On this week in 1975, Bob Dylan’s 15th studio album, Blood on the Tracks, reached the Number 1 album slot on the Billboard charts. This was in spite of no song rising above the 31st slot on the single charts. It came out in the final semester of my senior year in high school so its personal nature was very poignant to me. Two interesting facts were that Phil Ramone was an engineer on the recording sessions and Buddy Cage played steel guitar (shout out to Chris Bauer). While I probably enjoyed it because I found it to be the most accessible Dylan album to that point, the critics most generally praised it as well, finding it to be his most reflective. Indeed his son Jakob has been quoted as saying, “When I’m listening to Blood On The Tracks, that’s about my parents.”

Last week we had a second Foreign Corrupt Practices Act (FCPA) enforcement action from the Securities and Exchange Commission (SEC). This one involved the California-based entity SciClone Pharmaceuticals, Inc. (SCLN) which was assessed a penalty of $2.5MM, profit disgorgement of $9.42MM and prejudgment interest of $900K for a total penalty of $12.8MM to settle SEC charges that it violated the FCPA when employees in China pumped up sales for five years by making improper payments to professionals employed at state health institutions. The penalty was for the conduct of its Chinese subsidiary, SciClone Pharmaceuticals International Ltd.

Many of the allegations reached back over 10 years, to 2005, when the Chinese subsidiary created a special VIP program for high volume customers called health care professionals (HCPs). According to the SEC Cease and Desist Order, this special program provided “weekend trips, vacations, gifts, expensive meals, foreign language classes and entertainment” to selected VIPs. It was described internally as “luring them with the promise of profit.” Clearly not the tone a Chief Compliance Officer (CCO) would want to see from his or her top salespersons. Oops, SCLN did not have a Chinese compliance officer at the time of the incidents in question because it did not have a compliance function at the company, so I guess that tone issue never came up.

Clearly the VIP program went beyond the pale as it provided for vacations for both the VIPs and their family members. But this program also had less egregious activities such as golf tournaments followed by beer drinking. However, the subsidiary’s conduct became more nefarious in 2007 when it hired “well-connected regulatory affairs specialist (Specialist) to facilitate” the application of certain licenses the company needed to distribute a new product in China.

This Specialist originally intended to send two foreign officials who were responsible for approving this license to Greece for an academic conference related to this new medical product. However, visas could not be obtained in time so “the Specialist instead provided them at least $8,600 in lavish gifts.” In addition to the foregoing, the company sent many other Chinese government officials to the US, Japan and the Chinese resort island of Hainan where “significant sightseeing was involved” in addition to an educational component.

The company even managed to fall prey to the well known Chinese bribery conduit of travel agencies by failing to conduct any due diligence on a number of travel vendors who were used to funnel bribes and improper gifts and trips involving improper sightseeing and tourist expenditures. Then again this may have been intentional given the overall posture of the subsidiary and its parent. Nevertheless it was another compliance program failure.

Finally, as part of SCLN’s internal investigation, after the discovery of all of the above, an “internal review of promotion expenses of employees from 2011 to early 2013. This review found high exception rates indicating violations of corporate policy that ranged from fake fapiao, inconsistent amounts or dates with fapiao, excessive gift or meal amounts, unverified events, doctored honoraria agreements, and duplicative meetings. A portion of the funds generated through the reimbursements were used as part of the sales practices described above that continued through at least 2012.”

Noting the foregoing conduct, the SEC Order held that SCLN did not have the appropriate internal controls in place for any type of FCPA compliance program. Both the subsidiary and parent engaged in false accounting entries by “recording the payments to health care providers as sales, marketing, and promotional expenses.” So SCLN violated both prongs of the Accounting Provisions of the FCPA, those being the accounting and internal controls provisions.

However, SCLN did make a comeback which led to the relatively low fine and penalty. As noted in the Order, the company took steps, “to improve its internal accounting controls and to create a dedicated compliance function. These include the following: (1) hiring a compliance officer for its China operations; (2) undertaking an extensive review of the policies and procedures surrounding employee travel and entertainment reimbursements; (3) substantially reducing the number of suppliers providing third-party travel and event planning services; (4) improving its policies and procedures around third-party due diligence and payments; (5) incorporating anti-corruption provisions in its third-party contracts; (6) providing anti-corruption training to its third-party travel and event planning vendors; (7) disciplining employees (and their managers) who violate SciClone’s policies; and (8) creating an internal audit department and compliance department.”

