The Foreign Corrupt Practices Act (FCPA) enforcement journey, which began last summer with the guilty plea of Vicente Garcia for the payment of bribes to obtain contracts in Panama for his employer, SAP International, ended this week with the release of the Securities and Exchange Commission (SEC) civil action against the parent of SAP International, SAP SE, a German company. The case was concluded via a Cease and Desist Order (the “Order”). The fine was a relatively small $3.7MM with prejudgment interest of another $188K.

The facts were straightforward, and Garcia had previously admitted to them in his guilty plea and sentencing hearing last December. He circumvented SAP internal controls to create a slush fund from which to pay bribes. To do so, he had to actively evade an internal compliance system that had stopped him from hiring a corrupt agent to facilitate the bribe payments. Frustrated by the success of the SAP compliance function in stopping his initial bribery scheme, he then turned to using a previously approved distributor to facilitate the payment. He did so by giving this distributor an extraordinary discount. The corrupt distributor then sold the SAP products to the Panamanian government at full price and used the price difference to fund the bribes to the corrupt government officials. This led to a $14.5MM sale to the distributor with $3.7MM in profits to SAP. Hence, the amount of profit disgorgement.

The bribery scheme is a clear lesson for any company that utilizes a distribution model in the sales chain. Bill Athanas, a partner in Waller Lansden Dortch & Davis LLP, has articulated a risk management technique for this type of bribery scheme, which he has called the Distributor Authorization Request (DAR). It provides a framework to establish a business justification for any discount offered to a distributor and to assess, manage and document that discount.

It begins with a DAR template, which is designed to capture the particulars of a given request and allows for an informed decision about whether it should be granted. Because the specifics of a particular DAR are critical to evaluating its legitimacy, it is expected that the employee submitting the DAR will provide details about how the request originated as well as an explanation of the business justification for the elevated discount. In addition, the DAR template should be designed so as to identify gaps in compliance that may otherwise go undetected.

The next step is that channels should be created to evaluate DARs. The precise structure of that system will depend on several factors, but ideally the goal should be to allow for tiered levels of approval. Athanas believes that three levels of approval are sufficient, but can be expanded or contracted as necessary. The key is the greater the discount contemplated, the more scrutiny the DAR should receive. The goal is to ensure that all DARs are vetted in an appropriately thorough fashion without negatively impacting the company’s ability to function efficiently.

Once the information gathering, review and approval processes are formulated, there must be a system in place to track, record and evaluate information relating to DARs, both approved and denied. The documentation of the total number of DARs allows companies to more accurately determine where and why discounts are increasing, whether the standard discount range should be raised or lowered, and gauge the level of commitment to compliance within the company. This information, in turn, leaves these companies better equipped to respond to government inquiries down the road.

Yet in addition to the DAR risk management technique advocated by Athanas, your compliance program needs more robust transaction monitoring going forward. As noted in the Order, one of the remedial measures engaged in by SAP after the bribery and corruption was detected was that the company “audited all recent public sector Latin American transactions, regardless of Garcia’s involvement, to analyze partner profit margin data especially in comparison to discounts so that any trends could be spotted and high profit margin transactions could be identified for further investigation and review.”

This is the type of transaction monitoring which a Chief Compliance Officer (CCO) or compliance practitioner traditionally does not engage in on a pro-active basis. However, this is clearly the direction that US regulators want to see companies moving towards as compliance programs evolve.

Here a couple of questions would seem relevant: What happened? And how do you know? In answering these questions, it is clearly important that there should be an understanding of the business cause of significant sales and that there could be other issues involved in the situation that may require consideration by the compliance practitioner. While a company would usually only consider an analysis of variations at the level at which the sales increase was material, this was not the path taken by SAP in their post-incident investigation. Moreover, such a sales increase would most probably be material for the Panama region and certainly for the employee in question.

Once the appropriate level is determined, direct questions should be asked and answered at that level. Explanations of a sales increase as being the result of the appointment of a new head of business development or a more aggressive sales manager should not simply be taken at face value. Questions such as what techniques were used; what was the marketing spend; how much was spent on discounts to distributors; etc., might help to get at the true underlying reason for a spike in sales. Further, a company should review its findings over subsequent periods for confirmation. So, for example, if a sales increase legitimately appears to be due to the efforts of a new person in the territory or region, is that same increase sustained in later periods? The answer to such a question might identify red flags indicating the need for further review.

