Next week in a sponsored podcast series, I will visit with Vincent DiCianni, founder and President of Affiliated Monitors, Inc. (AMI) and Eric Feldman, Senior Vice President of AMI. We consider the global view of ethics, compliance and corporate culture of non-US companies, outside the US; in both their home countries and in other countries where they operate. In today’s post I preview the series and hope that you will check it out as I know you will find it useful.

DiCianni noted the single biggest difference for non-US companies and countries is the focus on legal compliance as opposed to the US focus on values-based ethics and compliance programs. This is partly attributable to the maturity of an intersection of several conditions. The first is the nascence of national anti-compliance legislation. Many countries have only passed such laws within the past five years. Next is the relative youth of many anti-corruption enforcement agencies and prosecutorial services. Finally, many countries have Code-based rather than Common Law-based legal systems. Such legal systems tend to favor more legalistic compliance as opposed to a more general formula such as the Ten Hallmarks of an Effective Compliance Program that was laid out in the 2012 FCPA Guidance.

Obviously, some countries are more advanced along this continuum. The United Kingdom had its Bribery Act come into force in 2010. Brazil had the Clean Companies Act come into force the following year. Prosecutors in both of these countries are farther along in their enforcement actions and have issued guidance on the types of best practices compliance programs that companies should put in place. However, other countries such as Germany, Spain and France are less far along in both their legal frameworks and their corporate compliance programs.

DiCianni made clear that these countries are all moving forward along the compliance continuum much in the way the US did, beginning 10-15 years ago. In the mid-00’s compliance was largely legal-based, written by lawyers for lawyers. However, this decade we have seen a move to a more values-based system of ethics and compliance, which has been reflected in corporate compliance programs.

One thing DiCianni has observed, literally across the globe, is the desire of compliance practitioners to move the ball forward. This comes in the form of enthusiasm for the compliance profession but also an understanding of the true costs of bribery and corruption in everyday society. This also means there is a great thirst for compliance learning and instruction on how to implement best practices compliance programs.

Many countries have other focuses such as corporate social responsibility (CSR) requirements for their corporations which impact the compliance function. DiCianni believes that a CSR function can lead to a more ethical culture within an organization. He noted that many non-US companies have taken the lead on modern slavery, conflict minerals and other issues. He believes this leadership will strengthen a values-based culture within a company and it is something that US companies should more strongly consider taking leadership positions on.

One of the interesting contrasts DiCianni drew regarding non-US companies was what he termed the failure to enforce their own internal codes. This is true whether it be in a Code of Conduct or policies and procedures. This all ties back into a consistent theme from AMI, which is institutional fairness and a values-based culture. DiCianni stated, “sometimes it’s the most important aspect of a compliance program, what do you do when there’s a violation internally. Do you do anything to enforce your policy?” The problem he noted is that “if you don’t then it’s sort of not worth the paper it’s written on. If you’re going to just have a paper program that doesn’t have any real bite, that’s a concern that I’ve seen globally for those companies that have compliance programs.” If you do not enforce your own compliance requirement, for whatever reason, it creates a very negative impact on your employees.

We concluded by considering some of the enforcement regimes and mechanisms outside the US. While US prosecutors and regulators have certainly taken the lead in the international enforcement of anti-corruption laws, countries such as the UK and Brazil are quickly taking up their roles as well. In the UK, we have seen the first uses of Deferred Prosecution Agreements (DPAs) by the Serious Fraud Office (SFO). The Brazilian prosecutors seem to be moving in that direction, if in a de facto manner.

Feldman noted that the US has led most of the enforcement efforts because of the long-standing role of the Foreign Corrupt Practices Act (FCPA) as one of the earliest anti-corruption laws. US enforcement has also been the most aggressive across the globe. However, over the past five years or so the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have worked to train a cadre of prosecutors in enforcement techniques and tactics to fight the international scourge of bribery and corruption.

This cross-training steered by US prosecutors led to several immediate and longer-term impacts. The most obvious and initial impact was the cooperation by prosecutors and regulators, literally across the globe. One need only review each DOJ or SEC Press Release announcing a FCPA prosecution and the non-US agencies who provided assistance are listed near the bottom. The cooperation began during the Obama Administration but has continued under the Trump Administration and Sessions-led DOJ. Feldman noted that he has seen more cooperation in the investigations and international enforcement front and a sharing of the penalties in several cases. This began as the one Pie model where there would be ‘one pie’ of penalties for an organization. The name has evolved into the anti-piling policy.

