One of my favorite words in the context of Foreign Corrupt Practices Act (FCPA) enforcement is dis-link. It a useful adjective in explaining how certain conduct by a company must be separated from the winning of business and more broadly it works on many different levels when discussing the FCPA. This concept of dis-linking was most prominently laid out in Opinion Release 14-02 (14-02). It provided one of the most concrete statements from the DOJ on the unidimensional nature of compliance in the mergers and acquisition context; both in the pre-acquisition and post-acquisition phases.

In this Opinion Release the Requestor was a multinational company headquartered in the United States. The Requestor desired to acquire a foreign consumer products company and its wholly owned subsidiary (collectively, the “Target”), both of which were incorporated and operated in an un-named foreign country. It never issued securities in the United States and had negligible business contacts in the US, including no direct sale or distribution of their products. During its pre-acquisition, due diligence of the Target, Requestor identified several likely improper payments by the Target to government officials of Foreign Country, as well as substantial weaknesses in accounting and recordkeeping. Considering the bribery and other concerns identified in the due diligence process, Requestor also detailed a plan for remedial pre-acquisition measures and post-acquisition integration steps. Requestor sought from the DOJ an Opinion as to whether the Department would then bring an FCPA enforcement action against Requestor for the Target’s pre-acquisition conduct. It was specifically noted that the Requestor did not seek an Opinion from the Department as to Requestor’s criminal liability for any post-acquisition conduct by the Target. 

Pre-Acquisition Due Diligence

In preparing for the acquisition, Requestor undertook extensive due diligence aimed at identifying, among other things, potential legal and compliance concerns at the Target. Requestor retained an experienced forensic accounting firm (“the Accounting Firm”) to carry out the due diligence review. This review brought to light evidence of apparent improper payments, as well as substantial accounting weaknesses and poor recordkeeping. The Accounting Firm reviewed approximately 1,300 transactions with a total value of approximately $12.9 million with over $100,000 in transactions that raised compliance issues. The clear majority of these transactions involved payments to government officials related to obtaining permits and licenses. Other transactions involved gifts and cash donations to government officials, charitable contributions and sponsorships, and payments to members of the state-controlled media to minimize negative publicity. None of the payments, gifts, donations, contributions, or sponsorships occurred in the US, none were made by or through a US entity and none went through a US bank.

The due diligence showed that the Target had significant recordkeeping deficiencies. Further, the records which did exist did not support the clear majority of the cash payments and gifts to government officials and the charitable contributions. There were expenses that were improperly and inaccurately classified. The accounting records were so disorganized that the Accounting Firm was unable to physically locate or identify many of the underlying records for the transactions. Finally, the Target had not developed or implemented a written code of conduct or other compliance policies and procedures, nor did the Target’s employees show an adequate understanding or awareness of anti-bribery laws and regulations.

Post-Acquisition Remediation

The Requestor presented several pre-closing steps to begin to remediate the Target’s weaknesses prior to the planned closing in 2015. Requestor aimed to complete the full integration of the Target into Requestor’s compliance and reporting structure within one year of the closing. Requestor presented an integration schedule of the Target into the acquirer which included various risk mitigation steps, communications and training on compliance procedures and policies, standardization of business relationships with third parties, and formalization of the Target’s accounting and recordkeeping in accordance with Requestor’s policies and applicable law.

DOJ Analysis

The DOJ noted black-letter letter when it stated, ““It is a basic principle of corporate law that a company assumes certain liabilities when merging with or acquiring another company. In a situation such as this, where a purchaser acquires the stock of a seller and integrates the target into its operations, successor liability may be conferred upon the purchaser for the acquired entity’s pre-existing criminal and civil liabilities, including, for example, for FCPA violations of the target. However, this is tempered by the following from the 2012 FCPA Guidance, “Successor liability does not, however, create liability where none existed before. For example, if an issuer were to acquire a foreign company that was not previously subject to the FCPA’s jurisdiction, the mere acquisition of that foreign company would not retroactively create FCPA liability for the acquiring issuer.””

