In 2015, the Securities and Exchange Commission (SEC) announced resolution of a Foreign Corrupt Practices Act (FCPA) enforcement action involving the Hitachi Ltd (Hitachi). There were several interesting aspects to this enforcement action and plenty of lessons to be learned by the compliance practitioner going forward. This enforcement action also presented one of the clearest cases for keeping track of current events for continuous improvement I have seen.

Perhaps the most interesting aspect of the Hitachi matter is that it involved bribery of a political party, the African National Congress (ANC). This portion of the enforcement action stands as a stark reminder that political parties are covered by the FCPA just the same as government officials. The FCPA Guidance states: “The FCPA’s anti-bribery provisions apply to corrupt payments made to (1) “any foreign official”; (2) “any foreign political party or official thereof ”; (3) “any candidate for foreign political office”; or (4) any person, while knowing that all or a portion of the payment will be offered, given, or promised to an individual falling within one of these three categories.” Although the statute distinguishes between a “foreign official,” “foreign political party or official thereof,” and “candidate for foreign political office,” the term “foreign official” in this guide generally refers to an individual falling within any of these three categories.

The bribery schemes themselves were notable only for their blantantness. Andrew J. Ceresney, Director of the SEC’s Enforcement Division, said in the SEC Press Release “Hitachi’s lax internal control environment enabled its subsidiary to pay millions of dollars to a politically-connected front company for the ANC to win contracts with the South African government. Hitachi then unlawfully mischaracterized those payments in its books and records as consulting fees and other legitimate payments.” Moreover, according to the Complaint:

  • Hitachi was aware that Chancellor House Holdings (Pty) Ltd. was a funding vehicle for the ANC during the bidding process.
  • Hitachi nevertheless continued to partner with Chancellor and encourage the company to use its political influence to help obtain government contracts from Eskom Holdings SOC Ltd., a public utility owned and operated by the South African government.
  • Hitachi paid “success fees” to Chancellor for its exertion of influence during the Eskom tender process pursuant to a separate, unsigned side-arrangement.

The enforcement action does point up the oft-times difficulty in providing corporate social responsibility and distinguishing it from outright corruption in certain countries. As noted in an article in the Wall Street Journal businesses “operating in South Africa are encouraged to take on black business partners under the ANC’s policy of black economic empowerment (BEE), intended to redress economic imbalances created by apartheid.” Yet, critics claim that there is a “blurred line between business and politics in the awarding of state tenders” in South Africa. However, the ANC front group was charged “only approximately $190, 819 stake which returned to it over $5MM in “dividends” and another $1MM in a “success fee” for contracts to Hitachi worth “about $5.6bn.”

This case demonstrates the need for a CCO to keep track of current events. It does not mean you must read the biggest newspapers on a daily basis, although that certainly would help. You must rely on your business folks on the ground to keep track in the changes of personnel of joint ventures or other local partnerships. Moreover, there are several automated due diligence services which literally provide daily updates on a wide variety of persons and individuals who might change positions in a government or move from the public sector to the private sector or back.

In many under-developed countries, there is a relatively small group of well-educated technocrats who move back and forth from the government to the private sector and back. They are also often involved in political parties. So today’s private might be tomorrow’s Politically Exposed Person (PEP) or indeed may have been yesterday’s PEP. This requires you to navigate carefully as these are most usually jurisdictions which are high-risk for corruption.

For the compliance practitioner, the Hitachi SEC enforcement action provides a valuable reminder that the FCPA covers more than foreign government officials and officials of state owned enterprises. Political parties are also covered so that if part of your corporate social responsibility includes payments to political party front groups, your company could get into FCPA hot water. Yet it also means you will need to keep abreast of just who your counter-parties during the entire course of your commercial relationship. This means keeping up with current events is a must and can facilitate continuous improvement.

Three Key Takeaways

  1. The Hitachi FCPA enforcement action demonstrates the need to keep track of current events for continuous improvement.
  2. Many product and services providers in the compliance space provide ongoing monitoring for PEPs and SDNs.
  3. Make sure your partners are still who they say they are!

 

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Another mechanism to facilitate continuous improve comes from ideas around risk assessments. Both the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) make clear the need for a risk assessment to inform your compliance program. I believe that most, if not all CCOs and compliance practitioners understand this well-articulated need. The FCPA Guidance could not have been clearer when it stated, “Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.” While many compliance practitioners have difficulty getting their collective arms about what is required for a risk assessment and then how precisely to use it; the FCPA Guidance makes clear there is no ‘one size fits all’ for about anything in an effective compliance program.

One type of risk assessment can consist of a full-blown, worldwide exercise, where teams of lawyers and fiscal consultants travel around the globe, interviewing and auditing. Of course, this can be a notoriously expense exercise. However, if there is one thing that I learned as a lawyer, which also applies to the compliance field, it is that you are only limited by your imagination. So using the FCPA Guidance’s no ‘one size fits all’ proscription, I would submit that is also true for risk assessments. You might try assessing other areas annually, through a more limited focused risk assessment, literally while staying at your desk and not traveling away from your corporate headquarters.

The idea comes from Jan Farley, the Chief Compliance Officer at Dresser-Rand and he calls it the ‘Desktop Risk Assessment’. I think it is an excellent tool for continuous improvement. Moreover, it is a tool you can employ at little to no cost by you or your compliance team and on an ongoing basis. It is something you can use as often as quarterly, semi-annually or annually. Some of the areas that such a Desktop Risk Assessment could inquire into might be the following:

  • Are resources adequate to sustain a culture of compliance?
  • How are the risks in the C-Suite and the Boardroom being addressed?
  • What are the FCPA risks related to the supply chain?
  • How is risk being examined and due diligence performed at the vendor/agent level? How is such risk being managed?
  • Is the documentation adequate to support the program for regulatory purposes?
  • Is culture, attitude (tone from the top), and knowledge measured? If yes, can we use the information enhance the program?
  • Disciplinary guidelines – Do they exist and has anyone been terminated or disciplined for a violating policy?
  • Communication of information and findings – Are escalation protocols appropriate?
  • What are the opportunities to improve compliance?

There are a variety of materials that you can review from or at a company that can facilitate such a Desktop Risk Assessment. You can review your company’s policies and written guidelines by reviewing anti-corruption compliance policies, guidelines, and procedures to ensure that compliance programs are tailored to address specific risks such as gifts, hospitality and entertainment, travel, political and charitable donations, and promotional activities.

This list is not intended to be a complete list of items, you can pick and choose to form some type of Desktop Risk Assessment but hopefully you can see some of the areas you can assess. My suggestion is that you try identifying and focusing on core compliance components in your organization. Obviously there are probably a million things you could fix. However, you cannot fix everything, so you must make a decision about your primacies, and then act on them. A Desktop Risk Assessment may well help you to do so.

If you perform an annual Desktop Risk Assessment with a full worldwide risk assessment every two years or so, you should be in a good position to keep abreast of compliance issues that may change and need more or greater risk management. Do not forget that the FCPA Guidance ends its section on risk with the following, “When assessing a company’s compliance program, DOJ and SEC take into account whether and to what degree a company analyzes and addresses the particular risks it faces.” By using the Desktop Risk Assessment, you can answer any regulator who asks what have you done to manage the risks in your company, by using the resources and tools that were available to you.

Three Key Takeaways

  1. As a compliance professional you are only limited by your imagination.
  2. Use the Desktop Risk Assessment to supplement the full Risk Assessment, performed biennially.
  3. You must remediate as appropriate.

 

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.

In this episode Richard Lummis and I consider the movie Dunkirk and the leadership lessons which can be drawn from the movie and historical events. If you have not seen it, I would suggest you go to see what I believe is the summer’s top movie, Dunkirk. It is great cinema, good history and presents the view of soldier on the ground from the English perspective. It unfolds on land, sea and air; in decreasing time frames of one week, one day and one hour. I was lucky enough to see it in glorious 70MM wide screen so the resolution was outstanding. There are several leadership lessons which I believe can be learned from the British (and German) experiences at Dunkirk.

Continuous improvement requires that you not only audit and monitor but also that you test your controls. In addition to the language set out in the 2012 FCPA Guidance, two of the seven compliance elements in the US Sentencing Guidelines call for companies to monitor, audit, and respond quickly to allegations of misconduct. Finally, under Prong 9 of the Evaluation of Corporate Compliance Programs, under the area of Control Testing, it asks the following question: What control testing has the company generally undertaken? Controls testing is key component enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs.

A review plan is an excellent tool for the compliance practitioner because it provides a method for the ongoing evaluation of policies and sets forth a manner to communicate and train on any changes that are implemented. More than simply staying current, this approach will help provide the dynamics that the DOJ continually talks about in keeping your program fresh. Lastly, such a review plan can also guide the compliance practitioner in creating an ongoing game plan for continuous improvement.