The aggressiveness of US prosecutions led to the US penalizing many non-US based companies and keeping the vast lion’s share of the financial penalties. Simply look at the current Top Ten in all time FCPA enforcement cases and you will see that only two of the top ten are US based companies. In addition to the cross training listed above, many countries wanted to get in on the financial penalty action. This has led to many large anti-corruption fines and penalties being shared by multiple countries since 2016. This includes Odebrecht/Braskem, with $2.6bn shared between the US, Switzerland and Brazil; Petrobras with $1.78bn shared between the US and Brazil; Telia Company, with $965MM shared by the US and Sweden; Alstom, with $814MM shared between the US and Switzerland; Rolls-Royce, with $809MM shared between the UK, US and Brazil; VimpelCom, with $795MM shared between the US and The Netherlands; and SocGen, with $585MM shared between the US and France.

Feldman pointed to the specific example of Singapore, where over the last couple of years there has been the instance of Keppel Offshore being prosecuted by DOJ for corruption under the FCPA. This was very embarrassing to the government of Singapore because while Singapore always had corruption laws on the books it did not have a big method of enforcing them. Then two years ago, Singapore passed legislation requiring DPAs as an alternative mechanism for settling those types of international corruption cases. Now DPAs are a part of the landscape for anti-corruption prosecutions in Singapore. Just across the straits in Malaysia, the country passed tougher anti-corruption laws as well. All of this means, from Feldman’s perspective, that both investigations and enforcement are up in a much wider variety of countries combatting bribery and corruption.

As to where all of this enforcement may be heading, Feldman noted the DOJ model of enforcement has been fairly consistent. The basic level of enforcement and theory that the US will continue going forward to enforce the FCPA is fairly high. Feldman believes that the cooperation which began in the earlier part of the decade will continue, particularly between DOJ and the SFO, when it comes to the UK Bribery Act. This may be even more so with the new Director of the SFO, who is a former DOJ prosecutor and has an “American understanding and acceptance of enforcement of these laws, as an accepted way of doing business. I think is going to move the SFO to even more aggressive enforcement going down the road.”

The bottom line is that even if the US somehow or for some reason dialed back its prosecutions under the FCPA, there are multiple international enforcement agencies who stand ready to pick up the slack and reap the benefits in terms of fines and penalties. This also means that companies operating in these countries should have robust compliance to not only detect and prevent legal violations but provide a solid defense if something goes askance.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.
© Thomas R. Fox, 2018

What is the intersection of innovation in your compliance program and the requirements of an effective compliance program? Today, Tom Fox continues his 5-part series on the front lines of compliance with Hallmark IX of the Ten Hallmarks of an Effective Compliance Program, continuous improvement.

  • Hallmark 10 states that: “A good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the standards of its industry. In addition, compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.”
  • What does that actually mean? In short, it’s about putting compliance into the fabric of your organization. There are many ways to go about doing this, and one of the most effective ways is through the continuous improvement technique of ‘internal inspection.’ Ben Locwin discusses this in Episode 266 of the FCPA Compliance and Ethics Report Podcast.
  • With internal inspection, you’re looking at your program from the inside out. Ben Locwin explains it like this: “We have a problem. Let’s not run away from it. Let’s embrace it.” To do that, you should ask what you can do better, and what can you do next. The willingness of the organization to look at itself is key to continuous improvement.
  • It’s not enough to admit there was a mistake and get rid of the employee who made it. Tom talks about how people aren’t willfully ignorant; they try to do the right things. It could be as simple as a clarity issue with how they understand their role or their work, and if that’s the case, the next employee could easily make the same mistake.
  • Instead of laying blame at the people in the organization, it is wiser to do a ‘root cause analysis’ to determine and develop the preventative actions that can keep the problem from happening again. In other words, you fix the system and processes that led to the problem in the first place.

Ongoing Education

If you’re a compliance professional looking for a convenient and effective way to fulfill your continuing education requirements, visit Tom’s website and choose from 4 hour-long training packages that will keep you up to date with the latest developments in the compliance field.

