Last week the Justice Department (DOJ) announced a resolution of the long standing Foreign Corrupt Practices Act (FCPA) enforcement action involving Telefonaktiebolaget LM Ericsson (Ericsson), a multinational networking and telecommunications equipment and services company headquartered in Sweden. The matter was stunning in the total amount of fines and penalties assessed, coming in at over $1 billion, consisting of a criminal fine assessed by the DOJ at just over $520 million. Separately, the Securities and Exchange Commission (SEC) assessed profit disgorgement of nearly $540 million. Over the course of this week I have considered the Ericsson FCPA enforcement action. Today, I conclude by reviewing the criminal penalty sustained by Ericsson, its actions during the pendency of the enforcement action which led to a double whammy in its fine calculation and cost the company an additional $95 million above what it could have paid as a criminal penalty.

The documents reference herein consist of the following:

  1. DOJ Press Release (Press Release);
  2. SEC Complaint against Ericsson (SEC Compliant);
  3. DOJ Deferred Prosecution Agreement with Ericsson (DPA);
  4. Ericsson Egypt Ltd. Plea Agreement (Ericsson Egypt Plea Agreement);
  5. DOJ Superseding Information with Ericsson Egypt (Ericsson Egypt Information); and
  6. DOJ Information with Ericsson (Ericsson Information)

Failures in Internal Controls

There was a clear failure in internal control by Ericsson. They were generally classed into one of three categories: (1) ineffective internal controls; (2) lack of controls and (3) management override of internal controls. Management entered into sham consulting agreements. The ineffective internal controls were the authorization of payments to the consultants while knowing or recklessly ignoring red flags which indicated a high probability that at least a portion of these commissions were bribe payments. The lack of controls generally revolved around consultants with which there was no written contract and/or due diligence was not started until almost one year after the contracts were signed.

One of the key lessons for the compliance profession is that the use of basic tech solutions can also be used in conjunction with and as an internal control. Moreover, there were three current tech solutions which almost every company has in place that can act as internal controls and facilitate a best practices compliance program. The first is a contract management system to provide contracting consistency and allowing comparisons of contract terms and conditions. The second is an ERP system, such as SAP or Oracle, for processing payments. This would have allowed information on offshore payments to known money laundering jurisdictions to be routed to the compliance function. It could also have prevented the appending of corrupt third parties to previously approved agents, distributors, joint venture (JV) partners and other third parties which had been properly vetted to do business with Ericsson. The third is an automated business cycle process tech which can be run seamlessly during the pre-contracting process.

FCPA Corporate Enforcement Policy

The DOJ has made clear in numerous enforcement actions in 2019 the benefits of self-disclosure, cooperation and remediation. Ericsson did not avail itself of the full range of credits to reduce its overall fines and penalties. According to the DPA, Ericsson “did not receive full credit for cooperation and remediation pursuant to the FCPA Corporate Enforcement Policy, [citation omitted], because it did not disclose allegations of corruption with respect to two relevant matters, produced certain relevant materials in an untimely manner, and did not timely and fully remediate, including by failing to take adequate disciplinary measures with respect to certain executives and other employees involved in the misconduct”. Unpacked, there are two key areas of failure by Ericsson during the investigation.

First, Ericsson did not self-disclose. Second, the company apparently did not disclose matters involving bribery and corruption that it either uncovered during the investigation or was otherwise aware of during this time frame. Finally, Ericsson also fell short in its remediation and failed to receive full credit for its failure to take disciplinary actions against executives and employees involved in the bribery and corruption at issue. When you realize these same failures are taken into account twice in the penalty assessment phase, you see that through this course of conduct, Ericsson cost itself upwards of an additional $95 million in penalties.

Further, when you read the FCPA Corporate Enforcement Policy, together with the Benczkowski Memo and the Criminal Division’s Evaluation of Corporate Compliance Program, 2019 Guidance, you see not only the roadmap to a lower penalty and greater credit but also a roadmap to avoiding a corporate monitor, of which Ericsson did not avail itself.

