Jonah Lomu died this week. If you have more than a passing interest in sports, you will recognize Lomu as one of the very few game-changers in a sport, his being rugby. I do not pretend to understand the sport very well (except that it involves running, blocking, hitting and tackling – which I do understand), yet even I could tell that he was a true original, a 6 foot 5 inch, 265 lb. behemoth who could run a 4.4 forty. He played for the New Zealand All-Blacks, not in the middle as you might expect for a man his size but as a winger, really just a wide-out for those who want it translated into American football.

If you saw the movie Invictus about South Africa’s 1995 Rugby World Cup championship, you will remember the clips of a 20-year-old Lomu single-handedly destroying England with four tries (read: touchdowns) in the Semi-Finals. Yet South Africa was able to keep him under control to win one of the greatest finals upsets in Rugby World Cup history. Even at that youthful age, he had been diagnosed with a rare kidney disease that would eventually lead to his death at the age of 40. Here’s to you, Jonah Lomu, to your true greatness and a true original.

I thought about Lomu when reading the comments from the Department of Justice (DOJ) and Assistant Attorney General Leslie R. Caldwell about how the DOJ will consider a company’s actions in any decision on whether or not to prosecute. These comments, changes and clarifications would appear to bookend the process that began with the Yates Memo, released back in September. Earlier this week, Deputy Attorney General Sally Quillian Yates clarified how the DOJ would be evaluating companies going forward.

Stephen Dockery, writing in the Wall Street Journal (WSJ) online publication, Risk and Compliance Report, in an article entitled “U.S. Justice Dept. Changes Corporate Credit Process in Prosecutions”, said that the DOJ explained how the process laid out in the Yates Memo would go into effect. He wrote there “will be two factors prosecutors can use in giving more favorable treatment” when making decisions on whether or not to prosecute. He quoted Yates as saying, “one focused solely on the company’s timely and voluntary disclosure and the second on its cooperation. We made this change to emphasize that while the concepts of voluntary disclosure and cooperation are related, they are distinct factors to be given separate consideration in charging decisions. In recognition of the significant value early reporting holds for us, prompt voluntary disclosure by a company will be treated as an independent factor weighing in the company’s favor.”

Dockery also noted that Yates clarified what might be considered “all relevant facts” from an investigation. Once again he quoted Yates directly, “There is nothing in the new policy that requires companies to waive attorney-client privilege or in any way rolls back the protections that were built into the prior factors. But to earn cooperation credit, the corporation does need to produce all relevant facts – including the facts learned through those interviews.” Dockery also said that Yates noted, “the Justice Department wouldn’t look favorably on companies trying to twist privilege to shield information from investigators.”

Caldwell expanded on these remarks in a speech made on Tuesday of this week, when she said, “In our view, a company that wishes to be eligible for the maximum mitigation credit in an FCPA case must do three things: (1) voluntarily self-disclose, (2) fully cooperate and (3) timely and appropriately remediate.” Regarding point 1, self-disclosure, Caldwell went on to say, “I mean that within a reasonably prompt time after becoming aware of an FCPA violation, the company discloses the relevant facts known to it, including all relevant facts about the individuals involved in the conduct.” Moreover, “To qualify, this disclosure must occur before an investigation—including a regulatory investigation by an agency such as the SEC (U.S. Securities and Exchange Commission)—is underway or imminent. And disclosures that the company is already required to make by law, agreement or contract do not qualify.”

Caldwell also expanded on Yates’ second prong, ongoing cooperation. She said, “Second, in line with the focus on individual accountability for corporate criminal conduct…companies seeking credit must affirmatively work to identify and discover relevant information about the individuals involved through independent, thorough investigations. Companies cannot just disclose facts relating to general corporate misconduct and withhold facts about the individuals involved. And internal investigations cannot end with a conclusion of corporate liability, while stopping short of identifying those who committed the underlying conduct.” But it means more than simply doing an investigation and turning over the results of the investigation. Full cooperation also “includes providing timely updates on the status of the internal investigation, making officers and employees available for interviews—to the extent that is within the company’s control—and proactive document production, especially for evidence located in foreign countries.”