A final lesson to be considered is what to do when you have an employee like Garcia. Is he a rogue employee? Does rogue mean his behavior is only sociopathic so that he appears to be operating within the rules? Or were there clear signs that greater scrutiny needed to be put in place? What about his clear attempt to bring in a corrupt agent, at the last minute of a deal, to facilitate it? This is a clear red flag and was not approved by SAP compliance. Does this put the company on notice that an employee is not only willing to go beyond the rules but also engage in illegal conduct down the road? How many passes does such an employee get before they are shown the door?

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2016

Yesterday, I began a review of Foreign Corrupt Practices Act (FCPA) enforcement actions by the Securities and Exchange Commission (SEC) where there were no parallel Department of Justice (DOJ) enforcement actions. Today I conclude the two-part review by looking at the Bristol-Myers Squibb, Hitachi and Mead Johnson enforcement actions.

Bristol-Myers Squibb: Lessons from Remediation

In October, the SEC announced a FCPA enforcement action against Bristol-Myers Squibb Company (BMS) for the actions of the company’s joint venture (JV) in China, which made cash payments and provided other benefits to health care providers (HCPs) at state-owned and state-controlled hospitals in exchange for prescription sales. The company agreed to a total fine and penalty of $14MM, which included the return of $11.4 million of profits plus prejudgment interest of $500,000 and payment of a civil penalty of $2.75 million.

BMS was slow to remediate gaps in internal controls over interactions with HCPs and monitor potential inappropriate payments to them that were identified repeatedly in annual internal audits of BMS China between 2009 and 2013.” Kara Brockmeyer, Chief of the Enforcement Division’s FCPA Unit, was quoted in the Press Release as follows: “Bristol-Myers Squibb’s failure to institute an effective internal controls system and to respond promptly to indications of significant compliance gaps at its Chinese joint venture enabled a widespread practice of providing corrupt inducements in exchange for prescription sales to continue for years.”

The company extensively remediated its compliance program in the face of these deficiencies. The Order set out many of the steps taken by BMS to enhance its anti-bribery and general compliance training and policies and to strengthen its accounting and monitoring controls relating to interactions with HCPs, including travel and entertainment expenses, meetings, sponsorships, grants, and donations funded by its Chinese business unit. Many of these are useful actions that a Chief Compliance Officer (CCO) or compliance practitioner can use as a benchmark for their own compliance program.

The measures taken included numerous steps to improve the internal controls and compliance program at BMS China. Examples cited in the Order included (1) a 100% pre-reimbursement review of all expense claims; (2) the implementation of an accounting system designed to track each expense claim, including the request, approval, and payment of each claim; and (3) the retention of a third-party vendor to conduct surprise checks at events sponsored by sales representatives. The company terminated over ninety employees and also disciplined an additional ninety employees, including sales representatives and managers of the company, who failed to comply with or sufficiently supervise compliance with relevant policies. In addition, BMS replaced certain BMS China officers as part of an overall effort to enhance “tone at the top” and a culture of compliance. Finally, BMS revised the compensation structure for BMS China employees by reducing the portion of incentive-based compensation for sales and distribution, eliminated gifts to HCPs, implemented enhanced due diligence procedures for third-party agents, implemented monitoring systems for speaker fees and third-party events, and incorporated risk assessments based on data analytics into its compliance program.

This enforcement action continued the clear trend of SEC-only FCPA enforcement actions for internal controls violations of the Act. CCOs need to heed this very clear message and determine what gaps exist in their compliance internal controls. Most interestingly, although a corporate monitor was not required, there was a quite rigorous schedule laid out under which the company had to report to the SEC its continued progress on implementation of a best practices compliance program going forward. Further, the company was required to submit to the Commission staff, within 180 calendar days of the entry of the Order and then again at 270 days, a report giving a complete description of its remediation efforts and its plans for any future enhancements or improvements to its policies and procedures for ensuring compliance with the FCPA and other applicable anti-corruption laws.

