In the new FCPA Corporate Enforcement Policy, it stated that as one of the items required for a company to receive full credit for timely and appropriate remediation, “Appropriate retention of business records, and prohibiting the improper destruction or deletion of business records, including prohibiting employees from using software that generates but does not appropriately retain business records or communications”. In other words, the problem of modern disappearing text messaging apps.

In this episode, I visit with  Brian Burke, partner at Shearman & Sterling and head of the firm’s Asia Litigation practice about the continued fallout since the release of the Justice Department’s new FCPA Corporate Enforcement Policy and its requirement instant messaging. We discuss the new Policy’s requirement and how companies can protect themselves. Brian can also speak to how companies can ensure the use of applications like WeChat and WhatsApp in business settings does not inadvertently threaten an employer’s subsequent ability to seek a declination or reduction in fines – and the practical measures companies can take in an effort to comply with the date retentions requirement under the Policy.

Some of the highlights include:

  • Document control and retention have been a requirement for some time, why did the DOJ feel the need to specifically address this issue?
  • Are there any enforcement actions we can look to for guidance?
  • Can you suggest any practical steps a company can take? Ban What’s App communications? Ban Instagram or any other messenger app?
  • In the era of BYOD, how does a company police this with its workforce, particularly oversees?
  • What must a company show to the DOJ to demonstrate compliance with this requirement?
  • What advice are you giving clients on this issue?

For a copy of the firm’s most recent FCPA Trends & Patterns in the Enforcement of the FCPA, click here.

SAI Global has released a white paper entitled “Predicting Risk: A Strategic Culture Framework for the C-Suite” (the “White Paper”). I recently visited with the White Paper’s author, Caterina Bulgarella, who is a culture architect and ethics collaborator with SAI, about the White Papers, her research and the issues developed from it.  In this White Paper, she introduces a strategic culture framework which compliance professionals and companies can use to not only help them assess their ethical culture but provides a framework to map ethics to their business process in a manner which improves ethics and compliance and improves overall business processes leading to more robust efficiencies and greater profitability. You can listen to the podcasts each day at 10 AM on the FCPA Compliance Report and on JDSupra or if you want to binge out they are all available on my iTunes site, beginning at noon today.

Bulgarella believes we are in a time of profound change and the speed at which things are changing. The fourth industrial revolution is happening now and bringing sweeping change. Over the next five years, 50 billion machines will be connected across the globe, on pace to revolutionize the way companies and people operate. This makes everything uncertain and ambiguous and that the changes are rewriting our value system faster than we can even realize. She provided a couple of examples. More generally, we know technology is changing how we act, operate, deliver and do many other things. More specifically, simply consider Artificial Intelligence (AI) and how this tool is going to cause a loss in privacy and confidentiality. Some of the questions it raises is whether these changes are ethical or not? Is the pace of change and the change itself a reasonable price to pay to or should we be more cautious?

When you overlay all this with the complexities of not only the modern world but also the current business environment, you can see the need for a more coherent framework for discussion and analysis of ethics and compliance. What may have been acceptable business practices can change literally overnight; here you can witness the number of companies that are scrambling to explain their contracts with ICE and that they were not involved with the child separation policies instituted by the Trump Administration. With so much at stake and with so many variables, companies need a more robust framework to help them make not only the right decision but ethical decisions as well.

The strategic culture framework was created to help improve many of these corporate practices in tangible ways. It integrates a wealth of insights from behavioral science, as what we know about human behavior today is vastly more precise than what we knew even five years ago. Many of these insights have not been incorporated in organizational practices and that is where the strategic culture framework comes in, to connects the dots. The strategic culture framework explains how culture affects people’s ability to do the right thing and what risks an organization faces.

The strategic culture framework is a model for maximum impact because it identifies the two culture dimensions that organizations should actively manage to reduce risk and increase ethical performance. The first dimension is delegation of ethical dilemmas. This is the extent to which the culture of an organization creates dilemmas and leaves these dilemmas un-addressed. The second dimension is distance to which the culture builds ethical capacity. This means that the culture must build resources, practices, and resilience that help people to deal with ethical challenges successfully.

