2016 was more than simply the most robust year in Foreign Corrupt Practices Act (FCPA) enforcement. It was also a record year in Securities and Exchange Commission (SEC) whistleblower awards and additionally the year the SEC literally crashed through the $100 million mark for whistleblower awards under Dodd-Frank. It would therefore seem like a very propitious time for a well-rounded conference focusing solely on this issue. Fortunately for us in the compliance space, Financial Research Associates and Compliance Week have answered the call with the Whistleblowers & Compliance conference to be held in NYC on February 27, 2016. Recently I was able to visit with Conference Chair, Gregory Keating, on the event.

Greg is the Chair of Choate Hall & Stewart LLP’s Labor Employment & Benefits and Whistleblower Defense Groups. His practice has three general areas. The first is compliance related and is everything from conducting training for organizations to auditing their existing practices, policies and procedures to assist employers to make sure that everything is set up correctly to ensure a transparent environment. The second is in the area of investigations, including those focusing on alleged wide-spread retaliation or wrongful conduct which whistleblowers bring to light. The third is litigation in the arena of whistleblower retaliation suits that are brought under a growing array of statutes, predominately Sarbanes–Oxley (SOX), Dodd-Frank, the False Claims Act, and others which prohibit retaliation.

Keating is very excited about the conference. He noted there will be a marquee group of speakers who come from a number of different arenas. There will be government officials from some of the most prominent agencies who have agreed to speak. There will be a group with an in-house perspective from some very prominent multi-national organizations, who are wrestling with and analyzing how best to respond to this changing climate and who are going to weigh in and give their perspective. There will be some of the most prominent members of the defense bar, nationally and internationally, in this space. Last, but not least, there will be a number of extremely high profile plaintiff lawyers who practice either in Dodd-Frank or the plaintiff side of retaliation against whistleblowers.

The conference will kick off with a deep dive into the whistleblower landscape, discussing its importance and why there is such deep water right now. It will canvass the expansion of whistleblower rights and remedies, focusing on recent court decisions that have come out and new legislation that continues to evolve. It will also look at what companies are doing specifically in response in this area.

I asked Keating if he might provide an example and he related that there has been a real proven attack on corporate agreements and policies which have the purpose or effect of muzzling whistleblowers. There have been, in the last year at least, almost half a dozen six-figure civil money penalties imposed by the SEC. The conference will provide some concrete guidance and advice from both the in-house and defense bar perspective on how to avoid that minefield. Additionally, there will be some concrete advice flowing from some very, very recent Department of Labor (DOL) recommended best practices around how to have an effective compliance program, where they focus on the importance in this day and age of training.

A hot topic to be discussed is the current whistleblower retaliation trial of former Bio-Rad General Counsel (GC) Sanford Wadler. The conference will use this trial to consider the rising tide of in-house counsel and compliance professionals as the whistleblower. Keating said that other hot topics that will likely be addressed include whether whistleblowers can take confidential information in direct violation of a confidentiality agreement and, nonetheless, proceed as a whistleblower and whether would-be whistleblowers could engage in other opposition which arguably is unreasonable and whether those whistleblower rights will trump otherwise legitimate company policies. Keating ended by stating “there is a lot in this space that is really sizzling now” and the conference agenda will reflect these very current topics.

The conference will feature government representatives from the SEC, the US Commodity Futures Trading Commission and the DOL. This is whistleblowing across the government spectrum and will allow the attendees to identify some of the issues which corporations across America are grappling with and provide some unique insights into how best to protect oneself in this rapidly changing climate.

No doubt to warm my heart as the nuts and bolts guy, there will be several panels dedicated to subjects such as how do you do compliance, including training; drafting and creating effective employment separation, settlement and confidentiality agreements; and in-house audits. Of course there will also be coverage of hotline triage and response, together with presentations on how to set up a robust investigation protocol.

In short, if there is only one whistleblower conference you can attend, you should strongly consider this event. It will showcase regulators, the whistleblower defense bar, top corporate in-house compliance practitioners and GC types, and the plaintiff’s bar for whistleblower and retaliation cases. For any compliance practitioner, GC or lawyer, I think this will be a fabulous conference. I hope you will be able to attend.

Best of all, readers of this blog will receive a discount to the event. You can receive a 15% discount off the regular price by entering the Code CMP 161. For more information on the event, check out the website by clicking here.

