, synergies, and opportunities for change. This group should also initiate change, integration and operationalization of new compliance best practices. Typically this group is the liaison between the third and first lines of defense. Lastly, this group will oversee certain risk areas and in terms of certain enterprise objectives such as compliance with regulations such as Foreign Corrupt Practices Act (FCPA), Export Control, etc.

III.           Risk Content and Monitoring Owners

This third, and final, line of defense is generally thought of as the Assurance Providers and consists of senior management, Internal Audit and up to the Board of Directors. Its roles include either working with or through senior management and/or the Board of Directors. This line of defense is tasked to rationalize and systematize risk assessment and governance reporting so that it is not only transparent but useful and stored in a manner that can be retrieved if a regulator comes calling. It will provide oversight on risk management content/processes, followed by the second line of defense. Finally, it will provide assurance that risk management processes are adequate and appropriate.

This tripartite model is an excellent way for a company to not only think through how to design an overall structure but as an outline to assess how well it may be doing in any one specific compliance area such as anti-corruption compliance under the FCPA. The first line of defense should be driven down to the Business Unit level. This will allow, indeed require, the Business Unit to buy into the overall compliance program. The legal and compliance departments are the key bridge that writes and leads implementation of the overall compliance program through training but also assesses whether the compliance program is effective and remains robust. The role of senior management is to provide overall leadership and deployment of resources throughout this entire process.

I have found that the anti-corruption compliance, or indeed the anti-money laundering (AML) or export-control practitioner can learn quite a bit from their peers in the utility industry. While they may not rise to the level of “Alchemist of Comedy”, as did Harold Ramis, you might want to listen to what they have to say.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

One of the more public and ongoing corruption scandals in the world right now seems to be happening in Turkey. To say the events and facts are confused is an understatement. At this point there are not any international players who have been implicated but given the breadth and scope of what has come out of that country over the past month or so, it would only appear to be only a matter of time. It began in December when, according to the BBC, “The arrests were carried out as part of an inquiry into alleged bribery involving public tenders, which included controversial building projects in Istanbul. Those detained in the 17 December raids included more than 50 public officials and businessmen – all allies of the prime minister. The sons of two ex-ministers and the chief executive of the state-owned bank, Halkbank, are still in police custody.”

The Prime Minister claims that all of these arrests were simply political theater, generated by supporters of Fethullah Gulen, an influential Islamic scholar living in self-imposed exile in the US. Members of Mr. Gulen’s Hizmet movement are said to hold influential positions in institutions such as the police and the judiciary and the AK Party itself. Many believe the arrests and dismissals reflect a feud within Turkey’s ruling AK Party between those who back the Prime Minister, Recep Tayyip Erdogan. On Tuesday the Prime Minister and his supporters struck back at the police by removing approximately 350 police officers from their positions in the capital, Ankara. The Prime Minister and his supporters have also attacked the judiciary leading the investigation, claiming that it is all politically motivated.

In addition to the obvious turmoil based on the above, the country is feeling the fallout in the international monetary arena. In an article in the Financial Times (FT), entitled “Turkey warns of corruption probe risk”, reporter Daniel Dombey said that the country’s currency, the Turkish lira, had dropped 7.5% since the initial arrests back in December. He quoted the country’s Finance Minister, Mehmet Simsek, who said that there had been “some negative implications for the Turkish macro [economy].” Dombey also noted that the Turkish stock market had dropped almost 12% during the same time frame.

In the 2013 Transparency International (TI) Corruptions Perceptions Index (CPI), Turkey had a score of 50 which gave it a rank of 53 out of the 177 countries listed. It generally had better scores than other countries in southeastern Europe such as Greece and the Balkan countries. Other than Cyprus, it had better CPI scores than most other mid-eastern countries. But what about now and what does this mean for the US based multi-national who is currently doing business in Turkey or considering doing so?