Bulgarella noted that while there is really a broad and deep discourse around corporate values and around the idea of building business ethics around corporate values, she does not believe there is sufficient dialogue as to what organizations actually value. It is what the organization actually values that ultimately shapes how things are done and what is given priority within that organization. Company values shape the decision-making and execution and it is critical to understand them, together with the consequences they can create and risks they entail.

Bulgarella concluded with some thoughts on corporate culture, which she characterized as “the DNA of an organization which goes to the heart of an organization’s identity and purpose.” This is really what an organization believes and it is the “source of the substratum to all that is human, all the human endeavors in an organization.” However, she also cautioned that culture is a complex architecture. It is important to keep in mind the complexity of every corporate culture, when trying to implement any for best practices ethics and compliance program.

Bulgarella listed several different complexities of corporate culture and how corporate culture shows up in the way an organization’s systems and processes are designed; it shows up in the way people behave in their types of expectations and it can even show up in their mindset. This can make it difficult to simply find one formula or one definition for culture. I would encourage people to focus on what the organization beliefs and values and recognized the corporate values of an organization’s belief system. That distinction can be critical.

We also discussed where the strategic culture framework could be going and how corporations can utilize the it to improve not only their culture and values but their business performance as well. Bulgarella emphasized the strategic culture framework is a tool help navigate complexity. She has seen organizations use the it in variety of ways to manage risk and ethical performance. Moreover, the strategic culture framework is a strategic tool that can be used to assess and measure culture, to recalibrate the key cultural determinance, to hold stakeholders accountable and to help executive teams and Boards take a comprehensive look at the risk profile of their organizations. The strategic culture framework can deliver a very concise and powerful map of both risk and ethical performance because it cuts across different layers of culture as it provides actionable guidance for the reason that it highlights a key priority.

The strategic culture framework is a tool to use to gauge the effectiveness and impact of ethics and compliance practices. It is well-known that effective compliance and ethics programs can reduce dilemmas and increase ethical capacity. If they cannot move the needle in those two directions, they are likely missing the mark when it comes to impact. To make progress on the practices we have considered though the strategic culture framework clearly demonstrates a commitment to creating the internal pathways to a strong, vibrant and healthy listener culture.

Yet, as the White Paper notes, in “its simplest implementation, the strategic culture framework can be used to inform internal discussions on culture and risk. It can also be leveraged to orient the work of independent monitoring committees and create a scorecard of culture and risk for the board to review regularly.”

For a full copy of “Predicting Risk: A Strategic Culture Framework for the C-Suite” click here. For more information on SAI Global, click here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2018

While dodging black cats, walking under open ladders and looking into broken mirrors, Jay Rosen and myself are back on this Friday the 13thto take a look at some of the top compliance stories from the past week.

  1. Want to take a deep dive into the Credit Suisse FCPA enforcement action? Check out Tom’s 3-blog post series (Part I, Part IIand Part III) and Mike Volkov’s two-part series (underlying factsand lessons learned).
  2. What’s the best way to use data to detect corruption? Enestor Dos Santos, principal economist at BBVA Research writes in Global Anti-Corruption Blog. For the full BBVA Research report clickhere.
  3. Did FCPA enforcement pick up in Q2? William Garrett explores this question in WSJ Risk and Compliance Journal.
  4. Romania’s president removes chief anti-corruption prosecutor. Radu-Sorin Marinas reports in Reuters.
  5. Tony Hayward (yes, that Tony “I want my life back” Hayward) will lead Glencore’s corruption investigation. What could go wrong? Harry Cassin explores in the FCPA Blog. Is Glencore pushing the corruption risk envelope too far? David Pilling opines in the Financial Times. (sub req’d)
  6. Does AI create or simply expose ethical dilimmmas? (Hint-it’s all about the data). Vera Cherepanova explores this question in the FCPA Blog.
  7. The second half thebriberyact.com guys; Richard Kovalevsky QC leaves Chambers to move to Stewart’s. Waithera Junghae reports in GIR. (sub req’d)
  8. Are the administration’s moves against ZTE part of a larger all out trade war strategy against China and/or the rest of the world? Louise Lucas explores this question in the Financial Times. (sub req’d) New management says compliance is the top priority. See report in com.
  9. Tone at the top really does matter. PapaJohn Chairman (and former CEO) resigns from Board after using racial slur in con call with vendor. Vendor fires PapaJohn’s as client. See report in Wall Street Journal.
  10. Uber finally gets a CCO but loses its head of HR. Greg Bensinger and Sadie Gurman report in the WSJon the hire. Bensinger reports on the resignation of the head of HR in WSJas well.
  11. The Red Sox have the best record in baseball at the All-Star break. Can they avoid yet another collapse? Jay and Tom debate.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Last week Credit Suisse Group AG (CSAG) and Credit Suisse (Hong Kong) Limited (CSHK), a subsidiary of CSAFG, settled a Foreign Corrupt Practices Act (FCPA) enforcement action for just over $77 million for the illegal hiring of family members and close personal friends of Chinese government employees and employees in Chinese state-owned enterprises. CSHK obtained a Non-Prosecution Agreement(NPA) from the Department of Justice (DOJ) and CSAG entered into an agreed Cease and Desist Order(Order) with the Securities and Exchange Commission (SEC). Collectively, they paid a criminal fine to the DOJ in the amount of $47 million and disgorgement to the SEC in the amount of $24.9 million with interest of $4.8 million for a total to the SEC of $29.8 million.

