whos-afraid-of-virginia-woolfEdward Albee died last week. To my mind he was right up there with Arthur Miller and August Wilson as one of America’s greatest playwrights of the second half of the 20th century. His works were known, as noted in his New York Times (NYT) obituary, as “psychologically astute and piercing dramas explored the contentiousness of intimacy, the gap between self-delusion and truth and the roiling desperation beneath the facade of contemporary”. I would simply call them gut-wrenching. After the first time I saw Who’s Afraid of Virginia Woolf I recall leaving the theater feeling as if I had been psychologically worked over with a wet mop. It was certainly the last time I saw one of his works for weekday entertainment, at least seeing one of his play’s on Friday or Saturday night gave me a day to work off the psychic hangover.

I thought Albee and his type of works would make a very good introduction to a multipart series I will be writing about the Wells Fargo cultural miasma which led to the recent $185MM fines levied by Consumer Finance Protection Board (CFPB) ($100 million), the largest in the agency’s short history. Another $85 million was tacked on by paying $35 million to the Office of the Comptroller of the Currency and $50 million to the City and County of Los Angeles. The total fines were assessed based upon the bank’s conduct of opening over 2 million bank and credit card accounts, usually without customers’ knowledge.

The fraud was all domestic so there were no Foreign Corrupt Practices Act (FCPA) violations. However, the actions which led to this record breaking fine, the actions of Wells Fargo during the violations and thereafter may well be one of the best teaching moments for any FCPA compliance practitioner around a variety of issues related to FCPA compliance. Today I want to look at the sales strategy and compensation structure which led to the scandal.

The sales strategy under which Wells Fargo came to such grief is simple and even benign, cross-selling of products. As noted by Rachel Louise Ensign, writing in a Wall Street Journal (WSJ) article entitled “Banks Simple Strategy Gets Tangled”, “the concept sounds simple enough. If a customer has a checking account, why not sell him a mortgage, wealth management services and credit card as well?” She went on to write, “with banks becoming larger over the past two decades, cross-selling has become a mantra.” You can also think of the cross-selling McDonalds engages in every time you buy a Big Mac when the representative asks you “Would you like french fries with that?”

Yet there are other reasons for engaging in this type of business practice. Each and every time a company has a touchpoint, particularly a commercial touchpoint with a business, it strengthens the relationship. According to Gary Silverman, writing in the Financial Times (FT) in an article entitled “John Stumpf, the Labrador of Main Street , Wells Fargo’s Chief Executive Officer (CEO) “Mr Stumpf’s take on traditional Wells teaching was to promote deeper, more frequent contact with the people it serves. “If there’s one word to describe this company, it’s ‘relationship,’” he told the Financial Times in May. “What we’re trying to do is make sure that every team member, in every interaction with a customer, gets it right. If we don’t get it right, we try to make it right, really quickly.””

So what starts off as a legitimate, legal and beneficial business strategy becomes not only high risk but illegal because of the manner in which Wells Fargo administered its approach to cross-selling. As with any sales initiative, if a company wants to push it, it will set up incentives for the sales team to engage in such behavior. This can be done by increasing commissions around the service or product being emphasized, such as the banks products. Ensign noted, “Banks have tried to create incentives for cross-selling.” At some banks, “Branch employees can get bonuses—sometimes 10% or more of their salaries—when they sell additional products.” Companies can also increase sales by making clear that you will be evaluated on how much you sell a product or service. In other words, whether you receive a bonus, pay raise or even keep your job will be evaluated, in some part, on how much you cross-sell.

You can even have a hybrid of the above, which may be the worst of all worlds. At Wells Fargo, employees were evaluated for continuing employment by supervisors on cross-selling. Yet they did not receive the same financial incentives to make such cross-selling. Branch managers and supervisors could receive bonuses of up to $10,000 per month for meeting cross-selling quotas when employees who hit their monthly quotas, received, in addition to continued employment, $25 gift cards.

Last week Richard Bistrong wrote a piece in the FCPA Blog, entitled “Wells Fargo stretch goals brought out the sandbaggers”, in which he discussed stretch incentives as a process that could lend itself to abuse. While there will always be a dynamic tension between operations, in the form of the sales force, to lower sales projections so that goals set can be more easily met (called: sandbagging) and the corporate office, which wants to set higher goals to generate more overall revenue, I do not think that the Wells Fargo matter is one of such sandbagging.