As none of the payments were made in the US, none went through the US banking system and none involved a US person or entity that this would not lead to a creation of liability for the acquiring company. Moreover, there would be no continuing or ongoing illegal conduct going forward because “no contracts or other assets were determined to have been acquired through bribery that would remain in operation and from which Requestor would derive financial benefit following the acquisition.” Therefore, there would be no jurisdiction under the FCPA to prosecute any person or entity involved after the acquisition.

The DOJ also provided this additional information, “the Department encourages companies engaging in mergers and acquisitions to (1) conduct thorough risk-based FCPA and anti-corruption due diligence; (2) implement the acquiring company’s code of conduct and anti-corruption policies as quickly as practicable; (3) conduct FCPA and other relevant training for the acquired entity’s directors and employees, as well as third-party agents and partners; (4) conduct an FCPA-specific audit of the acquired entity as quickly as practicable; and (5) disclose to the Department any corrupt payments discovered during the due diligence process. See FCPA Guide at 29. Adherence to these elements by Requestor may, among several other factors, determine whether and how the Department would seek to impose post-acquisition successor liability in case of a putative violation.”

Discussion

The DOJ communicated several important messages through 14-02. First it demolished the myths of springing liability to an acquiring company in the FCPA context and buying a FCPA violation, simply through an acquisition; there must be continuing illegal conduct for FCPA liability to arise. Most clearly beginning with the 2012 FCPA Guidance, the DOJ and SEC have communicated what companies need to do in any M&A environment. While many compliance practitioners had only focused on the post-acquisition integration and remediation; the clear import of 14-02 is to re-emphasize the importance of the pre-acquisition phase.

Due diligence must begin in the pre-acquisition phase. The steps taken by the Requestor in this Opinion Release demonstrate some of the techniques you can use in the pre-acquisition phase include (1) having your internal or external legal, accounting, and compliance departments review a target’s sales and financial data, its customer contracts, and its third-party and distributor agreements; (2) performing a risk-based analysis of a target’s customer base; (3) performing an audit of selected transactions engaged in by the target; and (4) engaging in discussions with the target’s general counsel, vice president of sales, and head of internal audit regarding all corruption risks, compliance efforts, and any other major corruption-related issues that have surfaced at the target over the past ten years.

Whether you can make these inquiries or not, you will also need to engage in post-acquisition integration and remediation. 14-02, taken together with the steps laid out in the 2012 Guidance, has provided the post-acquisition actions a compliance professions needs to take after the transaction is closed. If you cannot perform any or even an adequate pre-acquisition due diligence, the time frames you put in place after the acquisition closes will need to be compressed to make sure that you are not continuing any nefarious FCPA conduct going forward.

But it all goes back to dis-linking. If a target is engaging in conduct that violates the FCPA but the target itself is not subject to the jurisdiction of the FCPA, you simply cannot afford to allow that conduct to continue. If you do allow such conduct to continue your company will be actively engaging and participating in an ongoing FCPA violation. That is the final takeaway from this Opinion Release; it is allowing corruption and bribery to continue which brings companies into FCPA grief. Opinion Release 14-02 provided you a roadmap of the steps you can take to prevent such exposure.

Three Key Takeaways

  1. In the M&A context, the key is to dis-link any illegal conduct going forward.
  2. Opinion Release 14-02 provides the clearest roadmap for pre-and post-acquisition compliance actions in the M&A context.
  3. Never forget the Opinion Release procedure. It has been used successfully in two important M&A matters (08-02 and 14-02).

 

This month’s podcast series is sponsored by Michael Volkov and The Volkov Law Group.  The Volkov Law Group is a premier law firm specializing in corporate ethics and compliance, internal investigations and white collar defense.  For more information and to discuss practical solutions to compliance and enforcement issues, email Michael Volkov at mvolkov@volkovlaw.com or check out www.volkovlaw.com.

