Lee and GrantToday we celebrate one of the most momentous anniversary’s in the history of the United States, for it was on this day in 1865, 150 years ago, that Confederate General Robert E. Lee surrendered his Army of Northern Virginia to Union Commanding General Ulysses S. Grant at Appomattox Courthouse, effectively ending the American Civil War. Fighting continued for several more weeks to come, however with Lee’s surrender the Civil War had, in all intents and purposes, ended.

Lee and his troops were forced to abandon the Confederate capital of Richmond, they were blocked from joining the surviving Confederate force in North Carolina, and were harassed and outrun by Union cavalry, who took 6,000 prisoners at Sayler’s Creek. With desertions mounting daily the Confederates were surrounded with no possibility of escape. On April 9, Lee sent a message to Grant announcing his willingness to surrender and in the afternoon they met at the home of Wilmer McLean and agreed to the terms of surrender.

Although politicians would later change these terms quite dramatically, Grant is said to have told his officers, “The war is over. The Rebels are our countrymen again.”

Later this month, from April 28-30, Hanson Wade is putting on its annual conference in Houston. It is the “Oil and Gas Supply Chain Compliance” conference, now in its 5th year, and once again the list of speakers is simply stunning. It includes the following Chief Compliance Officers (CCOs) and senior compliance folks: Dan Chapman, Cameron; Brian Moffatt, Ethos Energy, Jay Martin, Baker Hughes; Marcel De Chermont, Acteon Group, Jan Farley, Dresser-Rand; John Sardar, Noble Energy and a host of other luminaries in the field of Foreign Corrupt Practices Act (FCPA) compliance. Even if you live outside of Houston, the FCPA compliance talent at this event will rival any other event in the US and for such an event not held in Washington DC or New York City, it is simply outstanding.

Some of the panels and topics for discussion include: Applying Culturally Sensitive Approaches To Deliver A Core Compliance Methodology For A Variety Of Countries And Risks; How to Meaningfully Engage Your Business Operations in Taking Greater Compliance Ownership; Avoid The Risk Of Cavalier Behaviour Across The Supply Chain In The Face Of A Challenging Economic Climate; How To Deliver Cost-Effective, Risk Based, Function Specific Compliance Training; several in-depth presentations on Supply Chain and Third Party due diligence. These are but some of the sessions and there are many other excellent panels, sessions and speakers which I have not mentioned.

Recently the Event’s Chairperson, Dan Chapman, Vice President, Chief Ethics and Compliance Officer for Cameron, talked about some of the issues that will be discussed in this year’s conference. Chapman said, “Supply chain is, in my mind, a critical part of compliance and creating awareness throughout the business as to when and where you should apply compliance principles is a key focus. For me the industry has evolved in recent years, and our organizations tend to now have strong legal teams who understand anti-bribery and corruption legislation. Not only this, they now have the ‘tone from the top’. Where I feel that work needs to be done is practically embedding compliance into operational processes, and becoming a true and valuable partner to the business. With the current state of the oil price, we’re likely set for reduced budgets and increased risk, which makes it more important now than ever to share stories, materials and solutions to effectively mitigate compliance risk while enabling business delivery.”

I will be speaking at the conference on internal controls but I am extremely pleased to be co-leading an in-depth workshop on the third day of the event, with Joe Oringel, guest blogger and Managing Director at VisualRisk IQ. In our workshop, you will learn how to implement a system of data-driven monitoring controls and documents to measure the effectiveness of your compliance program and get you through a Securities and Exchange Commission (SEC) investigation. During our 3 hour session we will go into the weeds on the following:

  • Understanding what internal controls are required under a best practices compliance program;
  • Recognizing what FCPA enforcement actions tell us about internal controls in an anti-corruption compliance program;
  • Getting to grips with what the SEC expects you to have in place;
  • Competently documenting the effectiveness of your internal controls;
  • Understanding best practices and a methodology for the use of data analytics in compliance and ethics organization;
  • Prioritizing business and compliance questions that can be answered with analysis of digital data; and
  • Identifying a learning plan and resources to enhance your team’s data analytics expertise

I hope that you can attend this most excellent FCPA conference with the two-day sessions on April 28 and 29 and the workshop day on April 30. Very few FCPA conferences focus on Supply Chain and the information that you will receive at this one will be first rate. Finally, Hanson Wade has allowed me to offer a 20% discount to readers of my blog. You can obtain it by entering the code TFLaw20 when you register online. For the conference brochure and full details regarding the agenda and registration, click here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