Hitachi: No Good Deed Goes Unpunished

In September, the SEC announced resolution of a FCPA enforcement action involving Hitachi Ltd (Hitachi). Hitachi agreed to a penalty of $19MM in a separate and also uncontested final judgment. Perhaps the most interesting aspect of the Hitachi matter is that it involved bribery of a political party, the African National Congress (ANC). This portion of the enforcement action stands as a stark reminder that political parties are covered by the FCPA just the same as government officials. The FCPA Guidance states: “The FCPA’s anti-bribery provisions apply to corrupt payments made to (1) “any foreign official”; (2) “any foreign political party or official thereof ”; (3) “any candidate for foreign political office”; or (4) any person, while knowing that all or a portion of the payment will be offered, given, or promised to an individual falling within one of these three categories.” Although the statute distinguishes between a “foreign official,” “foreign political party or official thereof,” and “candidate for foreign political office,” the term “foreign official” in this guide generally refers to an individual falling within any of these three categories.

Also of interest is the jurisdictional basis of the enforcement action. Hitachi is a Japanese corporation. Yet, according to the Complaint, “At the time of the violations, and from at least January 1, 2005 until April 26, 2012, Hitachi’s American Depositary Shares (“ADSs”) – representing shares of common stock – were registered with the Commission under Section 12(b) of the Exchange Act [15 U.S.C. § 78l] and were listed and traded on the New York Stock Exchange. Hitachi was an issuer of securities in the United States and filed reports on Form 20-F with the Commission pursuant to Section 13(a) of the Exchange Act [15 U.S.C. § 78m].” Thereafter Hitachi delisted its ADRs from registration. This jurisdictional prong once again emphasizes the breadth and scope of FCPA enforcement. Further, many foreign companies may be inadvertently subjecting themselves to US jurisdiction through such registrations.

The bribery schemes themselves were notable only for their blatantness. Yet, the enforcement action pointed up the oft-times difficulty in providing corporate social responsibility and distinguishing it from outright corruption in certain countries. As noted in a Financial Times (FT) article, entitled “Hitachi reaches deal over S Africa ‘payments’”, businesses “operating in South Africa are encouraged to take on black business partners under the ANC’s policy of black economic empowerment (BEE), intended to redress economic imbalances created by apartheid.” Yet, critics claim that there is a “blurred line between business and politics in the awarding of state tenders” in South Africa. However, the ANC front group was charged “only approximately $190,819 stake which returned to it over $5MM in “dividends” and another $1MM in a “success fee” for contracts to Hitachi worth “about $5.6bn.””

Listed at the end of the SEC Press Release were the groups that assisted the SEC in investigating and bringing the enforcement action. They included, “the Justice Department’s Fraud Section, the Federal Bureau of Investigation, the Integrity and Anti-Corruption Department of the African Development Bank, and the South African Financial Services Board.” Brockmeyer also singled out the “assistance we [the SEC] received from the African Development Bank’s Integrity and Anti-Corruption Department and hope this is the first in a series of collaborations.”

For the compliance practitioner, the Hitachi SEC enforcement action provides a valuable reminder that the FCPA covers more than foreign government officials and officials of state owned enterprises. Political parties are also covered so that if part of your corporate social responsibility includes payments to political party front groups, your company could get into FCPA hot water. For foreign companies that have subjected themselves to FCPA jurisdiction, intentionally or otherwise, the message is even starker. The SEC (and Department of Justice (DOJ)) will leave no stone unturned to root out bribery and corruption, even if done by non-US subsidiaries, with no apparent ties to the US.

Mead Johnson: The Importance of Your Internal Investigation

Rather than violations of internal controls, this enforcement action turned on violations of the accounting provisions of the FCPA. According to the Cease and Desist Order, “certain employees of Mead Johnson China improperly compensated HCPs, who were foreign officials under the FCPA, to recommend Mead Johnson’s infant formula to, and to improperly provide contact information for, expectant and new mothers.” One of Mead Johnson’s sales channels in China was through distributors. To facilitate this illegal conduct, funding to the distributors, called the “Distributor Allowance”, was diverted to make illegal payments.

This tactic was clearly a violation of the company’s books and records obligations under the FCPA. By doing so, Mead Johnson was able to hide its payments to doctors and HCPs from not only regulators but the company’s shareholders as well. As the Cease and Desist Order noted, the company’s “records were incomplete and did not reflect that a portion of Distributor Allowance was being used contrary to Mead Johnson’s policies.”

In an interesting twist Mead Johnson, based on an allegation of potential FCPA violations in China, performed an internal investigation on its China unit in 2011 and came up with no evidence. Somewhat dryly the SEC noted that the company did not make any self-disclosure around these allegations and “did not thereafter promptly disclose the existence of this allegation in response to the Commission’s inquiry into this matter.”