Lessons Learned

Mike Volkov has called the SCLN enforcement action, “A Textbook Case of FCPA Violations for Gifts, Meals, Entertainment and Travel”. I would add that it is the textbook case for CCOs and compliance practitioners to study for lessons learned. The first thing is to review your own compliance program to see if any of these anomalies that SCLN engaged in appear in your Chinese operations or any other high risk areas. Beyond these general reviews, I would suggest a more detailed transaction monitoring and data analytics approach, which would involve:

  • Track not only the expenses paid for gifts, travel and entertainment by employees but tie this information back to the foreign government officials who received these benefits;
  • Look to any third parties who may have been involved in any of the foregoing, such as the ubiquitous Chinese travel agencies or the more iniquitous ‘Specialist’ who might be involved in facilitating license approvals;
  • Consider the positions which were lavished with such gifts, entertainment or travel. Did any of these persons make any approvals or decisions which allowed your company to obtain or retain business immediately before or after such treatment?

Finally, consider the thoughts of Scott Lane, Executive Chairman of the Red Flag Group, where he described the line of sight a compliance practitioner needed. Lane described the data points that a CCO or compliance practitioner should have visibility into going forward. By looking down a straight line at all of this information derived from the SCLN enforcement matter, the compliance function can identify measures to improve any high risk issues before they move to FCPA violations. While gifts, travel and entertainment expenses might be on your company’s radar for compliance department pre-approval, if they are spent on one or two government officials who may influence deal making authority regarding your company’s business it may well merit a more detailed analysis.


This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2016

Greetings from Venice where my wife and I are spending the next few days so this blog post is my first Travel Edition of 2016. Last week I wrote about my thoughts on some of the significant Foreign Corrupt Practices Act (FCPA) criminal and civil enforcement actions from 2015 and some of the larger corruption stories across the globe. Today I want to peer into the not-too-distant veiled future of 2016 to see where enforcement and compliance may be headed going forward.

Regarding FCPA enforcement first and foremost on everyone’s mind is Wal-Mart. There are currently two versions of the Wal-Mart FCPA investigation. The first was articulated by the Pulitzer Prize winning New York Times (NYT) and its 2012 stories about massive corruption in its Mexican subsidiary, all leading to the subsidiary contributing 20% profit to the company’s bottom line for over five years. The converse version was articulated by the Wall Street Journal (WSJ) in an article from 2015 that basically said there was little evidence of bribery by the company in Mexico, although the company’s internal investigation did turn up some instances of very small bribes being paid in India. At this point it is unclear which version, if either, is correct.

What is clear is that Wal-Mart has spent massively to upgrade its compliance function, with some reports that the costs are north of $600MM. Moreover, Wal-Mart has taken its rightful place as an industry leader in talking about not only compliance but also ethics as part of its overall business strategy going forward. For those who have claimed the Wal-Mart scandal has always been much ado about nothing, they seemingly miss this key point that it is the doing of compliance that leads to more robust compliance. It was only after the NYT broke its story that Wal-Mart brought its compliance program forward into the 21st Century through this massive spending. I somehow doubt the company would be the industry leader in compliance it is today, if the NYT had not broken its story. Whatever the final fine and penalty may be, the creation of a best in class compliance program may well be the final legacy of the Wal-Mart FCPA scandal.

The Yates Memo caused quite a stir when it was announced and in subsequent Department of Justice (DOJ) public commentary throughout the fall and winter. The parameters of its mechanics are still being worked out. However the commentaries have raised some serious questions about how it will all work out in practice. One school of thought says that companies will now rush to throw lower level employees under the bus as soon as possible to protect senior level employees. Another school says that the implication is to demean the importance of an effective compliance program because you do not even get to that issue until you have identified culpable individuals and turned over that information to the DOJ. Yet another school of thought suggests that the focus of internal investigations may change from a root cause analysis to determine what happened so that remedial actions could be brought to bear; to naming names first and foremost, with the issues of underlying cause and attendant remedy to make sure the conduct does not continue or happen again moved to the back burner.