InvestigationsOne of the great things about writing your own blog is that sometimes you can get going on a subject and just explore it. While I think I might sometimes get carried away when I delve into a topic, I certainly learn much while doing so. This week appears to be such a situation where in studying and researching the GlaxoSmithKline PLC (GSK); I find that the case has much more to inform the compliance practitioner. So I am going to try and tie together some of the major lessons learned from the GSK Chinese enforcement action for the remainder of the week and present to you how such lessons might assist you in designing, implementing or upgrading a best practices compliance program. Today I want to look at internal controls, auditing and monitoring.

One of the questions that GSK will have to face during the next few years of bribery and corruption investigations is how an allegedly massive bribery and corruption scheme occurred in its Chinese operations? The numbers went upwards of $500MM, which coincidentally was the amount of the fine levied by the Chinese court on GSK. It is not as if the Chinese medical market is not well known for its propensity towards corruption, as prosecutions of the Foreign Corrupt Practices Act (FCPA) are littered with the names of US companies which came to corruption grief in China. GSK itself seemed to be aware of the corruption risks in China. In a Reuters article, entitled “How GlaxoSmithKline missed red flags in China”, Ben Hirschler reported that the company had “more compliance officers in China than in any country bar the United States”. Further, the company conducted “up to 20 internal audits in China a year, including an extensive 4-month probe earlier in 2013.” GSK even had PricewaterhouseCoopers (PwC) as its outside auditor in China. Nevertheless, he noted, “GSK bosses were blindsided by police allegations of massive corruption involving travel agencies used to funnel bribes to doctors and officials.”

Internal Controls

Where were the appropriate internal controls? You might think that a company as large as GSK and one that had gone through the ringer of a prior Department of Justice (DOJ) investigation resulting in charges for off-label marketing and an attendant Corporate Integrity Agreement (CIA) might have such controls in place. It was not as if the types of bribery schemes in China were not well known. In an article in the Financial Times (FT), entitled “Bribery built into the fabric of Chinese healthcare system”, reporters Jamil Anderlini and Tom Mitchell wrote about the ‘nuts and bolts’ of how bribery occurs in the health care industry in China. The authors quoted Shaun Rein, a Shanghai-based consultant and author of “The End of Cheap China”, for the following “This is a systemic problem and foreign pharmaceutical companies are in a conundrum. If they want to grow in China they have to give bribes. It’s not a choice because officials in health ministry, hospital administrators and doctors demand it.”

Their article discussed the two primary methods of paying bribes in China: the direct incentives and indirect incentives method. Anderlini and Mitchell reported, “The 2012 annual reports of half a dozen listed Chinese pharmaceutical companies reveal the companies paid out enormous sums in “sales expenses”, including travel costs and fees for sales meetings, marketing “business development” and “other expenses”. Most of the largest expenses were “travel costs or meeting fees and the expenses of the companies’ sales teams were, in every case, several multiples of the net profits each company earned last year.””

It would be reasonable to expect that internal controls over gifts would be designed to ensure that all gifts satisfy the required criteria, as defined and interpreted in Company policies. It should fall to a Compliance Officer to finalize and approve a definition of permissible and non-permissible gifts, travel and entertainment and internal controls will follow from such definition or criteria set by the company. These criteria would include the amount of the spend, localized down into increased risk such the higher risk recognized in China. Within this context, noted internal controls expert Henry Mixon has suggested the following specific controls. (1) Is the correct level of person approving the payment / reimbursement? (2) Are there specific controls (and signoffs) that the gift had proper business purpose? (3) Are the controls regarding gifts sufficiently preventative, rather than relying on detect controls? (4) If controls are not followed, is that failure detected?

Auditing Lessons Learned

Following Mixon’s point 4 above, what can or should be a company’s response if one country’s gifts, travel and entertainment expenses were kept ‘off the books’? This is where internal audit or outside auditors are critical. Hirschler quoted an un-named source for the following, ““You’d look at invoices and expenses, and it would all look legitimate,” said a senior executive at one top accountancy firm. The problem with fraud – if it is good fraud – is it is well hidden, and when there is collusion high up then it is very difficult to detect.”” Jeremy Gordon, director of China Business Services was quoted as saying “There is a disconnect between the global decision makers and the guys running things on the ground. It’s about initially identifying red flags and then searching for specifics.”