One of the things that a compliance program must have is the flexibility to respond to changing events on the ground. Just as last summer’s GlaxoSmithKline PLC (GSK) corruption scandal in China brought attention to those issues in China, these very public events should bring the attention of your compliance team. My former This Week in FCPA co-host Howard Sklar said that a compliance program needed to be nimble in order to respond to such events in far-flung places. Risks change and they must be evaluated on a regular basis or in response to new facts on the ground, such as those which are present in Turkey.

There may also be more than anti-corruption risk at play in any given situation. If a company only looks at one type of risk, such as anti-corruption, rather than others such as export control or anti-money laundering (AML) it can lead to the concept of what is called the “functional trap” of labeling and compartmentalizing risk. In an article in the June issue of the Harvard Business Review (HBR), entitled “Managing Risks: A New Framework”, authors Robert Kaplan and Annette Mikes declare that good risk discussions must be integrative in order for risk interaction to be evaluated. If not, a business “can be derailed by a combination of small events that reinforce one another in unanticipated ways.”

The authors posit that it is difficult for companies to accurately and adequately discuss risk for a variety of reasons. One of these reasons is the aforementioned silo effect which can lead to a lack of discussion by a wide group regarding a number of risks, for example compliance risk; reputational risk; brand risk; credit risk; human resources risk are but a few of the types of risks mentioned in their article. The authors believe that one of the ways to knock down these silos when it comes to a more complete management of risk is to “anchor their discussions in strategic planning, one integrative process that most well-run companies already have” in place.

The authors cautioned that beyond simply introducing a systematic process for identifying and mitigating key risks, companies should also employ a risk oversight structure. The authors discussed the experience of the Indian IT company, Infosys, which uses a dual structure. It consists of a central team that identifies general strategy risks and then establishes central policy, together with a specialized, decentralized functional team. This second team designs and monitors policies and controls in consultation with local business units. These decentralized teams have the authority and expertise to respond to changes in the company’s risk profile coupled with the nimbleness and agility of being in the field to deal with smaller issues before they become larger problems for the central team back in the corporate office.

I believe that the current political turmoil in Turkey provides an example of the diversity your compliance program and risk assessment must maintain. Just as it is important to perform due diligence on third party representatives, before execution of an appropriate contract, the real work is in managing the relationship. In risk management, you must identify and assess the risk but the real work begins in managing the risk. This is where the rubber meets the road.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

JRydbergEd. Note-today I continue with my series of interviews with thought leaders in the compliance arena. Today, I post an interview of Jon Rydberg, CEO and Founder of Orchid Advisors.

Where did you grow up and what were your interests as a youngster?

I spent the majority of my life in Connecticut but lived in the Los Angeles area for approximately nine years. My wife and I moved back to the east coast in 2009 to be with family. Growing up the son of two teachers and a two-time valedictorian meant my childhood was destined to be focused on academics, leaving little time for other interests such as golf and soccer. My true childhood passion was entrepreneurship, only I didn’t know it at the time. My parents would say that I was good at generating ideas, starting a project and then losing focus only to do it all over again with another new idea. I guess you could classify my childhood to resemble that of a early-stage venture capitalist.

Where did you go to college and what experiences there led to your current profession?

My father was a teacher at the local high school. So, naturally that meant I had to attend the local preparatory school, Avon Old Farms. It was an incredible experience being surrounded by the best and brightest of student athletes and tenured professors. After high school, I received a BS in Mechanical Engineering and an MBA in Corporate Finance from Bucknell and Rensselaer, respectively. And, I was only a few classes short of a Masters in Accounting before my career escalated and my free time for academic interests became hard to come by

How did my current career spawn from that? It likely began with my first job, designing packaging for explosive devices in accordance with DOT regulations. Shortly after I was managing R&D efforts for tactical weaponry that were destined for Aerospace & Defense giants such as Lockheed, Boeing and United Technologies. In the early 2000s I led the A&D industry segment a global audit and consulting firm Protiviti and had a similar client service role for Ernst & Young. Almost every product I’ve touched since day one has been subject to a federal or state regulation. Today, I am the CEO of a national consulting practice focused on Transforming the Compliance EcosystemTM.

You have worked both in Big 4 accounting firms and in corporations. What lessons did you learn from these different types of employment experiences?