Marc Alain Bohn, writing in the FCPA Blog, said, “if a company has decided against voluntarily disclosing allegations of misconduct — something it has no affirmative obligation to do — it is critical for the company to conduct a thorough and well-documented internal investigation that is clear-eyed about the investigation results and can be defended to the agencies in the event the government ever becomes aware of the allegations.” He went on to note, “Investigations that lack sufficient depth, resources, or forethought can pose significant risk because they increase the likelihood that something critical will be overlooked, potentially permitting misconduct to continue unabated. They may also give the appearance that a company is not truly committed to compliance or is more concerned with sweeping misconduct under the rug.”

There are several lessons to be learned from the Mead Johnson enforcement action. Performing an investigation, finding no FCPA violations only to have a regulator sitting on your shoulder and later finding such evidence is never good. The SEC also reaffirmed its clear intention to continue to enforce the accounting provisions of the FCPA, with or without a parallel DOJ enforcement action. Companies must also take heed on their internal controls. Clearly certain China business unit employees had developed a work-around of the compliance internal controls by requiring the distributors to use their allowances to pay bribes. Internal controls must not only exist but they must be effective. That means you have to test their effectiveness, not simply tick the box that you have put them in place.

I see no evidence or even reason for SEC only FCPA enforcement to slow down in 2016. I would suggest you initiate a review of your internal compliance controls sooner rather than later.


2015 continued the trend of Foreign Corrupt Practices Act (FCPA) enforcement actions brought by the Securities and Exchange Commission (SEC) with no parallel Department of Justice (DOJ) enforcement action. As you might expect, these SEC enforcement actions turned on violations of the Accounting Provisions of the FCPA, either the books and records provisions or the internal controls provisions. In this two-part series to begin the New Year I take a look at five SEC enforcement actions and use them to point to where enforcement may be going in 2016 and what the Chief Compliance Officer (CCO) or compliance practitioner should take away from the enforcement action. Part I will focus on BNY Mellon and BHP and Part II will look at the Bristol-Myers Squibb, Hitachi and Mead Johnson enforcement actions.

BNY Mellon: Hiring of Children and Relatives

In August, the SEC announced a resolution with the Bank of New York Mellon Corporation (BNY Mellon) for FCPA violations. This was the first enforcement action around the now infamous Princesslings and Princelings investigation where US companies hired the sons and daughters of foreign government officials to curry favor and obtain or retain business.

While JPMorgan Chase has garnered the most attention around this issue, probably because of its notorious spreadsheet tracking of sons and daughters hires to develop business in China, there are multiple US companies under scrutiny for similar conduct. The FCPA Blog has reported that Credit Suisse, Goldman Sachs, Morgan Stanley, Citigroup, and UBS are all under investigation by the SEC for their hiring practices around the sons and daughters of foreign government officials. BNY Mellon has the honor of being the first company to reach resolution on this issue.

There is nothing illegal around the hiring of a close family member of a foreign governmental official. It does however present a higher risk for indicia of bribery and corruption and violation of the FCPA. A higher FCPA risk means you need to evaluate that risk more closely and manage that risk accordingly.

The obvious starting point for the hiring of a close family member of a foreign governmental official is whether the candidate is qualified for the position. If they are not qualified it is ‘Full Stop’ at that point. In the case of BNY Mellon there was no evidence any of the candidates had the academic background, credentials, leadership traits or intangible skills to meet the bank’s normal internship hiring criteria. As with any other anomaly granted in a company’s normal process, there must be a documented reason for the exception, review by appropriate authority of the exception and documentation as to why the exception was granted. None of these steps were present in the BNY Mellon matter. Put another way, if you are hiring a family member or close relative of a foreign government official for any reason other than merit, it had better be a darn good one and be well documented as to the decision-making calculus with appropriate senior management oversight.

But your risk management does not stop simply with the hiring process. If the foreign governmental official is the person who made the request for the hiring of the family member, this is a Red Flag not to be overlooked. Your analysis needs to be on the role of that foreign governmental official in awarding new business to your company or in retaining old business. If the foreign governmental official has direct or even strong indirect control over such business relations, this may present such a direct conflict of interest that it is a risk you cannot manage. A good rule of thumb here is whether there is full transparency in the hiring with the foreign government involved with your company. In the case of BNY Mellon, they did not want anyone in the Sovereign Wealth Fund to know BNY Mellon had hired the son or nephew. That is a clear sign that transparency is lacking and someone, somewhere is engaging in unethical conduct, if not breaking the law.

