In this episode, Jay and I return for a wide-ranging discussion on some of the top compliance and ethics related stories, including:

  1. We discuss our highlights from the recently concluded SCCE 2017 Compliance and Ethics Institute. See Tom’s blogs, here, here, here and here. Click here for a report from Matt Kelly.
  2. Mike Volkov explores ISO 37001 in a week-long series? See the full week’s series on his site, Corruption Crime & Compliance. Henry Cutter reports on the standard’s slow acceptance in the WSJ Risk and Compliance Report.
  3. What is the status of your Board’s training for compliance? Ben DiPietro reports in the WSJ Risk and Compliance Report.
  4. Italian prosecutor charges Shell and former execs with overseas bribery. Dick Cassin reports in the FCPA Blog.
  5. Revenue recognition rules change in December. Auditors are under orders to ‘show no mercy’ to companies which have not prepared for the changeover. Tammy Whitehouse reports in Compliance Week.
  6. Continued chaos in the Trump Administration. Matt Kelly is back with addition ethical considerations from HHS Secretary Tom Price in Radical Compliance.
  7. Astros come home down 3-2 to the NY Yankees. Will they overcome?
  8. Join Tom’s monthly podcast series on One Month to a More Effective Compliance Program. In October, I consider compliance with business ventures such as in the M&A context, joint ventures, distributors, channel ops partners, teaming agreements and all other manner of business venture. The third week I continue to take a deep dive into JVs under the FCPA. This month’s sponsor is the Volkov Law Group. It is available on the FCPA Compliance Report, iTunes, Libsyn, YouTube and JDSupra.
  9. The Everything Compliance gang recorded a podcast at the 2017 Compliance and Ethics Institute, with special guest Roy Snell sitting in for Mike Volkov. The podcast will go up Thursday October 26th.
  10. Tom premiers an exciting new service offering the Doing Compliance Master Class.
  11. AMI SVP Eric Feldman is speaking in Houston on November 2, at 1:30. If you are in Houston, please plan to join us. For more information see the GHBER website for details and registration.
  12. Jay previews the Rosen Weekend Report.

The 2017 SCCE Compliance and Ethics Institute (CEI) is now in the books. Once again, the organization had record setting attendance with over 1,800 attendees from some 41 different countries. During the event, I had the chance to do an Everything Compliance podcast where we were lucky enough to have SCCE President Roy Snell join our group of top compliance commentators. Today I want to write about their observations on some of the highlights of the 2017 CEI.

For Roy Snell, myself and everyone who attended the Awards Banquet, the highlight was the acceptance speeches by Bojan Bajić and Višnja Marilović. Their story of how, in the still war-torn country of Bosnia, they worked to literally create a speak up whistleblower culture, legislation to protect whistleblowers, then moved forward to create an entire anti-corruption legislation for the country was one of the most inspirational moments I have experienced in my compliance career. In his acceptance speech Bajić showed himself to be naturally gregarious and hugely funny, even in his second language of English. The contrast with Marilović could not have been starker, as she recited all the trials and travails she went through as the whistleblower who helped bring down corruption. At the end of her acceptance speech there were SCCE members in the audience who were literally in tears from listening to her story. It was that powerful. Roy Snell has committed to finding a way to post the videos of their acceptance speeches to the SCCE website.

Jay Rosen thought the advanced discussions groups, of which he led a panel, were a highlight. He talked about the format which brings compliance professionals from many disparate industries and countries together to talk about best practices in a way that facilitates learning going forward. He contrasted the advanced discussion groups with more basic sessions for newbies or others who might have less experience in the compliance profession.

Rosen’s biggest insight was from the keynote speech by Marjorie Doyle. She told a great story on compliance and, apparently, he never realized that doing compliance is like taking care of cows on the ranch. Doyle even posted the ten lessons of compliance derived from ranching. Also, Doyle firmly believes in rewarding one’s self for a job well-done. She does so by purchasing jewelry for herself and while Rosen had thought it was all about shoes he indicated that he did note the overall pattern. He also found her keynote to have been “an incredibly passionate speech.”