The one thing I am confident of at this point is that the Yates Memo will put even more pressure on internal investigations. Companies which may have assigned investigations to internal functionaries, whether in-house lawyers or other investigators, may now have to go to outside counsel much sooner rather than later, if they want cooperation credit going forward. Coupled with the expansion of whistleblower protections and whistleblower complaints to Securities and Exchange Commission (SEC) and other regulators, a company must focus significant resources on putting together a robust investigation protocol and following it.

The announcement of the new DOJ Compliance Counsel was something that had been reported back in the summer. The position was filled by Hui Chen, an ex-DOJer and corporate compliance practitioner, who will evaluate compliance programs for companies under FCPA investigation. She will use articulated metrics to evaluate the state of a company’s compliance program, at the time the incident occurred. The difficulty for any company is that you are always measured at the time of disclosure and review, not the three to five years back when the incident arose so a company is held to a standard which did not exist at the time.

This means there will be even more pressure on Chief Compliance Officers (CCOs) and compliance practitioners to institute a best practices compliance program sooner rather than later. It also means that your program must evolve and you must be able to show evolution and change (i.e. Document, Document, and Document). Further one of the specific metrics is resources so any corporate claim that ‘we spent all we could’ will be very closely scrutinized and if your program does not meet minimum standards, securing any credit for having a compliance program in place will be very difficult to achieve.

I think the first British Deferred Prosecution Agreement (DPA) by the Serious Fraud Office (SFO) under the UK Bribery Act will help the SFO move forward in its enforcement of the world’s most robust anti-corruption law. Not only should the SFO be able to turn back the annual attacks on it and calls to weaken the law but companies clearly now see value in self-disclosure. It could well portend a greater and more aggressive prosecutorial stance by the SFO particularly if SFO Director David Green has his term extended in 2016.

Finally, I think the compliance function will move to become much more integrated into and a more important corporate discipline within every organization of significant size going forward into 2016 and beyond. The 30 day period beginning with the Yates Memo to the Schrems decision by the European Court of Justice invalidating the safe harbor provision for the transfer of certain data from Europe to the US, to the Volkswagen (VW) scandal all make clear the need for not only robust compliance functions but also the elevation of the CCO to the ranks of any Chief Executive Officer’s (CEO’s) key and most trusted advisor.

Donna Boehme and others led the fight to make the structural move and to get the CCO function out of the shadow and realm of the General Counsel’s (GC’s) office and the legal department. This debate should be fully closed now after these portentous events. Simply put, the legal function in a corporation is designed to protect the company. The compliance function’s role, as laid out by Roy Snell, is to “prevent, find and fix problems.” Put another way, the role of legal is to tell the truth. The role of compliance is to tell the whole story. VW is never going to pull out of the spiral it is currently in by playing legal games with regulators, states attorneys general or John Q. Public by hiding behind the law. It is only through transparency that VW will regain its prominence. That is one of the reasons that I believe the Wal-Mart FCPA enforcement action is so significant. It demonstrates that as bad as the facts are, may be or were even reported, a company can make a comeback with all three groups by putting in place a robust compliance function.

It is this new importance on the compliance function, the CCO and compliance practitioners that I see as the biggest happening going forward into 2016.


Yesterday, I began a review of Foreign Corrupt Practices Act (FCPA) enforcement actions by the Securities and Exchange Commission (SEC) where there were no parallel Department of Justice (DOJ) enforcement actions. Today I conclude the two-part review by looking at the Bristol-Myers Squibb, Hitachi and Mead Johnson enforcement actions.

Bristol-Myers Squibb: Lessons from Remediation

In October, the SEC announced a FCPA enforcement action against Bristol-Myers Squibb Company (BMS) for the actions of the company’s joint venture (JV) in China, which made cash payments and provided other benefits to health care providers (HCPs) at state-owned and state-controlled hospitals in exchange for prescription sales. The company agreed to a total fine and penalty of $14MM, which included the return of $11.4 million of profits plus prejudgment interest of $500,000 and payment of a civil penalty of $2.75 million.