Finally, if you do decide to move forward and hire the close family member, you need to assign that new hire to work that is not associated with the business relationship between your company and the foreign government involved. Just as in the lifecycle of third party management, managing the relationship after a contract is inked is in many ways the most critical element; the same is true in the employment relationship involving close family members of foreign government officials.

Ultimately, you need to have internal controls to ensure effective compliance going forward. You cannot have customer relationship managers making the calls on hiring which over-ride the Human Resources (HR) procedures. There must be not only HR review but also mechanisms to flag for compliance review such hires. Lastly, there needs to be sufficient senior management oversight because this is such a high-risk proposition.

BHP: High-Risk Hospitality

In May came the release of the SEC FCPA enforcement action involving BHP Billiton Ltd. (BHP), which revolved around the company’s hospitality program for the Beijing 2008 Olympics. Every CCO and compliance practitioner should study this enforcement action in detail so that they can craft appropriate compliance internal controls for high dollar entertaining for big time sporting events. For any company that may be planning high dollar hospitality spends for the 2016 Brazil Olympics, this enforcement action lays out what you should and should not do in your compliance program. But this holds true for any major sporting event such as the Super Bowl, World Cup or you name the event.

BHP had a paper program that appeared robust. As laid out in the SEC Cease and Desist Order, “BHPB developed a hospitality application which business managers were required to complete for any individuals, including government officials, whom they wished to invite.” Yet, an effective compliance program does not end at that point. Now would be an appropriate time to recall that high risk does not mean you cannot engage in certain conduct. High risk means that to have an effective compliance program, you have to manage that risk. A basic key to any effective compliance program is oversight or a second set of eyes baked in to your process. BHP formally had this oversight or second set of eyes in the form of an Olympic Sponsorship Steering Committee (OSSC) and Global Ethics Panel Sub-Committee.

Where BHP failed was that “other than reviewing approximately 10 hospitality applications for government officials in mid-2007 in order to assess the invitation process, the OSSC and the Ethics Panel subcommittee did not review the appropriateness of individual hospitality applications or airfare requests. The Ethics Panel’s charter stated that its role simply was to provide advice on ethical and compliance matters, and that “accountability rest[ed] with business leaders.” Members of the Ethics Panel understood that, consistent with their charter, their role with respect to implementation of the hospitality program was purely advisory. As a result, business managers had sole responsibility for reconciling the competing goals of inviting guests – including government officials – who would ““maximize [BHPB’s] commercial investment made in the Olympic Games” without violating anti-bribery laws.”

But there was more than simply a failure of oversight by BHP. The Cease and Desist Order noted that not all of the forms were filled out with the critical information around whether a proposed recipient might have been a government official. Even more critically missing was information on whether the proposed recipient was in a position to exert influence over BHP business. Moreover, BHP did not provide training to the business unit employees who ended up making the call as to whether or not to provide the hospitality on payment of travel and hospitality for spouses. The Cease and Desist Order stated that BHP “did not provide any guidance to its senior managers on how they should apply this portion of the Guide when determining whether to approve invitations and airfares for government officials’ spouses.” Finally, there were no controls in place to update or provide ongoing monitoring of the critical information in the forms.

All of this led to the SEC stating the following, “As a result of its failure to design and maintain sufficient internal controls over the Olympic global hospitality program, BHP invited a number of government officials who were directly involved with, or in a position to influence, pending negotiations, efforts by BHPB to obtain access rights, or other pending matters.” Perhaps it was stated most succinctly by Antonia Chion, Associate Director of the SEC’s Division of Enforcement, in the SEC Press Release announcing the enforcement action when she said, “A ‘check the box’ compliance approach of forms over substance is not enough to comply with the FCPA.”

Stay tuned for Part II tomorrow…


We begin our exploration of the new Department of Justice (DOJ) Compliance Counsel and the metrics laid out by Assistant Attorney General Leslie Caldwell for her review of compliance programs. Today we review the first criteria and tie it to one made specifically applicable to financial institutions but which I believe both should and will soon apply to non-financial institutions. These metrics are:

  • Does the institution ensure that its directors and senior managers provide strong, explicit and visible support for its corporate compliance policies?
  • Does US senior management maintain a material role in implementing and maintaining a company’s overall compliance framework?