The FCPA enforcement matter was concluded with a substantial positive for CSAG given its conduct surrounding the affair. CSHK employees worked actively to circumvent, over-ride and hide their actions; clearly indicating the intent to provide benefits to foreign government officials in return for significant benefits. I have been considering this FCPA enforcement, lessons to be learned for the compliance practitioner and how CSHK was able to garner such a superior NPA result. Today I conclude with some of the factors which led to the DOJ giving a 15% discount on the criminal penalty and steps companies should take around the hiring of family members of foreign government officials and employees of state-owned enterprises.

Even with the intentional acts of CSHK, the (very) bad facts outlined in the prior posts, CSAG obtained what can only be described as a superior result in CSHK receiving a NPA and the US entity agreeing to a Cease and Desist Order. This enforcement action is now one of three from the spring of 2018 which demonstrates the effect of the new FCPA Corporate Enforcement Policy, announced in late November 2017, and the new anti-piling on policy announced in May 2018. The other two enforcement actions were the Declination issued to Dun & Bradstreet, Inc. and the Deferred Prosecution Agreement (DPA) obtained by Panasonic Avionics Corporation. The DOJ and SEC have made clear the benefits to a company which cooperates and remediates, even if they do not so fully and they do not self-disclose the FCPA violation.

The Result

CSHK did not receive any credit for self-disclosing the FCPA violations and “because neither it nor CSAG voluntarily and timely disclosed to the Offices the conduct described in the Statement of Facts”. However, CSHK did receive “partial credit for its and CSAG’s cooperation with the Offices’ investigation, including credit for conducting an internal investigation, making factual presentations to the Offices, voluntarily making foreign-based employees available for interviews in the United States, producing documents to the Offices from foreign countries in ways that did not implicate foreign data privacy laws, providing translations of foreign language documents, and collecting and presenting evidence to the Offices”. Tellingly, it did not receive full credit for its cooperation “because its cooperation was reactive, instead of proactive.”

CSHK did institute significant remediation, including:

(1)   adopting additional compliance internal controls related to their hiring programs;

(2)   implementing procedures in the Asia Pacific region in 2013, and globally in 2015, to ensure the identification of and anti-corruption vetting for all candidates referred for employment by foreign government officials and employees of state-owned enterprises;

(3)   requiring all candidates for employment to be screened by an independent service for connections to government officials, SOE employees and other “politically exposed persons” and verifying the efficacy of this screening;

(4)   requiring additional post-hire controls on employees linked to foreign government officials and employees of SOEs, such as ring fencing them from work involving such officials and SOE employees and requiring compliance personnel to track their performance;

(5)   requiring and conducting periodic reviews of hiring controls, and developing procedures for the regular evaluation of hiring controls;

(6)   conducting yearly headcount reviews to ensure accurate record-keeping concerning hiring; and

(7)   requiring improved FCPA and anti-corruption training for all staff, including job-specific training for bankers, recruiters, human resources, and compliance personnel.