I think the Wells Fargo case is broader with multiple corporate failures. Emily Glazer and Christina Rexrode, in a WSJ article entitled “Wells Boss Says Staff at Fault for Scams”, wrote of one former employee who said, “a former Wells Fargo teller in Pennsylvania, said of responsibility for the sales tactics, “It was all management: their boss, then their boss, then their boss.” Ms. Bhowmick took early retirement from the bank in 2014 at age 58. “They are putting pressure on employees, and it’s sad,” Ms. Bhowmick added. “People need their jobs.”” When you put people’s job on the line, they will usually do whatever it takes to keep it.

The learning point for this blog post is risk assessment and risk management. If you put a selling system in place that says if you do not meet your quotas, you are history; that is the message your employees will take home. It really does not matter what the CEO says the culture is or what he or she aspires it to be. Do I think CEO Stumpf ordered this draconian a system from on high? Not much chance of that as he was quoted, by Glazer and Rexrode, as saying “the bank doesn’t want a dime of income that’s not properly earned.”

This is why a risk assessment must look beyond simply what is being sold to how it is being sold. Tomorrow we will consider the culture of Wells Fargo and how you, as compliance practitioner, might use the bank’s failing to improve your own corporate culture.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

 

 

 

This Week in FCPA-Episode 19, the International Edition

Show Notes for Week ending August 26, 2016

  1. John Kerry: Corruption is ‘root cause’ of terrorism, on FCPA Blog.
  2. Eric Ben-Artzi Op-Ed piece on why he turn down his whistleblower award, as featured in the Financial Times.
  3. Lessons from History-the Tudors on compliance, from the FCPA Compliance Report.
  4. FedEx trial debacle for the DOJ, and Paul Pelletier’s recommendation to fix recent spate of ill-fated and advised DOJ prosecutions, as featured in the FCPA Blog.
  5. Hallmarks 1-5 of the Ten Hallmarks of an Effective Compliance Program, as featured in the FCPA Compliance Report.

Henry VIIII am on assignment in Oxford on a two-week study course, focusing on the Tudors. For the first week we focused on Richard III to the end of Henry VIII’s reign. Although Richard III was not a Tudor, we began with him to study the ‘bad rap’ of negative publicity he received from the Tudor court, specifically Sir Thomas Moore and most particularly Shakespeare’s play, Richard III.

In the career of Henry VIII, we discussed the role of Thomas Cromwell and the series of steps leading up to the split from Rome to obtain his divorce from Catherine of Aragon and his dissolution of the Catholic Church in England to create the Church of England. One of the questions initially posed by our tutor, Janet Dickinson, was whether there was an overarching plan to take these steps or if they were made more on an ad hoc basis in response to events on the ground.

The consensus of our group was the steps taken were in response to the changing and evolving circumstances not only in England but also on the Continent, both in Rome and in the wider sphere of European politics. Initially it appeared the Pope was inclined to grant Henry his annulment but that solution was foreclosed when greater European politics intervened. This intervention was the invasion of Italy by the Spanish King Charles V, who was the nephew of Catherine of Aragon. Charles was disinclined to allow the Pope to grant Henry an annulment of the marriage of his aunt to Henry.

Making Henry the head of the Church of England was only one part of the break from Rome. The second part was the dissolution of the Catholic monasteries and passing of Catholic Church land to the English crown, as head of the Church of England. We may never know who initially came up with these ideas, whether it was Cromwell, another advisor or even if Henry himself came up with some or all of the plans. It does seem relatively clear that Cromwell developed the legal arguments supporting the legal claim for Henry to head up the church in England.

Yet, even at this point there was no clear plan to dissolve the Catholic Church’s property in England to the English crown. This move appears to have come in response to an attempt to clarify religious doctrine after the break with Rome. These widespread popular and clerical uprisings found support among the gentry and even the nobility; all culminating in the Pilgrimage of Grace.

If you are a loyal reader of this blog, you know that I am in the midst of a two-week series on the Ten Hallmarks of an Effective Compliance Program, as it was first laid out in the 2012 FCPA Guidance. I find the series of events I outlined above, from our first week of study of the Tudor period of English history, illustrate a key theme of compliance programs. It is that compliance programs must be flexible and have the ability to evolve. Simply put, it is not in the business interest of US companies (or others subject to the Foreign Corrupt Practices Act (FCPA)) to have a static compliance program. Compliance programs must have the flexibility to respond to a wide variety of factors, including changing market conditions both inside a corporation and on the ground.

