DawkinsDaryl Dawkins died yesterday. To anyone who followed the National Basketball League (NBA); Dawkins will always be remembered with the brilliant Stevie Wonder-derived moniker – Chocolate Thunder. I will also remember him for three things. First he was one of the very rare high school stars who went straight to the NBA with no college stop and was successful. The second was when he squared off to fight Maurice Lucas of the Portland Trailblazers during the 1977 NBA finals. Let’s just say Dawkins slaps at Lucas did not come close to hitting their mark. Number 3 was his thundering dunks, particularly one in a game against the Kansas City Kings at Kemper Arena on November 11, 1979, Dawkins threw down such a massive dunk that the backboard shattered. Then three weeks later he did it again.

As noted Dawkins was one of a very few high schoolers to NBAers who did even passably well. His contemporary Bill (Pugh) Willoughby had some success with Atlanta and, of course, Moses Malone had a Hall of Fame career, later taking those now Dawkins-less Philadelphia 76ers to the NBA promised land in 1983. I thought about Dawkins and his lack of college seasoning while reading the absolutely disgusting story of Art Briles, the University of Baylor, its football team and the saga of Sam Ukwuachu.

Jessica Luther and Dan Solomon have been following this sorry spectacle. In an article in Texas Monthly, entitled “Silence at Baylor”, they wrote, “That Ukwuachu transferred to Baylor in May 2013 because he had been kicked off the Boise State team for a previous incident of violence involving a female student; that Ukwuachu claimed after the transfer was announced that Baylor’s coaches “knew everything” about what happened in Idaho; and, as indicated by court documents obtained by Texas Monthly, the two programs had some communication regarding Ukwuachu in which Boise State officials expressed reticence about supporting the player’s efforts to get back on the field.”

Art Briles, the Baylor head football coach, claimed that he was never informed from anyone at Boise State about Ukwuachu’s prior incident, even implying they had covered it up. Yet Chris Petersen, then head coach at Boise State and now head coach at the University of Washington, said he had fully disclosed to Briles the details about Ukwuachu. Petersen said in a statement, ““After Sam Ukwuachu was dismissed from the Boise State football program and expressed an interest in transferring to Baylor, I initiated a call with coach Art Briles,” Petersen said. “In that conversation, I thoroughly apprised Coach Briles of the circumstances surrounding Sam’s disciplinary record and dismissal.” It is known that Boise State did not support any waiver that would have allowed Ukwuachu to play immediately for Baylor upon his transfer. In the fall of 2014 Ukwuachu sexually assaulted a female soccer player. Ukwuachu was indicted and convicted this month of second-degree sexual assault. His sentence – 180 days in jail and 10 years probation.

Briles and Baylor have claimed they are really the aggrieved party here because if Coach Petersen or anyone at Boise State had told them that Ukwuachu had been disciplined or dismissed from the Boise State team for sexual assault they would never have given him a full scholarship to Baylor. This means Briles and Baylor would have simply ignored the football facts that Ukwuachu was a Freshman All-American and highly recruited high school athlete. Indeed in early June of this year, Baylor defensive coordinator Phil Bennett said at a luncheon in Fort Worth for the Baylor Sports Network, that he expected Ukwuachu to play this year. This was in the face of a trial scheduled to begin some two months later.

All of this was overlaid by a university which, if not trying to suppress all this news about Ukwuachu, certainly did nothing to alert its student body that a scholarship athlete was on trial for sexual assault. Moreover, according to Luther and Solomon in Texas Monthly, “Meanwhile, the details about the investigation conducted by Baylor that came out during the trial reveal one that was shockingly brief: It involved reading text messages, looking at a polygraph test Ukwuachu had independently commissioned – which is rarely admissible in court – and contacting Ukwuachu, Doe, and one witness on behalf of each of them.”