These requirements move beyond simply having the correct ‘Tone at the Top’ which every Board and senior management articulate. They charge those two groups in a company with a substantive role in the actual doing of compliance going forward. One of my concerns is this metric sets up Board members and senior management for prosecution under the Foreign Corrupt Practices Act (FCPA) in the new era of the Yates Memo where companies are required to investigate and turn over individuals to the DOJ for prosecution if they want to receive any credit for cooperation. Of course, the Yates Memo also articulated the DOJ’s stated intention to more aggressively prosecute individuals as well.

Board Role

Here I think you can begin with two questions. First, does the Board of Directors exercise independent review of a company’s compliance program? Second, is the Board of Directors provided information sufficient to enable the exercise of independent judgment?

Boards of Directors should take a more active role in overseeing the management of risk within a company. Now this includes having a FCPA compliance program in place and actively overseeing that function. This means if a company’s business plan includes a high-risk proposition, there should be additional oversight. In other words, there is an affirmative duty to ask the tough questions. But it is more than simply having a compliance program in place. The Board must exercise appropriate oversight of the compliance program and indeed the compliance function. The Board needs to ask the hard questions and be fully informed of the company’s overall compliance strategy going forward. Some of the areas for hard questions include:

  • Corporate Compliance Policy and Code of Conduct – Is there an overall governance document which will inform the company, its employees, stakeholders and third parties of the conduct the company expects from an employee, translated into appropriate local languages? Is there documentation of delivery and training on this document or these documents?
  • Risk Assessment – Has the Board assessed the compliance risks associated with its business?
  • Implementing Procedures – The Board should determine if the company has a written set of procedures in place that instructs employees on the details of how to comply with the company’s compliance policy. Once again, have these implementing procedures been translated as appropriate and do employees understand these procedures? Are all of the above documented?
  • Training – Has the Board been trained to understand its role in an effective compliance program?
  • Monitor Compliance – Has the Board independently tested, assessed and audited to determine if its compliance policies and procedures are a living and breathing program and not just a paper tiger?

There are several paths a Board of Directors can take to fulfill this duty. Obviously the full Board can be apprised of compliance issues and handle them appropriately. However, this may be unwieldy or not workable if there is a large Board and the compliance function only has limited time to present a quarterly and annual report. The Audit Committee is usually considered a natural venue for the compliance function to report to as it handles issues somewhat related to compliance already. However, I believe that with the convergence of the Yates Memo and this metric for the new DOJ Compliance Counsel, it is time for companies to create a Compliance Committee separate and apart from the Audit Committee. This Board-level Compliance Committee would be charged with oversight of FCPA compliance and ethics but could also be the reporting venue for anti-money laundering compliance (AML), export control compliance and all other such disciplines within an organization. Further, after the Volkswagen emissions-testing scandal, not only having a robust compliance program but also direct and transparent Board oversight may be the only thing stopping injury to your reputation from a competitor’s illegal or unethical conduct.

Senior Management

Strong Explicit Support

Tone at the Top has been a well-worn phrase for many years so I think the DOJ is looking for more than simply statements of support. I also believe that the DOJ is now looking beyond simply an ambassador of compliance role for senior management. Now this talk of compliance and support for compliance will start to come together in real dollars being made available to a compliance department for technological solutions and head count availability.

It is imperative that any Chief Compliance Officer (CCO) have sufficient authority and independence to oversee the integrity of the compliance program. This includes a direct reporting line to the company’s Board of Directors and Audit/Compliance Committee but more importantly “unfiltered” access to the Board. The CCO must have a clear mandate, delegation of authority, senior-level positioning, and empowerment to carry out his/her duties. This also means a ‘seat at the table’ so the CCO is now a C-Suite level position in any organization.

It is absolutely mandatory that the CCO be given both the physical resources in terms of personnel and monetary resources to adequately perform the required task. Under monetary resources the CCO should have a budget independent of the General Counsel, rather than a shared budget. This also means appropriate head count for personnel resources.

Active Senior Management Involvement

Here I suggest that a company create a Management Oversight Committee. The makeup of this committee should generally be persons who are not subordinate to the most senior officer of the department or unit responsible for the relevant transactions which are going to be considered. I think more than one department should be represented on the Oversight Committee. This would include senior representatives from the Accounting (or Finance) Department, Internal Audit, Compliance & Legal Departments and Business Unit Operations.