Telecom Takes Over

Perhaps the largest lesson is that telecom is now the Number 1 industry for FCPA enforcement actions. Ericsson’s fine and penalty have put them second place in the FCPA Blog’s all-time Top Ten FCPA Enforcements and also Number 2 on the all-time Disgorgement List. But, perhaps more interesting, telecom now has four of the top six of all-time FCPA enforcement actions, as identified below:

  1. Telefonaktiebolaget LM Ericsson(Sweden): $1.06 billion in 2019
  2. Telia Company AB(Sweden): $965 million in 2017
  3. MTS(Russia): $850 million in 2019
  4. VimpelCom(Netherlands): $795 million in 2016

Telecom has all the hallmarks of a high-risk industry, with almost all business transactions (other than the sale of phones and accessories) outside the US involving foreign government or state-owned enterprises (SOE). This means if your company is in this industry it needs to start scrubbing its operations which have any government or SOE touchpoints. It is not simply the straight-forward bribery schemes used by Ericsson but also in the area of gifts, travel and entertainment. Living in the top city in the world for FCPA enforcement and working most of my professional life in the industry which experienced the first FCPA-industry sweep, I can attest that government will be looking closely at other telecom companies. Given the steep premium that Ericsson paid for not self-disclosing, not fully cooperating and not fully remediating during the pendency of the enforcement action, this final lesson may be the most lasting.

To read my complete series on the Ericsson FCPA enforcement action, see:

Part 1-Overview

Part 2-The Bribery Schemes

Part 3-Failures in Internal Controls

Part 4-The Double Whammy in Penalties

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2019

Welcome to the Great Women in Compliance Podcast, co-hosted by Lisa Fine and Mary Shirley.

Today’s Great Women in Compliance podcast is a little different.  At the most recent SCCE Compliance and Ethics Institute held in September, Lisa and Mary asked the session attendees to provide examples of the best professional advice they received, and we had a lot of great information from women throughout the ethics and compliance community.  It was a unique opportunity for Mary and Lisa to be on the same episode, as most of the GWIC podcasts are with one of them interviewing ethics and compliance leaders.

We got exceptional insights from this community, and Lisa and Mary thought it would be the perfect way to end the 2019 podcasts.  Not only did Great Women in Compliance’s first full year brought lots of great discussions on the podcast, it brought out constant reminders of the fantastic individuals that make up the GWIC community.

We all hope you enjoy this advice from the GWIC Community and best wishes to you and yours in 2020. Join the Great Women in Compliance community on LinkedIn here.

Fizza Khan, this week’s guest on the Innovation In Compliance show, has been in regulatory consulting for over 10 years. She is the CEO and founder of Silver Regulatory Associates, an innovative company that specializes in helping companies meet their regulatory obligations. She and Tom Fox discuss the idea of outsourced compliance as well as the interesting and often complicated world of cryptocurrency.

Listen to the Episode Now:

The Cutting Edge of Outsourced Compliance

Tom comments that the regulatory compliance space has different guidelines, regulations and laws than his world of ABC compliance. He asks Fizza to describe some of the cutting edge things her company is doing, in particular the idea of ‘outsourced compliance’. She replies that financial services companies must have a strong regulatory compliance program that’s not only good on paper, but practically functioning. Her company, as an outsourced compliance option, can help firms meet their obligations either by integrating into their compliance program or by working alongside an existing compliance program to ensure that it aligns with the client’s interests.

Services Offered

Silver Regulatory Associates offers various services depending on your needs. These include:

  • Registration and foundation services
  • Maintenance service
  • Assessment service
  • Exam support service

Crypto: Security or Exchange Instrument?

There are many questions surrounding cryptocurrency. Whether it is a security or an exchange instrument is one of the questions facing the industry. Fizza explains that the Howey Test is used to determine whether a particular instrument will be deemed a security and needs to come under the SEC’s regulations. The test makes its determination based on three criteria:

  1. Is the investment in the form of money?
  2. Is the investment of money in a common enterprise?
  3. Is there an expectation of profits from the enterprise? Is that expectation of profit derived from the efforts of others?

Tom asks Fizza to discuss what a company must do if it’s determined to be a security vs an exchange instrument, and how her company can help them fulfill their regulatory obligations. She explains the implications of each scenario. Her company helps clients determine the next steps and take appropriate action to become compliant, she says. Continuous analysis and monitoring of cryptocurrency guidelines is paramount. If a company changes the way it uses, manages or distributes its cryptocurrency, this could trigger additional regulatory requirements.

Preparing for the SEC Exam

Tom mentions an article Fizza wrote, entitled, Uptick In SEC Exams: Four Ways To Ensure A Smooth Process. He asks her to explain how she helps companies prepare for such an exam. She replies that the article targets investment managers and broker dealers who are already regulated and registered with the SEC. The routine exam is when SEC staff examiners come to organizations to ensure that their compliance program is meeting all regulatory obligations. They also want to see that the program is being actively implemented in the business. Silver helps you prepare for a smooth exam: they analyze your existing program, help you prepare the required documents, and they even prepare you to answer questions the SEC might pose. Fizza gives several tips to help you highlight your strengths in the Day One presentation.


