Show Notes for Episode 31, week ending December 2, 2016-the Government Speaks edition

  1. Justice Department Assistant Attorney General Sally Yates remarks at 33rd annual ACI National FCPA Conference;
  2. Head of SEC Enforcement Andrew Ceresny remarks at 33rd annual ACI National FCPA Conference;
  3. Richard Bistrong interview of Barry Vitou on the future of the SFO, on the FCPA Blog;
  4. Release of new eBook on Trump and Compliance by the Everything Compliance podcast gang, published by Corporate Compliance Sights;
  5. Matt Ellis releases new book on The FCPA in Latin America;
  6. With help from US, Dutch enter the global fight against terrorism in a big way, see article by Geert Vermeulen, on the FCPA Blog;
  7. Bloomberg News is reporting a potential settlement by Brazilian & US authorities with Odebrecht for $2.5bn over corruption allegations unearthed in Operation Car Wash;
  8. Reflections on the First FCPA Mock Trial Institute;
  9. New DOJ site on Individual Accountability; and
  10. How ‘bout them 11-1 Cowboys and the impact of Gronk’s injury on the Patriots.

When I was in the corporate world, I cannot begin to recall the number of times senior management had an overly optimistic forecast regarding some transaction, whether the transaction was the purchase of a smaller company, a joint venture (JV), teaming agreement or you name the business venture. Unfortunately, such unrealistic forecasting is not simply limited to business ventures, as the UK learned in the run up to the Brexit vote and the US learned in the most recent presidential election. Tim Harford, writing in his Undercover Economist column in the Financial Times (FT), said “the truth is once Trump secured the nomination, a Trump presidency was always a strong possibility. The betting markets seemed to recognize this, offering odds of three-to-one a week or so before the” election. Of course, three-to-one shots “happen all the time – or at least, about a quarter of the time.”

What I found interesting was three lessons Harford suggested from the wildly inaccurate polling before the US election. Drawing on research by Guy Mayraz from Oxford University’s Experimental Social Science center, the first lesson is that forecasters are biased towards predicting what they hope will happen. If you want your business to increase, you have to believe your transaction/investment/deal will always make money. After all, have you ever seen a business plan that was designed to lose money?

The second lesson derived from something called the Good Judgment project and almost sounds like someone channeled their inner Howard Sklar and his maxim of “Water is Wet”. It is that “self-critical, open-minded forecasters do a better job than narrow-minded overconfident ones.” He goes on to further note that dwelling on our own fallibility is not something people do very well, whether it involves hanging out with our friends or on cable news. The result is that “Confident, eye-catching forecasts are the snack food of analysis”. Unfortunately, this is even more true in the business world.

Finally, forecasters must always remember that more than one outcome is possible. A strong possibility may be a possibility but it is not a certainty. Harford suggests that one way to overcome this bias is to develop alternative scenarios. My 12 O’Clock High podcast host Richard Lummis calls this the “devil’s advocate” role at the business planning table. Harford further formalizes this contra-concept by suggesting every scenario-planner create at least two contradictory alternatives to their rosier, positive scenario.

Harford’s ultimate point is that in any forecast there must be preparedness for contra-events. Elizabeth Holmes, founder of Theranos, famously said that if you have a Plan B as a back-up, you have already lost. I find that to be worse than not helpful in any setting, particularly the business setting. No matter what your forecasting or scenario planning model shows, prepare for other results. For any Board of Directors overseeing a compliance program or managing any type of risk, it all begins by asking questions.

Just as any compliance program begins with your risk assessment, so should a Board begin at this point. However, the Board should start by reviewing what process is being used to identify risks, whether those risks be corruption in violation of such laws as the Foreign Corrupt Practices Act (FCPA), violation of anti-trust law such as the Sherman Act or any other risk which might arise in a business segment, product line or geographic area. This risk analysis should be broader than simply a legal/compliance risk assessment and should be tied to other matters, such as business continuity planning, crisis response plans and even basic fraud of the kind tied to the sales incentive program which recently laid Wells Fargo low.

The key is that Boards of Directors need to use their expertise and ask the right questions. The problem is that many Board members do not know what questions to ask in this area. Some of the following are good areas to begin your inquiry.