#1 – The concepts of compliance, internal control and internal audit are too often misunderstood, including amongst top executives. Unfortunately, the concepts are thought of us impediments, not enablers, of high-end business performance or beneficial elements of the corporate governance structure – until it is too late. The Orchid team offers an open invitation to any person or firm that wishes to partner on our initiative to enhance the perceived value of these functional areas.

#2 – Achieving compliance, comfortably, means establishing it as an equal business metric to quality, safety and financial performance. Human nature will drive people to focus on incentivized areas, obviously. So, concepts like a ‘balanced scorecard’ add value to ensuring the long-term viability of the organization and protects owner interests.

#3 – Don’t be afraid of recognizing when help is needed, no one knows everything. Take the opportunity to learn from those who’ve seen both the good and the bad elsewhere.

You have worked with a variety of US governmental agencies. Are there any general guidelines that you can give the compliance practitioner to who might be presenting to or working with a government agency for the first time?

Yes, I think it can be summed up with my favorite phrase – there is a big difference between being compliance and having a compliance program. The point is, Federal and State agencies have a job to do in both establishing new legislation and then regulating it. The role of a regulator isn’t loved but there’s not much we can do about it. A best practice approach is to build trust, be honest and transparent and recognize that continuous improvement begins with a self assessment and ends with a written compliance plan.

What led you to found Orchid Advisors and how do you hope to change the Compliance EcosystemTM?

I had worked with a number of high-profile attorney’s on various compliance projects who knew the law inside and out but who had little practical implementation experience. It was clear to me that someone, or some firm, had to be created to bridge the gap between those who could recite the regulations chapter and verse and those who make and ship widgets on a daily basis. Orchid Advisors was launched to ‘operationalize’ compliance with a proprietary methodology called the Compliance EcosystemTM.

The Compliance EcosystemTM takes the concept of compliance (as a department or impediment to execution) to a whole new level. Much like the Japanese approach to manufacturing processes and total quality development, the Compliance Ecosystem embeds compliance control into: (1) Business strategy; (2) Corporate culture; (3) Process and technology; and (4) Continuous improvement. Furthermore, it emphasizes the importance of managing compliance not only within the four walls of your business, but also at your suppliers, distributors and other supply chain partners.

And, the beauty of our methodology is that it applies to every industry, any company size or structure and any regulation. That being said, our initial focus includes: Anti-bribery (FCPA, UK Bribery, etc.); ATF firearms compliance; ITAR compliance; Import / Export compliance and Sarbanes-Oxley compliance.

You recently released the book “Anti-Bribery Leadership”, authored with myself. Who do you think should read this book and why?

Our book is unique. As Matt Kelly, Editor of Compliance Week stated, “it isn’t Shakespeare and it’s not intended to be.” This guide is specifically designed to be short and laser focused for high-level corporate executives, board members and corporate attorneys. In 60 pages we’ve provided:

  • A list of questions that those executives should be asking their own organizations;
  • A compliance methodology accepted by the Federal Government;
  • Examples of high-risk areas drawn from our own Department of Justice and Securities and Exchange Commission investigations; and
  • Tools to govern the ongoing operations of the business.

Anti-Bribery Leadership: Practical FCPA and U.K Bribery Act Compliance Concepts for the Corporate Board Member, C-Suite Executive and General Counsel is available in both bound and eBook versions. You can purchase a bound copy by clicking here and an eBook version on Kindle by clicking here. The eBook version is currently a Top Ten best-seller.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

Today we celebrate that noted British comedian who made his fame in America – Bob Hope.  He had a successful film career largely thanks to the series of seven “Road” movies he made with Bing Crosby and Dorothy Lamour, including Road to Singapore (1940), Road to Morocco (1942), Road to Utopia (1946) and Road to Rio (1947). Hope is also known for his entertainment of US military forces overseas. In 1941, after America’s entrance into World War II, Hope began performing for US troops abroad; he would play shows for more than a million American servicemen by 1953. Some 65 million people watched him perform for troops in Vietnam on Christmas Eve in 1966, in his largest broadcast. Hope also became a legend for his countless TV specials, which he would perform over the course of some five decades. He hosted the Academy Awards ceremony a total of 18 times, more than any other Oscars’ host.