BMS was slow to remediate gaps in internal controls over interactions with HCPs and monitor potential inappropriate payments to them that were identified repeatedly in annual internal audits of BMS China between 2009 and 2013.” Kara Brockmeyer, Chief of the Enforcement Division’s FCPA Unit, was quoted in the Press Release for the following, “Bristol-Myers Squibb’s failure to institute an effective internal controls system and to respond promptly to indications of significant compliance gaps at its Chinese joint venture enabled a widespread practice of providing corrupt inducements in exchange for prescription sales to continue for years.”

The company extensively remediated its compliance program in the face of these deficiencies. The Order set out many of the steps taken by BMS to enhance its anti-bribery and general compliance training and policies and to strengthen its accounting and monitoring controls relating to interactions with HCPs, including travel and entertainment expenses, meetings, sponsorships, grants, and donations funded by its Chinese business unit. Many of these can be useful actions that a Chief Compliance Officer (CCO) or compliance practitioner can use as a benchmark against their compliance program.

The measures taken include numerous steps to improve the internal controls and compliance program at BMS China. Examples cited in the Order included (1) a 100% pre-reimbursement review of all expense claims; (2) the implementation of an accounting system designed to track each expense claim, including the request, approval, and payment of each claim; and (3) the retention of a third-party vendor to conduct surprise checks at events sponsored by sales representatives. The company terminated over ninety employees and also disciplined an additional ninety employees, including sales representatives and managers of the company, who failed to comply with or sufficiently supervise compliance with relevant policies. In addition, BMS replaced certain BMS China officers as part of an overall effort to enhance “tone at the top” and a culture of compliance. Finally, BMS revised the compensation structure for BMS China employees by reducing the portion of incentive-based compensation for sales and distribution, eliminated gifts to HCPs, implemented enhanced due diligence procedures for third-party agents, implemented monitoring systems for speaker fees and third-party events, and incorporated risk assessments based on data analytics into its compliance program.

This enforcement action continued the clear trend of SEC only FCPA enforcement actions for internal controls violations of the Act. CCOs need to heed this very clear message and determine what gaps exist in their compliance internal controls. Most interestingly, although a corporate monitor was not required, there was a quite rigorous schedule laid out under which the company had to report to the SEC its continued progress on implementation of a best practices compliance program going forward. Further, the company was required to submit to the Commission staff a report within 180 calendar days of the entry of the Order and then again at 270 days, a complete description of its remediation efforts, its plans for any future enhancements or improvements to its policies and procedures for ensuring compliance with the FCPA and other applicable anti-corruption laws.

Hitachi: No Good Deed Goes Unpunished

In September, the SEC announced resolution of a FCPA enforcement action involving Hitachi Ltd (Hitachi). Hitachi agreed to a penalty of $19MM in a separate and also uncontested final judgment. Perhaps the most interesting aspect of the Hitachi matter is that it involved bribery of a political party, the African National Congress (ANC). This portion of the enforcement action stands as a stark reminder that political parties are covered by the FCPA just the same as government officials. The FCPA Guidance states: “The FCPA’s anti-bribery provisions apply to corrupt payments made to (1) “any foreign official”; (2) “any foreign political party or official thereof ”; (3) “any candidate for foreign political office”; or (4) any person, while knowing that all or a portion of the payment will be offered, given, or promised to an individual falling within one of these three categories.” Although the statute distinguishes between a “foreign official,” “foreign political party or official thereof,” and “candidate for foreign political office,” the term “foreign official” in this guide generally refers to an individual falling within any of these three categories.

Also of interest is the jurisdictional basis of the enforcement action. Hitachi is a Japanese corporation. Yet, according to the Complaint, “At the time of the violations, and from at least January 1, 2005 until April 26, 2012, Hitachi’s American Depositary Shares (“ADSs”) – representing shares of common stock – were registered with the Commission under Section 12(b) of the Exchange Act [15 U.S.C. § 781] and were listed and traded on the New York Stock Exchange. Hitachi was an issuer of securities in the United States and filed reports on Form 20-F with the Commission pursuant to Section 13(a) of the Exchange Act [15 U.S.C. § 78m].” Thereafter Hitachi delisted its ADRs from registration. This jurisdictional prong once again emphasizes the breadth and scope of FCPA enforcement. Further, many foreign companies may be inadvertently subjecting themselves to US jurisdiction through such registrations.