I thought about all this sorry state of affairs at Baylor in the context of the Foreign Corrupt Practices Act (FCPA) and anti-corruption compliance programs. There is a clear reason why the responsibility should be on any company which wants to employ a third party to act on its behalf to do thorough due diligence on that agent. If this was not the situation, companies would make claims similar to those made by Baylor Coach Briles that “no one told me about Ukwuachu.” If Briles had accepted his responsibility for bringing a player into the university and onto his team, he might have understood the importance of knowing who you are dealing with going forward.

It is incumbent that a company evaluates and addresses its risks regarding third parties. This means that an appropriate level of due diligence may vary depending on the risks arising from the particular relationship. So, for example, the appropriate level of due diligence required by a company when contracting for the performance of Information Technology (IT) services may be low, to reflect low risks of bribery on its behalf. Conversely, a business entering into the international energy market and selecting an intermediary to assist in establishing a business in such markets will typically require a much higher level of due diligence to mitigate the risks of bribery on its behalf.

Our British compliance cousins of course are subject to the UK Bribery Act. In its Six Principles of an Adequate Procedures compliance program, the UK Ministry of Justice (MOJ) stated, “The commercial organisation applies due diligence procedures, taking a proportionate and risk based approach, in respect of persons who perform or will perform services for or on behalf of the organisation, in order to mitigate identified bribery risks.” The purpose of this principle is to encourage businesses to put in place due diligence procedures that adequately inform the application of proportionate measures designed to prevent persons associated with a company from bribing on their behalf. The MOJ recognized that due diligence procedures act both as a procedure for anti-bribery risk assessment and as a risk mitigation technique. The MOJ said that due diligence is so important that “the role of due diligence in bribery risk mitigation justifies its inclusion here as a Principle in its own right.”

The onus put on companies too not only do compliance but to ‘Document, Document, and Document’ that effort provides the incentive needed to comply with the law. If there was not such an incentive, you have would have corporations crying out now like Baylor Coach Briles that it was the responsibility of the school and team which dismissed him to alert them about Ukwuachu’s past misdeeds. Fortunately for FCPA compliance and the greater anti-corruption compliance community, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) do not see things in such a light.

As to Chocolate Thunder, at one point in his career Dawkins said that he was an alien from the Planet Lovetron. Alien or human, I hope you will join me in wishing a smooth trip to the great hereafter to one of the NBA’s most unique characters.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

Bobby KeysBobby Keys died last week. What you probably did not know was that Keys was a Texan so we get to claim him. He was the saxophonist for the Rolling Stones and a number of other serious rockers. As Bruce Weber wrote in his New York Times (NYT) obituary, entitled “Bobby Keys, Hard-Living Saxophonist for Rolling Stones, Dies at 70, Keys “was a rock ’n’ roller in every sense of the term. Born (almost literally) in the shadow of Buddy Holly, he was a lifelong devotee and practitioner of music with a driving pulse and a hard-living, semi-law-abiding participant in the late-night, sex-booze-and-drug-flavored world of musical celebrity.”

But Keys was far more than just another rock and roll party animal. He “recorded with a Who’s Who of rock including Chuck Berry, Eric Clapton, John Lennon, George Harrison, Carly Simon, Country Joe and the Fish, Harry Nilsson, Joe Cocker and Sheryl Crow. He toured with Delaney and Bonnie and was recording with them in 1969”. For me his most famous work was with the Stones and his soaring sax solo in Brown Sugar. He worked on the albums “Sticky Fingers, Exile on Main Street, Goats Head Soup and Emotional Rescue”. He also joined the Stones for “almost a dozen tours over more than 30 years.” I was lucky enough to see Keys play with the Stones on their farewell tour last spring. Most interestingly he felt an instant kinship with Keith Richards, about an un-Texan a person as one can imagine.

I thought about Keys, both his life and his relationship with Keith Richards, when I read a couple of recent articles in the Financial Times (FT). The first one was by Luke Johnson and entitled “Trust can seem risky – but its absence is far more perilous.” Johnson said, “For commercial life to function at all, there has to be a general assumption of trust – that partners, staff, suppliers, customers and the authorities will do the right thing by each other. It is impossible to verify every transaction, and check each task: delegation is essential for all operations of scale. Those who are suspicious of everyone have to limit their ambitions, because they assume deceit is endemic. Such a pessimistic approach is a sorry and unprofitable state of human affairs. As Samuel Johnson said: “It is . . . happier to be sometimes cheated than not to trust.””

