How it worksWhat is satisfactory due diligence under the Foreign Corrupt Practices Act (FCPA)? That question seems to be more important after the Huffington Post’s story on Unaoil and the subsequent release of the Panama Papers. However, both of these events largely focused on the “who” part of due diligence and the need to know whom you are doing business with going forward. However there is another important question which does not come up as often in due diligence, which is how?

How does a particular third party perform its services with or for your company? If it is on the sales side of things, how can a third party help you make sales? If a third party comes through the Supply Chain, how do their products or services meet the needs of your company? If the third party has a closer business relationship, such as a joint venture (JV), teaming agreement or other similar arrangement, you may well need a much deeper understand of how this third party does business because the relationship may well become so close you will be intertwined with the party. It may mean more than simply does their how product work but how does this third party conduct themselves and their business?

The questions beyond simply who were made clear in a Wall Street Journal (WSJ) article by Christopher Weaver and John Carreyrou, entitled “Deal With Theranos Haunts Walgreens. It turns out that Walgreens left a gap by “never fully validating the startup’s technology or thoroughly evaluating its capabilities”. The clear message is if you are going to partner with a technology company which is going to change your business model, you best make sure the technology works. Moreover, if a potential JV partner refuses to show you its technology, how it keeps records, its financials relating to the products and services you are contracting for and generally tries to hide from you the very thing you are buying into; you should not walk but run away from the deal.

This article detailed the lack of steps and miss-steps by Walgreens when entering its partnership with Theranos and how these actions have caused Walgreens to consider its $50MM investment in Theranos as something it will never recoup, caused Walgreens reputational damage and potentially subjected it to civil liability. As the reporters noted, “The relationship is now in tatters, making Walgreens an extreme case study of what can go wrong when an established company that craves growth decides to gamble on an exciting and unproven startup.”

One might think that if you are investing in a technology company that provides medical testing, the investor would want to see the laboratory where the testing is performed. It turns out that Walgreens representatives were never allowed to tour, let alone review the labs where the results of Theranos pinprick blood tests were run. A Walgreens consultant, Paul Rust, who was sent to Theranos to do a quality control data review said, “It was a very strange situation. The results were actually really good, but I was never allowed to go into the lab. I have no idea that the results I saw were run on the Edison devices or not.” He went on to say that he was “led to believe that they were being run on the Edison.” Yet even Rust was surprised no Walgreens representatives had been allowed to view Theranos labs.

Interestingly, when Theranos did provide the test results to Walgreens representatives, the results came back with ““low” and “high” values rather than numeric values. As a result, Walgreens couldn’t compare results from the Theranos machine to any commercially available tests.” Once again, this was something which Walgreens should be sought additional information on.

Yet even when Walgreens’ consultants, assisting the company in evaluating Theranos and the proposed transaction, voiced and wrote up their concerns, they were not passed along to Walgreens management. The article reported, “In a report later in 2011, the consultants concluded Walgreens needed more information to assess the partnership. Those findings and reports by other consultants were kept from many Walgreens officials, including some directly involved in the negotiations with Theranos.”

Walgreens made another classic mistake in the due diligence process; they took comfort when a competitor was allegedly considering a similar venture with Theranos. The article said, “Some executives were comforted when Theranos said Safeway Inc. had agreed to host blood-drawing sites at some of its supermarkets. If Safeway trusted Theranos, then Walgreens could, too, the Walgreens officials believed.” How often have your heard that some other company is considering or has approved them through due diligence and a decision was based on the alleged actions of an alleged party.

Walgreens hamstrung itself from managing the relationship after the contract was signed by agreeing to contract terms that prevented Walgreens from auditing or even viewing “Theranos clinical data or financial records”. Finally, and perhaps most damagingly, there was a complete lack of communications between the two companies about the issues that have bedeviled Theranos. The article concluded, “Walgreens shelved the expansion plans after the Journal reported in October that Theranos did the vast majority of tests it offered to consumers on traditional lab machines. The Journal also reported that some former employees doubted the accuracy of a small number of tests run on Edison devices. One of the most recent setbacks came in mid-April when the Journal reported that regulators had 3½ weeks earlier proposed banning Ms. Holmes from the lab-testing industry. The drugstore chain’s senior executives found out from the news report.”