Finally Caldwell added a third prong which Yates did not discuss, that being remediation. She noted that remediation includes a “company’s overall compliance program as well as its disciplinary efforts related to the specific wrongdoing at issue. For example, when examining remediation we consider whether and how the company has disciplined the employees involved in the misconduct. We also examine the company’s culture of compliance including an awareness among employees that any criminal conduct, including the conduct underlying the investigation, will not be tolerated.”

This is where the new DOJ Compliance Counsel comes into the picture. Caldwell said, “We look forward to her insights on issues such as whether the compliance program truly is thoughtfully designed and sufficiently resourced to address the company’s compliance risks and whether proposed remedial measures are realistic and sufficient.” I was interested to read that Caldwell also said this new person would also “be interacting with the compliance community to seek input about ways we can work together to advance our mutual interest in strong corporate compliance programs.” While her remarks this week did not go into the detail she did in her previous speech outlining the metrics the new Compliance Counsel will use in evaluating corporate compliance programs, Caldwell clearly referenced those standards as well.

The Yates remarks clarifying how “businesses will get an extra shot at favorable treatment based on their disclosure of wrongdoing to the government” and Caldwell’s speech further laying out the parameters and what will be expected in the form of a corporate compliance program should be welcome news to every Chief Compliance Officer (CCO) and compliance practitioner. These two pieces of information, coupled with Caldwell’s earlier remarks on the Compliance Counsel metrics, lay out for you, with the most precision yet, how to move forward towards obtaining the best possible outcome if you are embroiled in a Foreign Corrupt Practices Act (FCPA) investigation. If your management wants to know what credit it will receive and the roadmap of how to get the best possible result, the DOJ has laid it out for you.

I further believe this series of remarks serves as a bookend to the information announced in the Yates Memo in September. That Memo set forth the expectations for prosecutors in white-collar cases, including FCPA matters, to prosecute more individuals. You see what substantive cooperation means and how your compliance program will be evaluated. The DOJ has laid it out for you in plain black and white.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2015


Ed. Note: I continue my series of blog posts on thought leaders in the compliance space today with an interview of Jonathan Marks, a Managing Director at Navigant

  1. Where did you grow up?

I was born in New York City, raised in the Bronx, and moved to Bucks County, Pennsylvania where I live today with my family.

  2. Where did you go to college, what did you study and how did it influence your career going forward?

I am a proud graduate of Bloomsburg University of Philadelphia, where I studied accounting.

I was hired by Coopers & Lybrand (Philadelphia Office) in my junior year of college, and joined the audit practice where I was exposed to fraud and misconduct cases. Audits were like giant puzzles to me, and I love puzzles, but I also love reading people and their behavior. The psychology of people and what makes them commit fraud is a fascinating topic.

  3. How did your work lead to your current expertise on the FCPA and anti-corruption compliance?

Back in the 1990s I worked on a global fraud risk assessment for a company and identified the lack of control over various expenses. This led to a review of business practices in the U.S. The results were, not surprisingly, very revealing and I was asked to work with in-house counsel on assessing risk globally. At that time, the FCPA Act was not as high profile as it is today. I had a suspicion that FCPA issues were lurking within many organizations, and I began to advise my clients more proactively about corruption issues. My experience showed me that an organization couldn’t possibly build an effective compliance program without first having a good governance framework and a thorough global fraud risk assessment that extended beyond the enterprise. I eventually developed a FCPA Compliance Action Plan and began to use the plan to help my clients build or assess their compliance programs.

  4. You have long been active in the IIA and ACFE, both locally and nationally. What have your roles been, and how has that been an adjunct to your practice?