All Hail Rock and Roll as Check Berry died over the weekend. According to his New York Times (NYT) obituary “While Elvis Presley was rock’s first pop star and teenage heartthrob, Mr. Berry was its master theorist and conceptual genius, the songwriter who understood what the kids wanted before they knew themselves. With songs like “Johnny B. Goode” and “Roll Over Beethoven,” he gave his listeners more than they knew they were getting from jukebox entertainment.” His guitar work was phenomenal and the bottom line is a quote from John Lennon who said, ““If you tried to give rock and roll another name, you might call it ‘Chuck Berry’.””

Last week I interviewed Susan Divers, Senior Advisor at LRN Corporation, on the company’s 2016 Ethics and Compliance Program Effectiveness Report (Report). The Report was a fascinating review of the evolution of compliance and considering the input was compiled before the release of the Department of Justice (DOJ) Evaluation of Corporate Compliance Programs (Evaluation) sometime in February, eerily omnipresent. I found the survey spoke not only to the issue of doing compliance as opposed to simply having a compliance program in place but also to give solid advice by which a Chief Compliance Officer (CCO) can use to benchmark a corporate compliance program. The Report also provides a framework for the creation of a values based organization. I found the Report to be so important towards moving a company to operationalizing a corporate compliance program that I am devoting a multi-part blog post series to it this week. My podcast with Susan Divers will post on Wednesday of this week in the FCPA Compliance Report series on this site.

The Report on the dichotomy between having a compliance program in place and actually doing compliance or as the DOJ said in the Evaluation, operationalizing compliance. In preparation for the Report, LRN reviewed multiple surveys regarding compliance program effectiveness and with one exception, according to Divers they all “focused on components of programs. In other words, they focused on the inputs.” They asked such facile questions as “Do you have a code? Do you do training? Do you have tone at the top? In effect, it was a checklist approach and nobody was really focusing on outputs, which is how are you changing behavior and what are the things that actually change behavior?”

This approach certainly answers the critics of Foreign Corrupt Practices Act (FCPA) enforcement who claim that the FCPA is not effective because there continue to be companies that violate the law. The clear answer is that companies have not accepted their responsibility to comply with the law by operationalizing compliance. The DOJ and Securities and Exchange Commission (SEC) have both consistently made clear the requirement to do compliance not simply put a paper program in place. As far back as 2004 with Opinion Release 04-02, the DOJ laid out the foundations of operationalizing compliance. This was brought forward in 2012 with the FCPA Guidance. As the Report  stated, former “SEC chair Mary Jo White noted that her agency expected senior management and boards of directors to “imbue the organization from top to bottom with corporate culture demanding compliance with the law and the highest ethical standards. We are not talking here about a check the-box compliance program or nice sounding code of conduct. The goal is much deeper.””

The LRN survey focused on the operationalization of compliance by looking at what makes a compliance program effective. One of the key findings was that effective compliance is not simply having policies and procedures in place but rather “values-based workplace cultures are significantly more effective at influencing employee behavior than those solely oriented toward rules or procedures. E&C programs that define their approach as values-based scored highest on LRN’s new Program Effectiveness Index (PEI) and on all key outputs including level of C-suite support, cross-functional integration, middle management engagement, and code of conduct and policy accessibility.”

Most interestingly, a key indicia of an effective compliance program was trust. Divers said, “We looked at that, we looked trust, and we looked at really whether people are in fact, walking-the-walk, not just talking-the-talk. Again, rather than focus on, “Do you have this, do you have that, how many policies to you have”, we looked at the degree of which the workplace is characterized by trust, by respect, and by integrity.” I found this a unique way to review companies but also consistent with the Evaluation when the DOJ specifically talked about organizational justice in Prong 8 by inquiring into whether there was consistency in the application of discipline for Code of Conduct or FCPA violations.