  • What is the risk assessment process? When was the last time your risk assessment was performed? Was it enterprise wide or limited in scope?
  • How effective is your overall risk assessment process? Is it stale? Here you are focusing not so much on the recency of your risk assessment but on whether corporate circumstances have changed since the risks were previously assessed.
  • Who is involved in the risk assessment process? Was it performed in-house? Did you bring in a regular service provider who may have created the processes which are now being assessed?
  • Does the risk assessment process take into account any new legal or compliance best practices developments? Technology development speeds along for every business. Even the Justice Department recognizes this in every Deferred Prosecution Agreement (DPA) it enters into for FCPA violations by requiring companies to take into account relevant developments in the field and evolving international and industry standards for best practices in compliance.
  • Are there any new operations that pose substantial compliance risks for the company? Where has your company moved geographically or product-wise? Have there been any significant acquisitions or other business developments which have changed things for the company?
  • Is your company tracking enforcement trends? 2016 has been one of the most significant years in FCPA enforcement but anti-corruption enforcement is only one of the major risk developments which can be derived from reviewing the FCPA enforcement actions. The aforementioned Wells Fargo fraudulent accounts scandal and the ongoing Volkswagen (VW) emissions-testing scandal continue to resonate throughout the business world.
  • Equally important, are any competitors facing enforcement actions? This piece of information has long been a real source of information to Chief Compliance Officers (CCOs) as they have assessed and opened internal investigations based on enforcement actions involving competitors. In a speech at the recent ACI-FCPA Conference, Securities and Exchange Commission (SEC) Director, Division of Enforcement, Andrew Ceresney again said that hedge funds and private equity companies are and will continue to be under SEC scrutiny for FCPA violations around their hiring practices for family members of foreign government officials, as well as other violations of US securities laws. If you are on the Board of such an entity, you might want to ask some very pointed questions about now.
  • Has the company moved into any new markets which impose new or additional risks? This moves beyond the questions I suggested above to consider such things as supply chain and supplier risk. Even a name and shame law like the California Transparency in Supply Chain Act can cause reputational damage. Moreover, even if some types of enforcement lessen under a Trump administration, aggressive state Attorneys General or other state regulators could well pick up the slack.
  • Has the company developed any new product or service lines which change the company’s risk profile? As there will always be some business development along these lines, what changes have increased risk for your business?

For a Board of Directors to be truly effective and informed, it must know where the company stands not only at the present moment, but also know that the company has a strategic plan for the management of risk going forward. Arnold & Porter partner Stephen Martin suggests that such knowledge is encapsulated in a 1-3-5-year compliance game plan. I would add that this formulation should be expanded to encapsulate greater risk management. Yet a compliance program must be nimble enough to respond to new information or actions, such as mergers or acquisitions (M&A), divestitures or other external events. If something dramatically changes, you want to get your Board’s attention on the changes which may need to happen with your risk management program. This type of agility is best accomplished by obtaining buy-in from the Board through its understanding of the role of forecasting a compliance program going forward.

Harford ends his piece with this final lesson from the 2016 UK Brexit vote and US election: “uncertainties are not going away, so it’s not too late to learn.” Every Board of Directors or CCO needs to start a forecasting review now to be ready to respond if an incident arises so that it will not become a full legal violation. Better yet, such forecasting could lead you to prevent such conduct before it even arises and needs detection and remediation.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

Matt Stephenson, others and I have engaged in a dialogue about where Foreign Corrupt Practices Act (FCPA) enforcement may be headed under the incoming administration. I have tried to focus on why compliance with anti-corruption laws, such as the FCPA, will not lessen. The discussions at ACI’s 33rd International Conference on the FOREIGN CORRUPT PRACTICES ACT (ACI-FCPA Conference) demonstrate why compliance will remain an important part of the business process of any US company doing business internationally.

The Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have worked quite diligently to increase professionalism around anti-corruption enforcement in jurisdictions outside the US. At the ACI-FCPA conference Kara Brockmeyer, Chief, FCPA Unit, Division of Enforcement at the SEC, and Daniel Kahn, Chief, FCPA Unit, Fraud Section, Criminal Division at the DOJ, articulated an additional reason, which was the increase in international cooperation and enforcement.

Over the past few years, the DOJ and SEC have worked to create a network of international cooperation in the global war against bribery and corruption. In addition to forming liaisons, they have put on three conferences dedicated to the training of foreign prosecutors on investigations, best practices around anti-corruption compliance programs and cooperation between countries in sharing of documents and other evidence. Both speakers remarked about the increased sophistication of foreign prosecutors in both investigations of bribery and corruption and in understanding compliance programs around anti-corruption laws.