I love giving back to the profession! A few years ago, I served as the President of the Philadelphia Chapter of the IIA, and I currently serve on the Board in various capacities. I also serve on the faculty of the ACFE, and have taught and spoken at numerous conferences and chapter events.

Interacting with professionals who share my passion for investigating and fighting against fraud enables me to share diverse perspectives with my clients. I am always challenged to rethink my beliefs and methodologies in order to provide my clients with the most innovative and practical approaches to mitigating their risk to fraud and to other potential issues.

  5. What are some of the common mistakes that you still see from an internal controls/internal auditing perspective in the FCPA/anti-corruption space?

Most company executives still don’t understand the waterfall model or sequential design process of governance, risk and compliance. Moreover, the fraud risk assessments I have reviewed for multinational companies are generally not thorough or do not adequately address corruption! It is so important for companies to understand that by investing a little time into their compliance programs, they can save themselves a lot of headaches down the road.

There is a real opportunity for companies to up their game with respect to designing effective internal controls. The Internal Audit function should conduct regular testing of higher-risk compliance-sensitive accounts, using technology to mine data and perform analytics.

  6. You have consistently talked about a best practices compliance program as having both a prevention and detection function. Do you find that message is resonating more with companies?

I think most companies want to believe, or talk themselves into believing, that their compliance programs are best in class and include a preventive and detective component. In reality, that’s not the case. I call this “perfect place” syndrome. Others, or the realists, know they are far from best in class, but have identified gaps in their program and have put a plan in place to remediate those gaps and enhance compliance throughout the organization.

  7. You recently moved to Navigant. What do you hope to accomplish professionally with this move?

I am thankful for every opportunity I have been given professionally. Navigant experts have deep industry knowledge across Financial Services, Healthcare, Energy, and Construction and the requisite expertise to enable companies to defend, protect and create value. I belong to a team of dynamic forensic accountants, compliance professionals, and litigation experts who are adept at tackling today’s most complex accounting, legal and regulatory issues. My goal is to bring companies multifaceted solutions to their most critical compliance and legal challenges.

Jonathan Marks can be reached at

Today I conclude my month long HorrorFest Tribute to Val Lewton, who for too long has been in the shadows between the great Universal Pictures monster movies of the 1930s and the Hammer Films of the 1950s. As noted by Cal-Berkeley in its Lewton films retrospective, his films should be praised “for a cluster of creepy cheapies he produced in the early forties, notable for heavily shadowed psychic landscapes, arousing unease through an excess of archaic suggestion.” Originally a scriptwriter, Lewton went from anonymous labors at MGM to working for David O. Selznick on Gone with the Wind and finally to the head of the horror unit at RKO in 1942. Little did the world know that their enfant terror would transform formulaic ideas and impoverished means into a well-crafted surplus of psychological enthrallment.

Beginning with Cat People and I Walked with a Zombie, Lewton overwhelmed a poverty-stricken mandate – to make seventy-five-minute features for $150,000, using titles supplied by the studio – by assembling a remarkable coven of collaborators who could conjure his eerie vision: directors Jacques Tourneur, Mark Robson, and Robert Wise; writers Ardel Wray and DeWitt Bodeen; and cinematographer Nicholas Musuraca. Where most low-budget horror films of the era tried to illustrate the lurking horror, Lewton-produced pictures “left instead inky insinuations that beckoned primeval folklore, reptilian instinct, and emotional monstrosities.” If you have never seen any Lewton films, I urge you to curl up on a cozy couch and watch some this Halloween Weekend.

Val Lewton’s films inform today’s post. About this time last year I sat down with Compliance Week Editor Matt Kelly and told him about a vision I had for the compliance practitioner. Compliance Week had just published my book Doing Compliance: Design, Create, and Implement an Effective Anti-Corruption Compliance Program, what I would humbly call the best one volume work on how to design, create and implement a best practices compliance program. But I told Matt that I envisioned a series of shorter books and eBooks, from 30 to 50 pages long, which dove into specific subjects in much greater detail than I could do in a one-volume book such as Doing Compliance.