As the COSO 2013 Internal Controls Framework provides a roadmap to test your controls. This means that if you have a multi-country or business unit organization, you need to determine how your compliance internal controls are inter-related up and down the organization. The Illustrative Guide also realizes that smaller companies may have less formal structures in place throughout the organization. Your auditing can and should reflect this business reality. Finally, if your company relies heavily on technology for your compliance function, you can leverage that technology to “support the ongoing testing and evaluation” program going forward.

First are some general definitions that you need to consider in your evaluation. A compliance internal control must be both present and functioning. A control is present if the “components and relevant principles exist in the design and implementation of the system of [compliance] internal control to achieve the specified objective.”  A compliance internal control is functioning if the “components and relevant principles continue to exist in the conduct of the system of [compliance] internal controls to achieve specified objectives.”

COSO suggests a four-pronged approach in your testing, which I have adapted for the compliance practitioner. (1) Make an overall test of your company’s controls. This should include an analysis of whether each control is present and functioning and they are operating together in an integrated manner. (2) There should be a control component evaluation to determine if any control deficiency is found you can move to see if there are any compensating controls. (3) Test whether each control furthers the legal or business requirement you are trying to meet and then determine if a deficiency exists, what is the severity of the deficiency. (4) Finally, you should summarize all your internal control deficiencies in a log so they are addressed on a structured basis for continued improvement.

Another way to think through testing could be to consider the controls to affect the principle and would allow internal control deficiencies to be noted along with an initial review of the control failure. The next step would be to roll up the results of the evaluations. Next would be a re-evaluation of the severity of any deficiency in the context of compensating controls. Lastly, an overall testing allows you to consider if the controls are operating together in an integrated manner. This type of process would then lend itself to an ongoing evaluation so that if business models, laws, regulations or other situations changed, you could test if your internal controls were up to the new situations or needed adjustment.

Under a compliance regime, you may be faced with known or relevant criteria to classify any deficiency. For example, if written policies do not have at a minimum the categories of policies laid out in the FCPA 2012 Guidance, this could be deemed a control failure (The Guidance states the following policies should exist: on “the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments”).

If there are no objective criteria, as laid out in the FCPA 2012 Guidance, to evaluate your company’s compliance internal controls, what steps should you take? COSO suggests that a business’ senior management, with appropriate board oversight, “may establish objective criteria for evaluating internal control deficiencies and for how deficiencies should be reported to those responsible for achieving those objectives.” Together with appropriate auditing boundaries set by either established law, regulation or standard, or through management exercising its judgment, you can then make a full determination of “whether each of the components and relevant principles is present and functioning and components are operating together, and ultimately in concluding on the effectiveness of the entity’s system of internal control.” The key is to document the reasoning of the boundaries and then follow them.

This Document, Document, and Document feature is critical in any best practices anti-corruption or anti-bribery compliance program whether based upon the FCPA, UK Bribery Act or some other regulation. When the SEC comes knocking this is precisely the type of evidence they will be looking for to evaluate if your company has met its obligations under the both SOX 404 requirements and the FCPA’s internal controls provisions. Finally, it provides a way to continuously improve your controls.

Three Key Takeaways

  1. Testing of controls helps to provide reasonable assurance of achievement of the entity’s controls.
  2. There are two over-arching requirements for effective controls. First, each of the five components are present and function. Second, are the five components operating together in an integrated approach.
  3. For an anti-corruption compliance program, you can use the Tem Hallmarks of an Effective Compliance Program as your guide to test against.

 

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.

In this episode Mike Volkov and I discuss the two official pronouncements from the Sessions’ Justice Department regarding FCPA enforcement. They were both declinations used under the FCPA Pilot Program, which was announced in April 2016. The first declination involved Linde Gas North America LLC and Linde North America Inc. Linde Gas is a wholly owned subsidiary of the Linde Group, a German based entity which is listed on multiple stock exchanges in Germany, but not listed in the US.  The second declination involved CDM Smith Inc. a privately held company, headquartered in Boston MA. As neither company is a US publicly listed entity, neither is subject to jurisdiction of the SEC. Hence both declinations were granted with the notation of declinations with disgorgement. In Linde Gas, the disgorgement amount was $7.8 million and forfeit $3.4 million, for a total of $11.2 million and in the CDM Smith declination the disgorgement amount was $4.037 million. Both declinations were superior results obtained by the companies as both had clearly violated the FCPA, for multiple years in ongoing bribery and corruption schemes.

For more on these two enforcement actions see the following:

  1. Linde in the Republic of Georgia: A Declination and Lessons Learned by Tom Fox;
  2. A Second Superior Result – CDM Smith Obtains a Declination by Tom Fox; and
  3. Justice Department Resolves Two Cases Under FCPA Pilot Program by Mike Volkov.