The bribery schemes themselves were notable only for their blatantness. Yet, the enforcement action pointed up the oft-times difficulty in providing corporate social responsibility and distinguishing it from outright corruption in certain countries. As noted in a Financial Times (FT) article, entitled “Hitachi reaches deal over S Africa ‘payments’”, businesses “operating in South Africa are encouraged to take on black business partners under the ANC’s policy of black economic empowerment (BEE), intended to redress economic imbalances created by apartheid.” Yet, critics claim that there is a “blurred line between business and politics in the awarding of state tenders” in South Africa. However, the ANC front group was charged “only approximately $190,819 stake which returned to it over $5MM in “dividends” and another $1MM in a “success fee” for contracts to Hitachi worth “about $5.6bn.””

Listed at the end of the SEC Press Release were the groups that assisted the SEC in investigating and bringing the enforcement action. They included, “the Justice Department’s Fraud Section, the Federal Bureau of Investigation, the Integrity and Anti-Corruption Department of the African Development Bank, and the South African Financial Services Board.” Brockmeyer also singled out the “assistance we [the SEC] received from the African Development Bank’s Integrity and Anti-Corruption Department and hope this is the first in a series of collaborations.”

For the compliance practitioner, the Hitachi SEC enforcement action provides a valuable reminder that the FCPA covers more than foreign government officials and officials of state owned enterprises. Political parties are also covered so that if part of your corporate social responsibility includes payments to political party front groups, your company could get into FCPA hot water. For foreign companies that have subjected themselves to FCPA jurisdiction, intentionally or otherwise, the message is even starker. The SEC (and Department of Justice (DOJ)) will leave no stone unturned to root out bribery and corruption, even if done by non-US subsidiaries, with no apparent ties to the US.

Mead Johnson: The Importance of Your Internal Investigation

Rather than violations of internal controls, this enforcement action turned on violations of the accounting provisions of the FCPA. According to the Cease and Desist Order, “certain employees of Mead Johnson China improperly compensated HCPs, who were foreign officials under the FCPA, to recommend Mead Johnson’s infant formula to, and to improperly provide contact information for, expectant and new mothers.” One of Mead Johnson’s sales channels in China was through distributors. To facilitate this illegal conduct, funding to the distributors, called the “Distributor Allowance”, was diverted to make illegal payments.

This tactic was clearly a violation of the company’s books and records obligations under the FCPA. By doing so, Mead Johnson was able to hide its payments to doctors and HCPs from not only regulators but the company’s shareholders as well. As the Cease and Desist Order noted, the company’s “records were incomplete and did not reflect that a portion of Distributor Allowance was being used contrary to Mead Johnson’s policies.”

In an interesting twist Mead Johnson, based on an allegation of potential FCPA violations in China, performed an internal investigation on its China unit in 2011 and came up with no evidence. Somewhat dryly the SEC noted that the company did not make any self-disclosure around these allegations and “did not thereafter promptly disclose the existence of this allegation in response to the Commission’s inquiry into this matter.”

Marc Alain Bohn, writing in the FCPA Blog, said, “if a company has decided against voluntarily disclosing allegations of misconduct — something it has no affirmative obligation to do — it is critical for the company to conduct a thorough and well-documented internal investigation that is clear-eyed about the investigation results and can be defended to the agencies in the event the government ever becomes aware of the allegations.” He went on to note, “Investigations that lack sufficient depth, resources, or forethought can pose significant risk because they increase the likelihood that something critical will be overlooked, potentially permitting misconduct to continue unabated. They may also give the appearance that a company is not truly committed to compliance or is more concerned with sweeping misconduct under the rug.”

There are several lessons to be learned from the Mead Johnson enforcement action. Performing an investigation, finding no FCPA violations only to have a regulator sitting on your shoulder and later finding such evidence is never good. The SEC also reaffirmed its clear intention to continue to enforce the accounting provisions of the FCPA, with or without a parallel DOJ enforcement action. Companies must also take heed on their internal controls. Clearly certain China business unit employees had developed a work-around of the compliance internal controls by requiring the distributors to use their allowances to pay bribes. Internal controls must not only exist but they must be effective. That means you have to test their effectiveness, not simply tick the box that you have put them in place.