In this episode of Across the Board, I visit with Doreen Lilienfeld. She is a partner at Shearman & Sterling in New York. Today we visit on the firm’s Shearman & Sterling Annual Corporate Governance & Executive Compensation Survey.  Some of the topics we discuss are:

  • What is the Shearman & Sterling Annual Corporate Governance & Executive Compensation Survey?
  • Why should Boards of Directors be concerned with corporate culture?
  • What is corporate culture?
  • What are some corporate culture red flags?
  • Why is corporate culture a company asset?
  • What are some indicia of a healthy corporate culture?
  • How does a Board work to institutionalize corporate culture oversight?
  • How should a Board work through or think through its role in oversight?

To review the Shearman & Sterling Annual Corporate Governance & Executive Compensation Survey, click here.

This week I have been considering the new developments in the long-running 1Malaysia Development Berhad (1MDB) scandal. These developments include a guilty plea by a former Goldman Sachs Group Inc. (Goldman Sachs) banker in Southeast Asia, Timothy Leissner, who was the client relationship manager for the Malaysian sovereign wealth fund, the country’s former Prime Minister Najib Razak and the person alleged to have looted the fund, Jho Low. As was laid out in a two-count Criminal Information (Information), Leissner pled guilty to both money laundering and violations of the Foreign Corrupt Practices Act (FCPA). He was ordered to forfeit $43.7 million in ill-gotten gains from his illegal activities. A separate (but related) three-count Indictment named Goldman Sachs Managing Director, Roger Ng, who was charged with conspiracy to violate the FCPA and money-laundering. Ng was arrested in Singapore and will presumably be transported to the US to stand trial or more likely plead guilty. Also named in the Indictment was international fugitive Jho Low. I want to conclude this short series by considering the lessons for the compliance professional that we have learnt so far.

Due Diligence, Due Diligence, Due Diligence

One thing made clear from this matter is that due diligence is not a one-time, discrete event. It is an ongoing process by which new information comes in and is evaluated for a risk-based approach to conducting business. Most interestingly in this matter, Leissner tried to get Goldman Sachs to take on Low as a customer. However, according to the Information, these attempts were unsuccessful because certain personnel within Goldman Sachs’s Compliance Group and Intelligence Group refused to approve the business relationship with Low, “in part, on concerns that they had about the source” of his wealth.

This rejection of Low’s application was communicated to Leissner and Ng. However, “Notwithstanding their knowledge of the concerns that had been raised about” Low not being a suitable client for Goldman Sachs, Leissner “and other employees and agents” of Goldman Sachs continued to work with Low based upon their belief that he “would help ensure that government officials within 1MDB, the Malaysian government and Abu Dhabi would deliver lucrative business deals to” Goldman Sachs.

Yet, even though Low’s involvement in all three bond deals, Projects Maximus, Magnolia and Catalyze, was well-known throughout the southeast Asia region, this was not a part of the evaluation by Goldman Sachs on whether it should have gone forward with any of the transactions. In Goldman Sachs’ most recent Quarterly Report (10-Q), filed after the guilty plea and indictments were released, it stated, in part, “In addition, an unnamed participating managing director of the firm is alleged to have been aware of the bribery scheme and to have agreed not to disclose this information to the firm’s compliance and control personnel. That employee, who was identified as a co-conspirator, has been put on leave.”

Further, in a Financial Times (FT) article, entitled “More than 30 Goldman Sachs executives reviewed 1MDB deals”, Laura Noonan and Stefania Palma reported, “A second person with knowledge of the deal’s approval process confirmed that more than 30 people at the bank reviewed it. “There was no concern that the money was going to be stolen”.” The internal Goldman Sachs reviewers included former Chief Executive Officer (CEO) Lloyd Blankfein and the current CEO David Solomon, “who was head of Goldman’s investment banking division from 2006 to 2012, as well as Gary Cohn, then chief operating officer of the bank.”

In an unrelated FCPA Blog article, entitled “US v. Hoskins complicated due diligence on intermediaries”, Eric Lochner raised a risk related to FCPA violations, stating, “compliance officers will also need to police against opportunists inside and outside the organization. The Hoskins ruling created a class of at least some (possibly many) foreign intermediaries beyond the reach of the FCPA. So some employees and third parties might try to exploit that distinction, where those foreign nationals beyond reach do the dirty work of operating a bribery scheme.” That could certainly apply to Low.