In the FCPA, most companies understand the need to know with who they contract for sales or vendor related issues. They also understand the need to know why they should do business with a proposed third party (IE., a business justification). However the need to perform an investigation into how the third party can actually deliver what they are contracted to do is equally important. Moreover, even with the most robust due diligence, there are still additional steps which a company must engage in to properly manage third parties. Most compliance practitioners believe that compliance terms and conditions should be a part of every contract and there is really no debate that an audit clause and material breach of contract provision should be included.

The Walgreens imbroglio around Theranos points out why such clauses are mandatory. If you do not have them, you do not have the ability verify what you may or may not have been told in due diligence. Finally, managing the relationship after the contract is signed is where the rubber hits the road. If you only obtain a due diligence report and insert compliance terms and conditions, you will have done nothing to test whether the third party is actually performing as it has agreed to under the terms of the contract.

Perhaps if Walgreens had inquired into the how Theranos performed its medical testing it would not find itself in the situation it is in now.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

Chief-Compliance-OfficerAt the Opening Session of Compliance Week 2016, Stephen L. Cohen, Associate Director of Enforcement, Securities and Exchange Commission (SEC) and Andrew Weissmann, Chief of the Department of Justice (DOJ) Criminal Division’s Fraud Section, spoke about their views of what constitutes an effective compliance program under the Foreign Corrupt Practices Act (FCPA). Compliance Week’s Editor-in-Chief Bill Coffin moderated the panel. The majority of the discussion was around the Chief Compliance Officer (CCO) position; specifically the independence of the position, the authority the CCO has in an organization and the resources made available to the CCO.

Weissmann related that many presentations are made to the DOJ in the context of Filip Factors presentations, where a company generally presents evidence of the effectiveness of its compliance program at the time of the incident that led to the criminal investigation. He said that one of the things he thinks is important is how a CCO talks about the company’s compliance program.

He began by noting the initial straw poll showed that 65% of those responding to the first poll said their compliance program could probably pass DOJ muster or needs work. Weissmann viewed this as a positive sign because it demonstrated to him the ongoing evolution a company’s compliance program. He said he would often specifically delve into how a risk assessment had been done and then use that information as a springboard to inquire into whether it actually predicted the FCPA violation(s). It was not surprising to hear Weissmann basically say McNulty Maxim No. 3 (what did you do when you found out about it?) when he said that he would inquire into the company’s response and whether the response was then integrated that into the compliance function.

Cohen also said that he encourages CCOs to come and meet with him early in the SEC investigatory process. He did acknowledge that outside counsel usually hated the idea, obviously because they lose complete control, which they seek to maintain. Yet Cohen thinks that it helps him because it gives him a window into whom he is dealing with in the process. Additionally, as the CCO is generally more attuned to remediating problems, rather than simply protecting the company like outside counsel, a different view can often be obtained through such meetings. I would note from the CCO perspective, this is very valuable as it gives you the ability to begin to win an ally for your remediation program early on in the process.

One of the specific areas that Cohen wants to know about is what are the resources that have been made available to the CCO and what is the level of CCO independence? He is concerned about whether the CCO is appropriately valued and supported in the organization. He specifically asks if the CCO is on the Executive Leadership Team (ELT) or other top group of C-Suite executives. He would also inquire into whether the CCO had visibility into the transaction(s) that may have become the problem issue(s). Not necessarily whether there was a bribe authorized but if the transaction warranted someone violating the FCPA to get the deal done, did the compliance function have visibility into the matter? It is all Cohen’s way of trying to ascertain whether the CCO and compliance function have standing in company to get things done.

Weissmann was asked about individual liability for CCOs under the FCPA. I found this question propitious given my blog posts earlier this week. He said that the DOJ not going after CCOs for criminal liability unless they are a part of bribery scheme or some cover-up. He reiterated that the DOJ is trying to reduce the risk of criminality for violations under the FCPA and indeed that was one of their goals in hiring its new Compliance Counsel, Hui Chen. Chen enables the DOJ to be more robust in evaluating compliance programs of companies that come before the DOJ. He also noted that this new position works to heighten the power of CCO within companies as it gives them a specific advocate at the DOJ during enforcement actions.