Divers noted that when making an assessment on trust, “It’s not so straight forward or easy. You can’t just ask a question and say, which people tend to do on the employee survey, “Do you feel comfortable speaking up?” Some of the questions we asked were a little more subtle and based on years of doing this kind of work, of analyzing cultures. One is employees in my company questioned decisions when they conflict with our values. Another is employees in my company hesitate to speak up during team meetings because they worry how their managers will react.”

The Report found there are three systems influencing individual and organizational behavior: governance, culture and leadership. Governance refers to formal structure, rules and policies. Culture refers to norms, traditions, habits and mindsets. Leadership refers to how managers behave, as well as the source of authority and how it is exercised.” The Report delineated three dominant archetypes and assessed the impact of each on organizational performance.

The first was an organization which the Report characterized was run with “blind obedience.” This was described as “Power-based, task-driven organizations that operate through command-and control-based principles and policing, and which place little emphasis on building enduring relationships among colleagues, with customers, or within society. Employees are coerced to do as they are told under the threat of punishment or adverse consequences. Such organizations focus on short-term goals.”

The second was an organization led through “informed acquiescence” which was defined as “Rules-based, process-driven organizations that operate through hierarchy, policy and 20th-century “good management” practices. Employees are motivated by performance-based rewards and expected to fulfill the expectations of their roles. Long-term goals are identified but are often set aside in favor of short-term success.”

The final type of organization was called “self-governance” and was defined as “Purpose-inspired, values-based organizations that are led with moral authority and operate with a set of core principles and social imperatives. Employees are inspired by a desire for significance and encouraged to act as leaders regardless of role. Such organizations are focused on long-term legacy and sustainable performance.”

Tomorrow I will consider what a CCO can do to move towards a more values based compliance program through operationalizing compliance throughout the organization.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2017

Cuba 5I continue my exploration of some of the issues around doing business in Cuba, from the Foreign Corrupt Practices Act (FCPA) perspective. Today I want to consider the types of ownership structures that are currently in place and the FCPA issues deriving therefrom. At this time there are three recognized forms of investment: (1) Joint Ventures (JVs); (2) Foreign Capital Company; and (3) International Association Agreement.

Joint Ventures

The first thing to note about JVs in Cuba is that the best you can get is 49% ownership, with the government controlling the remaining 51%. In Cuba, a JV is a separate legal entity that is registered with the government. It is a different legal entity from the two partners and issues shares to its partners. To create a JV you will be required to obtain the authorization of the competent government ministry or state body. The legal documents required are an Association Agreement and Articles of Incorporation.

Foreign Capital Company

This is a separate Cuban domiciled and created corporation, which once again must receive a state license to be created. It must be legally created in Cuba and cannot simply be a branch of an existing foreign corporation. It must issue registry shares to create a legal person who can do business in Cuba. Standard corporate governance documents must be created but this allows the full range of business activities to be conducted both in Cuba and abroad by the Cuban Corporation.

International Association Agreement

This form of entity is more akin to a teaming agreement or some other form of dual participation that is something less than a JV. A foreign company or person might contribute some monies on a project or other basis where they could accrue shares but it is not a capital share. It does not involve the creation of a new corporate entity but is validated by the filing of a public deed and is entered into the Business Register.

Of course, you will have to open a bank account in Cuba. The Central Bank of Cuba heads the Cuban banking system and it consists of nine commercial banks, 15 non-banking institutions and 10 representative offices of foreign banks in the country. Foreign entities are entitled to have accounts and indeed once an investment is approved, the foreign entity is required to open a demand deposit account to receive funds that might come into the company.

I have gone through a somewhat detailed explanation of corporate and business venture structures to re-emphasize the key theme of this week’s blog post. At all times, for all business relations in Cuba, you need to assume you are dealing with government officials. This is true whether they work for a ministry issuing a license to do business in Cuba, a government enterprise doing business in the country or even at a bank. They are all going to be covered by the FCPA.