Yet here CSHK did not receive full credit as it did not discipline those within the organization who “engaged in the misconduct, and instead only recorded policy infractions internally and provided notices of infractions”. For all of the above and some other efforts, the company did receive a 15% discount off the bottom range in the Sentencing Guidelines. It is also important to note that the SEC stated in its Order, “Respondent acknowledges that the Commission is not imposing a civil penalty based upon the imposition of a $47 million criminal fine as part of Credit Suisse’s settlement with the United States Department of Justice.”

Going Forward

It is incumbent to note that there is nothing illegal in the hiring of family members of foreign government officials or employees of SOEs. What is illegal under the FCPA is intentionally hiring a family member or close personal friend to influence a decision maker at a foreign government or SOE to confer a benefit. If the answer to that question is yes, then the FCPA is impacted. That benefit can be a new contract, contract renewal, tax benefit, confidential inside information or the wide variety of other conduct which constitutes a benefit under the FCPA.

Moreover, there is nothing in the FCPA which makes illegal or prevents the hiring of a family member or close personal friend of a foreign government official or SOE employee. Admittedly, such a hiring may be more high risk and require greater risk management but there is nothing which prevents any business from such hires. The key is that the hiring goes through the standard hiring process.

It all starts with the hiring criteria. If a candidate does not meet your company’s educational or professional standards for hiring, they should not be considered – full stop. There should not be any waivers or exceptions granted unless it is for a technical position that the candidate is uniquely suited for, all of which must be documented. If such a candidate is hired then they must be ring-fenced from working on any matter related to their family member who is a foreign government official or SOE employee.

What is the criteria Compliance can advise HR on to implement and operationalize the compliance issues in hiring? There are three questions I suggest be used to analyze the hiring of a family member of foreign official or SOEs. They can also be installed as internal controls.

  1. Does the candidate meet your firm’s hiring criteria?
  2. Did the foreign official whose family member you are considering for hire demand or even suggest your company hire the candidate?
  3. Has the foreign official made or will make a decision that will benefit your company?

If the answer to the first question is “No” and the second two “Yes”, you may well be in a high-risk area of violating the FCPA. You should investigate the matter quite thoroughly and carefully. Finally, whatever you do, Document, Document, and Document your investigation, both the findings and the conclusions. Furthermore, these questions can be set up as internal controls. This is another example of how a company can operationalize compliance and burn it into the fabric and DNA of an organization. Additionally, it provides another level of oversight or “a second set of eyes” on the hiring process around hires that are high-risk under the FCPA.

I hope you have enjoyed this short series on the CSAG FCPA enforcement action. For an enforcement south of $100 million there was quite a bit to unpack and more to learn for the compliance practitioner.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2018

Last week Credit Suisse Group AG (CSAG) and Credit Suisse (Hong Kong) Limited (CSHK), a subsidiary of CSAFG, settled a Foreign Corrupt Practices Act (FCPA) enforcement action for just over $77 million for the illegal hiring of family members and close personal friends of Chinese government employees and employees in Chinese state-owned enterprises. CSHK obtained a Non-Prosecution Agreement (NPA) from the Department of Justice (DOJ) and CSAG entered into an agreed Cease and Desist Order (Order) with the Securities and Exchange Commission (SEC). Collectively, they paid a criminal fine to the DOJ in the amount of $47 million and disgorgement to the SEC in the amount of $24.9 million with interest of $4.8 million for a total to the SEC of $29.8 million.

The FCPA enforcement matter was concluded with a substantial positive for CSAG given its conduct surrounding the affair. CSHK employees worked actively to circumvent, over-ride and hide their actions; clearly indicating the intent to provide benefits to foreign government officials in return for significant benefits.