While I had previously considered such training as a way for US authorities to garner relationships to assist US based FCPA investigations, both speakers talked about more joint and coordinated international investigations. This points not only towards parallel investigations but also towards coordinated resolutions. While the OECD is a large part of how the US makes such connections, it is these formal trainings that have allowed US regulators to also make inroads into increasing prosecutions of such conduct.

Yet, in addition to this increased cooperation with US authorities, many other countries’ anti-corruption regulators are now actively prosecuting bribery and corruption as well. Obviously Operation Car Wash in Brazil is a prime example but the speakers pointed not just to increased assistance with the US but also enforcement, in the words of Brockmeyer, “going global”. She pointed towards two 2016 enforcement actions as prime examples.

As set forth in the SEC Press Release in the VimpelCom enforcement action there was cooperation from the following regulatory and enforcement authorities outside the US: “Public Prosecution Service of the Netherlands (Openbaar Ministrie), National Authority for Investigation and Prosecution of Economic and Environmental Crime in Norway (ØKOKRIM), Swedish Prosecution Authority, Office of the Attorney General in Switzerland, and Corruption Prevention and Combating Bureau in Latvia.  Other valuable assistance was provided by the British Virgin Islands Financial Services Commission, Caymans Islands Monetary Authority, Bermuda Monetary Authority, and Central Bank of Ireland, Estonia Financial Supervisory Authority (Finantsinspektioon), Comisión Nacional del Mercado de Valores (Spain), Latvian Financial and Capital Market Commission, UAE Securities and Commodities Authority, Banking Commission of the Marshall Islands, and Gibraltar Financial Services Commission.” The final resolution required VimpelCom to pay $167.5 million to the SEC, $230.1 million to the DOJ, and $397.5 million to Dutch regulators.

As set forth in the SEC Press Release in the Embraer enforcement action, the following regulatory bodies and enforcement agencies were involved: “the Brazilian Federal Prosecution Service, the Brazilian Federal Police, Brazil’s Comissão de Valores Mobiliários, the South African Financial Services Board, the Swiss Financial Market Supervisory Authority (FINMA), the Banco Central del Uruguay, the Spanish Comisión Nacional del Mercado de Valores, and the French Autorité des Marchés Financiers.” In this matter, the total fines and penalties paid by Embraer were a $107 million penalty to the Justice Department as part of a deferred prosecution agreement, and more than $98 million in disgorgement and interest to the SEC. Embraer received a $20 million credit on the amount of disgorgement based upon its payment to Brazilian authorities in a parallel civil proceeding in Brazil.

Another interesting concept the speakers put forth was the one pie concept. They explained that increasingly, enforcement authorities were moving towards one total cost to anti-corruption violators which would be equitably split up by authorities where the corruption occurred or by the countries which had jurisdiction. Kahn said that companies who self-disclosed to multiple regulators and extensively remediated, along the lines laid out in the FCPA Pilot Program, were more likely to garner credit with US regulators for fines paid to overseas authorities. A contra example was Alstom, which tried to settle piecemeal with a variety of countries and entities such as the World Bank. Under this approach, Alstom did not receive credit from US authorities for any of their other payments. For this, and other reasons, Alstom now stands at Number 2 on the Top Ten list of FCPA settlements, paying a whopping $772MM.

All of this means that the SEC and DOJ, together with the OECD, created an active and robust international anti-corruption enforcement regime, which is moving literally across the globe. Any US company doing business outside the US must have a compliance program in order to prevent, detect and remedy any corruption issues. Furthermore, if they want to receive the maximum credit from multiple regulatory bodies they will need such a best practices compliance program.

Indeed, in some jurisdictions such a compliance program can be a defense to a criminal charge against corporations if there are employees engaging in bribery and corruption. Yet even in the UK, where such a defense is available, a company must actually do compliance, not just have a paper program in place and call it a day’s work done.

All of this means doing compliance is even more important than ever and will be going forward. Even with a Trump administration.


The FCPA Guidance specifies that “a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the standards of its industry. In addition, compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.”

Continuous improvement requires that you not only audit but also monitor whether employees are staying with the compliance program. In addition to the language set out in the FCPA Guidance, two of the seven compliance elements in the US Sentencing Guidelines call for companies to monitor, audit, and respond quickly to allegations of misconduct. These three activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs.