Now I’ve heard there was a secret chord; That David played, and it pleased the Lord

But you don’t really care for music, do you?; It goes like this

The fourth, the fifth; The minor fall, the major lift

The baffled king composing Hallelujah

Hallelujah; Hallelujah; Hallelujah; Hallelujah

You might say we need him now more than ever. Unfortunately, we lost him last week as Leonard Cohen passed away at age 82. He was truly one of the greatest song writers during my lifetime. Yesterday I presented my views on why I believe that Foreign Corrupt Practices Act (FCPA) enforcement will continue under the new administration. Today, I want to begin a multi-part series (sorry I don’t know how long it will go) about why compliance will not change under a Trump administration. To do so, and to honor Leonard Cohen, I will begin this series through the lens of Cohen’s most famous work Hallelujah. To say it took some time for the song to become the staple and classic that it is today is an understatement.

In an interview on the New Yorker Radio Hour, Cohen said the song had literally over 200 drafts. At one point it had 80 different verses. As noted in the Life of A Song column in the Financial Times (FT) by David Cheal, the song was “an epic, hymnal composition with biblical allusions (David, Bathsheba and Samson are referenced).” He went on to say that “Cohen later said the song took him two years to write.” Yet when it was released in 1984, it was not a hit. It took John Cale to popularize the song when he included it “in a 1991 Cohen tribute album, I’m Your Fan. Shorn of the clunky accoutrements of Cohen’s version, the song was allowed to shine.”

Yet this is not the version that most people are familiar with today as the explosion of the song’s popularity came from a cover by Jeff Buckley in 1994 “whose exquisitely pure tenor voice, recorded with a churchy echo, seemed ideally suited to the song’s religious themes. Since then, “Hallelujah” has become one of the most covered songs ever, up there with Yesterday and My Way.” However, and at this moment of my life and the life of this country, I find the most exceptional version of Hallelujah to have been the version performed by Kate McKinnon in place of the usual opening monologue on the November 12, 2016 episode of Saturday Night Live (SNL), which you can view by clicking here. It certainly lifted me up, which is what I needed about now.

All of the above speaks to what we in the compliance community need to understand now. It is not the end of the world or even the end of compliance. While I am fairly certain that FCPA enforcement will continue, I have no doubt that the compliance profession will continue not only to grow but to flourish. The reason is that good compliance is good business and any process which helps businesses to be more efficient and do business more profitably is not going to diminish in size or importance.

Just as the song went through multiple reviews and versions and was recorded by several artists before it attained its now iconic status, the compliance profession has evolved as well. John MacKessy, writing in the Finance Professionals’ Post, in a piece entitled “Knowledge of Good and Evil: A Brief History of Compliance”, noted that the FCPA and Environmental Protection Act (EPA) “prompted companies to develop internal resources that would actively monitor compliance with the laws, rules, and regulations of their industries.” The next step in the evolution of the compliance profession was the defense procurement scandals from the 1980s, where the industry’s sales of “$400 hammers and $600 toilet seats” to the US government led to the Defense Industry Initiative (DII). This industry-led initiative created “a set of principles endorsing ethical business practices and conduct” within the defense industry for its dealings with the US government.

The next step in the evolution of the compliance profession was the 1992 US Sentencing Guidelines which, for the first time, set out what the government would consider for credit in sentencing of organizations. Many credit these 1992 Sentencing Guidelines with the creation of the modern compliance profession. These guidelines included credit for “the specific elements of an effective compliance and ethics program. Companies that embarked on such programs would be eligible for more lenient sentences. To qualify as “effective,” a company’s compliance program would not only have to establish standards and procedures to prevent and detect criminal conduct, but would have to actively promote a culture encouraging ethical conduct and compliance with the law. The emendation of those guidelines in 2004 reflected the need for corporate boards to demonstrate knowledge of compliance programs and fulfillment of oversight responsibilities as part of monitoring the effectiveness of companies’ compliance and ethics programs.”