There are legitimate reasons to hold medical conferences, such as to make physicians aware of products and the latest advances in medicine, however, this legitimate purpose can easily be corrupted. Hirschler quoted Paul Gillis, author of the China Accounting Blog, for the following “Travel agencies are used like ATMs in China to distribute out illegal payments. Any company that does not have their internal audit department all over travel agency spending is negligent.” Based on this, GSK’s auditors should have looked more closely on marketing expenses and more particularly, the monies spent on travel agencies. Hirschler wrote, “They [un-named auditing experts] say that one red flag was the number of checks being written to travel agencies for sending doctors to medical conferences, although this may have been blurred by the fact that CME accounts for a huge part of drug industry marketing.”

Another issue for auditing is materiality. If GSK’s internal auditors had not been trained that there is no materiality standard under the FCPA, they may have simply skipped past a large number of payments made that were under a company’s governance procedure for elevated review of expenses. Further, if more than one auditor was involved with more than one travel agency, they may not have been able to connect the dots regarding the totality of payments made to one travel agency.

Ongoing Monitoring

A final lesson learned for today is monitoring. As Stephen Martin often says, many compliance practitioners confuse auditing with monitoring. Monitoring is a commitment to reviewing and detecting compliance programs in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis. Auditing is a more limited review that targets a specific business component, region, or market sector during a particular timeframe in order to uncover and/or evaluate certain risks.

Here I want to focus on two types of ongoing monitoring. The first is relationship monitoring, performed by companies such Boston-based Catelas, through software products. It was reported in a Wall Street Journal (WSJ) article, entitled “Glaxo Probes Tactics Used to Market Botox in China”, that internal GSK emails showed the company’s China sales staff were instructed by local managers to use their personal email addresses to discuss marketing strategies related to Botox. The Catelas software imports and analyzes communications data, like email, IM, telephony and SMTP log files from systems such as Microsoft Exchange Servers and Lotus Notes. The software then leverages social network analysis and behavioral science algorithms to analyze this communications data. These interactions are used to uncover and display the networks that exist within companies and between the employees of companies. Additionally, relationships between employees and external parties such as private webmail users, competitors and other parties can be uncovered.

The second type of monitoring is transaction monitoring. Generally speaking, transaction monitoring involves review of large amounts of data. The analysis can be compared against an established norm which is derived either against a businesses’ own standard or an accepted industry standard. If a payment, distribution or other financial payment made is outside an established norm, thus creating a red flag that can be tagged for further investigation.

GSK’s failure in these three areas now seems self-evident. However, the company’s foibles can be useful for the compliance practitioner in assessing where their company might be in these same areas. Moreover, as within any anti-corruption enforcement action, you can bet your bottom dollar that the regulators will be assessing best practices going forward based upon some or all of GSK’s miss-steps going forward.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

IMG_1213One of the challenges for any Chief Compliance Officer (CCO) is how to influence the conduct and actions in a corporate environment, particularly as compliance is viewed as non-revenue generating and usually does not exist simply to protect the company, which is how the legal department is often viewed. Folks like myself who came into compliance from the legal function tend to think of a top-down approach where compliance is centralized at the corporate officer, usually in the United States. But because the role is very different than that of a General Counsel (GC), a CCO needs to bring another skill set to bear to do his or her job. In a session at the SCCE 2014 Compliance and Ethics Institute, SCCE Chief Executive Officer (CEO) Roy Snell and Jenny O’Brien, CCO at United Health Care, talked about the techniques that a CCO can use to influence decision making in a company in order to do business in compliance and ethically.

Snell began the session with some basic questions about why there are positions such as a CCO and why there is a compliance function within an organization. After all, departments like legal and internal audit have existed in business organizations for up to at least a few hundred years. He posed two questions that I found interesting “Why are we here?” and “What did those who came before us to fail to do?” He listed some of the scandals from the late 90s and early 00s such as Enron, WorldCom, HealthSouth, Adelphia and others where he believed that the problems, which led to the disintegration of these organizations, were well known within the companies themselves. So the situation was not that people did not find the problems, the issue was that the people inside these organizations did not fix the problems. Snell believed that the persons who could and would have stood up to raise questions or say this should stop lacked some skill or ability to influence others to make the right decision. He concluded that such business and ethical collapses were a failure of influence.