Trust is certainly important but as President Reagan noted, “Trust but verify”. In a Foreign Corrupt Practices Act (FCPA) or UK Bribery Act anti-corruption compliance program, this means that you need to obtain a full battery of information about any third party with which you might be doing business. Obviously performing due diligence is a well recognized step for any third party management protocol under the FCPA but with certain data and privacy restrictions coming out of locations as diverse as China and the EU, it may be the situation that you cannot perform full due diligence on third parties you may wish to do business with or through.

I have previously written extensively about the need for the management of the third party relationship after the contract is signed. However there are other steps that you can use to help in this process. These include steps one and two, which are the Business Justification and the Questionnaire. Viewed from another angle, they can provide further internal controls to your anti-corruption compliance program.

I believe it should be common sense that you have a business justification to hire or use a third party but it is also an important financial control. If that third party is in the sales chain of your international business it is important to understand why you need to have this particular third party represent your company. This concept is enshrined in the FCPA Guidance, which says, “companies should have an understanding of the business rationale for including the third party in the transaction. Among other things, the company should understand the role of and need for the third party and ensure that the contract terms specifically describe the ser­vices to be performed.” Conversely, if a business representative cannot articulate a reason why you should have a new or another third party representative, your company probably does not need that third party.

The Questionnaire fills several key roles in your overall management of third parties. Obviously it provides key information that you need to know about who you are doing business with and whether they have the capabilities to fulfill your commercial needs. Just as importantly is what is said if the questionnaire is not completed or is only partially completed, such as the lack of awareness of the FCPA, UK Bribery Act or anti-corruption/anti-bribery programs generally. The information provided (or not provided) in the questionnaire will assist you in determining what level of due diligence to perform. But the final requirement of your questionnaire provides an important internal control. It is one of the most basic controls and is what internal control expert Henry Mixon calls the ‘stop and think control’. Your Questionnaire should require a signature that all of the information included is true and correct. It is something else under the ‘pains and penalties for perjury’ but nonetheless it should give anyone signing it outside the United States pause before the put their name on the line.

In his article Johnson ends with the following, “Confidence in the other party is the magic ingredient that empowers an entrepreneurial business to succeed. An absence of trust leads to paralysis. Straight dealing, accountability and transparency are much more about truth and candour than box-ticking and an obsession with regulations. Any partner can betray you and stay within the law if they are assiduous and devious enough. Integrity in your working relationships consists of a broader understanding than the letter of the law. In the end, all that any entrepreneur can do is obey their gut instinct and, perhaps, to follow the example of Charlie Munger, vice-chairman of Berkshire Hathaway and Warren Buffett’s partner, who said: “By the standards of the rest of the world, we overtrust. So far it has worked very well for us”.”

Even if you cannot perform the level of due diligence that you might otherwise like to do because of country or regional regulations, you can still talk to your prospective third party business partner. This can go quite a long way in you determining whether you can trust them. You can visit them in their office to get a better feel for the size of their operations. In addition to talking with the principals of the third party, you can visit with the employees who will work on your account, if it they are different from the principals of the organization.

Just as Bobby Keys and the Rolling Stones had an ultimate level of trust that lasted well over 40 years, you can learn to develop one with your third parties. And just as such trust is absolutely key in making great music, it is also required to make any successful business relationship.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

The Last EmpireI recently read a book review in the Times Literary Supplement (TLS) by Archie Brown, entitled “One into fifteen”, where he reviewed the book “The Last Empire” by author Serhii Plokhy. Plokhy’s book is about the dissolution and final days of the Soviet Union. One of the more interesting precepts from the book is end of the Soviet Union as announced on Christmas Day, 1991, by then Communist Party Secretary Mikhail Gorbachev. Brown wrote, “All too often the dissolution of the Soviet Union is conflated with the end of Communism and with the end of the Cold War. But the book points out that the Politiburo had ceased to be the ruling body of the USSR in March of 1990 and thus it was “entirely fallacious to speak of either Communism or the Cold War as having ended in December 1991. The transformation of the system was a precondition for the demise of the state, with the latter being an unintended consequence of the former. But these were distinctive, albeit interconnected processes.””