But more than just understanding what all of your interactions will be with government officials, you should think about the types of corporate structures you want to put in place to protect yourself. As is stated in the FCPA Guidance, “Although the FCPA’s accounting requirements are directed at “issuers,” an issuer’s books and records include those of its consolidated subsidiaries and affiliates. An issuer’s responsibility thus extends to ensuring that subsidiaries or affiliates under its control, including foreign subsidiaries and joint venture partners, comply with the accounting provisions.” This means a US company is responsible for the actions of its JV partners. If you only have a 49% interest, you may not be in a position to control the JV governance or actions.

Similarly, under the International Association Agreement you will have very little ability to control the actions of the entity you are contributing into. This means that in both the JV and this structure, a lengthy and intense dialogue will need to ensue over your expectations not simply that there is no place for bribery and corruption but there will be affirmative compliance with the FCPA. You will also need to put on FCPA training for the JV leadership or your investment partner. Finally, while ongoing monitoring may seem problematic, it will be necessary. You will need to have a formal FCPA compliance program, consisting of policies and procedures in place for a JV or foreign capital company.

The key is going to be your documentation. As every interaction will involve a foreign official under the FCPA, every time you entertain, treat to dinner or meet with a foreign official there should be a record. Before your business folks exclaim, “What an order, I can’t go through with it”; remind them that documentation is a good business practice and indeed will facilitate the business sales process. Moreover any expenses incurred should be recorded for tax reporting purposes.

At some point you will also most probably face the issue of travel by Cuban officials to view your products or sites in the US or other countries. The travel issues seems to bedevil US companies to this day regarding travel of Chinese officials to the US. Yet, to comply with the FCPA, travel for foreign officials is a straightforward exercise with guidelines that have been in place for several years so it really should not be that difficult to comply with the FCPA in the area of bringing Cuban government officials to the US or other locations outside of Cuba. Indeed there have been two Department of Justice (DOJ) Opinion Releases, 07-01 and 07-02, which lay out the requirements that will help to keep you out of FCPA hot water in this area.

Finally, and most importantly, is the Compliance Evangelist mantra, “Document, Document, and Document”. Whatever your engagement is with Cuban officials commit it to paper. If it is travel, gifts or entertainment, catalogue every expense so you can show to any regulator who comes knocking that you are in compliance with the FCPA. The reason is simple, if you do not have appropriate documentation, a regulator reviewing you may well conclude there is a FCPA violation, with no demonstrative evidence to the contrary.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

Scaling the WallI recently wrote about the stupidity of General Custer and the defeat of his Calvary at Little Bighorn as a lead in for the failure to adequately assess and then manage risks in a Foreign Corrupt Practices Act (FCPA) compliance program. I received the following comment from a reader:

As a military history buff, I note that your comments on risk assessment reflect a very limited view of the battle. The Sioux made superb use of reconnaissance, fire and maneuver. The cavalry’s underestimation of the military skills of their Indian enemies were immediately assessed and dealt with aplomb and considerable skill. The great lesson to be learned from the Battle of the Little Big Horn is that there is great opportunity in exploiting the tactical stupidity of the overconfident. Reminds me of Napoleon and Prince Alexander at the Platzen Heights of Austerlitz. 

This comment made an excellent point that risk assessment and risk management are not simply to be viewed as negatives or a drag on business. These concepts are also valid in aiding companies to do business by exploitation of strategic risk. This point was driven home most clearly in the recent book by well-known risk management guru Norman Marks, entitled World-Class Risk Management. 

Marks’ thesis on this issue is that “It is essential that management take enough risk! If they take no risk, the organization will fail. So risk management is about taking the right risks for the organization at the desired levels, balancing the opportunities on the upside and the potential for harm on the downside” [emphasis in original]. I once heard former Chairman of Citigroup, John Reed say the reason a car has brakes is not to make it safer but so that you can drive faster. It is the same concept. FCPA compliance programs are often viewed as brakes on doing business. At best they slow things down and at worst the Chief Compliance Officer (CCO) is Dr. No from the Land of No.