I see no evidence or even reason for SEC only FCPA enforcement to slow down in 2016. I would suggest you initiate a review of your internal compliance controls sooner rather than later.


2015 continued the trend of Foreign Corrupt Practices Act (FCPA) enforcement actions brought by the Securities and Exchange Commission (SEC) with no parallel Department of Justice (DOJ) enforcement action. As you might expect, these SEC enforcement actions turned on violations of the Accounting Provisions of the FCPA, either the books and records provisions or the internal controls provisions. In this two-part series to begin the New Year I take a look at five SEC enforcement actions and use them to point where enforcement may be going in 2016 and what the Chief Compliance Officer (CCO) or compliance practitioner should take away from the enforcement action. Part I will focus on BNY Mellon and BHP and Part II will look at the Bristol-Myers Squibb, Hitachi and Mead Johnson enforcement actions.

BNY Mellon: Hiring of Children and Relatives

In August, the SEC announced a resolution with the Bank of New York Mellon Corporation (BNY Mellon) for FCPA violations. This was the first enforcement action around the now infamous Princesslings and Princelings investigation where US companies hired the sons and daughters of foreign government officials to curry favor and obtain or retain business.

While JPMorgan Chase has garnered the most attention around this issue, probably because of its notorious spreadsheet tracking of sons and daughters hires to develop business in China, there are multiple US companies under scrutiny for similar conduct. The FCPA Blog has reported that Credit Suisse, Goldman Sachs, Morgan Stanley, Citigroup, and UBS are all under investigation by the SEC for their hiring practices around the sons and daughters of foreign government officials. BNY Mellon has the honor of being the first company to reach resolution on this issue.

There is nothing illegal around the hiring of a close family member of a foreign governmental official. It does however present a higher risk for indicia of bribery and corruption and violation of the FCPA. A higher FCPA risk means you need to evaluate that risk more closely and manage that risk accordingly.

The obvious starting point for the hiring of a close family member of a foreign governmental official is whether the candidate is qualified for the position. If they are not qualified it is ‘Full Stop’ at that point. In the case of BNY Mellon there was no evidence any of the candidates had the academic background, credentials, leadership traits or intangible skills to meet the bank’s normal internship hiring criteria. As with any other anomaly granted in a company’s normal process, there must be a documented reason for the exception, review by appropriate authority of the exception and documentation as to why the exception was granted. None of these steps were present in the BNY Mellon matter. Put another way, if you are hiring a family member or close relative of a foreign government official for any reason other than merit, it had better be a darn good one and be well documented as to the decision-making calculus with appropriate senior management oversight.

But your risk management does not stop simply with the hiring process. If the foreign governmental official is the person who made the request for the hiring of the family member, this is a Red Flag not to be overlooked. Your analysis needs to be on the role of that foreign governmental official in awarding new business to your company or in retaining old business. If the foreign governmental official has direct or even strong indirect control over such business relations, this may present such a direct conflict of interest that it is a risk you cannot manage. A good rule of thumb here is whether there is full transparency in the hiring with the foreign government involved with your company. In the case of BNY Mellon, they did not want anyone in the Sovereign Wealth Fund to know BNY Mellon had hired the son or nephew. That is a clear sign that transparency is lacking and someone, somewhere is engaging in unethical conduct, if not breaking the law.

Finally, if you do decide to move forward and hire the close family member, you need to assign that new hire to work that is not associated with the business relationship between your company and the foreign government involved. Just as in the lifecycle of third party management, managing the relationship after a contract is inked is in many ways the most critical element; the same is true in the employment relationship involving close family members of foreign government officials.

Ultimately, you need to have internal controls to ensure effective compliance going forward. You cannot have customer relationship managers making the calls on hiring which over-ride the Human Resources (HR) procedures. There must be not only HR review but also mechanisms to flag for compliance review such hires. Lastly, there needs to be sufficient senior management oversight because this is such a high-risk proposition.

BHP: High-Risk Hospitality

In May came the release of the SEC FCPA enforcement action involving BHP Billiton Ltd. (BHP), which revolved around the company’s hospitality program for the Beijing 2008 Olympics. Every CCO and compliance practitioner should study this enforcement action in detail so that they can craft appropriate compliance internal controls for high dollar entertaining for big time sporting events. For any company that may be planning high dollar hospitality spends for the 2016 Brazil Olympics, this enforcement action lays out what you should and should not do in your compliance program. But this holds true for any major sporting event such as the Super Bowl, World Cup or you name the event.