The next major step was the financial accounting frauds and scandals of the late 1990s and early 2000s including Enron, WorldCom and Tyco. These scandals were so wide-ranging, with senior executive participation in, if not direction of, the corporate fraud, that a new legislative response was required, and this response was the passage of the Sarbanes-Oxley Act of 2001 (SOX). Aaron Einhorn, writing in the Denver Journal of International Law & Policy, in an article entitled “The Evolution and Endpoint of Responsibility: The FCPA, SOX, Socialist-Oriented Governments, Gratuitous Promises, and a Novel CSR Code”, said, “sections 302 and 404 of SOX together require corporate executives to state their responsibility for designing internal controls, to create such controls, to assess and evaluate these controls, and to draw conclusions about their effectiveness… SOX specifically charges executive officers with internal controls duties.” Einhorn ends this section by noting, “internal controls have been transformed from a recitation of general duties lodged upon the corporation as a whole to a statement of specific duties imposed on corporate executives in particular.” This strengthened the compliance professional who was called upon to design these internal controls.

The next major legislation which enhanced the compliance function was the Dodd-Frank Act of 2010, passed in response to the 2008 financial crisis. MacKessy pointed to the downfalls of Bear Stearns and Lehman Brothers as drivers of more compliance because they both “demonstrated the degree to which external risk events can create a loss of confidence resulting in permanent reputational damage and impaired shareholder value.” The legal and legislative response has been that companies should design effective compliance programs which use risk based programs as a basis to design, create and implement effective compliance programs. Joe Howell, Executive Vice President (EVP) for Workiva Inc., has gone further, drawing a straight line from the FCPA to SOX to Dodd-Frank in the development of the compliance function.

All of this means compliance is not going away, no matter what the law enforcement priorities of the new administration. Companies understand that compliance and business ethics have a role in not only driving business strategies and initiatives but that more compliant companies are better run companies and at the end of the day more profitable because they have better controls. MacKessy ends his piece by stating the compliance programs “can provide multiple rewards – from risk mitigation, to reputational enhancement, to business strategy development.”

The compliance profession is where the magic happens in a corporation. Whether it be specific tasks of making sales, vetting relationships or the spade work of creating policies and procedures, it is compliance that drives the discussion of how we should do business. The corporate compliance profession fulfills the business obligation in doing things the right way for, at the end, it will be the compliance profession which implements the requirements of compliance whether those requirements are anti-corruption laws such as the FCPA, the UK Bribery Act, Anti-Money Laundering (AML), export control, anti-trust regulations, or any other regulation that you can name. Equally importantly, the compliance profession is teaching corporations how to evaluate risks and the compliance profession leads that discussion. It is the compliance profession that is the most innovative in not only protecting corporations, but actually helping corporations do business, do business more efficiently, and do business more profitably.

All of this shows compliance has developed over many years and for many reasons. None of this is going away. Tomorrow I will begin to consider the business applications and implications of compliance in more depth (and a couple of numbers from Leon).

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

In this episode, Matt Kelly and I discuss the differences between SOX 404 reporting controls and 302 disclosure controls. We then pivot to a discussion of the potential merging of the COSO 2013 Framework for controls with the COSO ERM Framework currently in the public comment period.

Check out Matt’s blog posts on these topics:

  1. Of Sox Controls and Earnings Reports, click here.
  2. ERM Framework: Govt. Sector Calls for Unity, click here.

In a recent Slate article, entitled “Ethics Trainings Are Even Dumber Than You Think”, author L.V. Anderson railed against what she termed box-checking training, where companies put on training not to actually train employees but simply to check the box that training has occurred. She also spoke against the “dumbed-down nature of most compliance courses”.

Certainly recognizing that inane training is simply that – inane training, Anderson missed the larger picture of what constitutes a best practices compliance program. Training is one part of a larger component of how companies manage their compliance with laws, regulations and, most importantly, the ultimate barometer of their value – their corporate reputation through compliance. The role of compliance in corporations was born in 1992 with the enactment of the US Sentencing Guidelines, which laid out the initial standards for corporate compliance and ethics programs, of which training is one part. It was only after these Sentencing Guidelines were put into effect that corporations moved to create Codes of Conduct to publicly state their values.

These Sentencing Guidelines provide a very general outline of what would constitute an effective compliance program. In the latest amendments to the Sentencing Guidelines, in 2010, the stated purpose of training is to “(6) Training – Conduct effective training programs and otherwise disseminate information to ensure that the board of directors, high level personnel and other employees with substantial authority receive information about the standards, procedures, and other aspects of the compliance program”.