However, as Marks points out in his chapter entitled “What is Risk and Why is Risk Management Important?”, it is a serious flaw to only see risk as a negative and indeed to limit risk management to the negative. He wrote, “Treating risk as only negative and overlooking the idea that organizations need to take risks in pursuit of their objectives. Effective risk management enables an organization to exploit opportunities and take on additional risk while staying in control and thereby, creating and preserving value.” He goes on to explain that a company should “understand the uncertainty between where we are and where we want to go so that we can take the right risks and optimize outcomes”.

These outcomes should be determined through an organization determining its risk appetite. Here Marks commented on the definition found in the COSO 2013 Framework for risk appetite by saying it is “the amount of risk, on a broad level, an organization is willing to accept in pursuit of value. Each organization pursues various objectives to add value and should broadly understand the risk it is willing to undertake in doing so.” As pointed out by the comment to my blog post on risk assessment and risk management, I focused on risks that were not properly assessed and not properly managed, leading to catastrophic results. But the comment pointed out that when properly used a risk assessment can lead to better management of risk and allow a company to take greater risk because it can manage the scenario more effectively. Marks stated this concept as “think of risk as a range: the low end is the minimum level of risk you are willing to take because you have the ability to accept risk, and recognize that taking the risk is essential to achieving your objective. The high end is the maximum level of risk you can afford to take.”

In the FCPA context, I think this is most clearly seen in the area of third party risk management. There are five steps to the lifecycle of third party management: (1) business justification; (2) questionnaire; (3) due diligence and its evaluation; (4) contract with compliance terms and conditions; and (5) post-contract management. If circumstances are such that you cannot fully perform all five steps to your satisfaction, this puts pressure on the remaining steps. In other words, while your risk may go up if one cannot be fully performed, it may well be that the additional risk can be mediated in another step.

The robustness of your third party risk management program can give you the ability to move forward and use third parties for a business advantage. Say you want to hire a royal family member from a certain foreign country as a third party representative. While at first blush this might seem to be prohibited under the FCPA, there are two Opinion Releases that hold that the mere hiring of a royal family member does not violate the FCPA. In Opinion Release 10-03 the Department of Justice (DOJ) reviewed the following factors of whether a Royal Family Member is a foreign governmental official, the factors were: “(i) how much control or influence the individual has over the levers of governmental power, execution, administration, finances, and the like; (ii) whether a foreign government characterizes an individual or entity as having governmental power; and (iii) whether and under what circumstances an individual (or entity) may act on behalf of, or bind, a government.”

Then in Opinion Release 12-01, the DOJ went further and added a duties test to what was believe to be a status test only. After initially noting that “A person’s mere membership in the royal family of the Foreign Country, by itself, does not automatically qualify that person as a “foreign official”” the DOJ goes on to reiterate its long held position that each question must turn on a “fact-intensive, case-by-case analysis” for resolution. The DOJ follows with a list of factors that should be considered. They include:

  1. The structure and distribution of power within a country’s government;
  2. A royal family’s current and historical legal status and powers;
  3. The individual’s position within the royal family; an individual’s present and past positions within the government;
  4. The mechanisms by which an individual could come to hold a position with governmental authority or responsibilities (such as, for example, royal succession);
  5. The likelihood that an individual would come to hold such a position;
  6. An individual’s ability, directly or indirectly, to affect governmental decision-making; and the (ubiquitous)
  7. Numerous other factors.

Additionally the DOJ recognized some of the risk management techniques that had been put into place by the company requesting the Opinion. These risk management techniques were having a robust anti-corruption compliance program and requiring one from the third party that had employed the royal family member. There was full transparency by the US Company in hiring the royal family member. The compensation was disclosed, was within a reasonable range and was appropriate for the services delivered to the company and the contract between the parties had appropriate FCPA compliance terms and conditions.