Moreover, companies need to have the flexibility to design, create and implement a compliance program that manages the risks they face. As companies mature in their compliance function, they can begin to manage more, additional and further sophisticated risks. For instance, audits of third parties should not begin when your compliance program is made operational. It should wait an appropriate period of time so that you have enough information to review and study.

Additionally chronological developments drive more and greater compliance. Transaction monitoring is one clear area that has achieved significant growth in the past few years alone. If a static approach to compliance had been advocated by the Department of Justice (DOJ) this development might have never occurred.

Finally, the times of Henry VIII informs us that companies need to be ready to respond to events on the ground. Not only must companies have a compliance response to new products or service and entry into new markets; they must respond to new and more sophisticated ways to fund bribery and corruption. The sad fact is that the funding of bribery and corruption occurs from internal funds from a company; whether it is mis-labeling marketing expenses or charitable donations, burying commission payments in unauthorized discounts or making subsidiary financial statements so complicated that home office auditors cannot read them; businesses need to respond to the ever changing landscape. The monies to fund bribes come from the company itself, thus there is always a fraud upon the company by its own employees.

The goal of any best practices compliance program is to prevent, detect and remediate. To achieve this the DOJ and Securities and Exchange Commission (SEC) give companies a wide latitude to achieve these goals. The FCPA Guidance says “each compliance program should be tailored to an organization’s specific needs, risks, and challenges, the information provided below should not be considered a substitute for a company’s own assessment of the corporate compliance program most appropriate for that particular business organization. In the end, if designed carefully, implemented earnestly, and enforced fairly, a company’s compliance program—no matter how large or small the organization—will allow the company generally to prevent violations, detect those that do occur, and remediate them promptly and appropriately.”

I have long been drawn to the lessons of history and what they teach us in the present day in the field of compliance. The reason the events of the 1520s and 1530s can and do resonate today are that they are based on the actions of people. I find these lessons build into how companies should think about compliance in the 21st century.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

Roman Numbers 1-10.2One cannot really say enough about risk assessments in the context of anti-corruption programs. Since at least 1999 the DOJ has said that risk assessments that measure the likelihood and severity of possible Foreign Corrupt Practices Act (FCPA) violations identifies how you should direct your resources to manage these risks. The FCPA Guidance stated it succinctly when it said, “Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.” The simple reason is straightforward; one cannot define, plan for, or design an effective compliance program to prevent bribery and corruption unless you can measure the risks you face.

What risks should you assess? The FCPA Guidance states, “Factors to consider, for instance, include risks presented by: the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs.”

These factors provide guidance into some of the key areas that the DOJ apparently believes can put a company at higher FCPA risk. One approach to putting these amorphous guidelines into place was detailed by David Lawler, in his book “Frequently Asked Questions in Anti-Bribery and Corruption”. He broke the risk areas to evaluate down into the following categories: (1) Company Risk, (2) Country Risk, (3) Sector Risk, (4) Transaction Risk and (5) Business Partnership Risk.

  1. Company Risk – High risk companies involve some of the following characteristics:
  • Private companies with a close shareholder group;
  • Large, diverse and complex groups with a decentralized management structure;
  • An autocratic top management;
  • A previous history of compliance issues; and/or
  • Poor marketplace perception.
  1. Country Risk – this area involves countries, which have a high reported level or perception of corruption, have failed to enact effective anti-corruption legislation and have a failure to be transparent in procurement and investment policies. Obviously the most recent, Transparency International Corruption Perceptions Index can be a good starting point. Other indices you might consider are the Worldwide Governance Indicators and the Global Integrity index.
  1. Sector Risk – these involve areas that require a significant amount of government licensing or permitting to do business in a country. It includes the usual suspects of:
  • Extractive industries;
  • Oil and gas services;
  • Large scale infrastructure areas;
  • Telecoms;
  • Pharmaceutical, medical device and health care; and/or
  • Financial services.
  1. Transaction Risk – this risk takes a look at the financial aspects of a payment or deal. This means that it is necessary to think not only about where your money is ending up but what is the source of the funding. Indicia of transaction risk include:
  • High reward projects;
  • Involve many contractor or other third party intermediaries; and/or
  • Do not appear to have a clear legitimate object.
  1. Business Partnership Risk – this prong recognizes that certain manners of doing business present more corruption risk than others. It may include:
  • Use of third party representatives in transactions with foreign government officials;
  • A number of consortium partners or joint ventures partners; and/or
  • Relationships with politically exposed persons (PEPs).