I considered ‘interconnected processes’ when I saw the Compliance Insider, Illustrative Case Study Series, entitled “Supplier Risk Management”, in which The Red Flag Group laid out in a visual format how a company can effectively identify and manage risks in its supply chain. The process is dubbed ‘Report, Review and Improve’ and consists of six steps.

Step 1 – Collect information on the suppliers. This step begins with a review and assessment of your own Vendor Master files to make an initial determination if a new or indeed other supplier is needed. If there is a business justification for bringing the supplier into a commercial relationship with your company, then you should gather performance data on the proposed vendor. The article suggests that a technological solution can help to provide risk-rated questionnaires to facilitate the process by building workflows and approvals directly into your questionnaires.

Step 2 – Validate the collected information. This is the investigative step. You should take the information provided to you by the proposed supplier and test it. You can check on references. You should also engage the supplier directly by interviewing the internal staff of the proposed supplier and review documents and records as appropriate. When necessary, you may also wish to consider the use of outside experts or internal consultants for recommendations or validations. This step should end with the creation of a risk score of the data you have gathered. Here a technological solution can assist by automating your analysis of completed questionnaire with a risk-based scoring of the answers to facilitate the validation process.

Step 3 – Rate the risk of the supplier. This is the analysis step where you should “compare the risks against your complete knowledge of the proposed supplier.” You should also compare your assessed risks against industry data and the risk-rank the proposed supplier or suppliers. A technological solution can also help to crunch large amounts of numbers or other data to give a first pass on your risk-ranking which can be further refined if required.

Step 4 – Implement risk management controls. The article posits that this step should include the conducting of background due diligence and integrity analysis by screening against known watch lists, sanctions lists and those of politically-exposed-persons (PEPs). A technological solution can help this step by managing the request and delivery of due diligence reports, aid in the reviewing, approving and tracking of completed reports and ensure ongoing compliance with automated daily reviews of such lists. Another suggested component of this step is to meet with your internal and external stakeholders to convey expectations. From this point you should be ready to enter the contracting phase, with appropriate compliance terms and conditions. To the extent required, you should also create and manage your compliance policy for the supplier at this stage as well.

Step 5 – Assess and monitor the supplier. In any relationship with a third party in the compliance world, this step is where the rubber hits the road and you have to manage the relationship. The article discusses custom eLearning that can allow you to quickly and efficiently create training programs for your suppliers based upon your compliance regime and not hypothetical training based on legal standards. A technological solution can also assist you in obtaining online certifications to certify that your supplier is in compliance with your company’s business requirements and internal controls. Finally such a solution can help to automate the process going forward to ensure that certification updates are provided, executed and tracked. But more than the ongoing certifications and training, you will need to monitor the transactions you engage in with a supplier. This may entail reviewing a large amount of data through transaction monitoring but it may also entail going to visit a supplier and going through the deep dive of an audit.

Step 6 – Continuous reporting, review and monitoring. All of this information you obtained must be fully documented. Of course, it must be documented to produce to a regulator if the government comes calling. However, this information can also be used to improve the supplier relationship and perhaps even your vendor system. One of the most interesting suggestions was to create a ‘Virtual Data Room’ dedicated to your suppliers. Not only would the creation of such a stored environment enable you to call up information requested by a regulator on short notice, you would also have it in an accessible format for supply chain process improvements. The article suggests trying such techniques as implementing performance incentive programs which can push compliance culture and behavior changes based upon the data you collect. Interesting the clothing company Levi Strauss instituted just such a policy for suppliers in the area of corporate social responsibility, it announcing it earlier this week.