I had initially thought that the import of Opinion Release 12-01 was creative lawyering to create a new test around the hiring of royal family member and foreign government officials. However re-reading it in light of the comment to my earlier blog post and of Marks’ book, it can also be seen as an example of how using risk management can be a positive for a business going forward. I would posit to CCOs or compliance practitioners there may be ways to do business in compliance with the FCPA if you think of using your FCPA compliance program as a way to better manage risk to do business rather than simply saying something will violate your compliance program without thinking through how such a compliance risk could be managed effectively.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

Dis-linkOne of my favorite words in the context of Foreign Corrupt Practices Act (FCPA) enforcement is dis-link. I find it a useful adjective in explaining how certain conduct by a company must be separated from the winning of business. But it works on so many different levels when discussing the FCPA. Last week I thought about this concept of dis-linking when I read the second Opinion Release of 2014, that being 14-02. One of the clearest ways that the Department of Justice (DOJ) communicates is through the Opinion Release procedure. This procedure provides to the compliance practitioner solid and specific information about what steps a company needs to take in the pre-acquisition phase of due diligence. However, 14-02 directly answers many FCPA naysayers long incorrect claim about how companies step into FCPA liability through mergers and acquisitions (M&A) activity.

From the Opinion Release it was noted that the Requestor is a multinational company headquartered in the United States. Requestor desired to acquire a foreign consumer products company and it’s wholly owned subsidiary (collectively, the “Target”), both of which are incorporated and operate in a foreign country, never issuing securities in the United States. The Target had negligible business contacts in the US, including no direct sale or distribution of their products. In the course of its pre-acquisition due diligence of the Target, Requestor identified a number of likely improper payments by the Target to government officials of Foreign Country, as well as substantial weaknesses in accounting and recordkeeping. In light of the bribery and other concerns identified in the due diligence process, Requestor also detailed a plan for remedial pre-acquisition measures and post-acquisition integration steps. Requestor sought from the DOJ an Opinion as to whether the Department would then bring an FCPA enforcement action against Requestor for the Target’s pre-acquisition conduct. It was specifically noted that the Requestor did not seek an Opinion from the Department as to Requestor’s criminal liability for any post-acquisition conduct by the Target.

Improper Payments and Compliance Program Weaknesses

In preparing for the acquisition, Requestor undertook due diligence aimed at identifying, among other things, potential legal and compliance concerns at the Target. Requestor retained an experienced forensic accounting firm (“the Accounting Firm”) to carry out the due diligence review. This review brought to light evidence of apparent improper payments, as well as substantial accounting weaknesses and poor recordkeeping. The Accounting Firm reviewed approximately 1,300 transactions with a total value of approximately $12.9 million with over $100,000 in transactions that raised compliance issues. The vast majority of these transactions involved payments to government officials related to obtaining permits and licenses. Other transactions involved gifts and cash donations to government officials, charitable contributions and sponsorships, and payments to members of the state-controlled media to minimize negative publicity. None of the payments, gifts, donations, contributions, or sponsorships occurred in the US, none were made by or through a US person or issuer and apparently none went through a US bank.

The due diligence showed that the Target had significant recordkeeping deficiencies. Nonetheless, documentary records did not support the vast majority of the cash payments and gifts to government officials and the charitable contributions. There were expenses that were improperly and inaccurately classified. It was specifically noted that the accounting records were so disorganized that the Accounting Firm was unable to physically locate or identify many of the underlying records for the tested transactions. Finally, the Target had not developed or implemented a written code of conduct or other compliance policies and procedures, nor did the Target’s employees show an adequate understanding or awareness of anti-bribery laws and regulations.

Post-Acquisition Remediation

The Requestor presented several pre-closing steps to begin to remediate the Target’s weaknesses prior to the planned closing in 2015. Requestor aimed to complete the full integration of the Target into Requestor’s compliance and reporting structure within one year of the closing. Requestor has set forth an integration schedule of the Target that included various risk mitigation steps, dissemination and training with regard to compliance procedures and policies, standardization of business relationships with third parties, and formalization of the Target’s accounting and record-keeping in accordance with Requestor’s policies and applicable law.