This led into his presentation with O’Brien about techniques for a CCO to employ to help influence decision-making within an organization. They labeled them as the “Seven Steps of Influence” and they are as follows:

  1. Collaboration. O’Brien emphasized that as a CCO you need to know your company’s business. If you are new to an organization she said you must take time to learn the business. You should sit in on sales meetings and, when appropriate, you should go out on sales call. Channeling her inner Atticus Finch, she characterized this as walking in the shoes of the business leaders you are assisting. By doing so, you will not only understand the products and services that your company offers but also the challenges that your business development team will face out in the world.
  2. Here O’Brien emphasized that she has to work constantly at active listening, which is listening, thinking and then speaking, and not just jump into the middle of a conversation, talk to people in a manner that will address their concerns. When you do speak you should be prepared to make the case for the compliance proposition that you are trying to get across. She noted that as a CCO or compliance practitioner, you should strive to be relevant in every interaction you have with your senior management peers. O’Brien said that sometimes it means speaking up at meetings or other forums but sometimes it means listening. You should try to develop a rapport with your business team and this rapport can lead to trust building.
  3. Relationships. Snell opened his remarks on this topic by intoning that by relationships he did not mean inter-personal relationships. He believes that it is mainly through relationships with other functions in an organization that a CCO or compliance practitioner can best bring influence to bear. It all begins with building trust with others within your organization. Invest time to find others in your organization that you want to work and with those with whom you desire to build relationships. Snell believes that some of the more key relationships that a CCO or compliance practitioner can develop are with the audit function, the legal department, Human Resources, IT and corporate communications. Snell said that when one of these groups offered to help him move the ball forward in compliance he always viewed it as a positive and wanted to work with these and other corporate groups. He did not view it as a turf war at all. The only thing that he said he requested were the terms of working together. Of those, he said the most important was that if another group in the company took on some project related to compliance, such an internal audit, that the group finish whatever they take on.
  4. Humility. O’Brien believes that humility is important because it empowers. Moreover, it can empower others to expand the circle of influence and get others in a corporation to influence an ever-expanding circle on behalf of compliance. The CCO does not need center stage. She reiterated her belief that business units should solve compliance issues, as compliance is really just another business process. Further, through such influence where you can get the business unit resources to solve a compliance problem, you will hold down the costs of the compliance function. She ended by noting that it is not about being right but about moving the compliance ball forward in the right direction.
  5. Negotiation. Here Snell said that negotiation should not be about the dichotomy of winning and losing an argument or debate. A CCO should strive to redefine what a win might look like or what a win might consist of for a business unit employee. He said that when faced with such a confrontation, he would try to determine what both sides wanted then give them something else in addition to what they thought they wanted. He provided the example of a CCO quietly listening and when the room is just right and all the participants are worn out, you, as the compliance practitioner, throw out an idea where the apparent loser in the argument receives even more than they thought they were asking for in the requesting. A CCO can be considered a mediator not just simply an enforcer or Dr. No from the Land of No. He ended by saying that as a compliance practitioner you need to learn the art of compromise.
  6. Triple ‘C’. What do the three C’s stand for? Calm, cool and collected. O’Brien believes that all company employees, up and down the chain, are watching the CCO. For this reason, she said that as a compliance practitioner you should be poker faced. To this end she keeps the sign “Keep Calm and Carry On” in her office. She believes that the Triple C’s are important because organizations look to the CCO to solve complex issues with simple solutions. When faced with a compliance issue or an obstacle you should endeavor to keep everything on an even keel and never let them see you sweat.
  7. Credibility. The final of the seven pillars was that the CCO role needs to be adequately scoped and that the accountabilities need to be clearly defined. Put another way, what is your job scope as the CCO and what is the function of the compliance department? What is your accountability to decide the resolution to an issue? Snell agreed with O’Brien that there should be business unit ownership for every issue that comes into the compliance department. Yet, as a CCO, you must demonstrate your value as a non-revenue function. This may require you to get out of your office and put on a PR campaign for compliance. Finally, Snell ended by saying that a CCO needs to guard their independence in job function and reporting. You must make clear that you will have independent reporting up to the Board or Audit Committee of the Board.