Jonathan Armstrong brought an international perspective to his highlights. He noted that it is a huge advantage for a compliance practitioner from outside the US to be able to not only hear about cutting edge US best practices in compliance but also sitting down for in-depth dialogue with fellow compliance practitioners to foster more and greater learning. He also noted there was clearly a conscious effort to include the first-time participants or international attendees who might have felt uncomfortable in walking up to engage with another compliance practitioner. He provided an example from the Saturday volunteer event where first time attendees spent no longer than one minute alone as someone would come up to engage them. From an English perspective, he found the welcoming spirit quite a refreshing change and effective.

The thing that Armstrong identified as a key insight was what I might term the “360 degree” view of communications around compliance. It began with the insight that the language a compliance practitioner uses can often drive the perception of what compliance is in an organization. Put simply if the employees perceive you as the compliance police or Dr. No from the Land of No; they will treat you as such and not engage with you on anything close to a voluntary basis.

Matt Kelly has organized and participated in many conferences. He picked up on Armstrong’s theme that some of the best conversations he garnered the most learning through were informal discussions. He gave an example of a compliance practitioner he with whom he struck up a conversation during one of the break times in the vendor room. Kelly related that she is overhauling all the risk assessments her company does as they do a large number of them and they realized we were all asking the people the same things over and over. The company employees were becoming exasperated employees and she was looking at how to streamline it. He related this is a very typical problem for a lot of compliance officers and she could bounce some ideas off Kelly about how to simplify it. This was an example of what Kelly sees as one of the real strengths of the CEI, to bring compliance professionals together to share ideas in an informal setting. It drove home the power of the informal portion of the event and how it works with the formal agenda to facilitate growth for the compliance professional and the compliance profession.

Kelly bookended his thoughts with something that he gained more insight from in one of the formal sessions. It was around the issues of Artificial Intelligence (AI) and compliance. He noted that he has previously considered AI as simply “more of a tech thing”. However, in a session he garnered an appreciation of the US Sentencing Guidelines obligations that a compliance program is supposed to be designed so that people can be trained to learn from their mistakes and can improve the incentives for good conduct and provide punishment for bad conduct. If you simply have an algorithm which does not respond to either punishment or rewards you may need to rethink your approach.

For myself probably the biggest insight was from Donna Boehme, the Lion of Compliance. Even with her current travails Donna was present and participating in the conference. She told me she did so because she wants to support the next generation of up and coming compliance professionals. She views it as the responsibility of more senior compliance practitioners to participate and be present for the next generation who are learning the ropes. While I certainly know that lesson well, I found it good to be reminded of it by Donna.

I hope you will plan to join us at the SCCE 2018 CEI, which will be held once again at Caesar’s Palace in Las Vegas from October 14 to 19, 2018.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2017

In this episode, I visit with Doreen Edelman, a partner at Baker Donelson on the top FCPA enforcement action of 2017, the Telia Company matter. We discuss the background facts of the case; we explore the amount of the fines and penalties, were they too high or were they too low; we consider the involvement of senior management right up to the CEO and the Board’s role; we explore the multiple lessons for the compliance professional, the CCO, senior management and the Board of Directors. We conclude with what the enforcement action means going forward and the increase in international enforcement, cooperation and investigation in anti-corruption.

Doreen Edelman can be reached at dedelman@bakerdonelson.com.

Doreen blogs on export control and trade issue concerns at Export Control Matters.

One of my favorite words in the context of Foreign Corrupt Practices Act (FCPA) enforcement is dis-link. It a useful adjective in explaining how certain conduct by a company must be separated from the winning of business and more broadly it works on many different levels when discussing the FCPA. This concept of dis-linking was most prominently laid out in Opinion Release 14-02 (14-02). It provided one of the most concrete statements from the DOJ on the unidimensional nature of compliance in the mergers and acquisition context; both in the pre-acquisition and post-acquisition phases.

In this Opinion Release the Requestor was a multinational company headquartered in the United States. The Requestor desired to acquire a foreign consumer products company and its wholly owned subsidiary (collectively, the “Target”), both of which were incorporated and operated in an un-named foreign country. It never issued securities in the United States and had negligible business contacts in the US, including no direct sale or distribution of their products. During its pre-acquisition, due diligence of the Target, Requestor identified several likely improper payments by the Target to government officials of Foreign Country, as well as substantial weaknesses in accounting and recordkeeping. Considering the bribery and other concerns identified in the due diligence process, Requestor also detailed a plan for remedial pre-acquisition measures and post-acquisition integration steps. Requestor sought from the DOJ an Opinion as to whether the Department would then bring an FCPA enforcement action against Requestor for the Target’s pre-acquisition conduct. It was specifically noted that the Requestor did not seek an Opinion from the Department as to Requestor’s criminal liability for any post-acquisition conduct by the Target. 

Pre-Acquisition Due Diligence

In preparing for the acquisition, Requestor undertook extensive due diligence aimed at identifying, among other things, potential legal and compliance concerns at the Target. Requestor retained an experienced forensic accounting firm (“the Accounting Firm”) to carry out the due diligence review. This review brought to light evidence of apparent improper payments, as well as substantial accounting weaknesses and poor recordkeeping. The Accounting Firm reviewed approximately 1,300 transactions with a total value of approximately $12.9 million with over $100,000 in transactions that raised compliance issues. The clear majority of these transactions involved payments to government officials related to obtaining permits and licenses. Other transactions involved gifts and cash donations to government officials, charitable contributions and sponsorships, and payments to members of the state-controlled media to minimize negative publicity. None of the payments, gifts, donations, contributions, or sponsorships occurred in the US, none were made by or through a US entity and none went through a US bank.

The due diligence showed that the Target had significant recordkeeping deficiencies. Further, the records which did exist did not support the clear majority of the cash payments and gifts to government officials and the charitable contributions. There were expenses that were improperly and inaccurately classified. The accounting records were so disorganized that the Accounting Firm was unable to physically locate or identify many of the underlying records for the transactions. Finally, the Target had not developed or implemented a written code of conduct or other compliance policies and procedures, nor did the Target’s employees show an adequate understanding or awareness of anti-bribery laws and regulations.

Post-Acquisition Remediation

The Requestor presented several pre-closing steps to begin to remediate the Target’s weaknesses prior to the planned closing in 2015. Requestor aimed to complete the full integration of the Target into Requestor’s compliance and reporting structure within one year of the closing. Requestor presented an integration schedule of the Target into the acquirer which included various risk mitigation steps, communications and training on compliance procedures and policies, standardization of business relationships with third parties, and formalization of the Target’s accounting and recordkeeping in accordance with Requestor’s policies and applicable law.

DOJ Analysis

The DOJ noted black-letter letter when it stated, ““It is a basic principle of corporate law that a company assumes certain liabilities when merging with or acquiring another company. In a situation such as this, where a purchaser acquires the stock of a seller and integrates the target into its operations, successor liability may be conferred upon the purchaser for the acquired entity’s pre-existing criminal and civil liabilities, including, for example, for FCPA violations of the target. However, this is tempered by the following from the 2012 FCPA Guidance, “Successor liability does not, however, create liability where none existed before. For example, if an issuer were to acquire a foreign company that was not previously subject to the FCPA’s jurisdiction, the mere acquisition of that foreign company would not retroactively create FCPA liability for the acquiring issuer.””

As none of the payments were made in the US, none went through the US banking system and none involved a US person or entity that this would not lead to a creation of liability for the acquiring company. Moreover, there would be no continuing or ongoing illegal conduct going forward because “no contracts or other assets were determined to have been acquired through bribery that would remain in operation and from which Requestor would derive financial benefit following the acquisition.” Therefore, there would be no jurisdiction under the FCPA to prosecute any person or entity involved after the acquisition.

The DOJ also provided this additional information, “the Department encourages companies engaging in mergers and acquisitions to (1) conduct thorough risk-based FCPA and anti-corruption due diligence; (2) implement the acquiring company’s code of conduct and anti-corruption policies as quickly as practicable; (3) conduct FCPA and other relevant training for the acquired entity’s directors and employees, as well as third-party agents and partners; (4) conduct an FCPA-specific audit of the acquired entity as quickly as practicable; and (5) disclose to the Department any corrupt payments discovered during the due diligence process. See FCPA Guide at 29. Adherence to these elements by Requestor may, among several other factors, determine whether and how the Department would seek to impose post-acquisition successor liability in case of a putative violation.”

Discussion

The DOJ communicated several important messages through 14-02. First it demolished the myths of springing liability to an acquiring company in the FCPA context and buying a FCPA violation, simply through an acquisition; there must be continuing illegal conduct for FCPA liability to arise. Most clearly beginning with the 2012 FCPA Guidance, the DOJ and SEC have communicated what companies need to do in any M&A environment. While many compliance practitioners had only focused on the post-acquisition integration and remediation; the clear import of 14-02 is to re-emphasize the importance of the pre-acquisition phase.

Due diligence must begin in the pre-acquisition phase. The steps taken by the Requestor in this Opinion Release demonstrate some of the techniques you can use in the pre-acquisition phase include (1) having your internal or external legal, accounting, and compliance departments review a target’s sales and financial data, its customer contracts, and its third-party and distributor agreements; (2) performing a risk-based analysis of a target’s customer base; (3) performing an audit of selected transactions engaged in by the target; and (4) engaging in discussions with the target’s general counsel, vice president of sales, and head of internal audit regarding all corruption risks, compliance efforts, and any other major corruption-related issues that have surfaced at the target over the past ten years.

Whether you can make these inquiries or not, you will also need to engage in post-acquisition integration and remediation. 14-02, taken together with the steps laid out in the 2012 Guidance, has provided the post-acquisition actions a compliance professions needs to take after the transaction is closed. If you cannot perform any or even an adequate pre-acquisition due diligence, the time frames you put in place after the acquisition closes will need to be compressed to make sure that you are not continuing any nefarious FCPA conduct going forward.

But it all goes back to dis-linking. If a target is engaging in conduct that violates the FCPA but the target itself is not subject to the jurisdiction of the FCPA, you simply cannot afford to allow that conduct to continue. If you do allow such conduct to continue your company will be actively engaging and participating in an ongoing FCPA violation. That is the final takeaway from this Opinion Release; it is allowing corruption and bribery to continue which brings companies into FCPA grief. Opinion Release 14-02 provided you a roadmap of the steps you can take to prevent such exposure.

Three Key Takeaways

  1. In the M&A context, the key is to dis-link any illegal conduct going forward.
  2. Opinion Release 14-02 provides the clearest roadmap for pre-and post-acquisition compliance actions in the M&A context.
  3. Never forget the Opinion Release procedure. It has been used successfully in two important M&A matters (08-02 and 14-02).

 

This month’s podcast series is sponsored by Michael Volkov and The Volkov Law Group.  The Volkov Law Group is a premier law firm specializing in corporate ethics and compliance, internal investigations and white collar defense.  For more information and to discuss practical solutions to compliance and enforcement issues, email Michael Volkov at mvolkov@volkovlaw.com or check out www.volkovlaw.com.

Previously many compliance practitioners had based decisions in the M&A context on DOJ Opinion Release 08-02 (08-02), which related to Halliburton’s proposed acquisition of the UK entity, Expro. In 2011, the Johnson & Johnson (J&J) DPA changed the perception of compliance practitioners regarding what is required of a company in the M&A setting related to FCPA due diligence, both pre-and post-acquisition. The 2012 Data Systems & Solutions LLC (DS&S) DPA which brought additional information to the compliance practitioner on what a company can do to protect itself in the context of M&A activity.

The 2012 FCPA Guidance spoke about the post-acquisition phase of due diligence, noting that is a part of the compliance process for mergers and acquisitions. Both the “DOJ and SEC evaluate whether the acquiring company promptly incorporated the acquired company into all of its internal controls, including its compliance program. Companies should consider training new employees, reevaluating third parties under company standards, and, where appropriate, conducting audits on new business units.” While the 2012 FCPA Guidance discussed mergers and acquisitions in the context of a best practices compliance program it did not specify a time frame for post-acquisition integration.

Opinion Release 08-02 began as a request from Halliburton to the DOJ from issues that arose in the pre-acquisition due diligence of the target company Expro. Halliburton had submitted a request to the DOJ specifically posing these three questions: (1) whether the proposed acquisition transaction itself would violate the FCPA; (2) whether, through the proposed acquisition of Target, Halliburton would “inherit” any FCPA liabilities of Target for pre-acquisition unlawful conduct; and (3) whether Halliburton would be held criminally liable for any post-acquisition unlawful conduct by Target prior to Halliburton’s completion of its FCPA and anti-corruption due diligence, where such conduct is identified and disclosed to the Department within 180 days of closing.

Halliburton Opinion Release 

Halliburton committed to the following conditions in 08-02, if it was the successful bidder in the acquisition:

Within ten business days of the closing. Halliburton would present to the DOJ a comprehensive, risk-based FCPA and anti-corruption due diligence work plan which would address, among other things, the use of agents and other third parties; commercial dealings with state-owned customers; any joint venture, teaming or consortium arrangements; customs and immigration matters; tax matters; and any government licenses and permits. The Halliburton work plan committed to organizing the due diligence effort into high risk, medium risk, and lowest risk

Within 90 days of Closing. Halliburton would report to the DOJ the results of its high risk due diligence.

Within 120 days of Closing. Halliburton would report to the DOJ the results to date of its medium risk due diligence.

Within 180 days of Closing. Halliburton would report to the DOJ the results to date of its lowest risk due diligence.

Within One Year of Closing. Halliburton committed full remediation of any issues which it discovered within one year of the closing of the transaction.

Many lawyers were heard to exclaim, “What an order, we cannot go through with it.” However, we advised our clients not to be discouraged because 08-02 laid out a clear road map for dealing with some of the difficulties inherent in conducting sufficient pre-acquisition due diligence in the FCPA context. Indeed, the DOJ concluded 08-02 by noting, “Assuming that Halliburton, in the judgment of the Department, satisfactorily implements the post-closing plan and remediation detailed above… the Department does not presently intend to take any enforcement action against Halliburton.”

Johnson & Johnson (J&J) Deferred Prosecution Agreement

In Attachment D of the J&J DPA, entitled “Enhanced Compliance Obligations”, there is a list of compliance obligations in which J&J agreed to undertake certain enhanced compliance obligations for at least the duration of its DPA beyond the minimum best practices also set out in the J&J DPA. Regarding the M&A context, J&J agreed to the following: 

J&J will ensure that new business entities are only acquired after thorough FCPA and anti-corruption due diligence by legal, accounting, and compliance personnel. Where such anti-corruption due diligence is not practicable prior to acquisition of a new business for reasons beyond J&J’s control, or due to any applicable law, rule, or regulation, J&J will conduct FCPA and anti-corruption due diligence subsequent to the acquisition and report to the Department any corrupt payments, falsified books and records, or inadequate internal controls as required by … the Deferred Prosecution Agreement.

J&J will ensure that J&J’s policies and procedures regarding the anti-corruption laws and regulations apply as quickly as is practicable, but in any event no less than one year post-closing, to newly-acquired businesses, and will promptly, for those operating companies that are determined not to pose corruption risk, J&J will conduct periodic FCPA Audits, or will incorporate FCPA components into financial audits.

