In this episode, Jay and I have a wide-ranging discussion on some of the week’s top FCPA and compliance related stories. We discuss:

  1. Wrap up from the SCCE European Compliance and Ethics Institute.
  2. SEC Unit Chief Kara Brockmeyer announces her retirement. Click here for Matt Kelly’s article on Radical Compliance.
  3. Wal-Mart announces its 2016 spend on its FCPA investigation and remediation of $99MM. Click here for Matt Kelly’s article on Radical Compliance.
  4. Upjohn warnings after the Yates Memo. See article the Grand Jury Target blog.
  5. Report on OECD Integrity Forum. Allison Taylor writes in the FCPA Blog.
  6. Astros, Red Sox and Dodgers all lead their divisions.
  7. Jay previews his weekend report.

everything-complianceAs many of you knew I am an avid fan of podcasts and today I am thrilled to announce I have added another podcast to the growing network of podcasts available here at the FCPA Compliance Report and on the same named site on iTunes. At the SCCE 2016 Compliance and Ethics Institute, I sat down with four of the top compliance commentators in the field for my first roundtable-style podcast. It was so successful that I persuaded the gang to come back together every couple of weeks for a formal podcast, which is entitled Everything Compliance. The premier episode is available for your listening pleasure today. I will post a new episode every two weeks.

I host these four well-known compliance practitioners and commentators in a roundtable format:

  • Jay Rosen (Mr. Translations) – Jay is Vice President of Legal & Corporate Language Solutions at United Language Group. Jay helps his clients develop efficient and cost effective solutions for Foreign Corrupt Practices Act (FCPA), Ethics & Compliance legal language needs for global investigations and Governance, Risk Management and Compliance (“GRC”) matters. Jay is my podcast partner for our weekly Friday podcast This Week in FCPA. Jay also curates weekly top FCPA and Ethics & Compliance stories for “Jay Rosen’s Weekend Read” which is available on LinkedIn Pulse. Rosen can be reached at
  • Mike Volkov – One of the top FCPA commentators and practitioners around and is the Chief Executive Officer (CEO) and owner of The Volkov Law Group, LLC. Mike has over 30 years of experience in practicing law, is a former federal prosecutor and veteran white collar defense attorney, he has expertise in areas of compliance, internal investigations and enforcement matters. Volkov maintains the highly popular FCPA blog – Corruption, Crime & Compliance. He is a regular speaker at events around the globe, and is frequently cited in the media for his knowledge on criminal issues, enforcement matters, compliance and corporate governance. Volkov can be reached at
  • Matt Kelly – Founder and CEO of Radical Compliance, is the former Editor of the noted Compliance Week Matt is an independent compliance consultant who studies corporate compliance, governance, and risk management issues. On his blog,, he writes on the intersection of business issues, compliance, governance, and risk topics. Kelly was named as ‘Rising Star of Corporate Governance’ by Millstein Center for Corporate Governance in the inaugural class of 2008 and named on Ethisphere’s ‘Most Influential in Business Ethics’ list in 2011 (no. 91) and 2013 (no. 77). Kelly can be reached at
  • Jonathan Armstrong – Rounding out (but certainly not least) is our UK colleague, who is an experienced lawyer with Cordery Compliance Limited in London. His practice concentrates on compliance and technology issues, including advising multinational corporations on matters involving risk, compliance and technology across Europe. He has handled legal matters in more than 60 countries involving allegations relating to bribery, whistleblower complaints, corporate governance, ethics code implementation, reputation, internal investigations and data privacy matters. Armstrong can be reached at

The format is a roundtable discussion where I throw out a question to one commentator to lead the discussion. From that starting point we will all join in. I also include an “On My Mind” segment where each participant discusses what is on the forefront of their mind. This podcast is longer than my others, coming in at around 60 minutes, which allows us to explore the week’s issues in depth.

I am pleased to announce the first podcast is up and the inaugural episode includes the following discussion topics:

  1. Mike Volkov leads a discussion of the unintended consequences of the Yates Memo/Pilot Program for internal investigations. We explore the issue of “de-confliction” where the government asks a company to halt its own internal investigation for the government to be the first to interview witnesses. We explore de-confliction in the context of a requirement of cooperation to gain the benefits of the pilot program and how such a request from the Department of Justice (DOJ) could lead companies to be unable to disclose to other agencies or to shareholders and keep a Board in the dark about the alleged wrongdoing. What does this mean for the company and the internal investigator?