Snell concluded by reminding us all that influencing is not a one-time activity. It is ongoing. Tying back to his original question of why the compliance function exists in the quantum it does today, he said that he believes a CCO or compliance practitioner exists to help influence a company to build a better business environment by acting more ethically and responsibility. By moving the ball forward in this manner, it may well lead to a country’s economy to be trusted which could well lead to greater economic development.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

Yesterday, I reviewed the conduct which Weatherford International Limited (Weatherford) engaged in over a period from 2002-2011 in connection with its Foreign Corrupt Practices Act (FCPA) investigation, noted the deficiencies in its compliance program and its internal controls and even how the company intentionally impeded the investigations of both the Department of Justice (DOJ) and Securities and Exchange Commission (SEC). Today, I want to look at how the company changed course in mid-stream during the investigation, brought in a top-notch and well respected lawyer as its Chief Compliance Officer (CCO), created a best-in-class compliance program; all of which saved the company millions of dollars in potential fines and penalties.

  1. I.                    DOJ Fine Calculation

To resolve the criminal aspects of this case, Weatherford agreed to pay an $87.2 million criminal penalty as part of a Deferred Prosecution Agreement (DPA) with the DOJ. There was also another $65.6 million paid to the SEC. However the figure paid to the DOJ was at the very bottom range of a potential criminal penalty. The range listed in the DPA was from $87.2 to $174.3 million. In coming up with this range under the Federal Sentencing Guidelines, it is significant for the actions that Weatherford did not receive credit for during the pendency of the investigation. The company did not receive a credit for self-reporting. The company only received a -2 for its cooperation because prior to 2008 the company engaged in activities to impede the regulators’ investigation.

So the fine range could have been more favorable to the company. But the key is that Weatherford received the low end of the range. How did they do this?

A.     New Sheriff in Town

One of the key things Weatherford did was bring in Billy Jacobson as its CCO and give him a seat at the table of the company’s Executive Board. He was a Federal Prosecutor in the Fraud Section, Criminal Division, US Department of Justice. He also served as an Assistant Chief for FCPA Enforcement Department so we can assume he understood the FCPA and how prosecutors think through issues. (Jacobson also worked as a State Prosecutor in New York City, with my former This Week in FCPA co-host Howard Sklar, so shout out to Howard.) Jacobson was not hired directly from the DOJ but after he had left the DOJ and had gone into private practice. There is nothing that shows credibility like bringing in a respected subject matter expert and giving that person the tools and resources to turn things around.

But more than simply bringing in a new sheriff, Weatherford turned this talk into action by substantially increasing its cooperation with the government, thoroughly investigating all issues, turning over the results to the DOJ and SEC and providing literally millions of pages of documents to the regulators. The company also cleaned house by terminating officers and employees who were responsible for the illegal conduct.

B.     Increase in Compliance Function

In addition to establishing Jacobson in the high level CCO position, the company significantly increased the size of its compliance department by hiring 38 compliance professionals and conducted 30 anti-corruption compliance reviews in the countries in which Weatherford operates. This included the hiring of outside consultants to assess and review the company’s compliance program and beefing up due diligence on all third parties, including those in the sales and supply chain, joint venture (JV) partners and merger or acquisition (M&A) candidates. The company also agreed to continue to enhance its internal controls and books and records to prevent and/or detect future suspect conduct.

If you have ever heard any of the current Weatherford compliance professionals speak at FCPA conferences, you can appreciate that they are first rate; that they know their stuff and the company supports their efforts on an ongoing basis.

C.     Best in Class Compliance Program

During the pendency of the investigation, Weatherford moved to create a best practices compliance program. They appear to have done so and agreed in the DPA to continue to maintain such a compliance program. Under Schedule C to the DPA, it set out the compliance program which the company had implemented and continued to keep in place, at least during the length of the DPA. It included the following components.