There are a number of ways you can slice and dice your basic inquiry. As with almost all FCPA compliance, it is important that your protocol be well thought out. If you use one, some or all of the above as your basic inquiries into your risk analysis, it should be acceptable for your starting point.

How Should You Assess Your Risks? 

One of the questions that I hear most often is how does one actually perform a risk assessment? Mike Volkov has suggested a couple of different approaches in his article “Practical Suggestions for Conducting Risk Assessments.” Here Volkov differentiates between smaller companies which might use some basic tools such as “personal or telephone interviews of key employees; surveys and questionnaires of employees; and review of historical compliance information such as due diligence files for third parties and mergers and acquisitions, as well as internal audits of key offices” from larger companies. Such larger companies may use these basic techniques but may also include a deeper dive into high risk countries or high risk business areas. If your company’s sales model uses third party representatives, you may also wish to visit with those parties or persons to help evaluate their risks for bribery and corruption that might well be attributed to your company.

It is suggested that you combine the scores or analysis you obtain from the corruption markers you review; whether it is the DOJ list or those markers under the UK Bribery Act, and from there create a “rudimentary risk-scoring system that ranks the things to review using risk indicators of potential bribery.” This ensures that high-risk exposures are done first and/or given more time. As with all populations of this type, there is likely to be a normal or ‘bell curve’ distribution of risks around the mean. So 10-15% of exposure falls into the relative low-risk category; the vast majority (70-80%) into the moderate-risk category; and the final 10-15% would be high risk.

How do You Evaluate a Risk Assessment?

Volkov has advised that you should prepare a risk matrix detailing the specific risks you have identified and relevant mitigating controls. From this you can create a new control or prepare an enhanced control to remediate the gap between specific risk and control. Finally, through this risk matrix you should be able to assess relative remediation requirements. One way to do so was explored by Tammy Whitehouse, in an article entitled “Improving Risk Assessments and Audit Operations”, in which she looked at the risk evaluation process used by Timken Company (Timken).

Once risks are identified, they are then rated according to their significance and likelihood of occurring, and then plotted on a heat map to determine their priority. The most significant risks with the greatest likelihood of occurring are deemed the priority risks, which become the focus of the audit/monitoring plan. A variety of solutions and tools can be used to manage these risks going forward but the key step is to evaluate and rate these risks.

 The ‘Likelihood’ factors to consider include: the existence of internal controls, written policies and procedures designed to mitigate risk; leadership capable to recognize and prevent a compliance breakdown; compliance failures or near misses; and training and awareness programs. The Priority Rating factors are the product of ‘likelihood’ and significance ratings reflects the significance of particular risk universe. It is not a measure of compliance effectiveness or to compare efforts, controls or programs against peer groups.

The most significant risks with the greatest likelihood of occurring are deemed to be the priority risks. These “Severe” risks become the focus of the audit-monitoring plan going forward. A variety of tools can be used, such as continuous controls monitoring with tools like those provided by the Red Flag Group (RFG), relationship-analysis based software or other analytical based tools. But you should not forget the human factor. This means not only training but ongoing communication with employees to guard against the most significant risks coming to pass and to keep the key messages fresh and on top of the mind. RFG also produces a risk control summary that succinctly documents the nature of the risk and the actions taken to mitigate it.

The keys to this approach are the action steps prescribed by their analysis. This is another way of saying that the risk assessment informs the compliance program, not vice versa. This is the method set forth by the DOJ in its FCPA Guidance and in the UK Bribery Act’s Adequate Procedures. The DOJ has made clear that it wants to see a reasoned approach with regards to the actions a company takes in the compliance arena. The model described is a reasoned approach and can provide the articulation needed to explain which steps were taken.

For more information on this Hallmark, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available through Compliance Week by clicking here.

To listen to my podcast on this Hallmark, click here.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016