Today we honor folk-rocker Donovan and his signature song Sunshine Superman, which was profiled in the Wall Street Journal (WSJ) column Anatomy of a Song. The song was a love paean by the singer to “Linda Lawrence, his love interest, the song was recorded in December 1965 and released in July ’66, climbing to #1 in September.” When she first heard the song, while living in Los Angeles she “was home with my best friend Cathy when “Sunshine Superman” came on the radio. At the end, Cathy just looked at me, “Oh my God,” she said, “he still loves you.”” The fairy tale came true in 1971 when they were married.

Yet it was not the romantic angle on the song that intrigued me but the production. Donovan had written it for an acoustic guitar. His producer wanted a more mystic feel so he brought in “Tony Carr’s conga, Spike on acoustic bass and John Paul Jones on electric bass.” Even more amazingly he added a Jimmy Page electric guitar solo later so as Donovan noted, he had one-half of Led Zepplin on his song. It was this interconnectedness in the song’s production which caught my eye and introduces today’s look at the Wells Fargo Independent Directors of the Board of Wells Fargo & Company Sales Practices Investigation Report issued Monday. As I noted yesterday, there are multiple lessons to be garnered by the compliance practitioner from this matter. Today I want to turn to the corporate disciplines of Human Resources (HR), Internal Investigations and Audit as control function failures. I will save my special wrath for the law department and corporate risk management for Thursday.

Donovan’s Sunshine Superman leads as the demonstrative example of the interconnectedness of the Wells Fargo control failures. For the bank, it all started with the decentralized nature of the business units and the control functions which grew up to provide the support for them. The fraudulent conduct engaged in by Wells Fargo was euphemistically called “sales integrity” by the bank and that language was carried over into the investigative report. This decentralized nature did not allow HR to have visibility into the scope and nature of the fraud. This was despite the fact, “Almost all sales integrity cases and issues touched upon some facet of the HR function, including with respect to employee terminations, hiring, training, coaching, discipline, incentive compensation, performance management, turnover, morale, work environment, claims and litigations.” Yet, even within the HR function there was no effort to track or report on the fraud issues.

The second general issue was the deference given to the business units. Of course, the Community Bank unit was making tons of profit for the company but I am sure that had nothing to do with the fact the entire company seemed to employ an ostrich as its symbol. But it was even worse, as the Report noted, “This culture of deference was particularly powerful in this instance since Tolstedt was respected for her historical success at the Community Bank, was perceived to have strong support from the CEO and was notoriously resistant to outside intervention and oversight.”

Finally, was the ‘transactional’ approach to each issue around the fraud. Every control function managed to focus “on the specific employee complaint or individual lawsuit that was before them, missing opportunities to put them together in a way that might have revealed sales practice problems to be more significant and systemic than was appreciated.” The Report specified that HR had all the relevant information but failed to connect the dots. More pointedly, you cannot connect the dots if you are not looking to do so.

The problem at HR was two-fold. The first was that corporate HR had no oversight into problems of sales fraud because it had no oversight into the business unit. The Report stated that Community Bank “was not accustomed to involving Corporate HR in its discussions and decisions and was generally protective and defensive in keeping control of HR-related activities within the line of business.” The business unit controlled or cowed the Community Bank HR, even though the business unit HR was well aware of the sales fraud issues, from as far back as 2002 and “participated in efforts to stem the sales practices.” Yet during this entire period they never had the authority or resolve to do anything.

Internal Investigations was also aware of the sales fraud, apparently as far back as 2002. At least Internal Audit (IA) was not cowed by its reporting to the business unit. IA reported to various corporate functions including Audit, corporate HR and corporate Risk. Rather amazingly in 2004, “Internal Investigations was involved in the work of a sales integrity investigations task force, which also included representatives of Community Bank HR, Community Bank management and the Law

Department.” Internal Investigations called termed the fraudulent sales practices “gaming” and they prepared a report around their findings. The Internal Investigations report pointed to unrealistic sales goals and that employees felt they could not meet the goals without gaming the system. Presciently, the report “warned of the reputational risks for Wells Fargo, specifically, “[i]f customers believe that Wells Fargo team members are not conducting business in an appropriate and ethical manner, it will result in loss of business and can lead to diminished reputation in the community.”” Recall this Internal Investigations report was issued in 2004.

The report also specified there was an “incentive to cheat based on the fear of losing their jobs for not meeting performance expectations.” Internal Investigations also identified another data point which was disregarding. Demonstrating how the bank viewed terminated and departed employees, the company actively fought ex-employee attempts to obtain state of California employment benefits. The Internal Investigations report stated, “Wells Fargo had been losing unemployment insurance cases involving sales integrity terminations, in which judges “made disparaging comments” about the sales incentive system.” Finally, the report even benchmarked competitors which “significantly reduced their sales incentive employee terminations after revising their sales incentive programs.” The report ended by recommending “that Wells Fargo consider similarly reducing or eliminating sales goals for employees and removing the threat of employee termination if goals were not met.”