One tool that is extremely useful in the continuous improvement cycle, yet is often misused or misunderstood, is ongoing monitoring. This can come from the confusion about the differences between monitoring and auditing. Monitoring is a commitment to reviewing and detecting compliance variances in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis across a wide spectrum of data and information.

Auditing is a more limited review that targets a specific business component, region, or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits that it is effectively monitoring. A robust program should include separate functions for auditing and monitoring. Although unique in protocol, the two functions are related and can operate in tandem. Monitoring activities can sometimes lead to audits. For instance, if you notice a trend of suspicious payments in recent monitoring reports from Indonesia, it may be time to conduct an audit of those operations to further investigate the issue.

Your company should establish a regular monitoring system to spot issues and address them. Effective monitoring means applying a consistent set of protocols, checks, and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. Many compliance practitioners understand you should be checking in routinely with local Finance departments in your foreign offices to ask if they have noticed recent accounting irregularities. Regional directors should be required to keep tabs on potential improper activity in the countries in which they manage. These ongoing efforts demonstrate that your company is serious about compliance.

Yet ongoing monitoring is not limited to the financial component of compliance. The Red Flag Group (RFG) has developed an ongoing monitoring approach for the human part of the compliance equation: a cost-effective approach to email review through email sweeps. The concept is straightforward; at regular intervals you can sweep through your company email database for identified key words that can be flagged for further investigation, if required. The beauty of this approach is that it does not require an extensive eDiscovery software tool or license purchase. It can be accomplished generally in two days or less. Also, it is not limited to anti-corruption compliance but can cover any of the risk factors identified for your company.

The objective of this approach is to ‘find the smoke’, which may be the evidence of a compliance breakdown (and related fire), by sweeping through emails to uncover those that may contain real issues. From this starting point, you can assess and prioritize, by checking and verifying that there are issues worth investigating. From here you can identify the issues you want to investigate first. Further, and if warranted, you can invoke your investigation protocol, with all the requisite protections and securities.

In addition to the cost effectiveness of this approach, in that you are only paying for the services when you need them and as they are delivered, this approach satisfies the Tom Fox mantra of Document, Document, and Document because everything you have done can be verified and audited. Finally, as the regulators continue to evolve in their understanding and appreciation of a best practices compliance program, you will evolve your compliance program to a new level of detection that could well allow you to have a more robust prevent mode. When your compliance program has a strong prevent prong, it can be the most effective way to stave off any issues from becoming Foreign Corrupt Practices Act (FCPA) violations.

Continuous improvement through continuous monitoring will help keep your compliance program abreast of any changes in your business model’s compliance risks and allow growth based upon new and updated best practices specified by regulators. A compliance program is a continuously evolving organism, just as your company is continually improving its business processes. The FCPA Guidance makes clear the “DOJ and SEC will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered. Similarly, undertaking proactive evaluations before a problem strikes can lower the applicable penalty range under the U.S. Sentencing Guidelines. Although the nature and the frequency of proactive evaluations may vary depending on the size and complexity of an organization, the idea behind such efforts is the same: continuous improvement and sustainability.”

For more information on the RFG email sweep monitoring program, please join me and my RFG colleague Juliet Lui for a webinar on this topic, Tuesday, December 6 at 10 CST.


What is risk and how should it be evaluated? What is the data that should be reviewed to determine if an increase in sales is based on unethical or even illegal behavior? Finally, what happens when you migrate company personnel who have been involved in such illegal or unethical behavior to other locations: does their nefarious conduct spread throughout the organization or is it curtailed? I thought about those questions and some others when I read a recent article in the Wall Street Journal (WSJ) by Emily Glazer, entitled “Wells Fargo’s Troubles Flourished in Arizona”.

Every Chief Compliance Officer (CCO) and compliance practitioner understands that the sales side of a business is where the highest risk is located because that is most generally the side of the business which generates the most money and potential profit. Yet sales numbers are not something which compliance professionals will generally have access to as a part of a compliance program. Once again, the Wells Fargo fraudulent accounts scandal provides useful lessons for the anti-corruption compliance practitioner in any best practices compliance program.

Glazer reported, “Arizona was one epicenter of questionable practices at Wells Fargo that led to regulatory enforcement action against the bank”. This came to light when “A Wells Fargo & Co. employee letter to top executives cites allegedly questionable practices in its Arizona region. The letter, sent anonymously, suggests how bad behavior in one part of the bank may have spread to other parts of the country, fueling its sales-practices scandal. The letter, reviewed by The Wall Street Journal, claims that regional executives who oversaw bank branches in Arizona encouraged bankers to lead customers to open multiple products or to find ways to open accounts without customers’ specific knowledge.”