Matt was intrigued enough to ask me to explain further what I had in mind. I told him I wanted to have a 10 volume series of ‘Fox on Compliance’ topics, available through Compliance Week, that could sit on the shelf of any compliance practitioner and provide specific, detailed information about a wide variety of subject matter of interest to any Chief Compliance Officer (CCO) or compliance practitioner. I told him I also wanted to have each book available in an eBook version for those who utilize that format. I wanted to do a book a quarter for 2+ years so that there would be a library of 10 available. Matt gave me the green light and we set off. Shortly thereafter Aarti Maharaj came onboard with Compliance Week and we three have worked to come up with a series that can help anyone interested in the doing of compliance.

The first book was CCO 2.0 | Internal Marketer and Soft Skills Required. In this book I discuss that we are now in the age of the Chief Compliance Officer 2.0. Not only has there been an explosion in growth in the profession but also I believe there has been a dramatic shift in the perception of what anti-corruption/anti-bribery compliance is and how a company benefits from having programs which comply with laws such as the US Foreign Corrupt Practices Act (FCPA) or UK Bribery Act in place. No longer is compliance the province of lawyers or the legal department but it is now seen as a standalone function which requires a set of skills far different than the typical skills used by in-house lawyers in a corporate legal department, which I call soft skills. I wanted to put together a short book that provides the compliance practitioner with some of the most current ideas on the types of skills that you might need and, equally importantly, how to market your function within the corporate environment.

The second book was Internal Controls in an FCPA Compliance Program. In this volume I discuss the rise in internal controls enforcement around the FCPA. Internal controls have long been an overlooked requirement under the FCPA. In this work, I present a clear guide to navigating the complexities of internal controls. I also discuss the operational realities that compliance practitioners must take into account, the degree of regulations and the extent of government interaction that exist in the design of a company’s internal controls. Finally, I deconstruct the hotly debated topic of internal controls by taking a closer look at the law itself and how it fits as a “critical component” of a best practices anti-corruption program.

Recently Compliance Week released the third book in my series. It is entitled A Guide to Effective Internal Investigations. In this volume I detail what you should do if a call, e-mail, or tip comes into your office because an employee is reporting suspicious activity somewhere across the globe; where the activity might well turn into a FCPA issue for your company. I write about what your company should have in the way of a detailed written procedure for handling any complaint or allegation of bribery or corruption, regardless of how that allegation is communicated. I detail how you should initiate the triage and investigation process that will determine, in many instances, how the company will respond to misconduct as it relates to the FCPA. I also go into some of the considerations you will need in order to make an informed decision on whether or not to self-disclose, evidentiary concerns in any internal investigation and what happens when in-house counsel turns whistleblower.

I have additional books coming out in future quarters. And just as there were some great horror moments in the relatively small and (for Hollywood) inexpensive movies produced by Val Lewton, I think you will find these short books and eBooks packed with lots of substantive information that you can use in your compliance practice going forward.


Whom to suspend during any Foreign Corrupt Practices Act (FCPA) investigation is always a delicate question to answer. Unfortunately there is never an easy answer. As the Volkswagen (VW) emission-testing scandal continues to reverberate, it continues to bring up some very knotty questions, which have bedeviled the Chief Compliance Officer (CCO) or compliance practitioner in many areas. Today there is an example around internal investigations.

In an article in the Wall Street Journal (WSJ) entitled “Scope of VW Suspensions Grows”, William Boston reported on the ongoing internal investigation by the company’s outside counsel Jones Day. Boston noted that VW had “suspended a larger number of engineers than previously acknowledged, following a recommendation from the law firm conducting” the investigation. The article went on to state, “Jones Day urged suspension of anyone who could have been involved in the scam – from high level decision makers to ordinary engineers – to prevent possible perpetrators from tampering with the evidence”.