What does Bob Hope have to do with compliance? First he was a comedian and second he reinvented himself several times. The anniversary of his birthday reminded me of an article written by Carole Switzer, the co-founder and President of the Open Compliance and Ethics Group (OCEG), for Compliance Week Magazine entitled “Analyze This: The Value of Business Risk Assessments.” In her article, one in a continuing of her series of GRC Illustrated articles, Switzer says that anti-money laundering (AML) compliance programs, like therapy are “difficult to define and relatively easy to avoid.” She quoted Larry David, co-creator of Seinfeld and creator of “Curb Your Enthusiasm” for the following thought on therapy, “I know enough about myself now to know that I really don’t need to know anymore.” Unfortunately, as Switzer notes, many companies have the same problem when it comes to their AML programs.

Switzer discusses a recent report by the UK Financial Services Authority (FSA) which highlighted four general reasons that UK banks failed to have effective AML programs. The same four reasons hold true for non-banking sector US companies in the area of AML.

(a) Denial. The FSA reported that one-third of the banks “failed to review their business-risk assessment program on a regular basis. Additionally, about one-third of the companies scrutinized also failed to alter their risk assessments in response to new developments and insights, such as when allegations of major corruption were levied against a customer or when a country’s risk profile spiked due to regime change.”

(b) Grandiose delusions (imagine a bank with grandiose delusions!). The FSA found that too many “customer-facing “relationship managers” could override customer risk scores produced by the risk-assessment program—without sufficient evidence to support the decision to disregard the score.”

(c) Borderline suspicious. Bank personnel did not understand how the AML risk assessment was generated and indicated that they were “confused” regarding what score indicated that a customer was a high risk.

(d) Avoidance coping. The FSA noted that institutions “inappropriately low risk weightings for high-risk factors, “sometimes overtly”; while “other banks chose to ignore well-known high-risk indicators and other adverse information from a variety of sources, “such as links to certain business activities commonly associated with higher levels of corruption.”

Fortunately Switzer laid out her thoughts on what an effective business risk assessment program should contain. From this risk assessment, you can identify where your company should focus its AML resources, determine how changes might affect your company, and where your program may need enhancement. She is quite clear that without an effective risk assessment, “your AML program will be inefficient as well as ineffective.” She sets our five steps to take.

  1. Define the Risk. Switzer says that “At the forefront of any good business risk assessment program is an executive vision. The executive sponsorship must ask themselves diffi­cult, critical questions.” This is largely because while there are certainly known risks to a business there are also risks you and your company may not be aware of so it is important to define what you know but leave it flexible enough to cover the unknown when it becomes known to you. Switzer lists some of the questions that you might begin with, which include: What are the inherent risks in our current business? What controls do we have in place? How much risk, after the business risk assessment process is instituted, remains? Should we close business locations? Should we add additional controls? Should we put spending restrictions in place? Are other industries at the same level of risk?
  2. Gather Intelligence. In this step, after executive sponsorship has set the strategy in motion, you must gather intelligence to truly understand the exposure across the organization’s products, services, and customer base. The AML team should consult local business and compliance leaders to gain key insight. The specific steps include: (1) Develop the business risk assessment questionnaire. (2) Determine what controls are currently in place. (3) Review the external risk. (4) Understand the magnitude of each risk factor. (5) Gather and normalize all data for review.
  3. Review the Findings. Once a full business assessment has been conducted and all the data collected, a full analysis of the data is performed at multiple levels. The overall picture of risk is reported to business line, regional leaders, and enterprise leaders. Switzer’s specific steps include (1) Creation of full evaluation reports of all measured data. (2) Involve AML staff, regulators, and critical business leaders in your review. (3) Utilize external, unbiased consultation to determine product and service risk for remediation.
  4. Decide How to Proceed. Switzer advises that after you come to an understanding of your exposure and risk, your vision has been set, and you have gathered data and reviewed it, you can set a course to move ahead. However, she cautions that “continual review of the plan’s impact on the business, even at this stage, is critical.”
  5. Implement the Plan. At this final step, after your company has defined its strategy, determined, by measurement, the exposure to AML risk, understood and evaluated the areas of potential risk and then “determined a path to accept, resolve and eliminate, it’s time to go to work setting the plan into motion—however, just because you are now implementing doesn’t mean you can relax. Constant scrutiny, learned best practices, and ongoing monitoring are critical.”