BHP had a paper program that appeared robust. As laid out in the SEC Cease and Desist Order, “BHPB developed a hospitality application which business managers were required to complete for any individuals, including government officials, whom they wished to invite.” Yet, an effective compliance program does not end at that point. Now would be an appropriate time to recall that high risk does not mean you cannot engage in certain conduct. High risk means that to have an effective compliance program, you have to manage that risk. A basic key to any effective compliance program is oversight or a second set of eyes baked in to your process. BHP formally had this oversight or second set of eyes in the form of an Olympic Sponsorship Steering Committee (OSSC) and Global Ethics Panel Sub-Committee.

Where BHP failed was that “other than reviewing approximately 10 hospitality applications for government officials in mid-2007 in order to assess the invitation process, the OSSC and the Ethics Panel subcommittee did not review the appropriateness of individual hospitality applications or airfare requests. The Ethics Panel’s charter stated that its role simply was to provide advice on ethical and compliance matters, and that “accountability rest[ed] with business leaders.” Members of the Ethics Panel understood that, consistent with their charter, their role with respect to implementation of the hospitality program was purely advisory. As a result, business managers had sole responsibility for reconciling the competing goals of inviting guests – including government officials – who would “maximize [BHPB’s] commercial investment made in the Olympic Games” without violating anti-bribery laws.”

But there was more than simply a failure of oversight by BHP. The Cease and Desist Order noted that not all of the forms were filled out with the critical information around whether a proposed recipient might have been a government official. Even more critically missing was information on whether the proposed recipient was in a position to exert influence over BHP business. Moreover, BHP did not provide training to the business unit employees who ended up making the call as to whether or not to provide the hospitality on payment of travel and hospitality for spouses. The Cease and Desist Order stated that BHP “did not provide any guidance to its senior managers on how they should apply this portion of the Guide when determining whether to approve invitations and airfares for government officials’ spouses.” Finally, there were no controls in place to update or provide ongoing monitoring of the critical information in the forms.

All of this led to the SEC stating the following, “As a result of its failure to design and maintain sufficient internal controls over the Olympic global hospitality program, BHP invited a number of government officials who were directly involved with, or in a position to influence, pending negotiations, efforts by BHPB to obtain access rights, or other pending matters.” Perhaps it was stated most succinctly by Antonia Chion, Associate Director of the SEC’s Division of Enforcement, in the SEC Press Release announcing the enforcement action when she said, “A ‘check the box’ compliance approach of forms over substance is not enough to comply with the FCPA.”

Stay tuned for Part II tomorrow…

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2016

As Houston, TX, is the epicenter of Foreign Corrupt Practices Act (FCPA) enforcement, most energy companies in my hometown have mature compliance programs or at least more mature than in other industries, which have not gone through a full FCPA sweep. This has brought much knowledge about the doing of compliance into these organizations. But just as compliance programs can become more mature and compliance practitioners more sophisticated in their approaches to FCPA compliance, the FCPA regulators can be more sophisticated in their knowledge and understanding of what constitutes a best practices FCPA compliance program.

Most interestingly, one of those areas is training on a FCPA compliance program as there has recently been renewed discussion by Department of Justice (DOJ) and Securities and Exchange Commission (SEC) representatives on the issue of training and testing the effectiveness of a best practices FCPA compliance program. Chief Compliance Officers (CCOs), compliance practitioners and corporate compliance functions need to understand that the DOJ and SEC are clearly signaling that simply testing and having employees sign a certification they took the training is no longer sufficient. The regulators want companies to demonstrate the effectiveness of their FCPA anti-corruption training.

I was therefore interested to see a recent article on training in the MIT Sloan Management Review, entitled “Aligning Corporate Learning with Strategy,” by Shlomo Ben-Hur, Bernard Jaworski and David Gray. While noting that there has been an explosion of training options available in the corporate world and advances around the science of learning relating to the emotional centers of our brains, it is the emphasis on the “strategic alignment of learning rather on how learning is delivered” which is the key differentiator for effective employee development.