Override of Internal Controls and Oversight

Even though the compliance and legal functions at Goldman Sachs prevented the company from taking on Low as a client, they failed miserably for the three bond deals. One of the reasons was the override of internal controls. The 10-Q stated, “[T]he plea and charging documents indicate that Leissner and Ng knowingly and willfully circumvented the firm’s system of internal accounting controls, in part by repeatedly lying to control personnel and internal committees that reviewed these offerings…The indictment of Ng and Low alleges that the firm’s system of internal accounting controls could be easily circumvented and that the firm’s business culture, particularly in Southeast Asia, at times prioritized consummation of deals ahead of the proper operation of its compliance functions.”

How did (apparently) the southeast Asia business unit override these controls? It was the old-fashioned way: they lied. But you might wonder why an organization as large and international in scope as Goldman Sachs would allow employees’ dissimulation to expose it to up to $1.8bn in fines, penalties and costs for this matter? It all brings up the need to have what Jonathan Marks has called “the ‘four eyes review/approval principle’, which requires a second review by supervisors from different reporting lines for substantive decisions, transactions, changes/overrides, etc. The second set of eyes must not only be done by someone from different reporting lines, but by someone who can be skeptical, is competent, understands the ‘red flags’, and if necessary can elevate any issues they might have. The ‘four eyes review/approval principle’ is used to facilitate delegation of authority and increase transparency with the goals being adherence to company’s policies, compliance with laws and regulations, and the deterrence and detection of misbehavior or fraud.”

Corrupt Corporate Culture

Where was Goldman Sachs’ culture in all of this? As noted in the 10-Q, “the firm’s business culture, particularly in Southeast Asia, at times prioritized consummation of deals ahead of the proper operation of its compliance functions. In addition, an unnamed participating managing director of the firm is alleged to have been aware of the bribery scheme and to have agreed not to disclose this information to the firm’s compliance and control personnel.” This means there was a culture which supported doing business even if it was done illegally and others consciously looked the other way. It all sounds like a disaster not just waiting to happen but one which did happen.

What are some of the key compliance lessons learned from Goldman Sachs in the 1MDB scandal?


We’re midway through Tom’s five-part series that explores innovation in the compliance function. In today’s episode, he considers how design thinking can help Chief Compliance Officers create more robust compliance programs that will become deeply rooted in the company’s core.

In a recent Harvard Business Review (HBR) article, Jon Kolko discussed how design thinking can bring innovation into a compliance program. The article, “Design Thinking Comes of Age,” talked about how “the approach, once used primarily in product design, is now infusing corporate culture.” It can be used to redesign your compliance program for your internal customers, like your employees and contractors. The goal in redesigning the compliance program is to get these groups to fluidly follow compliance protocols without a second thought.

Here are Kolko’s Components of Design Thinking:

  • Focus on the users’ experience with compliance. Designers should focus on the “emotional experience” of the users. Doing so allows the user to find emotional resonance with the compliance program, since the users’ needs have been thoughtfully included vs. simply focusing on internal operating efficiencies.
  • Create “design artifacts.” This can be a physical item OR any document that has come to define the traditional organizational environment. Kolko shares that design artifacts are critical because, “they add a fluid dimension to the exploration of complexity, allowing for nonlinear thought when tackling nonlinear problems.”  
  • Develop prototypes to explore potential solutions. Building parts of your system and testing it from the user’s perspective is a better way to communicate ideas and obtain feedback. Although this might appear counterintuitive, it’s important to remember that the key component for design thinking is a tolerance for failure.
  • Exhibit thoughtful constraint when moving forward. Kolko ends this section by stating that sometimes you lead with “constrained focus.” That means one must be deliberate about which processes to include or remove in the compliance program redesign.

Now that you understand the key components of design thinking, it’s also vital that you understand the challenges that apply directly to the CCO or compliance practitioner in implementing design thinking.

  • First, there must be a willingness to accept more ambiguity, particularly in the immediate expectation for a monetary return on investment.
  • Second, a company must be willing to embrace the risk that comes from transformation.
  • The third is the resetting of expectations since design does not solve problems but rather “cuts through complexity” to deliver a better overall compliance experience.

By following the key components of design thinking and overcoming these three challenges, the internal customers can demonstrate the compliance training’s effectiveness and the company becomes a better-run organization.

Ongoing Education

If you’re a compliance professional looking for a convenient and effective way to fulfill your continuing education requirements, go to FCPAComplianceReport.com/Courses and choose from 4 hour-long training packages that will keep you up to date with the latest developments in the compliance field.