If you do not subscribe to The Red Flag Group’s Compliance Insider publication, I suggest that you do so. It is one of the very best periodicals around on the building blocks of compliance. The six steps it has laid out for process of identifying and managing your supplier compliance risks under the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act demonstrates the thesis of Plokhy’s book reviewed in the TLS; that it is interconnected processes which usually mark change and management. In the case of the former Soviet Union, it may be been drawn by more human factors but there are now a variety of technological tools available to assist your facilitation of this process under any anti-bribery or anti-corruption compliance regime.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

RiskThe GlaxoSmithKline PLC (GSK) corruption matter in China continues to reverberate throughout the international business community, inside and outside China. The more I think about the related trial of Peter Humphrey and his wife, Yu Yingzeng for violating China’s privacy laws regarding their investigation of who filmed the head of GSK’s China unit head in flagrante delicto with his Chinese girlfriend, the more I ponder the issue of risk in the management of third parties under the Foreign Corrupt Practices Act (FCPA). In an article in the Wall Street Journal (WSJ), entitled “Chinese Case Lays Business Tripwires”, reporters James T. Areddy and Laurie Burkitt explored some of the problems brought about by the investigators convictions.

They quoted Manuel Maisog, chief China representative for the law firm Hunton & Williams LLP, who summed up the problem regarding background due diligence investigations as “How can I do that in China?” Maisog went on to say, “The verdict created new uncertainties for doing business in China since the case hinged on the couple’s admissions that they purchased personal information about Chinese citizens on behalf of clients. Companies in China may need to adjust how they assess future merger partners, supplier proposals or whether employees are involved in bribery.”

I had pondered what that meant for a company that wanted to do business in China, through some type of third party relationship, from a sales representative to distributor to a joint venture (JV). What if you cannot get such information? How can you still have a best practices compliance program around third parties representatives if you cannot get information such as ultimate beneficial ownership? At a recent SCCE event, I put that question to a Department of Justice (DOJ) representative. Paraphrasing his response, he said that companies still need to ask the question in a due diligence questionnaire or other format. What if a third party refuses to answer, citing some national law against disclosure? His response was that a company needs to very closely weigh the risk of doing business with a party that refuses to identify its ownership.

The more that I thought about that answer the more I became convinced that it was not only the right answer under any type of FCPA compliance program but also the right response from a business perspective. A company must know who it is doing business with, for a wide variety of reasons. The current situation in China and even the convictions of Humphrey and Yu do not change this basic premise. You can ask the question. If a party does not want to disclose its ownership, you should consider this in any business relationship going forward.

The Humphrey and Yu conviction do not prevent you from asking the question about ownership. Their convictions mean that you may not be able to verify that information through what many people thought was publicly available information, at least publicly available in the west. I was struck by one line in the Areddy and Burkitt article, “It’s not just that the tactical business practices need to change; it’s the mind set” quoting again from Maisog.

I breakdown the management of third parties under the FCPA into five steps, which are:

  1. Business Justification and Business Sponsor;
  2. Questionnaire to Third Party;
  3. Due Diligence on Third Party;
  4. Compliance Terms and Conditions, including payment terms; and
  5. Management and Oversight of Third Parties After Contract Signing.

The due diligence step is but one of these five. Further due diligence is performed in large part to verify the information that you receive back from a proposed third party. So what if you can longer use avenues previously open to you in markets such as China? Perhaps there are other ways to manage this issue. Areddy and Burkitt also interviewed Jerry Ling, a partner at Jones Day, for the following “companies will need to analyze Chinese accounting documents themselves and conduct more in-person interviews with anyone they want to know more about in China.”

Ling’s point dovetails directly into what I heard from the DOJ representative. There is nothing about the Chinese law, or any other country’s law, which prevents you from asking some basic questions that are found in the Step 2 Questionnaire cited above. You can always ask who the owners of a company are, whether they are direct or beneficial. You can always ask if a company, its owners or its senior management have been involved in any incidents involving bribery and corruption and you can always ask if the company has a Code of Conduct and/or compliance program and whether its owners or senior management are aware of the FCPA and have had training on it.