Internal Investigations did not fail as a control but when their report was forwarded to the then head of the unit, the Chief Auditor, he buried it. While he did report raw numbers to more senior management, he did not include any information on the root cause of the problem. Think about this final point in the context of the Department of Justice’s (DOJ) recently released Evaluation of Corporate Compliance Programs and its emphasis on root cause analyses.

IA comes in for discussion as this corporate function was (1) well aware of the problem, (2) did not believe it to be “an urgent problem” requiring IA to do anything, and most amazingly (3) thought the internal controls in place were working as they were turning up problems which were not the problem of IA to address. IA viewed controls as detect only, not to prevent or provide data to remediate.

The Report stated, “Audit witnesses also said that, as the third line of defense, Audit’s job was to ensure that the control environment established by the first (business) and second (Risk) lines of defense was appropriate. Audit personnel indicated that their focus was on testing the operation of specific processes and the processes’ effectiveness at managing the risks they were designed to control, but that they did not generally investigate root causes of risks; according to the witnesses, that task rests with the business, which they said has greater familiarity with the risk environment, better access to operational data and both proximity to and responsibility for its employees’ actions.”

If it seems like the inmates were running the asylum, remember those folks over in the Community Bank business unit were making money hand over fist for the bank. But the Report also demonstrates the interconnectedness of not only the sales fraud but its actual knowledge by multiple corporate functions with Wells Fargo. As none of these functions took responsibility for doing anything it appears the true culture of the bank was NMP as in Not My Problem. 

To listen to a YouTube version of Donovan signing Sunshine Superman, click here.


This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2017

In this episode Matt Kelly and myself take a deep dive into SOX 404(b), what it requires and how companies comply with the reporting requirements set out in this statute. We consider the recent announcements from Congressman Jeb Hensarling to amend this section to exempt companies under the $500MM who wish to go public from its reporting requirements. We consider the corporate and audit response currently in place for 404(b) and how this response is now well embedded in not only corporate controls but also in reporting. We discuss the importance of internal controls over the time frame since the enactment of SOX and how any change may not be well received by institutional investors and private equity funders.

For a more detailed discussion, see Matt’s blog post entitled, “Tale of Sound & Fury: The 404(b) Debate”.

In this episode I visit with WSJ MarketWatch reporter Francine McKenna on the recently concluded Taylor Bean litigation against PwC and what it might mean for the Big 3 going forward.

oscar-meyer-wienerLast week a true American original died when Richard Trentlage passed away. If you do not know his name you certainly know signature contribution to American culture, the Oscar Meyer Weiner Song. Rather amazingly Trentlage wrote the jingle in response to a contest sponsored by the Oscar Meyer Wiener Company for a new theme in 1962 and did so in an hour. According to his  obituary in the New York Times the song “debuted in 1962 a3 and became the company’s signature advertising tune in 21 English speaking countries until 2010.” Moreover the “song became a part of the fabric of American culture, with airings on the children’s television show ‘Captain Kangaroo’, on the cartoon ‘The Jetsons’ and on an episode of the ‘The Simpsons’ in 1990. The song and its writer were true American originals.

Another original was in the news last week when the UK pharmaceutical giant GlaxoSmithKline PLC resolved its outstanding Foreign Corrupt Practices Act (FCPA) issues with its settlement with the Securities and Exchange Commission (SEC) by agreeing to pay $20 million civil penalty when China-based subsidiaries spent millions of dollars on pay-to-prescribe schemes for several years to pump up sales. Even more amazingly the company received a declination from the Department of Justice. I say even more amazingly because at the time of the conduct at issue, GSK was under a Corporate Integrity Agreement, the pharma equivalent of a Deferred Prosecution Agreement. The CIA required GSK not only to obey laws (and to pay bribes) but have a functioning compliance program in place, which the company obviously did not give one whit about, at least in China.

For those who have long forgotten our friends over at GSK (hum the Oscar Meyer Wiener theme now) they were four or five major corruption scandals ago, way back in the summer of 2013 when news broke that the Chinese  government had accused the company of five years of institutional bribery and corruption. Senior GSK business unit leaders were arrested and GSK claimed to be shocked, just shocked that anyone would accuse it of bribery and corruption, especially after just paying the US government $3bn for false labeling products. Yet the corruption continued even after being reported by an anonymous whistleblower (cleverly monikered GSK Whistleblower) the company was not able to turn up any indicia of bribery and corruption in its China business in six months of looking.

As lightly as GSK apparently took these allegations, the Chinese authorities took them very seriously and in a few months of investigation turned up the massive and pervasive bribery scheme. They put numerous senior GSK China employees under house arrest and even managed to illicit a confession or two on public television.