One of the most significant areas of the law, where the government has provided specific guidance on compliance programs including training, is the 2012 publication entitled “FCPA – A Resource Guide to the U.S. Foreign Corrupt Practices Act”, which was issued jointly by the Criminal Division of the Department of Justice (DOJ) and the Enforcement Division of the Securities and Exchange Commission (SEC). This FCPA Resource Guide provided the government’s views on what constituted an effective compliance program under the Foreign Corrupt Practices Act of 1977 (FCPA) in the form of the Ten Hallmarks of an Effective Compliance Program.

Hallmark No. 5, Training and Continuous Advice, says, in part, “DOJ and SEC will evaluate whether a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners.” This Hallmark goes on to state that training should be appropriate for the risk of the persons being trained and tailored to the situations in which they might find themselves putting their company at risk.

Whether you consider the language of the Sentencing Guidelines or the much more specific FCPA Resource Guide, the proper context to review ethics and compliance training is as a part of an overall holistic approach to compliance and ethics. Compliance can be seen in its proper role as a communication tool. The reason a company puts on compliance training is not solely to stop unethical or non-compliant conduct. The role of training is to communicate the standard of values the company wants to set forth.

The training itself should be tailored to risks involved with those employees receiving the training. My wife works at a major oilfield service company in Houston, as an SAP integration specialist in the IT department. The risk that she could engage in non-compliant, unethical behavior, that could put her company at legal risk, is relatively low. So basic training for her on the company’s ethical values is an appropriate reminder.

However, in the same company there are thousands of employees who are in positions overseas which are at much higher risk for non-compliant behavior, particularly under the FCPA. For those employees, more focused, specific and in-person training is the preferred method. So more than simply asking whether something is illegal, such training would focus on the specific requirements under the law, what an employee should do if a foreign government official demands a bribe and how to seek help or report such conduct through the company hotline.

Training is not and never has been the all-encompassing way to stop illegal or even non-compliant, unethical conduct. It should be seen as a part of the overall corporate compliance program. Enron is the prime example that simply having one part, the Enron gold standard Code of Conduct and even training on that Code of Conduct, is not enough. It all starts at the top with the tone from the top. If your top management are crooks, in the case of all the former Enron senior managers who are now convicted felons, that speaks to the tone management creates. No rule, regulation, company policy or certainly compliance training should get in the way of the next deal.

Yet even after management sets an appropriate tone, that tone must be communicated to the employees. A corporate Code of Conduct sets out the general values, and the policies and procedures lay out the specifics of how employees can comply with laws, regulations and ethical concepts. After this communication, a company must set out appropriate incentives and discipline (carrots and sticks) to reinforce these behaviors. Finally, there should be internal controls baked into all of this, which not only reinforce these concepts but also allow a corporate compliance department to monitor compliance to hopefully prevent any incidents before they become violations and detect them if they occur.

Anderson does get one thing right. If a company is putting on training simply as “just a form of legal ass-covering” then it is probably the type of company which does not put a high value on doing business either (1) ethically or (2) in compliance with existing laws. That alone puts a company in the Enron zone for compliance. Next, I will take a look at her claims about the dumbing down of compliance training.

 


What is the interplay of two different pieces of legislation enacted almost 25 years apart in response to widely different crises? In the case of the Foreign Corrupt Practices Act (FCPA) and Sarbanes-Oxley Act (SOX), quite a bit. Many have speculated that the passage of SOX was one of the contributing factors to the explosive growth in FCPA enforcement actions after 2004, basically because of the SOX 404 reporting requirement. However, the development of these two laws by regulators may move well beyond where the legislators who enacted them may have intended their initial reach.

The FCPA was passed in 1977 in response to US companies’ blatant use of bribery and corruption to secure business outside the US. SOX was passed in response to the financial fraud engaged in by companies such as Enron and WorldCom in the late 1990s and early 2000s. Both laws focused on robust internal controls as a part of the solution going forward. So we have the FCPA to prevent foreign bribery and SOX to prevent accounting fraud as was perpetrated by the likes of Enron and WorldCom.