Switzer concludes by stating that “Risk assessment programs must evolve quickly as risks and crimes do. Building in a good system of correction and monitoring that can flex with your organization is critical.” So just as Bob Hope reinvented himself as the tastes of society changed, your risk assessment should be a “living, breathing process.”

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

Ed. Note- For those of you who do not know her, Mary Shaddock Jones is one of the compliance professions I regularly rely on for advice. I continually ask her to send over some guest posts as they are always topical, top notch and provide practical advice for the compliance practitioner. I will be out of pocket over the next two weeks and Mary has agreed to take over the lion’s share of posts for my blog. Today she begins her series with a topical post on chocolates and the pre-holiday season from Halloween to Thanksgiving. I know you will not only enjoy her series but get quite a bit out of them.

This summer, the Securities and Exchange commission charged Texas-based medical device company Orthofix International with violating the Foreign Corrupt Practices Act (“FCPA”) through improper payments of bribes (code named “chocolate”) to officials at Mexico’s government-owned health care and social services institution, Instituto Mexicana del Seguro Social (“ IMSS”), in order to obtain or retain business.  Sure, for those of you who regularly read Tom Fox’s blog, this is old news.  However, since he is off and today is Halloween, I thought I would start a series for the next two weeks re-examining some of the more recent, and perhaps not so recent cases with a fresh set of eyes.

The practical pointer for today’s blog is straightforward – it is imperative that companies which have FCPA exposure audit both their petty cash accounts, and all expenses coded to training and promotion. This is apparently where the improper expenditures were “hidden” by employees of Orthofix.  In my experience, companies need to be closely reviewing what little case law or factual allegations exist with regard to the FCPA so that they too know where to find any potential problems that may exist within their own company.  There are only so many ways to hide the dollar.  If you find yourself sitting in front of the DOJ and/or SEC in the future on allegations related to a violation of the FCPA…you will not gain any “chocolate points” if you haven’t implemented a robust compliance program.  But as FCPA practitioners have said over and over again – simply having a Code of Business Conduct, an Anti-Corruption Policy Manual and even person to person training is not enough.  You have to be proactive in trying to find what others don’t want to be found.  That is why the Orthofix employees didn’t book the improper payments as “bribes”.  They aren’t stupid.  They know this is one red flag that will stop the energizer bunny in its tracks.  So instead, they disguise the improper payments in a way that they think is clever.

According to the SEC, in order to obtain cash for the bribes, the Promeca executives wrote checks to themselves, which they justified as “cash advances”.  A smart person in the accounting department would ask – what was the cash advance for?  What was bought?  Are their valid receipts which state what was bought, when was it bought, who was taken to dinner or lunch, what was discussed, etc?  In order to continue the deception, the executives submitted false receipts for imaginary expenses including meals and new car tires.   Practical Pointer:  It may be a boring and tedious task, and one which hopefully never uncovers questionable payments – but companies must have someone in charge of reviewing expense reports – for everyone – from the top dog on down to the dog walker.  Do you have a process in place for reviewing expense accounts?  If not, put one in place.

Unfortunately for Orthofix, the improper payments became too large to hide in expense reports; therefore, a new hiding place had to be located.  The next best thing to expense reports is training and promotional expenses.   Remember that the FCPA includes three affirmative defenses under its anti-bribery provisions – the first of which is “reasonable and bona fide expenditures related to certain promotional activities”.  If the FCPA allows the payment for “promotional expenses”, what better place to hide improper payments than in plain sight?   Just because someone calls an expense a promotional expense, does not mean that the Company does not have to trust, but verify.