Wells Fargo offices in Arizona had “once ranked last in terms of sales among roughly 35 national Wells Fargo regions. The state climbed in about two years around the start of this decade to No. 1 through the use of what current and former employees say were aggressive sales goals and questionable training programs pushed by regional managers who were related or close friends, according to the letter and current managers. The top rank became a source of pride for managers in Arizona. “The satisfaction of being ‘#1, second to no one,’ has [evolved] into an addiction,” according to the letter.”

The tactics laid out to engage in these illegal and unethical actions were about as bad as it can get and, according to Glazer, “The push to drive new product and account openings came from top executives in the Arizona region, the employee letter said.” One tactic included the creation of “laminated fliers for employees across the state to be used as a “tool” if a customer didn’t give branch workers an email address necessary to open certain products, according to the letter. The flier suggested the employee create an email address using the customer’s cellphone number and their carrier, allowing the product sign-up to move forward, according to the letter and people who described the fliers.”

Yet the conduct which led Arizona to becoming a top sales region for the company did not end at the Four Corners. Glazer reported, “The Arizona managers were later recruited to other parts of the country where their tactics proliferated, according to the employee letter. That “enabled the culture to spread through the nation like cancer,” it added.”

Sales spikes in low performing regions can and should be reviewed by a wide variety of disciplines within an organization, including compliance. One would think that companies would want to know and understand the reasons for any sales increase so that it could be determined if such strategies might work in other areas of a company’s operations. This is true for the compliance function as well. As far back as December 2012, in the Eli Lilly Foreign Corrupt Practices Act (FCPA) enforcement action brought by the Securities and Exchange Commission (SEC), I raised the issue that a dramatic sales increase should be reviewed by compliance to determine if there were any corruption issues involved. This same logic works for sales in the US over products as benign as debit cards. Moreover, if you consider whether the issue should be reviewed by a Board of Directors, it certainly would be material for one state region going from worst to first in sales.

One CCO told me that every time he hears of an employee who wins a sales award for making numbers wildly far above plan, he wonders what might have led to such remarkable attainment. Sales spikes are data that becomes increasingly important for compliance to consider. Just as the Key Energy FCPA enforcement specifically mentioned transaction monitoring around massive increases in gift giving in a geographic region where sales had spiked, a similar analysis is appropriate in the Wells Fargo sales condition in Arizona.

Another issue raised by Glazer’s piece is the “cancer” which spread across the company when employees who had such success in Arizona were transferred to other areas outside the state. This provides another clear lesson for the compliance function as well, which is to follow and track the results of those who had such spectacular success. This issue is more than simply tracking those high result employees but also delivering more focused training to those who might be considered high risk, even if that high risk is for increasing sales through a nefarious manner. This Wells Fargo example shows why ethics and compliance training is so critical. If a company has a few bad apples and they spread, it can literally be like a cancer for the organization.

The monetary fines and penalties assessed against Wells Fargo have been well documented. However, the real costs only now seem to be becoming realized. In a Bloomberg article, entitled “Wells Fargo New Accounts Tumble 44% in Wake of Sales Scandal”, Jennifer Surane reported that credit card applications dropped by 200,000 and new account openings dropped by 300,000 in the month of October, down almost 50% from the previous year. Mary Mack, the bank’s new head of community banking section, was quoted: “It takes time to rebuild trust,” said Mack, who visited 19 cities to listen to retail bank employees for ideas of how the company can move beyond the scandal. “The actions we’re taking will be reflected in more positive trends as we move forward, but in the near-term, I expect many of these trends to continue, including relative stability in our customer base and lower account openings.” Indeed.

Furthermore, Glazer reported one other item which should concern every CCO and compliance practitioner. It concerned the letter to Wells Fargo management which led off her article. Glazer noted the letter was sent from a bank manager in Arizona to Ms. Mack and “Employees are waiting to see how the bank responds and whether there will be any attempts at reprisals to the letter”. One might think that with all the microscopes aimed at Wells Fargo right now, retaliating against internal whistleblowers would never happen. Yet that concern was one of the top ones mentioned in the Glazer piece. What does that tell you about the ethical culture and the culture of compliance at Wells Fargo?