Cohen took another approach to responding to the inquiry about CCO liability. He said that he believed there had been approximately 8000 SEC enforcement actions over past 10 years in regulated space involving CCOs. Of all of those cases, only five had involved individual liability actions brought against CCOs. These were along the lines of the FINRA action against Linda Busby I detailed yesterday, where the CCO had a clear regulatory responsibility to implement or enhance a compliance program and failed to do so. Cohen also made the point again that these five SEC enforcement actions were all in regulated industries only, not FCPA cases.

On the question of CCO independence, Weissmann believes this is one indicia of an effective compliance program. He reiterated yet again the DOJ’s stated position that it does not concern itself with whether the CCO reports to the General Counsel (GC) or reports independently, but he is more concerned about whether the CCO has the voice to go to the Chief Executive Officer (CEO) or Board of Directors directly, without going through the GC first. Even if the answer were yes, Weissmann would want to know if the CCO has ever exercised that right.

Finally, Weissmann turned to the operationalization of compliance. Echoing the remarks of the DOJ Compliance Counsel last fall, he wants to know if the if business unit of a company is responsible for at least a part of compliance. Put in the manner of Chen, is compliance operationalized within your organization? Weissmann had an interesting angle on the real problem for a CCO if compliance is not embedded into the business; that problem is that the CCO simply becomes a policeman, telling the business unit what it cannot do. Or as I would say, being Dr. No from the Land of No.

Cohen had several questions he would ask to determine the level of CCO independence within an organization. First and foremost, is the CCO a part of the senior management or the C-Suite? Is the CCO part of regular meetings of this group? He also wanted to know who could terminate the CCO so he might inquire to see if it was the CEO, the Audit Committee of the Board or did the CCO termination require approval of the entire Board? Most importantly, could a person under investigation or even scrutiny by the CCO fire the CCO? If the answer is yes, the CCO clearly does not have requisite independence.

In addition to the foregoing, Cohen had some additional questions he would consider. The first was who could over-rule the decision by a CCO within an organization? He would also inquire into who is making the decisions around salary and compensation for the CCO? Is it the CEO, the GC, the Audit Committee of the Board or some other person or group?

The remarks of Weissmann and Cohen demonstrated the continued evolution in the thinking of the DOJ and SEC around the CCO position and the compliance function. Their articulated inquiries can only strengthen the CCO position specifically and the compliance profession more generally. The more the DOJ and SEC talk about the independence of, coupled with resources being made available and authority concomitant with the CCO position, the more corporations will see it is directly in their interest to provide the position in their organizations.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

7K0A0223This week I have been exploring the Public Accounting Oversight Board (PCAOB) with Joe Howell, an Executive Vice President (EVP) with Workiva Inc. We have considered how some of the issues addressed by the PCAOB directly impact the Foreign Corrupt Practices Act (FCPA) compliance practitioner in ways that might not seem immediately self-evident. Today I will conclude my series with Howell by considering some of the costs for the failure of internal controls and how auditors, governed by the PCAOB, can help foster and facilitate a best practices compliance program.

There is no materiality standard under the FCPA. This is generally a different standard than internal auditors or accountants consider in a company. However Howell believes their approach is wrong based upon simply more than just a plain reading of the statute itself. This is because Howell feels it is not simply the materiality of the bribe, it may not even be the materiality of the contract that you receive because of the bribe. Howell’s view is that it is much broader as the materiality would be the entire cost that potentially the company could be liable for: pre-resolution investigation, an enforcement penalty and fine, and then post-settlement remediation or other costs.

Howell began by noting that a company must report contingent liabilities in its financial statements, if only in notes. Even if a company cannot estimate these costs, they must be described. A financial statement would be incomplete and actually wrong if they fail to describe a liability when you know that you have one. This means “If a company discovers that a bribe was paid and a fraud was perpetrated and that money was used to pay a bribe, they now know that they have some sort of liability, a cost that they’re going to have to recognize at some point, but they don’t know how much it is yet.”

Howell acknowledges there can be many reasons why a corporation would not want to put such a disclosure on the face of its financial statements; nevertheless, they do need to describe it in the financial statements in order to actually give the reader of the financial information the full picture that they are required to provide.

Any FCPA investigation is going to have a profound cost. If a company desires to take advantage of the new Department of Justice (DOJ) Pilot Program and self-disclose to the DOJ and Securities and Exchange Commission (SEC), it still may result in a risk of a fine, disgorgement of profits and other penalties. Howell added, “then monitoring at the backend and penalties and reputational risk. All of which go together to be material to the company. Even though the bribe was a little bribe, even though the fuse was a small fuse, the bomb is a big bomb. When you see a fuse, notice that it’s been lit, you have an obligation to report that. That’s material. It’s relevant to the reader of the financial statements. Because the fuse is small, you can’t say, I don’t have to report it.”

In an interesting insight for the Chief Compliance Officer (CCO) or compliance practitioner to consider, Howell said that even if you remediate but make the decision not to self-disclose that alone may be evidence that your books and records are not accurate. Take a minute to consider that from the SEC perspective. If your SOX 404 disclosure does not reflect any reportable FCPA incidents because you have remediated and made the decision not to self-disclose, that alone can be a violation of the FCPA.

While Howell believes that such contingencies will resolve themselves over time, he believes it is important to make that immediately available to readers of the financial statements. He went on to state that there are large numbers of diverse constituencies who depend on your accurate financial statements. These include, “your bankers, creditors, as well as your shareholders. You may have relationships that are contractual relationships with suppliers, customers that could be affected by this. You may have contracts with your employees that are affected by this. There may be contracts with other third parties that could be affected or impaired because of your violation of the FCPA, in one instance.”

I was intrigued by Howell’s inclusion of bankers and creditors relying on the accuracy of your financial statements. This is because it is not uncommon now that a loan document or a secondary financing would require a company to maintain an effective anti-bribery, corruption compliance program. I asked Howell if this is something an external auditor would evaluate and, if so, how would they go about evaluating such a loan covenant?

Howell said this could well be important because if such a loan clause were violated, that would be part of the corporate disclosure. Howell went on to note that if an auditor were to become aware that a fraud was “committed and that fraud resulted in resources being used to pay a bribe, the auditor then needs to take a hard look at all the disclosures about the contingencies. If they’re uncomfortable with that, they need to report themselves about what they think that the client may have missed. When fraud is discovered, they cannot keep silent. They have to report it.”

I concluded by asking Howell about the SEC Audit Standard No. 5: what it is and how it ties into the FCPA and the line through SOX all the way to Dodd-Frank. Howell said the precursor to Audit Standard No. 5 was Audit Standard No. 2 which specified what Howell called a bunch of ““thou shalt do” stuff that became very mechanical and it drove people’s costs up and it made people uncomfortable.”

This led to the adoption of Audit Standard No. 5 and a change to a more risk based focus using a principles-based audit standard. The SEC wanted to direct “auditors to those areas that present the highest risk, such as financial statement, closed processes, and controls designed to prevent fraud by management. It emphasizes that the auditor is not required to scope the audit to find deficiencies that don’t constitute material weaknesses.”

Howell believes that bribery and corruption are subsets of fraud and auditors are “required to always disclose fraud, even if it’s immaterial. If they find fraud, and even if the fraud is immaterial, it still means that it could be a failure in the controlled environment that means that they can no longer really rely on those controls. They have to do something else. What they would do is substantive testing, which that means then they would go back and start to look at everything. That’s prohibitively expensive. It takes an enormous amount of time and it results in audits that are not sustainable.”

This means one can then draw even a line to Audit Standard No. 5 and the risks that companies have doing business outside of the US under the FCPA as a risk that needs to be audited. Howell said this means you have to incorporate such an analysis into your FCPA compliance program because if you are doing business in high-risk countries which have a reputation for bribery as a way of doing business and you have operations there that rely on third parties that are securing contracts for you, you have an obligation to build a controlled environment which both prevents, to the best of your ability, mistakes from happening, bribes, and then if one were to happen, to be on the lookout for where that would most certainly and most likely show up.

Howell said this could be a variety of responses, including “transaction monitoring, surprise counts, sending in auditors to actually be part of that control environment to look for all the documentation. It is important to also have that sense of remediation. If you find it, what do you do with it? To whom do you report? What processes are in place? Are they working?”

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016