Specifically, the FCPA permits payments if the payment to a foreign official was a “reasonable and bona fide expenditure, such as travel or accommodation expense, that was directly related to the demonstration of a product or service, or performance of a contract with a governmental agency.”  Unfortunately, I was unable to determine from the public filings how the training or promotional payments were characterized so as to allow them to remain undetected by the accounting department at Orthofix until hundreds of thousands of dollars in improper payments had been made.  However, the practical pointer for you is this – do you have a process in place which places controls over when expenditures can be made for travel and lodging/training and/or promotional/marketing expenses?

Consider the following policy language:

The FCPA permits the payment of reasonable and bona fide expenditures on behalf of a Government Official and directly related to (1) the promotion, demonstration, or explanation of products or services; or (2) the execution or performance of a contract with a non-U.S. government or agency thereof.

Travel and Lodging: No travel or lodging may be offered or given to a Government Official without the prior written consent of the Company Compliance Officer or his or her designee and must meet the following guidelines: (1) it serves a legitimate Company business purpose; (2) invitations to a Government Official are transparent, in writing, and clearly state the business purpose of the trip; (3) no payment is made directly to a Government Official either through an advance or reimbursement for expenses (the Company should directly purchase travel or lodging from those who provide them, utilizing a travel agent or other third party if possible); (4) providing “per diem” fees or expenses is avoided, particularly where meals are already being provided; (5) no cash payments to a Government Official are made whatsoever; (6) travel and lodging expenses are only provided for the identified Government Official and not for spouses, family, or friends of the Government Official; (7) travel arrangements are directly between the place of residence or employment of the Government Official and the intended destination of the business travel, with no non-business side trips; (8) no reimbursements are paid without presentation of appropriate receipts; (9) providing the travel or lodging is permitted under local law and regulations and guidelines of the recipient’s governmental entity (note that some customers have strict policies against receiving gifts); and  (10) other than the travel or lodging identified above, the Government Official is not compensated for his or her participation in the planned trip.

Guidelines for Entertainment: Unless prior written approval from the Company Compliance Officer or his or her designee is obtained, entertainment provided to a Government Official must meet the following guidelines: (1) it serves a legitimate Company business purpose; (2) providing the entertainment is permitted under local law and regulations and guidelines of the recipient’s governmental entity (note that some customers have strict policies against receiving gifts); (3) it is of the type and value that is reasonable (not lavish, excessive, or frequent); (4) it is in line with the local customs of the country where provided; (5) it is of a type that is appropriate (e.g. no strip clubs); and (6) it is accurately recorded in the Company’s books and records.

Guidelines for Marketing Expenses: Unless prior written approval from the Company Compliance Officer or his or her designee is obtained, marketing materials (such as pens, caps, or mugs) provided to a Government Official must meet the following guidelines: (1) they serve a legitimate Company business purpose; (2) they are of nominal value; (3) they are of the type and value that are customary and appropriate for the occasion;(4) they are branded with the Company’s name and/or logo; (5) they are permitted under local law and regulations and guidelines of the recipient’s governmental entity (note that some customers have strict policies against receiving gifts); and (6) they are fully and accurately recorded in the Company’s books and records.

Remember, it is not enough to simply have a policy in place; you must also conduct trainings (have the training in both English and the predominant local language of your employees) and audits to ensure compliance.

No more chocolates for today… tomorrow is All Saints Day.  Stay tuned to see who didn’t perhaps make the list of saints.

—————————————————————————————————————————-

Mary Shaddock Jones has practiced law for 25 years in Texas and Louisiana primarily in the international marine and oil service industries.  She was of the first individuals in the United States to earn TRACE Anti-bribery Specialist Accreditation (TASA).  She can be reached at msjones@msjllc.com or 337-513-0335. Her associate, Miller M. Flynt, assisted in the preparation of this series.  He can be reached at mmflynt@msjllc.com.

—————————————————————————————————————————–

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication.