If there was one theme from Compliance Week 2016, it was the continued evolution of the Chief Compliance Officer (CCO) role and the compliance profession. Long gone are the days when someone is sent over from the legal department into the compliance department, or worse, when some lawyer is simply given the title of CCO, and this is considered a best practice or even sufficient. In the opening keynote presentation, representatives from the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) made clear they expect a CCO to know more than simply the laws of anti-corruption; they must actually work to do compliance in an organization. A key metric of doing compliance is the independence of the CCO and the compliance function.

The conference was bookended by the keynote session “The Maturing of a Profession: The Rise of Compliance 2.0”, which laid out the structural changes that have occurred for the CCO and the compliance profession as a whole over the past 10 years or so. The starting point for the compliance profession was when the Sentencing Guidelines were made effective in the early 1990s. Because this function was born out of what was essentially a criminal law enactment, in the form of the Sentencing Guidelines, it seemed to make sense at the time to respond with a legalistic approach, such as having the General Counsel (GC) also be the CCO or having the compliance function sit in the legal department. The response to the accounting scandals of the early 2000s led to the passage of the Sarbanes-Oxley Act (SOX), which mandated more robust compliance programs, thereby enhancing the role of the CCO. There were later updates to the Sentencing Guidelines, which also helped to change the structure of compliance.

As with most legalistic approaches, such as those to the Sentencing Guidelines, it began with corporations setting out their internal rules and regulations: first in the form of a Code of Conduct and, certainly after Opinion Release 04-02 in 2004, with the implementation of a written compliance program in the form of policies and procedures. Then training, incentives and punishments were put in place. Of course such an approach did not take into account third parties, and perhaps that is why the majority of Foreign Corrupt Practices Act (FCPA) cases over the past 12 years have involved third parties.

Yet now the above structure is no longer sufficient. That is the reason for the nomenclature of Compliance 2.0, as a true structural change has occurred, moving the compliance function out from under the legal department and separating the CCO from the GC. What are the changes in this structural component? The final keynote of Compliance Week 2016 presented five key transformations.

  1. Empowerment

Here the CCO is empowered by charter or Board direction to carry out their duties. A CCO does not have to ask the GC for permission as they are more generally reporting directly to the Board or the Audit Committee of the Board. Further, the CCO position is now a senior corporate level role, often in the C-Suite. In the corporate world titles and position matter and if your position is seen as being on the level of the corporate brass it will give you more weight to carry the day.

  2. Independence

The key change here is the independence of the mandate of compliance from that of the legal department. The legal department has and always will exist to defend the company. It is asked to opine on whether a particular act is legal; in other words can we do it, not should we do it? The compliance function exists to prevent, detect and remediate problems, in other words fix things. The compliance function also differs from the legal function in that it has a non-discretionary escalation of issues through its unfiltered access to a company’s Board of Directors, through a direct reporting line.

  3. Seat at the table

Here the key is that compliance is seen as collaborative with legal and not subordinate. Yet this takes work and agreement by both legal and compliance to carve out their respective roles so that toes are not stepped on or even worse in the corporate world, feelings are not bruised. It also entails both the CCO and the compliance function being involved in the company’s strategic planning meetings so that compliance can be proactive and not simply reactive. Of course this means involvement in risk management meetings, operational reviews and budget reviews, as that is where the corporation sets its priorities.

  4. Line of sight

This is probably the biggest change in the structure of compliance. The CCO and compliance function should be able to see into the business functions directly, not through the eyes or even the lens of the legal department. Yet it also means compliance should work towards an understanding through the integration of compliance risk areas for review, with unfettered access to information. It also means the business functions need to report up to compliance through regular reporting channels. Finally, all of this by necessity requires the tearing down of silos so that compliance has visibility up and down the chain in this line of sight.

  5. Resources

As was made clear by both Andrew Weissmann from the DOJ and Stephen Cohen from the SEC in the opening keynote, the resources made available to the CCO and compliance function are becoming an increasingly key metric for regulatory review. Fortunately this is also a key structural change in moving to Compliance 2.0. Resources most generally mean two things: budget and head count.

For budgeting, the change in Compliance 2.0 is that the compliance function has its own standalone budget, which should be sufficient to fulfill the compliance mandate. I think that it is beyond obvious to state that a strong compliance budget is always less expensive than an FCPA fine and penalty, so the investment is sound. Head count is the corporate term for staffing, but here it is more than simply bodies. It requires true subject matter experts (SMEs), either through professional experience or internal training. It also means compliance personnel reporting up to the CCO. If a company uses compliance champions outside the compliance department, these folks should at least have dotted line reporting to the CCO.

I have laid out these structural changes in some detail so that you can benchmark your compliance program to see if there are gaps, which you might wish to remediate from a structural perspective. For those of you who feel there has not been enough evolution of the compliance function, not to worry, as there is a lot more to talk about in Compliance 3.0. Stay tuned…


This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

At the Opening Session of Compliance Week 2016, Stephen L. Cohen, Associate Director of Enforcement, Securities and Exchange Commission (SEC), and Andrew Weissmann, Chief of the Department of Justice (DOJ) Criminal Division’s Fraud Section, spoke about their views of what constitutes an effective compliance program under the Foreign Corrupt Practices Act (FCPA). Compliance Week’s Editor-in-Chief Bill Coffin moderated the panel. The majority of the discussion was around the Chief Compliance Officer (CCO) position; specifically the independence of the position, the authority the CCO has in an organization and the resources made available to the CCO.

Weissmann related that many presentations are made to the DOJ in the context of Filip Factors presentations, where a company generally presents evidence of the effectiveness of its compliance program at the time of the incident that led to the criminal investigation. He said that one of the things he thinks is important is how a CCO talks about the company’s compliance program.

He began by noting that the initial straw poll showed that 65% of those responding said their compliance program could probably pass DOJ muster or needs work. Weissmann viewed this as a positive sign because it demonstrated to him the ongoing evolution of a company’s compliance program. He said he would often specifically delve into how a risk assessment had been done and then use that information as a springboard to inquire into whether it actually predicted the FCPA violation(s). It was not surprising to hear Weissmann basically restate McNulty Maxim No. 3 (what did you do when you found out about it?) when he said that he would inquire into the company’s response and whether that response was then integrated into the compliance function.

Cohen also said that he encourages CCOs to come and meet with him early in the SEC investigatory process. He did acknowledge that outside counsel usually hate the idea, obviously because they lose the complete control which they seek to maintain. Yet Cohen thinks that it helps him because it gives him a window into whom he is dealing with in the process. Additionally, as the CCO is generally more attuned to remediating problems, rather than simply protecting the company like outside counsel, a different view can often be obtained through such meetings. I would note from the CCO perspective, this is very valuable as it gives you the ability to begin to win an ally for your remediation program early on in the process.

One of the specific areas that Cohen wants to know about is what resources have been made available to the CCO and what the level of CCO independence is. He is concerned about whether the CCO is appropriately valued and supported in the organization. He specifically asks if the CCO is on the Executive Leadership Team (ELT) or other top group of C-Suite executives. He would also inquire into whether the CCO had visibility into the transaction(s) that may have become the problem issue(s). Not necessarily whether there was a bribe authorized, but if the transaction warranted someone violating the FCPA to get the deal done, did the compliance function have visibility into the matter? It is all Cohen’s way of trying to ascertain whether the CCO and compliance function have standing in the company to get things done.

Weissmann was asked about individual liability for CCOs under the FCPA. I found this question propitious given my blog posts earlier this week. He said that the DOJ is not going after CCOs for criminal liability unless they are part of a bribery scheme or some cover-up. He reiterated that the DOJ is trying to reduce the risk of criminality for violations under the FCPA, and indeed that was one of their goals in hiring its new Compliance Counsel, Hui Chen. Chen enables the DOJ to be more robust in evaluating the compliance programs of companies that come before the DOJ. He also noted that this new position works to heighten the power of the CCO within companies, as it gives them a specific advocate at the DOJ during enforcement actions.

Cohen took another approach to responding to the inquiry about CCO liability. He said that he believed there had been approximately 8000 SEC enforcement actions over the past 10 years in the regulated space involving CCOs. Of all of those cases, only five had involved individual liability actions brought against CCOs. These were along the lines of the FINRA action against Linda Busby I detailed yesterday, where the CCO had a clear regulatory responsibility to implement or enhance a compliance program and failed to do so. Cohen also made the point again that these five SEC enforcement actions were all in regulated industries only, not FCPA cases.

On the question of CCO independence, Weissmann believes this is one indicium of an effective compliance program. He reiterated yet again the DOJ’s stated position that it does not concern itself with whether the CCO reports to the General Counsel (GC) or reports independently; he is more concerned about whether the CCO has the voice to go to the Chief Executive Officer (CEO) or Board of Directors directly, without going through the GC first. Even if the answer were yes, Weissmann would want to know if the CCO has ever exercised that right.

Finally, Weissmann turned to the operationalization of compliance. Echoing the remarks of the DOJ Compliance Counsel last fall, he wants to know if the business unit of a company is responsible for at least a part of compliance. Put in the manner of Chen, is compliance operationalized within your organization? Weissmann had an interesting angle on the real problem for a CCO if compliance is not embedded into the business: that problem is that the CCO simply becomes a policeman, telling the business unit what it cannot do. Or as I would say, being Dr. No from the Land of No.

Cohen had several questions he would ask to determine the level of CCO independence within an organization. First and foremost, is the CCO a part of senior management or the C-Suite? Is the CCO part of the regular meetings of this group? He also wanted to know who could terminate the CCO, so he might inquire whether it was the CEO or the Audit Committee of the Board, or whether CCO termination required approval of the entire Board. Most importantly, could a person under investigation or even scrutiny by the CCO fire the CCO? If the answer is yes, the CCO clearly does not have the requisite independence.

In addition to the foregoing, Cohen had some additional questions he would consider. The first was who could overrule a decision by the CCO within an organization. He would also inquire into who makes the decisions around salary and compensation for the CCO: is it the CEO, the GC, the Audit Committee of the Board or some other person or group?

The remarks of Weissmann and Cohen demonstrated the continued evolution in the thinking of the DOJ and SEC around the CCO position and the compliance function. Their articulated inquiries can only strengthen the CCO position specifically and the compliance profession more generally. The more the DOJ and SEC talk about the independence of the CCO position, coupled with the resources made available to it and the authority concomitant with it, the more corporations will see that it is directly in their interest to provide the position in their organizations.


Mister Ed

A horse is a horse, of course, of course,

and no one can talk to a horse, of course.

That is, of course, unless the horse is the famous Mister Ed.

Those lines were the opening verse to the theme song of the TV comedy Mr. Ed, which we celebrate today with the passing of its (non-horse) star Alan Young, who died this past week. While the name Mr. Ed may not mean much to the current television watching audience, his role as Wilburrrr, the foil of that universally famous talking horse Mr. Ed, should bring a few smiles to faces out there. Mr. Ed had an initial run from 1961-1966 on CBS and then reintroduced itself to an entirely new audience on the Nickelodeon network on the ubiquitous Nick at Nite in the 1980s and 1990s.

Mr. Ed and his ongoing antics and shenanigans seemed a good introduction to this issue of individual liability of a Chief Compliance Officer (CCO) in the financial services industry and whether that individual liability may bleed over into the wider anti-corruption compliance world. For when should a CCO have liability, and should the regulators, whether in the financial services industry or in the broader anti-corruption world of the Foreign Corrupt Practices Act (FCPA), impose such individual liability? While the financial services world is regulated by both the Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA), which have specific regulations requiring the companies they regulate to have anti-money laundering (AML) compliance programs, the FCPA does not have any such requirements, either written directly into the statute or by interpretation therefrom.

In late 2014, SEC Enforcement Chief Andrew Ceresney gave a speech where he laid out the three areas of potential individual liability for a CCO. He said that CCOs should be concerned: (1) where there is actual willful misconduct with participation in the illegal activity; (2) when they have helped mislead regulators; and (3) where there is a clear responsibility to implement compliance programs or policies and they wholly fail to carry out those responsibilities. I do not think there would be any debate that a CCO who engages in illegal conduct should be sanctioned, or one who wholly fails to engage in the statutorily mandated duties of the position. However, if regulators are going to move into evaluating the specific compliance program implementation and execution by CCOs, that would provide a sea-change in enforcement and potential personal liability for CCOs.

Last year there were two SEC individual enforcement actions against CCOs in the financial services industry. The two enforcement actions were styled Blackrock Advisors LLC and Bartholomew A. Battista (Blackrock) and SFX Financial Advisory Management Enterprises, Inc. and Eugene S. Mason (SFX). The Blackrock case involved an internal conflict of interest which led to a $12MM fine paid by the company. The company had a conflict of interest policy. However, according to the Cease and Desist Order, the CCO liability turned on the following: “BlackRock’s CCO, Battista was responsible for the design and implementation of BlackRock’s written policies and procedures reasonably designed to prevent violations of the Advisers Act and its rules. Battista knew and approved of numerous outside activities engaged in by BlackRock employees (including Rice), but did not recommend written policies and procedures to assess and monitor those outside activities and to disclose conflicts of interest to the funds’ boards and to advisory clients. As such, Battista caused BlackRock’s failure to adopt and implement these policies and procedures.” Battista was separately fined $60,000.

According to the SFX Cease and Desist Order, the company President, Brian Ourand, “misappropriated at least $670,000 in assets from three client accounts.” The company was ordered to pay a civil penalty of $150,000. However, the SEC accused SFX CCO Eugene Mason of three general violations. First, Mason did not effectively implement “an existing compliance policy requiring that there be a review of ‘cash flows in client accounts.’” Second, Mason did not require an appropriate segregation of duties, in that he did not ensure that account cash flow reviews were done by someone other than the President. This caused the following statement in SFX’s brochure to be untrue: “Client’s cash account used specifically for bill paying is reviewed several times each week by senior management for accuracy and appropriateness.” Finally, and perhaps most troubling, while the CCO was in the midst of an internal investigation following the discovery of [the President’s] misappropriation, the company did not conduct an annual review of its compliance program. The SEC believed that “Mason was responsible for ensuring the annual review was completed and was negligent in failing to conduct the annual review.”

One of the difficulties with assessing these actions in the context of the role of a CCO in the broader FCPA world is that they are the end results of lengthy processes of negotiations. This is particularly true when it comes to the final resolution documents, such as the SEC Cease and Desist Orders, from both cases.

Last week there was an enforcement action initiated by the FINRA against Raymond James and Associates, Inc. and its former CCO Linda Busby (the “Raymond James matter”). Raymond James paid a fine of $17MM and Busby was fined $25,000 and banned from the industry for three months. The resolution was in the form of a Letter of Acceptance, Waiver and Consent (Letter of Acceptance). The facts laid out in the Letter of Acceptance were accepted and consented to by the defendants without admitting or denying same.

In the Letter of Acceptance, FINRA laid out the specific failings of Busby in her role as CCO. The basis of liability is FINRA Rule 3310, which requires a company to “develop and implement a written anti-money laundering program reasonably designed to achieve and monitor the member’s compliance with the requirements of the Bank Secrecy Act…” The rule required policies and procedures to detect and report suspicious activity and to monitor transactions for specified red flags. If such red flags were detected, additional investigation was required, and any clearance of such a red flag required documentation.

Busby’s role within the company, from 2002-2013, was to ensure that the company’s AML compliance program was “tailored to the Firm’s business and for appropriately monitoring, detecting and reporting suspicious activity.” Unfortunately for Busby, she was the Lone Ranger of Raymond James compliance from 2002-2012. She did, however, increase head count in the compliance function by 100% in late 2012 “by adding a second employee.” The size of this compliance function, when compared to the size of the company as laid out in the Letter of Acceptance, is stunning: the firm’s “size increased from approximately 2,398 registered persons in 190 branches in 2006, to approximately 5,294 registered persons in 445 branches in January 2014.” Busby oversaw all of their work, and one might see how her position was untenable to start with, before there was any analysis of her work.

These head count numbers are rendered starker when one considers the number of transactions of the company. By 2014, the company had approximately 2.2 million accounts, generating “over 51 million transactions” annually. Busby and her team (such as it was) “were responsible for, among other things, reviewing more than a dozen lengthy AML exception reports for suspicious activity across the millions of accounts, filing suspicious activity reports (SARs), and communicating with branch managers and registered representatives regarding client actions and account activity.” It sure does not sound like a position set up for success.

Tomorrow, we will review that work and see what lessons may be drawn…stay tuned.


This week I have been exploring the Public Company Accounting Oversight Board (PCAOB) with Joe Howell, an Executive Vice President (EVP) with Workiva Inc. We have considered how some of the issues addressed by the PCAOB directly impact the Foreign Corrupt Practices Act (FCPA) compliance practitioner in ways that might not seem immediately self-evident. Today I will conclude my series with Howell by considering some of the costs of the failure of internal controls and how auditors, governed by the PCAOB, can help foster and facilitate a best practices compliance program.

There is no materiality standard under the FCPA. This is generally a different standard than internal auditors or accountants consider in a company. However, Howell believes this approach is wrong, based on more than just a plain reading of the statute itself. This is because Howell feels it is not simply the materiality of the bribe; it may not even be the materiality of the contract that you receive because of the bribe. Howell’s view is that it is much broader, as the materiality would be the entire cost for which the company could potentially be liable: pre-resolution investigation, an enforcement penalty and fine, and then post-settlement remediation or other costs.

Howell began by noting that a company must report contingent liabilities in its financial statements, if only in the notes. Even if a company cannot estimate these costs, they must be described. A financial statement would be incomplete and actually wrong if it failed to describe a liability when you know that you have one. This means “If a company discovers that a bribe was paid and a fraud was perpetrated and that money was used to pay a bribe, they now know that they have some sort of liability, a cost that they’re going to have to recognize at some point, but they don’t know how much it is yet.”

Howell acknowledges there can be many reasons why a corporation would not want to put such a disclosure on the face of its financial statements; nevertheless, they do need to describe it in the financial statements in order to actually give the reader of the financial information the full picture that they are required to provide.

Any FCPA investigation is going to have a profound cost. Even if a company desires to take advantage of the new Department of Justice (DOJ) Pilot Program and self-disclose to the DOJ and Securities and Exchange Commission (SEC), it still may face the risk of a fine, disgorgement of profits and other penalties. Howell added, “then monitoring at the backend and penalties and reputational risk. All of which go together to be material to the company. Even though the bribe was a little bribe, even though the fuse was a small fuse, the bomb is a big bomb. When you see a fuse, notice that it’s been lit, you have an obligation to report that. That’s material. It’s relevant to the reader of the financial statements. Because the fuse is small, you can’t say, I don’t have to report it.”

In an interesting insight for the Chief Compliance Officer (CCO) or compliance practitioner to consider, Howell said that even if you remediate but make the decision not to self-disclose, that alone may be evidence that your books and records are not accurate. Take a minute to consider that from the SEC perspective. If your SOX 404 disclosure does not reflect any reportable FCPA incidents because you have remediated and made the decision not to self-disclose, that alone can be a violation of the FCPA.

While Howell believes that such contingencies will resolve themselves over time, he believes it is important to make that information immediately available to readers of the financial statements. He went on to state that there are large numbers of diverse constituencies who depend on your accurate financial statements. These include “your bankers, creditors, as well as your shareholders. You may have relationships that are contractual relationships with suppliers, customers that could be affected by this. You may have contracts with your employees that are affected by this. There may be contracts with other third parties that could be affected or impaired because of your violation of the FCPA, in one instance.”

I was intrigued by Howell’s inclusion of bankers and creditors relying on the accuracy of your financial statements. This is because it is not uncommon now for a loan document or a secondary financing to require a company to maintain an effective anti-bribery and anti-corruption compliance program. I asked Howell if this is something an external auditor would evaluate and, if so, how they would go about evaluating such a loan covenant.

Howell said this could well be important because if such a loan clause were violated, that would be part of the corporate disclosure. Howell went on to note that if an auditor were to become aware that a fraud was “committed and that fraud resulted in resources being used to pay a bribe, the auditor then needs to take a hard look at all the disclosures about the contingencies. If they’re uncomfortable with that, they need to report themselves about what they think that the client may have missed. When fraud is discovered, they cannot keep silent. They have to report it.”

I concluded by asking Howell about SEC Audit Standard No. 5: what it is and how it ties into the FCPA and the line through SOX all the way to Dodd-Frank. Howell said the precursor to Audit Standard No. 5 was Audit Standard No. 2, which specified what Howell called a bunch of “‘thou shalt do’ stuff that became very mechanical and it drove people’s costs up and it made people uncomfortable.”

This led to the adoption of Audit Standard No. 5 and a change to a more risk-based focus using a principles-based audit standard. The SEC wanted to direct “auditors to those areas that present the highest risk, such as financial statement, closed processes, and controls designed to prevent fraud by management. It emphasizes that the auditor is not required to scope the audit to find deficiencies that don’t constitute material weaknesses.”

Howell believes that bribery and corruption are subsets of fraud and auditors are “required to always disclose fraud, even if it’s immaterial. If they find fraud, and even if the fraud is immaterial, it still means that it could be a failure in the controlled environment that means that they can no longer really rely on those controls. They have to do something else. What they would do is substantive testing, which that means then they would go back and start to look at everything. That’s prohibitively expensive. It takes an enormous amount of time and it results in audits that are not sustainable.”

This means one can then draw a line even to Audit Standard No. 5 and the risks that companies have doing business outside of the US under the FCPA, as a risk that needs to be audited. Howell said this means you have to incorporate such an analysis into your FCPA compliance program. If you are doing business in high-risk countries which have a reputation for bribery as a way of doing business, and you have operations there that rely on third parties that are securing contracts for you, you have an obligation to build a control environment which both prevents, to the best of your ability, mistakes and bribes from happening, and then, if one were to happen, keeps you on the lookout for where it would most certainly and most likely show up.

Howell said this could be a variety of responses, including “transaction monitoring, surprise counts, sending in auditors to actually be part of that control environment to look for all the documentation. It is important to also have that sense of remediation. If you find it, what do you do with it? To whom do you report? What processes are in place? Are they working?”


This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

Yesterday, I used a quotation from the Oscar-winning animator Chuck Jones, who described two of his well-known creations, the Road Runner and Wile E. Coyote, by borrowing philosopher George Santayana’s description of fanaticism: “redoubling your effort after you’ve forgotten your aim”. That would seem to be an excellent description for the pharmaceutical giant Novartis, which recently settled a Foreign Corrupt Practices Act (FCPA) enforcement action for approximately $25MM. Yesterday I reviewed the underlying facts; today, I want to consider what the company did after it discovered the illegal conduct, what its obligations may be going forward and the lessons to be learned for the compliance practitioner.

As noted in the Securities and Exchange Commission (SEC) Cease and Desist Order (the Order), Novartis began its investigation based on an ongoing SEC investigation and “in response to media reports concerning a competitor in August 2013”. Based on this information the company “instituted an expansive review of its relationships in China with travel and event planning vendors.” Novartis’ actions should be well considered by every Chief Compliance Officer (CCO) and compliance professional going forward. If a competitor gets into FCPA hot water, whether through an investigation or enforcement action, this is a clear signal for you to consider your company’s actions in the same area, whether that competition is in products, services or, as in the case of Novartis, the same geographic area. Moreover, at this point in the history of FCPA enforcement, if you are doing business in China you should take a deep look at your own operations, and if you are looking to do business in China, you should put the appropriate anti-corruption protections and compliance internal controls in place.