This Management Oversight Committee would review significant compliance issues over a period of one to three months. It can provide not only an additional level of support to the CCO or compliance function but also triage compliance issues for appropriate remediation. It also has the effect of keeping senior management involved in the compliance function on an oversight basis. Clearly the DOJ wants more senior management involvement, and having such a Management Oversight Committee in place would put senior management directly in the reporting line if an incident arises or, perhaps more importantly, if trends begin to develop which indicate that compliance-related issues could be moving towards full FCPA violations. In other words, the Management Oversight Committee could help the CCO move from detection and prevention to prescription of compliance issues, preventing them from becoming full violations by delivering an appropriate risk-based solution.

Taken together these two new metrics make clear that the DOJ is expecting both a Board of Directors and senior company management to take a more active role in any FCPA compliance program going forward. It also means both of these groups must actively support and promote the CCO and the compliance function with time, resources and respect. Finally all of this must be thoroughly and continuously documented.

The bottom line is that the Board of Directors and Senior Management must be actively engaged in your compliance program.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2015

Corruption

Today, I continue my four-part series on the above question posed to me recently by a colleague. In Part I, I wrote that only the US government had the wherewithal, tools and will to do so. Yesterday, I focused on corruption on the pitch and how bribery and corruption ‘changes the game’ of soccer (AKA Football). Today is the third of my four reasons on why Americans should care about the Department of Justice (DOJ) bringing their indictments against the 14 named defendants who were all associated with the governing body of international soccer, the Fédération Internationale de Football Association (FIFA). Up today is corruption and US companies.

While there were no US companies specifically identified in the indictments, there were allegations that bribes were paid and pocketed in connection with the sponsorship of the Brazilian national soccer team by “a major U.S. sportswear company.” This company was later determined to be Nike. In an initial statement Nike denied any involvement in the payment of bribes and said they were cooperating with the relevant authorities. However, they later changed this original statement to say, “Like fans everywhere we care passionately about the game and are concerned by the very serious allegations. Nike believes in ethical and fair play in both business and sport and strongly opposes any form of manipulation or bribery. We have been cooperating, and will continue to cooperate, with the authorities.”

Nike is not alone in its World Cup sponsorship as there are numerous other American companies involved, both sportswear manufacturers and other retailers, such as those from the beverage industry. The involvement of US companies and companies subject to the Foreign Corrupt Practices Act (FCPA) brings up the specter of the FCPA for companies involved in FIFA sponsorship and marketing partnerships. I do not see this as an issue so much about level playing fields for business or even the greater benefits that US companies can bring even when they are required to pay bribes. (The latter argument was used by Wal-Mart apologists around the company’s payments of bribes to do business in Mexico as benefiting the people of Mexico. Let us be quite clear: the bribes paid by Wal-Mart benefitted Wal-Mart and its income from its Mexican operations.)

Information in the indictments was quite damning about the involvement of a company identified as ‘sportswear company A or E’. In a Financial Times (FT) article, entitled “Fifa corruption scandal threatens to engulf Nike as sponsors raise pressure”, Joe Leahy and Mark Odell reported that one of the cooperating defendants, Jose Hawilla, owner of Traffic Group, who has pled guilty, acted as a third party agent for Nike’s landmark 1996 agreement to allow Nike to fit out the Brazilian national soccer team. Moreover, the article noted, “The prosecutors said that additional financial terms between Traffic and the unnamed sportswear company were not reflected in the CBF agreement. Under these terms, the company agreed to pay a Traffic affiliate with a Swiss bank account an additional $30m in ‘base compensation’ on top of the $160m it paid to the CBF. Three days later, the company and Traffic signed a one-page contract saying the CBF had authorized Traffic to invoice Nike directly ‘for marketing fees earned upon successful negotiation and performance of the agreement’.” Anyone see any Red Flags in that scenario?

Beyond the criminal side of the FCPA, there is the civil side enforced by the Securities and Exchange Commission (SEC) through the Accounting Provisions, which consist of the books and records provisions and the internal controls provisions. According to the FCPA Guidance, “The FCPA’s accounting provisions operate in tandem with the anti-bribery provisions and prohibit off-the-books accounting. Company management and investors rely on a company’s financial statements and internal accounting controls to ensure transparency in the financial health of the business, the risks undertaken, and the transactions between the company and its customers and business partners. The accounting provisions are designed to ‘strengthen the accuracy of the corporate books and records and the reliability of the audit process which constitute the foundations of our system of corporate disclosure.’”