For Volkov’s post on conflicts of interest (COI) in internal investigations after the Yates Memo, click here.

  1. Matt Kelly leads a discussion on compliance and corporate governance. We explore the issue of compliance being involved in issues around pricing and sales in companies like Valeant and Wells Fargo. We discuss the role of compliance in areas outside of strict legal compliance but may move towards reputational risk, going into such areas as the new revenue recognition standards and executive compensation.

For Kelly’s blog post on the intersection of CEO pay and Chief Compliance Officers (CCOs), click here.

  1. Jonathan Armstrong leads a discussion of funding and the UK Serious Fraud Office (SFO), in the context of the recent announcement that the SFO has received additional or supplemental funding to investigate Unaoil. Why does the SFO need supplemental funding and how does it obtain it? What does all of this mean for the continued existence of the SFO in light of a former critic now being PM? Finally, Armstrong ties all of this into Brexit, his recent interview of Max Schrems and issues surrounding Privacy Shield.

For Armstrong’s interview with Max Schrems, click here and Cordery’s FAQs on Privacy Shield, click here.

  1. Jay Rosen takes us through the compliance conference scene. For those of you who are avid attenders of the various conferences, he discusses some of the key differences in the types observed, such as the nuts and bolts types (SCCE) and others which focus more on commentary (FCPA Blog NYC Conference). He discusses the relative strengths of each and how a compliance professional should think about selecting one or more to attend. He ends with his thoughts on why compliance certification is a plus (or minus).

For Rosen’s blog post Designing Your 2017 Ethics, Compliance & FCPA Conference Schedule, click here.

This new podcast Everything Compliance joins the four other podcasts I have on different aspects of compliance. The original FCPA Compliance and Ethics Report focuses on the nuts and bolts of compliance. Unfair and Unbalanced – is a podcast I do with SCCE CEO Roy Snell. In it we focus on wide ranging issues for the compliance profession. Compliance into the Weeds – is a podcast I do with Matt Kelly where we take a deep dive into the weeds of a compliance issue, typically technology, internal controls or GRC. We both indulge our inner geekiness in this podcast. Jay Rosen and I wrap up each week in FCPA, compliance and ethics with This Week in FCPA. All of these podcasts are available to you on my site,, and are available on iTunes under the same name.

Finally, I have a separate podcast on business leadership for both the compliance professional and broader business leader, 12 O’Clock High – A Podcast on Business Leadership with Tom Fox. It is hosted by Richard Lummis and each week I take a deep dive into a different area of business leadership; such leadership lessons from Dr. Frankenstein to managing a culture transformation.  It has is hosted on a separate site, click here, and is also available on iTunes under the same name.

Go to the first episode of Everything Compliance


This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2016

First InningYou might figure that the year I decide to jump back on the Houston Astros bandwagon, they go back in the tank. Last year they were one game away from the American League (AL) Championship. This year they have the third worst record in the AL, with a paltry .419 winning percentage. Is it too early in the season to draw any conclusions? I will leave that one up to you. And yet…

What are the lessons to be learned from allegations of corruption in the early stages of any investigation? Indeed, are there any lessons to be learned at all? If so when should you learn them? The FCPA Professor recently explored some of these issues in a blog post, entitled “Lesson Learned…”. Proving once again that the FCPA Professor and I can look at the same event or set of facts and see different things, I see significant lessons to be learned when reviewing ongoing Foreign Corrupt Practice Act (FCPA) or other significant matters, even when reported in the press. Or to use the Professor’s analogy, I believe it is both useful and appropriate to consider the ongoing results of the National Basketball Association (NBA) playoffs, on an ongoing basis and apply those results going forward.

Why should you consider reviewing events on an ongoing basis? When I look at these, I see information that could help the Chief Compliance Officer (CCO) or compliance practitioner going forward. I think Wal-Mart is a prime example. It really does not matter if you fall into the New York Times (NYT) or Wall Street Journal (WSJ) story camps; when the world’s largest retailer is on the front page, you can and should draw lessons from this applicable to your organization.

Such public reporting is a useful teaching paradigm for the FCPA practitioner. The day after the NYT broke the story I wrote a blog post about it and I called several client types (I am a proud card carrying member of FCPA Inc.) to make sure they were aware of the matter. Was it marketing? Or perhaps something more nefarious, like business development? How about the following – I wanted to make sure they were aware of it. Or a combination of all three? Does any of that lessen the messages to be learned from the NYT story about Wal-Mart? I would answer a resounding No.

The thing that struck me when I called around was how many CCOs had used the NYT front-page story about Wal-Mart as a teachable moment for several internal constituencies. These constituencies started with the C-Suite and the message was along the lines of this is what can happen if you do not have an effective compliance program in place. Several others used the Wal-Mart story as an opportunity to consider their internal use of facilitation payments; to explain to employees how they are defined under the FCPA and also to make sure they were properly recorded on the company’s books and records.

Was this in the first inning of Wal-Mart’s long trek FCPA investigation? Most probably, yet these CCOs were able to use this very public event as lessons learned for their organizations in a powerful and current events manner to help educate or reinforce.

What about the Unaoil matter? Once again, can the reported story provide anything worth writing about or commenting upon? I would certainly urge the answer is Yes. How could a CCO use the information in the Huffington Post story in the everyday doing of compliance? I can think of three immediate lessons to be learned that every compliance practitioner should take to heart and use going forward.

First and foremost, did your organization use Unaoil in any manner? If your organization has contracted with or has any contact with Unaoil in any company files you need to find out now as a Department of Justice (DOJ) subpoena could well be on its way. Second, as with Wal-Mart, can you utilize the discussion around Unaoil internally to educate senior management or others? Once again I think the answer is Yes and the most obvious way would be to discuss your risk management lifecycle of your third parties. Use this as an opportunity to explain that it is the management of the relationship which may well be the key element so that even if your due diligence was faulty you can demonstrate effective compliance. Finally, it is a very good reminder to review all of your third parties files to make sure they contain the required documentary evidence to support your compliance program. All of these lessons can be learned now, at the very beginning of the matter (first inning yet again).

Next, the Panama Papers. What can you draw from this event; even at the very beginning of what may be a very long slog? (Probably the top of the first inning.) As of today, you can review the 214,000 entities with offshore entities, in a searchable database. This is more than a lesson to be learned or even a teachable moment. This is a new resource available to anyone to use to find out if an entity their company is doing business with is who they say the are or even might be. This is information that is in the public domain, made available by the International Consortium of Investigative Journalism. You can search by jurisdiction or by country. It is axiomatic that when information becomes available a compliance practitioner should not only use it going forward but also use it to see if any third parties or counter-parties might need updating in your risk ranking.

As for the lesson to be learned, once again does your compliance department know with whom you are doing business with? Are you managing the relationship after the contract was signed? Have you Documented, Documented, and Documented the files and the relationship? When was the last time your business sponsor visited high-risk third parties to discuss your anti-corruption compliance program?

Information is critical to any best practices compliance program. Usually that information comes internally. Yet that information can also come from outside the organization. How many CCOs knew about Unaoil before the Huffington Post story? Or had thought about their company’s recordation of facilitation payments? Or had considered what it might mean if a third party was incorporated in Panama? I do not find any of the above to be scare mongering or even inappropriate questions to ask. For I have found it is always how you use information that forms the key inquiry; not when you obtain the information.


This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2016

Lou Reed died yesterday. He was one of the most influential figures in rock and roll history and pop culture over the past 50 years. Starting with his band, the Velvet Underground, Rolling Stone magazine said that the group’s “debut [album] The Velvet Underground & Nico stands as a landmark on par with the Beatles’ Sgt. Pepper’s Lonely Hearts Club Band and Bob Dylan’s Blonde On Blonde.” Moreover, his work was “embraced by future generations, cementing the Velvet Underground’s status as the most influential American rock band of all time.” But his influence went simply beyond rock and roll, including all things hip and cool from fashion to even introducing Dion at his induction into the Rock and Roll Hall of Fame. Reed could even be fashionable while advertising in a TV commercial for Nissan Xterra. Lou Reed was a true leader, in many areas.

In a post last week, entitled “Wal-Mart’s latest FCPA disclosure (October 2013)”, the FCPA Blog reported that Wal-Mart has spent over $155 MM in “costs incurred for the ongoing inquiries and investigations” and costs which “relate to global compliance programs and organizational enhancement.” This is in addition to the reported $157MM in costs for these matters in 2012. So for those of you keeping score at home, that is $312MM in costs related to the company’s Foreign Corrupt Practices Act (FCPA) investigation so far. Wal-Mart is well on its way to becoming the leader in the all-time costs for a FCPA investigation.

Also in the FCPA Blog last week, Michael Scher wrote an impassioned piece entitled “Wal-Mart and the FCPA: An open letter to the DOJ and SEC”. In this post Scher said, “We considered in a prior post the new spirit of tough enforcement at the DOJ and SEC and the need to seize the opportunity for more advocacy by the compliance profession, in particular to head off a resolution of the Wal-Mart investigation harmful to compliance officers and the public.” He urged the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) to thoroughly investigate and bring severe sanctions against the company, if warranted by the company’s actions. His tack differed from that of Matt Ellis, who last December, in a blog post on FCPAméricas entitled “Wal-Mart, Go Big on FCPA Compliance”, urged the company to “innovate by playing to its strengths.” These strengths include both physical size and financial resources which would allow it to “use its enormous leverage in international markets to educate foreign audiences on compliance.” Further, he wrote that “Maybe it could use the high visibility placement of its stores throughout Mexico to begin to teach communities how to identify and avoid risks of petty corruption? It could partner with local municipalities to launch reporting centers in its Supercenters.”

Both of these articles stake out positions with much merit. I would like to suggest another approach; which can be summarized as follows: Wal-Mart – Be a Leader in Compliance. The conduct in which Wal-Mart has engaged in is all in the past. The company cannot change those actions, whatever they may have been, but what the company can control is its actions going forward. So here are my suggestions on how Wal-Mart can be a leader in compliance.

Lead in the Retail Industry

The first thing that I recommend Wal-Mart do is call an executive meeting of the largest retail industry trade group that the company belongs to. I would say that Wal-Mart wants to lead the retail industry in its fight against bribery and corruption on a world-wide basis. Wal-Mart could certainly take some of Matt Ellis’ suggestions to the group about ‘going big’ on compliance. But Wal-Mart, as a leader, could say that we need to agree amongst ourselves that we will not engage in bribery and corruption, nor will we tolerate members that do so. We will urge that our members engage in “Ethical Capitalism” along the lines as laid out by Dov Seidman. We will ask that our retail industry trade group institute an industry wide Code of Practice, similar to that instituted by the International Federation of Pharmaceutical Manufacturers and Associations (IFPMA), which is designed “to stamp out bribery and corruption, particularly in emerging markets.”

Lead at the Chamber of Commerce

In the past, Wal-Mart has supported the US Chamber of Commerce’s efforts to amend the FCPA to add a compliance defense. Some argue this would level the playing field with the US government, while others claim that such a defense would help companies to understand their obligations under the FCPA. Wal-Mart can make clear that it understands quite simply that they, and other US companies, should not do business through bribery and corruption. Wal-Mart should aver that it will take the responsibility upon themselves to lead by example and put a best practices compliance program in place, not only to do business within the parameters of the FCPA but also because it makes good business sense to do so. Wal-Mart should demonstrate they now understand a compliance program is not a set of burdensome rules and procedures, which are designed to constrain how a person does business, but they are essential to the long term success of any organization. The company should embrace that concept and the belief that it should lie at the heart of the way a company does business.

Lead at the Board

While there is some debate as to how the allegations of corruption came up to the corporate headquarters or the initial company response about them; the FCPA Professor has made clear that he believes this scandal is largely a failure of corporate governance. As corporate governance starts at the Board, Wal-Mart should commit to having the most active and knowledgeable Board on anti-corruption matters there is in the US. Wal-Mart should bring in Jeff Kaplan (or some equally notable practitioner, such as the FCPA Professor) to lead Board training on the roles and responsibilities of a Board in overseeing compliance. While the Board does not have to, nor should it, delve down into the weeds of the company’s compliance program, it must understand the parameters and actions of the company’s compliance program going forward and be ready to act if allegations of bribery and corruption are brought forward.

Lead at the CCO Position

One thing that Donna Boehme consistently discusses in talks, articles, tweets, in person and just about everywhere else is that the Chief Compliance Officer (CCO) must be separate from and not report to the General Counsel (GC). The CCO cannot be in any merged unit of the company’s overall legal group. Further, the CCO should report directly to the Audit or other appropriate committee of the Board and not to the GC. The reason for this is clear; it is so that the CCO can have the true independence to make the determinations of what the company can do ethically and in compliance with all relevant national and international anti-corruption legislations. If you keep your CCO buried under the GC on the organization chart, it is clear that legal is more important than compliance.

Lead by Working with the DOJ

Lastly, I would suggest that Wal-Mart call Chuck Duross and Kara Brockmeyer and ask for a meeting. In that meeting the company should lay out all the steps it takes to be a leader in compliance. Its lawyers can certainly make clear that they will defend the company, consistent with the ethical duties and Wal-Mart’s rights as a corporate citizen. Further, the FCPA Guidance suggests that the three goals of a compliance program should be to prevent, detect and then remediate. The conduct that did or did not occur from 2000-2006 is in the past. Wal-Mart is committed to working to remediate what it can do so now. Will such conduct aid it with the DOJ and SEC? Perhaps, but more importantly, Wal-Mart should desire to show that a company can work with the DOJ and SEC, consistent with both their obligations as the enforcement agencies, all towards the goal of greater compliance.

The one thing that I disagree with Michael Scher on is that the DOJ has to hammer Wal-Mart with fines, penalties or criminal prosecutions to support the compliance profession, compliance with the FCPA and doing business ethically. There are business solutions to business problems. If Wal-Mart decides to be a leader in compliance and does so in a public manner, that can do as much for moving forward the compliance profession, FCPA and other anti-corruption law compliance and the general proposition of doing business ethically as well as severe sanctions. Further, if Wal-Mart takes these steps, it can control its future rather than simply reacting going forward.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2013

Ed. Note-this article was originally posted in the FCPA Professor.

The nightmare of every corporate director is to wake up to find out that the company of the Board he or she sits on is on the front page of the New York Times (NYT) for alleged illegal conduct. This nightmare came true for the Directors of Wal-Mart when the New York Times, in an article entitled “Vast Mexico Bribery Case Hushed Up by Wal-Mart After Top-Level Struggle”, alleged that Wal-Mart’s Mexican subsidiary had engaged in bribery of Mexican governmental officials and that the corporate headquarters in Bentonville, Arkansas, had covered up any investigations into these allegations.

Recently the NYT reported that shareholders were asking questions of the Wal-Mart Board regarding its response these allegations. In a story, entitled “More Dissent in a Store Over Wal-Mart Bribery Scandal”, Stephanie Clifford reported Wal-Mart shareholders are still asking questions of the Board regarding its role in the ongoing scandal. Some of these questions include “whether the company is holding current and former executives financially responsible for breaching company policies” and concerns about the company’s supply chain vendors. This shareholder dissatisfaction held several groups of large shareholders to indicate that they would vote against the company’s current Board of Directors at its annual shareholder meeting.

Clifford quoted from a report by Institutional Shareholder Services (ISS), a proxy advising firm, which said that investors have also complained about “being in the dark about the nature and extent of the alleged violations (and knowledge of them within the company)” and the company’s “timetable for completion of its investigation and disclosure of its results”. There were also questions raised about the remediation efforts of Wal-Mart. The ISS report went on to add that “Shareholders should vote against these directors to send a clear message to the board that such poor oversight does not come without repercussions.”

The publicity and costs to Wal-Mart have been well documented. The FCPA Professor has consistently stated that he views this scandal as largely a failure of corporate governance. In a post entitled, “Wal-Mart One Year Later” he said, “Corporate governance, or lack thereof, is what made the NY Times April 2012 remarkable.  This is the reason why Wal-Mart generated all the buzz it did a year ago this week and I’ve consistently held the view that the Wal-Mart story is a corporate governance sandwich with the FCPA as a mere condiment.” I thought about the Professor’s observations on this failure in light of Clifford’s article and wondered what the Board’s legal obligations might be.

I.                   Some Case Law

As to the specific role of ‘Best Practices’ in the area of general compliance and ethics, one can look to Delaware corporate law for guidance. The case of In Re Caremark International Inc. Derivative Litigation 698 A.2d 959 (Del.1996) was the first case to hold that a Board’s obligation “includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by non-compliance with applicable legal standards.” The Corporate Compliance Blog, in a post entitled “Caremark 101”, said that the Caremark case “addressed the board’s duty to oversee a corporation’s legal compliance efforts. As part of its duty to monitor, the Board must make good faith efforts to ensure that a corporation has adequate reporting and information systems. The opinion described this claim as “possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment,” with liability attaching only for “a sustained or systematic failure to exercise oversight” or “[a]n utter failure to attempt to ensure a reporting and information system.”

In the case of Stone v. Ritter 911 A.2d 362, 370 (Del. 2006), the Supreme Court of Delaware expanded on the Caremark decision by establishing two important principles. First, the Court held that the Caremark standard is the appropriate standard for director duties with respect to corporate compliance issues. Second, the Court found that there is no duty of good faith that forms a basis, independent of the duties of care and loyalty, for director liability. Rather, Stone v. Ritter holds that the question of director liability turns on whether there is a “sustained or systematic failure of the board to exercise oversight – such as an utter failure to attempt to assure a reasonable information and reporting system exists.”

Andrew J. Demetriou and Jessica T. Olmon, writing in the ABA Health Esource blog, said that “This standard aims to protect shareholders by ensuring that corporations will adopt reasonable programs to deter, detect and address violations of law and corporate policy, while absolving the Board from liability for corporate conduct so long as it has exercised reasonable responsibility with respect to the adoption and maintenance of a compliance and reporting system. Although the standard protects the Board, consistent with most jurisprudence under the business judgment rule, it also requires that the Board follow through to address problems of which it has notice and this may include adopting modifications to its compliance program to address emerging risks.”

Lastly, I recently heard Jeff Kaplan discuss the oversight obligations of the Board regarding the compliance function. In addition to the above cases, he discussed the case of Louisiana Municipal Police Employees’ Retirement System et al. v. David Pyott, et al., 2012 WL 2087205 (Del. Ch. June 11, 2012) (rev’d on other grounds, No. 380, 2012, 2013 WL 1364695 (Del. Apr. 4, 2013), which was a shareholder action that went forward against a Board based upon a claim that the Board knew of compliance risk based on the company’s business plan. The Delaware Court pointed out the possibility that “The appearance of formal compliance cloaked the reality of noncompliance, and directors who understood the difference between legal off-label sales and illegal off-label marketing continued to approve and oversee business plans that depended on illegal activity.” Kaplan believes that this case more generally, supports the need for risk-based oversight by board.

II.                FCPA Guidance and US Sentencing Guidelines

A Board’s duty under the Foreign Corrupt Practices Act (FCPA) is well known. In the Department of Justice (DOJ)/Securities and Exchange Commission (SEC) FCPA Guidance, under the Ten Hallmarks of an Effective Compliance Program, there are two specific references to the obligations of a Board. The first in Hallmark No. 1, entitled “Commitment from Senior Management and a Clearly Articulated Policy Against Corruption”, states “Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.” The second is found under Hallmark No. 3 entitled “Oversight, Autonomy and Resources”, where it discusses that the Chief Compliance Officer (CCO) should have “direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors (e.g., the audit committee).” Further, under the US Sentencing Guidelines, the Board must exercise reasonable oversight on the effectiveness of a company’s compliance program. The DOJ’s Prosecution Standards posed the following queries: (1) Do the Directors exercise independent review of a company’s compliance program? and (2) Are Directors provided information sufficient to enable the exercise of independent judgment?

Board failure to head this warning can lead to serious consequences. David Stuart, a senior attorney with Cravath, Swaine & Moore LLP, noted that FCPA compliance issues can lead to personal liability for directors, as both the SEC and DOJ have been “very vocal about their interest in identifying the highest-level individuals within the organization who are responsible for the tone, culture, or weak internal controls that may contribute to, or at least fail to prevent, bribery and corruption”. He added that based upon the SEC’s enforcement action against two senior executives at Nature’s Sunshine Products, “Under certain circumstances, I could see the SEC invoking the same provisions against audit committee members—for instance, for failing to oversee implementation of a compliance program to mitigate risk of bribery”. I would not be a far next step for the SEC to invoke the same provisions against audit committee members who do not actively exercise oversight of an ongoing compliance program.

There is one other issue regarding the Board and risk management, including FCPA risk management, which should be noted. It appears that the SEC desires Boards to take a more active role in overseeing the management of risk within a company. The SEC has promulgated Regulation SK 407 under which each company must make a disclosure regarding the Board’s role in risk oversight which “may enable investors to better evaluate whether the board is exercising appropriate oversight of risk.” If this disclosure is not made, it could be a securities law violation and subject the company, which fails to make it, to fines, penalties or profit disgorgement.

From the Delaware cases, I believe that a Board must not only have a corporate compliance program in place but actively oversee that function. Further, if a company’s business plan includes a high-risk proposition, there should be additional oversight. In other words, there is an affirmative duty to ask the tough questions. The specific obligations set out regarding the FCPA drive home these general legal obligations down to the specific level of the statute.

The Wal-Mart case has driven home the need for focused Board of Directors oversight of a company’s compliance program.  But it is more than simply having a compliance program in place. The Board must exercise appropriate oversight of the compliance program and indeed the compliance function. The Board needs to ask the hard questions and be fully informed of the company’s overall compliance strategy going forward. If the Wal-Mart Board had fulfilled its legal obligations regarding compliance, the company might not have found itself on the front page of the New York Times.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2013