Article: Uptick In SEC Exams: Four Ways To Ensure A Smooth Process

Article: Insight: Key Crypto Compliance Considerations In Light of Facebook’s ICO

In this podcast series, recovering screenwriter (and Mr. Monitor) Jay Rosen and Tom (the Compliance Evangelist) indulge in passion for the movies by looking at them through the lens of compliance. Jay is a contemporary movie fan and I am more of a classic movie maven so we present a well-rounded view of the movie fandom. If you want to indulge in your love for the movies with two guys who are passionate about Hollywood and get some ideas for your compliance program, this is the podcast series for you. For this offering, we consider the Star Trek IV-The Voyage Home.

Some of the highlights include:

  • Why did this movie have such humorous themes?
  • The key message in this movie is to listen.
  • What are some of the leadership lessons from this movie?
  • Why every CCO needs allies in the C-Suite.
  • Can a city be a character in a movie?
  • Tom gives the movie a full bucket and a medium sized Diet Coke. Jay gives the movie an overflowing bucket but takes it to a new level with a Slurpee with a shot of whisky thrown in.

We will interrupt this series of Star Trek movies to look at the key Star Wars movies leading up to release of the final chapter in the original 9-part saga envisioned by George Lucas, The Rise of Skywalker. The series will run the week of December 16-20.

In this special five-part podcast series, I have been joined by Mikhail Reider-Gordon, Managing Director of Global Affairs at Affiliated Monitors, Inc. (AMI) the sponsor of this podcast series. We have discussed various aspects of monitorships, including why independence matters, the American Bar Association’s (ABA) Guidelines on Monitors, Gordon’s professorial career at the International Anti-Corruption Academy, cultural differences between international and US domestic monitorships.  and the continuing evolution in monitorships. Today, in this concluding Part 5, we consider the continuing evolution in monitorships.

Just as compliance programs and the role of the Chief Compliance Officer (CCO) have evolved, the situations involving a monitor have evolved. We began with a consideration of some of Gordon’s thoughts about how the intersection of law and technology, including privacy, data management and data bias are really driving the conversation with clients around oversight and monitorships. Gordon began with the trend and growth in monitoring entities that have violated data privacy laws. Interestingly, this can come not from any overt or even poor decision on a company’s part or action. It could be from a data breach or it could be they misuse data. Gordon pointed to misuse such as Facebook, under evolving privacy laws. Here Gordon related that “Companies are a little on the back foot.”

The reality is that the modern corporation, profit or non-profit turns on information and, from Gordon’s perspective, “a lot of entities have really not fully incorporated that into their overall compliance program structure. Monitors now are addressing both directly monitoring how an entity is handling their data, are well they are complying either with privacy laws or data security standard; as well as in other forms of monitorship where it is data intensive. There may be a personal identifying information or sensitive corporate information, sensitive IP and trade secrets. All that needs to be considered when monitors are working a company on a monitorship.”

The evolution of monitorships has also occurred around timing. Originally, monitors were brought in at the conclusion of an enforcement action. Now monitors are often brought in during and even before an enforcement action begins on a pro-active basis, to get out ahead of the problem. This can be to see if an issue exists or to remediate the issue before the conclusion of an enforcement action. If it is the former situation, it can help to prevent an enforcement action from even getting off the ground. If the enforcement action has already begun, the pro-active approach can help a company garner a declination or if one cannot be obtained prevent a multi-year, post-settlement monitorship from being mandated.

Gordon noted that through a pro-active monitorship, a company is “demonstrating to the regulator the seriousness. The company is demonstrating that they take this matter seriously, through this preemptive action. It is evidence there is genuine desire to comply with the letter and spirit of law. This means it can have real impact. This can lead regulators to conclude that the company is taking this matter seriously. This can lead regulators to basically conclude that all the resolution agreement needs to provide is to check their homework.”

It is this pro-active approach that allows a company to get out in front of things before a problem gets to a crisis point. Gordon noted, “we operate in a data-driven economy. There are new data privacy and security requirements and challenges up ahead. As a CCO, you may not be quite certain where that fit in to your overall compliance program. You anticipate one breach and you will suddenly find yourself in front of the FTC. That is the perfect opportunity to say maybe a proactive monitor coming in and helping us get a handle on how we ought to be addressing these risks on these problems before the crisis point.”

Gordan believes that such an approach not only has significant operational value but it can put an organization on the right footing with the regulators as it sets the right tone. But even more than simply the regulators (as important as they may be) are other internal and external stakeholders. Using such a pro-active approach, to find out where the  vulnerabilities and threats are then reduce them; it leads all such stakeholder to feel like there is a plan for dealing with these ever-evolving laws and social expectations which could impact risk. Gordon concluded with “and that’s invaluable” for any business.

For more information on AMI, check out their website. For more information on Mikhail Reider-Gordon, check out her LinkedIn profile.