Assuming the company will answer your questionnaire, the difficulty you may find yourself in now is verifying the information that you receive. In Ronald Reagan parlance, you may trust but you may not be able to verify it. Ling said in the WSJ article that “The challenge now for clients is that it’s hard to get good information.”

However, due diligence is but one step in the management of any third party in a FCPA compliance program. Just as when risk goes up and you increase your management around that risk, the situation is similar in here. Putting it another way, if you cannot obtain private information such as personal identification numbers during the due diligence process, you can put greater management around the other steps that you can take. Further, there has been nothing reported which would suggest that publicly filed corporate licenses or other information that might show ownership can no longer be accessed. Court records and public media searches also seem to still be available.

But what if you simply cannot determine if the information you are provided regarding ownership is accurate or even truthful? You can still work to manage the relationship through your commercial terms by setting your commission or other pay rates at a reasonable amount of scale. If you are dealing with a commissioned sales representative, you can probably manage this area of the relationship by setting the commission in the range of 5%. You can also manage the relationship by reviewing invoices to make sure there is an adequate description of the services provided so that they justify whatever compensation the third party is entitled to receive under the contract. You may also want to schedule such a third party for an audit ahead of other parties to help ensure adherence to your compliance terms and conditions.

There may be times when you cannot verify the true or ultimate beneficial owner of a third party. That does not have to be the end of the analysis. If that situation arises, you may want to see if there are other risk mitigation tools at your disposal. Put another way, if such a red flag arises, can it be cleared? Can it be managed? If your company is looking a major deal for multi-millions and your agent will receive a six or seven figure commission, the risk of not knowing with certainty may be too great because in such a case, an unknown owner could be a government official who has awarded the contract. But if your agent receives a considerably smaller commission and hence there is a considerably small amount of money to constitute a bribe, you may be able to manage that risk through a close and effective relationship management process.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

BacallYesterday we honored Robin Williams whom we lost earlier this week. Today we honor Lauren Bacall. She will always be a part of that great team of Bogey and Bacall. Most of us were introduced to her in the movie To Have and Have Not. I thought she was one of the most sultry and sexy icons of the 40s screen sirens. As Manohla Dargis wrote in her article for the New York Times (NYT) entitled, “That Voice and the Woman Attached,” that “When she opened her mouth in “To Have and Have Not” — taking a long drag on a cigarette while locking Humphrey Bogart in her gaze — she staked a claim on the screen and made an immortal Hollywood debut. But in 1944 at the exquisitely tender age of 19, she was also projecting an indelible screen persona: that of the tough, quick-witted American woman who could fight the good fight alongside her man.” She later married Bogart and together they were certainly Hollywood, if not American royalty, going forward. And she probably did more for the art of whistling than any person on Earth.

Yesterday I wrote about the Foreign Corrupt Practices Act (FCPA) investigation into certain transactions in Venezuela by Derwick Associates (Derwick) and a US company ProEnergy Services (ProEnergy). ProEnergy supplied turbines that Derwick resold to the Venezuelan government and then installed in that country. I wondered if US companies now need to become more concerned with not only who they do business with but how their customers might be doing business. In the parlance, you may now need to ramp up your ‘Know Your Customer’ information to continue throughout a seller-purchaser relationship.

Doug Cornelius, in a post on his Compliance Building blog, entitled “Proposed Regulations on Customer Due Diligence”, discussed “The U.S. Treasury Department’s Financial Crimes Enforcement Network has proposed revisions to its customer due diligence rules. Of course, the proposed rule would affect financial institutions that are currently subject to FinCEN’s customer identification program requirement: banks, brokers-dealers, and mutual funds.” While, investment advisers and private fund managers are not specifically mentioned in the proposed new regulation, Cornelius noted, “FinCEN suggested that it may be considering expanding these customer due diligence requirements to other types of financial institutions.” In other words, this new proposed regulation would not be directly applicable to a large number of US commercial enterprises doing business outside the United States.