  1. High level commitment from company officials and senior management to do business in compliance with the FCPA.
  2. A substantive written anti-corruption compliance code of conduct.
  3. Written policies and procedures to implement this code of conduct.
  4. A robust system of internal controls, including accounting and financial controls.
  5. Risk assessments and risk reviews of its ongoing business.
  6. No less than annual assessments of its overall compliance program.
  7. Appropriate oversight and responsibility of a Chief Compliance Officer.
  8. Effective training for all employees and relevant third parties.
  9. An effective compliance function which can provide guidance to company employees.
  10. A robust internal reporting system.
  11. Effective investigations of any reported compliance issue.
  12. Appropriate incentives for employees to do business ethically and in compliance.
  13. Enforced discipline for any employee who violates the company’s compliance program.
  14. Suitable due diligence and management of third parties and business partners.
  15. A correct level of pre-acquisition due diligence for any merger or acquisition candidate, including a risk assessment and reporting to the DOJ if the company uncovers and FCPA-violative conduct during this pre-acquisition phase.
  16. As soon as practicable, Weatherford will integrate any newly acquired entity into its compliance regime, including training of all relevant new employees, a FCPA forensic audit and reporting of any ongoing violations.
  17. Ongoing monitoring, testing and auditing of the company’s compliance function, taking into account any “relevant developments in the field and the evolving international and industry standards.”

D.    Monitor

Weatherford also agreed to an external monitor. However, the term of the monitor is not the entire length of the three-year DPA; the term of the monitor is only 18 months. The monitor’s primary function is to assess the company’s compliance with the terms of the DPA and report the results to the DOJ at least twice during the terms of the monitorship. After this 18 month term the DOJ will allow the company to self-report to the regulators. It should be noted that the term of the external monitor can be extended by the DOJ.

II.                Conclusion

It certainly has been a long, strange journey for Weatherford. I should note that I have not discussed at all the Oil-For-Food aspect of this settlement, which was an additional $100MM penalty to the company. However, with regard to the FCPA aspects of the matter, there are some very solid and telling lessons to be drawn from this case. First and foremost is that cooperation is always the key. But more than simply cooperating in the investigation is that a company should take a pro-active approach to putting a best-in-class compliance program in place during, rather than after the investigation concludes. Also, a company cannot simply ‘talk-the-talk’ but must come through and do the work to gain the credit. The bribery schemes that the company had engaged in and the systemic failures of its compliance program and internal controls, should serve as a good set of examples for the compliance practitioner to use in assessing a compliance program.

The settlement also sends a clear message from both the DOJ and SEC on not only what type of conduct will be rewarded under the US Sentencing Guidelines, but what they expect as a compliance program. One does not have read tea leaves or attempt to divine what might be an appropriate commitment to compliance to see what the regulators expect these day.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

Where’s the ball? That iconic question was asked by Oakland A’s center fielder Chris Young to Houston Astro left fielder Robbie Grossman near second base late Wednesday night, as Grossman was returning to the dugout after robbing Young of a game-winning walk-off home run by literally catching Young’s shot after it was over the left field fence. Grossman obliged Young as he passed second base, opening up his glove with a big grin on his face, to show that he did indeed have the ball. (For a clip of Young’s shot and Grossman’s catch, click here. Young’s question “Where’s the ball?” is at the 23 second mark.)

I thought about that question when I read an article in the Financial Times (FT), entitled “China drug bribe probes broaden”, where reporters Patti Waldmeir, Jamil Anderlini and Andrew Jack wrote that Chinese authorities are widening their probe of western pharmaceutical companies. In one example cited it was stated that the government of Shanghai “told hospitals to look for corruption in the purchasing and prescribing of drugs, as well as in clinical trials conducted with hospital participation.” This broadening also included investigations of doctors. Separately the State Administration for Industry and Commerce announced that it would investigate “bribery, fraud and anti-competitive practices in a range of industries that touch the lives of consumers, from drugs and medical services to school admissions.”

Whether the focus on the corruption by western companies is based on politics, nationalism, the rising cost of domestic drugs or any other reason, it really does not matter, however, it could mean that in addition to investigation and potential enforcement by the Department of Justice (DOJ) and Securities and Exchange Commission (SEC); the Chinese themselves may take up the task. If that is the case there will most probably be cooperation between the various investigative agencies involved. All of that means more pain for the companies involved.

Over the past couple of days Mike Volkov has provided information to the compliance practitioner to assist in this new world order in China. In a blog post, entitled “China and Compliance Solutions: Choking Off the Money Supply” and webinar, entitled “How to Avoid Corruption Risks in China”, Volkov gave some specific suggestions for the compliance professional to utilize in the current enforcement environment in China. In his webinar, he said that western companies operating in China need to understand that the cost of compliance will exceed other countries. While there is certainly an upside in revenues from China business, it also involves greater compliance costs and risks. Companies need to construct enhanced compliance controls and implement aggressive monitoring programs, demand adherence to strict documentation policies and to integrate non-Chinese controls and personnel into China operations to supervise and monitor the local operations.