All of this led to a secret trial in August 2014 where the company was fined approximately $490MM and the four top executives of GSK China were convicted. The non-Chinese citizens were deported. There was even a sex tape aspect to the matter but it was somewhat tangential to the case and (apparently) not a part of the SEC enforcement action. Most interestingly the SEC Order did not mention the fine paid in China and it is not part of the Order, although surely the SEC took it into account. At least I hope so.

Yet the SEC enforcement was not without some interest. The Order noted, “Between at least 2010 and June 2013, employees and agents of GSK’s China-based subsidiary and a China-based joint-venture engaged in various transactions and schemes to provide things of value to foreign officials, including healthcare professionals (“HCPs”), in order to improperly influence them and increase sales of GSK products in China.  This misconduct was facilitated in part by the use of collusive third parties that ostensibly provided legitimate travel and other services. The funds used for the improper inducements were frequently obtained under the guise of, and falsely recorded in GSK’s books and records as, legitimate travel and entertainment expense, marketing expense, speaker payments, medical associations payments, and promotion expense. Throughout this period GSK failed to devise and maintain a sufficient system of internal accounting controls and lacked an effective anticorruption compliance program. The deficiencies in GSK’s internal accounting controls and compliance program also led to instances of similar improper conduct in connection with sales in other countries in which GSK operates.”

Yet we learned more in the SEC Order about GSK China’s bribery scheme. One emphasis was the China business unit wide pervasiveness of the corruption. The Order noted that bribes were actually written into sale plans for the company, stating, “a 2013 work plan submitted by a sales representative to a regional sales manager described the intent to pay, among other things, an HCP RMB 20/box of prescribed product every month, and deliver appropriate gifts on each holiday in exchange for a guarantee of more than 40 boxes of prescribed product every month.”

There was also some attempt to investigate the conduct of the China business unit but they all failed uncover the systemic bribery of GSK China. One set of investigations noted, “During this period, local internal audit and compliance reviews identified controls deficiencies and evidence of some mechanisms that were used to fund the improper payments, but they were treated as isolated instances rather than signs of a larger problem.”

Even more damning was the following, “As early as 2010, internal audit identified problems related to sales and promotions staff practices in China. Among other findings it noted: [d]uring 2010, several new policies governing commercial activities such as grants and donations and sponsorships were introduced. The significant changes, combined with the high staff turnover, contribute to an environment where many commercial and medical staff do not understand how to apply policies or the rationale behind them. This was evidenced by approval of non-compliant activities, a lack of clarity on which policy to apply for activities such as grants, and weaknesses in documentation to support the legitimate intent of activities such as advisory.”

One wonders whether the internal audit staff was simply not competent to properly identify the bribery and corruption or if they simply knew not to look with any more depth or seeing their findings as “signs of a larger problem.” However given the finality of these resolutions with the SEC and DOJ, it is doubtful there will be any further investigations going forward as to GSK’s China issues.

Nevertheless the matter continues to present multiple lessons to be learned for the compliance practitioner. Assuming one wants to actually find nefarious conduct, stop it and then remediate it, GSK in China presents several lessons on what to look for and how to move forward. The SEC Order also re-emphasizes the bribery schemes used by the company. What the SEC Order and DOJ declination may ultimately symbolize is the end of a long and sordid affair for the company.

One might also consider the damage the scandal did to the parent company and the legacy of the soon-to-retire chief executive Sir Andrew Witty. While the scandal did not reach either the corporate parent in England and certainly not Sir Andrew, the $490MM fine in China and the $20MM fine in the US, pale beside the true cost to GSK, which was its sales targets in China. GSK had targeted the over $30 bn Chinese medical product and services market to be 20% of GSK total revenue by 2020. That strategy is now in tatters as the Chinese prosecution made GSK a non-entity in the Chinese health care market. Any transaction involving GSK involving a Chinese health care provider, invites government scrutiny. It is far easier for health care providers to purchase pharmaceuticals, health care products and medical services from companies which have not gone through such a prosecution.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2016






This Week in FCPA-Episode 19, the International Edition

Show Notes for Week ending August 26, 2016

  1. John Kerry: Corruption is ‘root cause’ of terrorism, on FCPA Blog.
  2. Eric Ben-Artzi Op-Ed piece on why he turn down his whistleblower award, as featured in the Financial Times.
  3. Lessons from History-the Tudors on compliance, from the FCPA Compliance Report.
  4. FedEx trial debacle for the DOJ, and Paul Pelletier’s recommendation to fix recent spate of ill-fated and advised DOJ prosecutions, as featured in the FCPA Blog.
  5. Hallmarks 1-5 of the Ten Hallmarks of an Effective Compliance Program, as featured in the FCPA Compliance Report.