As was made clear with the recent BHP Billiton FCPA enforcement action, violations of the accounting provisions do not apply only to bribery-related violations of the FCPA. The FCPA Guidance states these provisions “stand alone to help investors have assurance that all public companies account for all of their assets and liabilities accurately and in reasonable detail.” For the books and records provisions this means that US public companies must “make and keep books, records, and accounts, which, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the issuer.” For the internal controls provisions, US public companies must provide a system of internal controls that “provide reasonable assurances regarding the reliability of financial reporting and the preparation of financial statements.” In other words, the accounting provisions are designed to protect investors in addition to working towards preventing, detecting and remediating bribery and corruption.

In addition to these basic legal requirements, which are all set out in the FCPA and violation of which could lead to criminal or civil exposure, there will be the costs. The FCPA Professor has identified “three buckets” of costs relating to an alleged FCPA violation. The first is the pre-resolution investigative and remediation costs, the second is the fine and penalty assessment and the third is the post-resolution implementation costs. It is generally recognized that buckets one and three can be up to two to six times the amount of the fine and penalty.

But with the FIFA scandal, there will be another huge factor for companies to consider and that is the negative publicity. This scandal is the largest worldwide corruption case ever brought. It is also the highest profile corruption case ever brought. It will command attention for years to come. If any US companies are linked to bribery and corruption at FIFA, their name will be dragged through the international press ad nauseam. If there are leaks about information on companies before they investigate or get out ahead of any allegations, which may spill into the press, it will certainly not look good.

For a taste of this you can look to the accounting firm KPMG, who is the auditor for FIFA. In a story originally reported by Francine McKenna at the Wall Street Journal (WSJ) and later reported by the New York Times (NYT), KPMG has blessed FIFA’s books since at least 1999. In the NYT piece, entitled “As FIFA case grows, focus turns to its auditors”, Lynnley Browning wrote that the KPMG audits “only heightens the puzzling disconnect between the different pictures that are emerging of FIFA as an organization: riddled with bribes and kickbacks in the view of prosecutors yet spotless according to the outsider most privy to its internal financial dealings.” How well do you think KPMG will come out of this?

The bottom line is that any US company or any other entity subject to the FCPA had better take a close look at its dealings with FIFA, regional soccer federations such as CONCACAF and national soccer federations. A full review is in order starting with who you did business with and how you did business with them. As Mike Brown would say, “follow the money” and see where it went, if you can account for it and if it was properly recorded on your company’s books and records. Finally, now would be a very propitious time to review your internal controls; for even if you had a robust paper system of internal controls like BHP Billiton did, if it is simply a check-the-box exercise or even worse you do not follow the internal compliance controls you have in place, you should begin remediation now.

As to why Americans should care about US companies engaging in corruption, that answer would seem to be straightforward. Companies which engage in bribery and corruption mislead investors and diminish the marketplace of information to base investments upon. If a company is engaging in bribery and corruption, they never report it in their books and records; they always try to hide it so that it cannot be detected. Usually poor internal controls exist, which can allow bribery and corruption to exist or even the possibility of it, once again demeaning the value of a company if that company cannot assure its investors that funds will be paid out with the approval of management. Further, contracts or other business obtained through bribery and corruption present a false picture of the true financial health of a company as they allow profits obtained through illegal means to be booked as legitimate. Finally, if a company is engaging in bribery and corruption, the financial cost to the company can be astronomic. There is only one Wal-Mart that can sustain hundreds of millions of dollars spent to investigate allegations of bribery and corruption and remediate any issues. Avon spent north of $500MM on its pre-resolution investigation and remediation. All of this does not even get to the issue of inflated stock values and the inevitable shareholder derivative litigation. Lastly, there is reputational damage. If a company is willing to engage in bribery and corruption as a part of a business strategy, do you want to invest in the organization?

As an American, should I care about US companies involved in the FIFA corruption scandal? If the facts reported in the FT are close to correct, I would certainly think so. If monies were paid by a ‘sportswear’ company in the form of marketing fees to Traffic or even a flat $40MM payment to a Traffic affiliate’s Swiss bank account, this is something which should not be tolerated.

© Thomas R. Fox, 2015