DOJ Analysis

The DOJ noted black-letter letter when it stated, ““It is a basic principle of corporate law that a company assumes certain liabilities when merging with or acquiring another company. In a situation such as this, where a purchaser acquires the stock of a seller and integrates the target into its operations, successor liability may be conferred upon the purchaser for the acquired entity’s pre-existing criminal and civil liabilities, including, for example, for FCPA violations of the target. However this is tempered by the following from the 2012 FCPA Guidance, “Successor liability does not, however, create liability where none existed before. For example, if an issuer were to acquire a foreign company that was not previously subject to the FCPA’s jurisdiction, the mere acquisition of that foreign company would not retroactively create FCPA liability for the acquiring issuer.””

This means that because none of the payments were made in the US, none went through the US banking system and none involved a US person or entity that this would not lead to a creation of liability for the acquiring company. Moreover, there would be no continuing or ongoing illegal conduct going forward because “no contracts or other assets were determined to have been acquired through bribery that would remain in operation and from which Requestor would derive financial benefit following the acquisition.” Therefore there would be no jurisdiction under the FCPA to prosecute any person or entity involved after the acquisition.

The DOJ also provided this additional information, “To be sure, the Department encourages companies engaging in mergers and acquisitions to (1) conduct thorough risk-based FCPA and anti-corruption due diligence; (2) implement the acquiring company’s code of conduct and anti-corruption policies as quickly as practicable; (3) conduct FCPA and other relevant training for the acquired entity’s directors and employees, as well as third-party agents and partners; (4) conduct an FCPA-specific audit of the acquired entity as quickly as practicable; and (5) disclose to the Department any corrupt payments discovered during the due diligence process. See FCPA Guide at 29. Adherence to these elements by Requestor may, among several other factors, determine whether and how the Department would seek to impose post-acquisition successor liability in case of a putative violation.”

Discussion

Mike Volkov calls it ‘reading the tea leaves’ when it comes to what information the DOJ is communicating. However, sometimes I think it is far simpler. First, and foremost, 14-02 communicates that there is no such thing as ‘springing liability’ to an acquiring company in the FCPA context nor such a thing as simply buying a FCPA violation, simply through an acquisition only, there must be continuing conduct for FCPA liability to arise. Most clearly beginning with the FCPA Guidance, the DOJ and Securities and Exchange Commission (SEC) have communicated what companies need to do in any M&A environment. While many compliance practitioners had only focused on the post-acquisition integration and remediation; the clear import of 14-02 is to re-emphasize importance of the pre-acquisition phase.

Your due diligence must being in the pre-acquisition phase. The steps taken by the Requestor in this Opinion Release demonstrate some of the concrete steps that you can take. Some of the techniques you can use in the pre-acquisition phase include (1) having your internal or external legal, accounting, and compliance departments review a target’s sales and financial data, its customer contracts, and its third-party and distributor agreements; (2) performing a risk-based analysis of a target’s customer base; (3) performing an audit of selected transactions engaged in by the target; and (4) engaging in discussions with the target’s general counsel, vice president of sales, and head of internal audit regarding all corruption risks, compliance efforts, and any other major corruption-related issues that have surfaced at the target over the past ten years.

Whether you can make these inquiries or not, you will also need to engage in post-acquisition integration and remediation. 14-02 provides you with some of the steps you need to perform after the transaction is closed. If you cannot perform any or even an adequate pre-acquisition due diligence, the time frames you put in place after the acquisition closes may need to be compressed to make sure that you are not continuing any nefarious FCPA conduct going forward. But it all goes back to dis-linking. If a target is engaging in conduct that violates the FCPA but the target itself is not subject to the jurisdiction of the FCPA, you simply cannot afford to allow that conduct to continue. If you do allow such conduct to continue you will have bought a FCPA violation and your company will be actively engaging and participating in an ongoing FCPA violation. That is the final takeaway I derive from this Opinion Release; it is allowing corruption and bribery to continue which brings companies into FCPA grief. Opinion Release 14-02 provides you a roadmap of the steps you and your company can take to prevent such FCPA exposure.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014