However, the proposed regulation did provide some insight into how US companies, not otherwise subject to it, might think about ways to approach such an inquiry. Referencing an inquiry into anti-money laundering issues (AML) Cornelius wrote that AML programs should have four elements:

  1. Identify and verify the identity of customers;
  2. Identify and verify the identity of beneficial owners of legal entity customers;
  3. Understand the nature and purpose of customer relationships; and
  4. Conduct ongoing monitoring to maintain and update customer information and to identify and report suspicious transactions.

Clearly any FCPA based due diligence would focus on point 2. Cornelius zeroed in on it when he wrote “The definition of “beneficial owner” is proposed as have two prongs”:

  • Ownership Prong: each individual who, directly or indirectly, through any contract, arrangement, understanding, relationship or otherwise, owns 25% or more of the equity interests of a legal entity customer, and
  • Control Prong: An individual with significant responsibility to control, manage, or direct a legal entity customer, including an executive officer or senior manager (g., a Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, Managing Member, General Partner, President, Vice President, or Treasurer); or (ii) any other individual who regularly performs similar functions.

He also noted, “For identifying ownership of an entity, FinCEN has proposed a form of certification.” But he found such a “certification to be overly simplistic. It only asks for individuals with ownership in the entity. This would clearly miss ownership of the account holder by other entities who could be “bad guys.” The certification also only requires one senior officer.  That makes it too easy to appoint a straw man as executive officer to hide the underlying control by a “bad guy.”” But the FinCen proposed notice itself states “these existing core requirements are already laid out in the BSA [Bank Secrecy Act] as minimum requirements”.

I was equally interested in points 3 and 4. Under point 3, an entity subject to the regulation needs to “Understand the nature and purpose of customer relationships”. The proposed regulation further explained “to gain an understanding of a customer in order to assess the risk associated with that customer to help inform when the customer’s activity might be considered “suspicious.”” Such an inquiry could help a business to “understand the relationship for purposes of identifying transactions in which the customer would not normally be expected to engage. Identifying such transactions is a critical and necessary aspect of complying with the existing requirement to report suspicious activity and maintain an effective AML (or anti-corruption compliance) program.”

The final point 4 relates to ongoing monitoring. Once again consider the position of the US Company, ProEnergy, in the referenced FCPA investigation. What can or should it have done in the way of ongoing monitoring of its customer. The proposed regulation states “industry practice generally involves using activity data to inform what types of transactions might be considered “normal” or “suspicious.”

Furthermore, FinCEN understands that information that might result from monitoring could be relevant to the assessment of risk posed by a particular customer. The proposed requirement to update a customer’s profile as a result of ongoing monitoring (including obtaining beneficial ownership information for existing customers on a risk basis), is different and distinct from a categorical requirement to update or refresh the information received from the customer at the outset of the account relationship at prescribed periods”. Lastly the proposed regulation states, “Finally, as noted above with respect to the obligation to understand the nature and purpose of customer relationships, monitoring is also a necessary element of detecting and reporting suspicious activities”.

There does not have to be a direct bribe or other corrupt payment made by a US company to have liability under the FCPA. FCPA enforcement is littered with companies that have paid bribes through third parties. However, as the Fifth Circuit said in Kay v. US, “[W]e hold that Congress intended for the FCPA to apply broadly to payments intended to assist the payor, either directly or indirectly,” [emphasis mine]. ProEnergy would seem to be at the far edge of potential FCPA liability but if it knew, had reason to know, or even perhaps should have known about some nefarious conduct by its customer, it does not take too many steps to get to some FCPA exposure. The proposed FinCEN rules on customer due diligence for financial institutions might be a good starting point for other commercial entities to consider.

If all of the above is a bit too heavy for a Friday, well view this clip on how to whistle by clicking here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014