Acting Assistant Attorney General John Cronan said in a DOJ Press Release,“The Department of Justice remains steadfast in our commitment to combatting bribery and corruption in all its many forms, including where companies engage in corrupt hiring practices to gain the favor of foreign officials to generate improper business advantages and increase profits.” U.S. Attorney Richard Donoghue said, “Credit Suisse Hong Kong’s practice of employing friends and family members of Chinese government officials as a quid pro quo for lucrative business opportunities was both profitable and corrupt and now the company will pay the price for that corruption.” Assistant Director-in-Charge William F. Sweeney, Jr. was quoted for the following, “In the banking industry, not every undertaking is fair game. Trading employment opportunities for less-than-qualified individuals in exchange for lucrative business deals is an example of nepotism at its finest. The criminal penalty imposed today provides explicit insight into the level of corruption that took place at the hands of Credit Suisse Group AG’s Hong Kong-based subsidiary.”

The Bribery Scheme

The illegal actions were engaged in by CSHK and their business in China. CSAG itself had a policy around not only the hiring of family members of foreign government officials and those of state-owned enterprises but also for training activities and internships which recognized that job offerings were “things of value” under the FCPA, (the “Global Policy). The Global Policy stated, “such referrals could only qualify for positions in existing campus or lateral hiring programs with open application processes and that no special treatment could be provided for those referrals in the recruiting process.” Additionally, any such hire had to go through a rigorous process overseen by CSAG’s Legal and Compliance Department (LCD).

However, CSHK worked throughout the relevant time frame of 2007 to 2015 to evade, over-ride and hide such hires from the LCD and avoid the company’s rigorous internal controls around the hiring of family members of foreign government officials and employees of state-owned enterprises. These hires were a clear quid pro quo for business steered the way of CSHK by corrupt foreign officials and employees of state-owned enterprises (SOEs). The Order stated, “senior Credit Suisse managers repeatedly took steps to onboard Referral Hires from SOEs and government ministries independently from the scrutiny of the company’s established, merit-based campus recruiting program.”

The family members illegally hired were called “Referral Candidates” and they were hired without CSHK conducting such basic Human Resource (HR) controls as employment interviews, screenings or “vetting of any kind”. Following the JPMorgan Sons and Daughters hiring program example, CSHK maintained a written documentation of its own program, with the Order noting, “spreadsheets that listed “referral hires” or “relationship hires.” These spreadsheets included information identifying the referring client or relationship when the relationship was with a government regulator. Some of these spreadsheets identified the “[c]ontribution” of the referral hire, including in at least three instances, deals specifically attributable to the relevant relationship.”

The illegal actions were not limited to only CSHK as the Order related, “certain Credit Suisse managers in the U.S. were aware of CSHK hiring of Referral Candidates. One manager went so far as to call such hires “boondoggles”. Senior Credit Suisse managers in the Asia-Pacific region (APAC) were also aware of these illegal hiring practices, indeed instructing hiring of family members simply “based on the business advantages the government official who referred the candidate could provide.” Some of these same senior officials mandated employees engage in “sham practices” to give the appearance that the hiring practice was being followed, instructing “subordinates to conduct interviews of referral candidates and automatically score the candidate highly, regardless of his/her actual performance.”

The NPA noted that in addition to the hires not going through the regular hiring process, they “often lacked technical skills, were less qualified, and had significantly less banking and other relevant experience than candidates hired through Credit Suisse’s other employment channels.”  But the illegal actions did not simply end with the hiring’s , as “Credit Suisse continued to provide these referral hires with additional benefits and promotions, including at the request of certain SOE or other government officials, even though these referral hires had performed poorly or were not otherwise suited to receive such benefits or promotions.”

In addition to lacking even a modicum of the basic skills to work at CSAG, several of the Referral Hires did not even bother to act as if they cared about their jobs or the work which was provided to them. They did not attend mandatory training sessions and did not bother to stay at the office during business hours. In short, some of these Referral Hires were actually a negative employment relationship for CSHK, destroying morale and actually hurting the paper culture of compliance that CSAG had laid out in its Global Policy. It was clear the only reason such people were hired, maintained their jobs and were even promoted and awarded bonuses were as a result of family members sending business to CSHK.

Tomorrow, I will look at some of the individual hires to see how CSHK over-rode internal controls, hid the hiring process from the home office and violated the FCPA.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2018