Volkov identified third party risks as the greatest risk because companies have a limited ability to control the outgoing of their monies much more than companies usually do of their own. Some of the key questions that need to be explored in the due diligence process include what specific services will the third parties be used for and have you verified that the potential agent can deliver those services? You need to care that there is an absence of relationship between your Chinese employees and third party. You also need to inquire about how the third party came to the company’s attention? So, for instance, does it have an internal sponsor in your company? Volkov notes that not only must audit rights be secured by western companies; they need to exercise those rights. Lastly, he advises that any unjustified expenditures have to be aggressively pursued both through the audit process and into the investigative process, if needed.

Volkov believes that a key control involves focusing on internal expenditure. Unfortunately, he notes that external auditors often rely on Chinese affiliates, who he believes are “notorious for bending to company resistance to auditing standards and inquiries.” Therefore companies need to require their external auditors to install quality controls. Companies should also demand strict adherence to auditing standards. He suggests that there should be both forensic auditing and transaction testing to review individual receipts and transactions. Lastly, he suggests that money should only be doled out through strict supervision by a non-Chinese controller.

In his blog post, Volkov drills down into some specific protections that a company can take to control its cash outlays in China to try and prevent some of the more well-known bribery schemes. He believes that “The strategy for compliance is then to focus on access to the money which the bribe payor needs to complete the bribe. Resources and controls need to be allocated and designed based on this analysis and focus.” He provides two scenarios where bribery and corruption can occur and two possible strategies to combat such actions.

In the first scenario, a company employee obtains company money by fraud and then pays a government official. Under this scenario, a company employee uses a fake invoice(s), which is typically required in China to satisfy tax authorities. The fake invoice, which may involve another party as the recipient of the payment, is a means by which to “steal” the money from the company and use it for an improper purpose. This was the bribery scheme used by Eli Lilly’s employees in China where employees submitted false expense accounts and used the difference to fund their bribery scheme.

Volkov’s prescription for this is that the company’s compliance function must ensure that internal financial controls are scrupulously followed, so that any potential fake invoice is identified in advance.  He believes whether the offender is an ex-pat or a local employee it is important to enforce such rules, it is an issue which can be debated and the outcome will depend on the personal and the specific situation facing the company. The reason would seem rather self-obvious; that is, if no one is watching the invoicing process, verifying the accuracy of the invoice and ensuring that the payment is justified, money will slip out from the company for bribes. But, then again, maybe not given the paucity of Foreign Corrupt Practices Act (FCPA) enforcement actions in China. This means the focus of internal controls should include not only fake invoices but systems, procedures and forms to ensure that only approved and appropriate payments are made.

Under his second scenario, Volkov cites the situation where a company employee enlists the assistance of an agent to make direct payments to a foreign official to ensure that the government official purchases the company’s product or service. The company employee knows that the third party is used (or will be used) for legitimate and improper payments. The company employee knows that some of the invoices submitted by the third party are for legitimate services and some are for non-existent services and used to finance bribe payments. Sounds sort of like GlaxoSmithKline PLC’s (GSK) China operation to me.

To help counteract this second bribery and corruption scenario, Volkov recommends that “China-focused compliance strategy to reduce illegal money flows through third parties requires enhanced resources and controls to conduct due diligence, monitoring of money payments, justification for every payment, and enhanced monitoring elements. Each payment has to be fully justified, documented and corroborated. Monitoring techniques have to include detailed transaction testing and in-depth compliance and financial audits.” He once again cautions that the objective is to concentrate compliance on the movement of each dollar, confirm the legitimacy, and look for any signs of potential funding of bribery through the third party.

We started out with the question of “Where’s the Ball?” Just as Chris Young thought it was prudent to verify that indeed the Astros outfielder had caught his near game-winning, walk-off home run; you need to be prepared to ask some direct questions in your Chinese operations. If you do not see the ball or you do not get direct answers, my suggestion is that you gear up and get some people in place who can do so. Otherwise you might end up like our friends at GSK.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013