The authors believe there should be a more strategic business view of training and a more proactive stance on the delivered value of training and development. For the CCO or compliance practitioner they present some solid suggestions for ways to make FCPA compliance training more effective. Since we know the regulators are watching and may well look at the effectiveness of your FCPA training, now may be a good time for you to consider it. The authors present four learning practices that they believe can serve as a model for implementing a corporate learning strategy. I have adapted them for a FCPA compliance program.

Mapping the [CEO] agenda

Here the authors believe that it all starts with a strong emphasis from the very top of the organization that training is “mission-critical”. Something as simple and straightforward as “We will do business ethically and in compliance with the FCPA” stated by the Chief Executive Officer (CEO) can be used to cultivate the desired behavior. If leaders know they will be graded, evaluated and assessed on how they do business within the constraints of the company’s compliance program, they will be more apt to embrace learning it going forward. As the CCO you need to have such principles clearly articulated and even an opening line or opening video to your training.

But the CCO and compliance practitioner have a role in delivering the right type of training. You need to understand that to bridge what might be a compliance skills gap in your training group, your compliance training needs to go through an assessment. You could think of something along the lines of a risk assessment, but in the compliance training assessment you determine what issues employees want and need addressed. By using these tools you can map the compliance training agenda and then move to “operationalize the [compliance] learning agenda through the portfolio of [compliance] learning and development activities.”

Aligning learning and development resources

Your next step is to take stock of your training resources by taking a “learning inventory”. What tools do you have in place for compliance training? From here the next step is to review your learning infrastructure; how do you deliver the training? Do you use live training? If so, who puts on the training? Is it internally outsourced to your Human Resources (HR) function or does the compliance department perform compliance training? Do you outsource to a third-party provider? If the training is not live, what media do you employ? Has the training been translated into local languages? If so, has that translation been vetted to ensure accurateness?

Another set of inquiries should be made into the efficacy of your current compliance training. Is it aligned with your current compliance initiatives? Have there been changes to your program or updated/new risks since your last compliance training was developed and deployed? How have you tested the effectiveness of your compliance training in the past, if at all? What have you done to validate your training under the COSO 2013 Framework Update?

Gaining buy-in for the learning agenda

The days of FCPA training being a slow recitation of the law, written by lawyers for lawyers, have long since passed. Here the authors advocate buy-in on the training from a wide variety of sources but specifically including the CEO. The reason is so that vision will be shared during the training. Making the training business specific is obviously an important factor. The authors provided a quote from Eivind Slaaen, Senior Vice President (VP) for HR at Hilti AG, which I thought summarized this approach quite well. She said, “We’ve stopped treating learning as stand-alone and see this more as a journey,” says Slaaen. “Rather than thinking you can teach people what they’re supposed to know in a couple weeks of training, we’re pulling the line [management] in as a partner — so you need to convince others to be a part of that journey.”

The authors also suggested some clear goals for the agenda. They suggested (1) does the learning agenda support the compliance goals going forward as they apply to the business unit?; (2) is the training clear on how doing compliance will affect the business unit going forward?; (3) did compliance involve the key influencers and key stakeholders in championing the agenda?; and (4) is the learning linked to and does it respond to changing compliance and business needs?

Activating the learning agenda

Continuous improvement is not simply a by-word in compliance but is now mandatory. The same should be true for your compliance learning portfolio. This means that as your compliance program matures or your organization develops new risks, your training needs to reflect this as well. The authors said, “Programs and learning initiatives that do not advance the ball toward business goals should be eliminated or brought into line with business needs. Sometimes this requires bringing in different learning personnel with the relevant expertise and instructional design skills to meet the new objectives. The company’s learning agenda should be the “North Star” for all corporate learning and development — the set of orienting principles against which program design choices are tested.”

I found this article very interesting, and it provided a different manner in which the compliance professional could think about training and learning. Even if such bespoke training is not rolled out on a company-wide basis, it could certainly be used for management or high-risk employees to provide more focused and useful FCPA compliance training. Moreover, it is developing a mindset from the very top levels of the company on down about the expected behaviors. I certainly see such learning as something the DOJ and SEC will see as innovative in the compliance space.


© Thomas R. Fox, 2015