This final statement emphasizes a key consideration in a FCPA investigation, which is to tie down the evidence. White collar practitioner and FCPA counsel Mara Senn has said that “probably from the government’s perspective, the most important aspect of setting up an investigation in a way that makes them feel comfortable, is ensuring that all data is locked down.” However, if you are worried about evidence tampering you may have a bigger problem on your hands.

Pointing up the difficulties in making such a blanket sweep, an unnamed source, who provided this information to Boston, was quoted as saying, “We had to suspend everyone in this area to get them out of the way of this process. This is necessary for the investigation, but it’s really hard for us because we are now missing their professional knowledge and experience.”

This issue brings up another point that Senn has discussed, around when to suspend or discipline an employee during an internal investigation. Senn related, “That is a very case-by-case difficult question to answer, but in general, I think it’s better to keep them around for as long as you may need them. Once they’ve been fired or otherwise disciplined, really, even if you keep them around, they’re going to be less cooperative with you and possibly, if you fire them, not cooperative at all. You can require them to be cooperative in the termination agreement, but obviously in practice, cooperation can mean a lot of different things.”

In view of the recent Schrems decision by the European Court of Justice (ECJ), I also wonder how the investigation will fare with the German-based employees. Obviously there will be data that in the US would be deemed company-owned but in Europe it may well be private to the employee being investigated. This problem became even greater with the recent decision by Privacy Regulators from 28 EU nations that backed the ECJ’s Schrems decision that invalidated the Safe Harbor regime. As reported by Jo Sherman in the FCPA Blog, “that closed the legal pipeline by which data has flowed freely from the EU to the U.S. for the last 15 years. The rationale for the court decision and the subsequent backing of the EU Data Protection Authorities is that the surveillance powers of the U.S. government are considered to be too excessive and disproportionate, and can override the data protections for EU citizens under the Safe Harbor framework.”

Well-known UK data privacy expert Jonathan Armstrong has stated that the only way at this point was to obtain the consent of the person being investigated. However, obtaining such consent raises a host of other problems. He said, “Can I really get consent in an internal investigation? Can I go along, speak to my Austrian agent and say, “Peter, I just need you to sign this form to transfer your data to the US”? Now, for consent to be valid the European legislation it has to be fully explained, it has to be honest, it can’t be deceptive. I’ve got to say to him, “I want you to sign this form because I want to investigate you. I want to run a full FCPA investigation; you’re the prime suspect. I want to take a look at your emails and I have to inform you that by the way, you have the right not to consent and if you don’t consent there’s no way I can investigate you. Could you sign the form, please?”” As Armstrong went on to note, “What answer is he likely to give in an internal investigation and how would the US authorities feel if I go and tip off the main suspect that he’s under investigation?”

Yet there is another concern for the Jones Day investigators going forward. Sherman stated in the FCPA Blog, “EU Data Protection Authorities are already prepared to bring enforcement actions early next year against EU-U.S. data transfers that were previously protected by the Safe Harbor framework but are now considered to potentially violate privacy rights of EU citizens.” So the lawyers might put themselves at risk if they violate the privacy rights of Europeans in a manner that would not offend US law enforcement authorities.

Yet regarding any use of the evidence that you might gather, Armstrong put it more starkly when he said, “you’re going to get no sympathy from the bribery prosecutors, bribery regulators if you mess this up. The SFO [Serious Fraud Office] has already lost the case, allegedly, on the way in which the US firm involved conducted the investigation. They will have, rightly I think, no sympathy at all for people whose investigations are themselves conducted unlawfully. It’s going to need a lot of careful thought to structure data transfers, even to structure interviews. How do you move those interview notes about, how do you look at emails, all of this stuff is going to be absolutely critical not only so that you don’t break data privacy data protection laws, but also tipping off witness, you know, interfering with the scene of an investigation, et cetera, et cetera. All of these things are critical.” I would only add whatever level of sympathy you might receive from the SFO, it is likely to be distinctly lower at the Department of Justice (DOJ) or Securities and Exchange Commission (SEC).