Train directors, officers, employees, agents, consultants, representatives, distributors, joint venture partners, and relevant employees thereof, who present corruption risk to J&J, on the anticorruption laws and regulations and J&J’s related policies and procedures; and

Conduct an FCPA-specific audit of all newly acquired businesses within 18 months of acquisition.

These enhanced obligations agreed to by J&J in the M&A context were less time sensitive than those agreed to by Halliburton in 08-02. In the J&J DPA, the company agreed to the following time frames:

18 Month – conduct a full FCPA audit of the acquired company.

12 Month – introduce full anti-corruption compliance policies and procedures into the acquired company and train those persons and business representatives which “present corruption risk to J&J.”

Data Systems & Solutions LLC (DS&S) Deferred Prosecution Agreement

In the DS&S DPA there were two new items listed in the Corporate Compliance Program, attached as Schedule C to the DPA, rather than the standard 13 items we have seen in every DPA since at least November 2010. The new additions were found on items 13 & 14 on page C-6 of Schedule C and deal with mergers and acquisitions. They read in full:

DS&S will develop and implement policies and procedures for mergers and acquisitions requiring that DS&S conduct appropriate risk-based due diligence on potential new business entities, including appropriate FCPA and anti-corruption due diligence by legal, accounting, and compliance personnel. If DS&S discovers any corrupt payments or inadequate internal controls as part of its due diligence of newly acquired entities or entities merged with DS&S, it shall report such conduct to the Department as required in Appendix B of this Agreement.

DS&S will ensure that DS&S’s policies and procedures regarding the anticorruption laws apply as quickly as is practicable to newly acquired businesses or entities merged with DS&S and will promptly:

Train directors, officers, employees, agents, consultants, representatives, distributors, joint venture partners, and relevant employees thereof, who present corruption risk to DS&S, on the anti-corruption laws and DS&S’s policies and procedures regarding anticorruption laws.

Conduct an FCPA-specific audit of all newly acquired or merged businesses as quickly as practicable.

This language draws from and builds upon the prior Opinion Release 08-02 regarding Halliburton’s request for guidance and the J&J “Enhanced Compliance Obligations” incorporated into its DPA. While the DS&S DPA does note that it is specifically tailored as a solution to DS&S’s FCPA compliance issues, I believe that this is the type of guidance that a compliance practitioner can rely upon when advising his or her clients on what the DOJ expects during M&A activities. 

FCPA M&A Box Score Summary

Time Frames Halliburton 08-02 J&J DS&S
FCPA Audit 1.     High Risk Agents – 90 days

2.     Medium Risk Agents – 120 Days

3.     Low Risk Agents – 180 days

18 months to conduct full FCPA audit As soon “as practicable
Implement FCPA Compliance Program Immediately upon closing 12 months As soon “as practicable
Training on FCPA Compliance Program 60 days to complete training for high risk employees, 90 days for all others 12 months to complete training As soon “as practicable

The Guidance, coupled with the 08-02 and the two enforcement actions, speak to the importance that the DOJ puts on M&A in the FCPA context. The time frames for post-acquisition integration are quite tight. This means that you should do as much work as you can in the pre-acquisition stage. The DOJ makes clear that rigor is needed throughout your entire compliance program, including M&A. This rigor should be viewed as something more than just complying with the FCPA; it should be viewed as just making good business sense.

Three Key Takeaways

  1. The Halliburton Opinion Release put some very tight dates into the post-acquisition due diligence and evaluation process.
  2. J&J and DSS added some specific post-acquisition requirements.
  3. The time deadlines require you to hit the ground running post-closing.

 

This month’s podcast series is sponsored by Michael Volkov and The Volkov Law Group.  The Volkov Law Group is a premier law firm specializing in corporate ethics and compliance, internal investigations and white collar defense.  For more information and to discuss practical solutions to compliance and enforcement issues, email Michael Volkov at mvolkov@volkovlaw.com or check out www.volkovlaw.com.