Novartis’ internal investigation identified not only several weaknesses but also clear violations. The company found (1) “the vast majority of these vendors were retained in connection with events in which HCPs [health care providers] attended.” (2) A significant percentage of events did not comply with existing compliance policies and procedures. The Order noted, “This included events for which no record existed to verify it had occurred, events for which inconsistent records existed, and events that could not be verified from available information.” (3) The company also determined through the internal investigation that its Chinese subsidiaries were using the mechanism of “travel agencies and similar vendors to plan events, funds were generated that were used to provide improper payments and other inducements to HCPs in order to increase sales of Novartis products.” Implicit in this finding was that the company had not properly recorded these payments by and through travel agencies in its books and records.

In the Order section entitled, “Undertakings”, the SEC laid out what the company agreed to do on a go forward basis. Over a two-year period, they agreed to “(1) conduct an initial review and submit an initial report, and (2) conduct and prepare at least two follow-up reviews and reports”. This Initial Report is to be presented within six months after the entry of the Order and is to set forth “a complete description of its Foreign Corrupt Practices Act (“FCPA”) and anti-corruption related remediation efforts to date, its proposals reasonably designed to improve the policies and procedures of Respondent for ensuring compliance with the FCPA and other applicable anticorruption laws, and the parameters of the subsequent reviews”. The Follow Up Reports are “to further monitor and assess whether the policies and procedures of Respondent are reasonably designed to detect and prevent violations of the FCPA and other applicable anti-corruption laws”.

In an interesting limitation, and one no doubt in response to the HSBC Deferred Prosecution Agreement (DPA), where the US District Judge overseeing the terms of the DPA ruled that “the public has a First Amendment right to see the monitor’s report” over the objections of HSBC, the Department of Justice (DOJ) and the Monitor, the Order reads, “The periodic reviews and reports submitted by Respondent will likely include proprietary, financial, confidential, and competitive business information. Public disclosure of the reports could discourage cooperation, impede pending or potential government investigations and thus undermine the objectives of the reporting requirement. For these reasons, among others, the reports and the contents thereof are intended to remain and shall remain non-public, except (a) pursuant to court order, (b) as agreed by the parties in writing, (c) to the extent that the Commission staff determines in its sole discretion that disclosure would be in furtherance of the Commission’s discharge of its duties and responsibilities, or (d) is otherwise required by law.”

While both the SEC and Novartis recognize that these reports can (always) be released if compelled by court order, as this enforcement action was resolved in the SEC Administrative Process there would seem less likelihood that an interested citizen, or even John Q. Public, would seek release of this information. Further, the reporting agreed to in this Order could arguably carry some attorney-client privilege, as opposed to the report of an outside third-party Monitor as was selected in the HSBC matter, who could not even argue attorney-client privilege.

Even with these key differences, it is interesting to see such language in this Order, and it could well be a mechanism for companies and the government to use going forward to keep post-settlement follow-up reports to the government confidential and away from disgruntled shareholders or their lawyers who might want to use the information in follow-on shareholder litigation. Finally, this could be one more reason companies agree to the SEC Administrative Process: to keep such information out of the public eye.


Remember the quote “redoubling your effort after you’ve forgotten your aim”, as this would certainly seem to be an apt way to think about doing business in China, particularly under any type of FCPA analysis. Yet Novartis clearly got the message and moved to investigate, remediate, self-report and then work to make sure such issues do not arise in the future. They are to be commended for their work in this area. It would benefit the CCO and compliance practitioner to review the solid lessons from the Novartis FCPA enforcement action, especially in these key areas: (1) fraud schemes to generate monies to pay bribes; (2) weaknesses in compliance internal controls; (3) the clear benefits of self-reporting; (4) robust and effective internal investigations; (5) remediation during the pendency of an investigation; and (6) creating a process to test the effectiveness of your compliance program going forward.


© Thomas R. Fox, 2016