Joe Howell, Executive Vice President of Workiva, has said that the FCPA and SOX are closely tied to one another. He believes that SOX is, in many ways, built on a pedestal that Congress created in the FCPA. Further, he sees a clear lineation to Dodd-Frank, which he also believes, in many ways, relies on much of the work done in the other areas of internal controls to require that financial institutions have sufficient controls. He said, “In my personal view, it not only is not a stretch to draw a line from the Foreign Corrupt Practices Act of 1977 to the Sarbanes-Oxley Act of 2002 up to Dodd-Frank of 2010.”

As noted by Aaron Einhorn, writing in the Denver Journal of International Law & Policy, in an article entitled “The Evolution and Endpoint of Responsibility: The FCPA, SOX, Socialist-Oriented Governments, Gratuitous Promises, and a Novel CSR Code”, “Comparison of the FCPA’s and SOX’s internal controls provisions reveals the trend towards placing greater responsibilities on corporations.” While “The FCPA’s internal controls provisions, initially drafted thirty years ago, simply declare that issuers must design and maintain internal controls, but does not require evaluation or analysis.”

However, “sections 302 and 404 of SOX together require corporate executives to state their responsibility for designing internal controls, to create such controls, to assess and evaluate these controls, and to draw conclusions about their effectiveness. While the FCPA places responsibility for internal controls upon the corporation in general, SOX specifically charges executive officers with internal controls duties.” Einhorn ends this section by noting, “internal controls have been transformed from a recitation of general duties lodged upon the corporation as a whole to a statement of specific duties imposed on corporate executives in particular.”

This interplay between the FCPA and SOX around internal controls is such that Professor Stephen Bainbridge, the William D. Warren Distinguished Professor of Law at the UCLA School of Law, stated, in a blog post entitled “Did Wal-Mart lawyers violate their Sarbanes-Oxley section 307 duties? Did Wal-Mart violate SOX 404?”, “How could Wal-Mart have provided a positive assessment of their internal controls in light of these problems? (around its Mexico subsidiary operations as reported in the New York Times).” He based this question on a requirement found under SOX §404 that a company must not only acknowledge its responsibility for establishing and maintaining a system of internal controls and procedures for financial reporting and an assessment, but also report on the effectiveness of the company’s internal controls.

Karen Cascini and Alan DelFavero, in an article entitled “An Assessment of the Impact of the Sarbanes-Oxley Act on the Investigation Violations of the Foreign Corrupt Practices Act”, said that Section 404 “requires management to annually disclose its assessment of the firm’s internal control structure and procedures for financial reporting and include the corresponding opinions by the firm’s auditor”. More particularly, “while the FCPA required public companies to institute effective internal controls to stop the bribes and make executives accountable, SOX 404 goes further, but has similar goals.”

Yet, the FCPA has language around internal controls that reads:

(B) devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that –

(i) transactions are executed in accordance with management’s general or specific authorization;

(ii) transactions are recorded as necessary (I) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (II) to maintain accountability for assets;

(iii) access to assets is permitted only in accordance with management’s general or specific authorization; and

(iv) the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences; [emphasis supplied]

Since the Smith and Wesson (S&W) FCPA enforcement action from 2014, the Securities and Exchange Commission (SEC) has more aggressively pursued companies for violations of internal controls under the FCPA. In its administrative order, the SEC stated: “Smith & Wesson failed to devise and maintain sufficient internal controls with respect to its international sales operations. While the company had a basic corporate policy prohibiting the payment of bribes, it failed to implement a reasonable system of controls to effectuate that policy.” (It should be noted that S&W did not ‘admit or deny’ any of the allegations made against it, the company simply consented to the entry of the order.) All of this was laid out in the face of no evidence of the payment of bribes by S&W to obtain or retain business. This means it was as close to strict liability as it can be without using those words.

Yet the question remains what is ‘reasonable’? It cannot mean material as there is separate language in the FCPA about materiality so it must be assumed that if Congress intended internal controls to only have a materiality standard, Congress would have so said. However, there is no such definition for reasonable so the standard is open.

This is where I have come to believe that SOX has influenced the SEC interpretation of the FCPA. There is no reasonable or any other standard laid out in SOX. Perhaps the SEC has taken that interpretation and decided the reasonable assurances standard of the FCPA is only met if the internal controls present in a company are robust enough to demonstrate that no bribery and corruption has occurred as an affirmative finding. This may not have been what Congress intended when the FCPA was passed back in 1977, but it appears that is where we are now.

 
