Where does “Tone at the Top” start? With any public and most private US companies, it is at the Board of Directors. But what is the role of a company’s Board in FCPA compliance? We start with several general statements about the role of a Board in US companies. First, a Board should not engage in management but should engage in oversight of the CEO and senior management. The Board does this by asking hard questions and through risk assessment and identification.

In a recent White Paper, entitled “Risk Intelligence Governance-A Practical Guide for Boards” the firm of Deloitte & Touche laid out six general principles to help guide Boards in the area of compliance risk governance. I have adapted them for the Board role around compliance.

  1. Define the Board’s role: there must be a mutual understanding between the Board, the CEO and senior management of the Board’s responsibilities.
  2. Foster a culture of compliance risk management: all stakeholders should understand the compliance risks involved and manage those risks accordingly.
  3. Incorporate compliance risk management directly into strategy: oversee the design and implementation of compliance risk evaluation and analysis.
  4. Help define the company’s appetite for compliance risk: all stakeholders need to understand the company’s appetite, or lack thereof, for compliance risk.
  5. Execute the compliance risk management process: the compliance risk management process should maintain an approach that is continually monitored and has continuing accountability.
  6. Benchmark and evaluate the compliance process: compliance systems need to be in place that allow the compliance risk management process to be evaluated and modified as more information becomes available or as facts or assumptions change.

All of these factors can be easily adapted to FCPA compliance and ethics risk management oversight. First, the Board must have direct access to information on the company’s policies in this area. The Board must receive quarterly or semi-annual reports from the company’s Chief Compliance Officer to either the Audit Committee or the Compliance Committee. This commentator recommends that a Board create a Compliance Committee, as the Audit Committee may more appropriately deal with financial audit issues. A Compliance Committee can devote itself exclusively to non-financial compliance, such as FCPA compliance. The Board’s oversight role should be to receive such regular reports on the structure of the company’s compliance program, its actions and its self-evaluations. From this information the Board can oversee any modifications to the management of FCPA risk that should be implemented.

There is one other issue regarding the Board and risk management, including FCPA risk management, which should be noted. It appears that the Securities and Exchange Commission (SEC) wants Boards to take a more active role in overseeing the management of risk within a company. The SEC has promulgated Reg SK 407, under which each company must make a disclosure regarding the Board’s role in risk oversight which “may enable investors to better evaluate whether the board is exercising appropriate oversight of risk.” If this disclosure is not made, it could be a securities law violation and subject the company that fails to make it to fines, penalties or profit disgorgement.

Three Key Takeaways

  1. The Board’s role is to keep really bad things from happening to a Company.
  2. There are six general areas the Board can inquire into and lead from.
  3. SEC Reg SK 407 may put greater scrutiny on Boards.

What are 6 fast and efficient areas of inquiry for a Board around compliance?


In these final five days of my One Month to a Better Board series, I will look at inquiries and questions a Board can take up to help the organization actually do compliance going forward. I begin with an exploration of how a Board can work to incorporate the compliance function into the long-term business strategy of the organization. A Board can do so by being committed to doing business ethically and in compliance with anti-corruption laws such as the FCPA, and by engaging actively with the Chief Compliance Officer (CCO) and the compliance function. This post will begin a discussion of the various tools and techniques a Board can use to reach this level of engagement.

The first point is to develop a framework for incorporating compliance into your long-term strategy. This framework draws from the State Street Global Advisors’ strategy for sustainability and adapts it to compliance. Setting up the framework for evaluating the compliance function is a three-step process, which you can use as a starting point to determine how comprehensive your compliance program is.

Step 1: Has the company identified the compliance issues relevant to the Board?

Step 2: Has the company assessed and incorporated those compliance issues into its long-term strategy?

Step 3: Has the company communicated its approach to compliance and the influence of those factors on its overall strategy?

From this initial inquiry you can move into some specific questions that the Board can use to determine the overall state of your company’s compliance program. First, a Board can work to identify the compliance issues material to your organization. This can be accomplished with compliance-related key performance indicators (KPIs), which a Board should then prioritize according to their impact on compliance. A Board should consider these through the life-cycle of a business line or geographic sales area. Next, the Board should work to move compliance into the long-term strategy for the company and also have the CCO detail the long-term strategy for the compliance function.

Drawing from the Justice Department’s Evaluation of Corporate Compliance Programs (Evaluation), released in February, the Board should actively work to incorporate compliance into the long-term capital allocation of the company. Obviously the earlier the investment the better, as it brings benefits such as brand differentiation, a lower risk profile for the company and greater nimbleness in responding to the market.

The Board should oversee the incorporation of KPIs into senior management performance evaluations and compensation. Once again building upon the Evaluation, which asks how the company monitors its senior leadership’s behavior and how senior leadership models proper behavior to subordinates, the Board should make certain that systems are in place to quantify or measure performance on compliance issues; should establish performance goals against which compliance achievement is measured; and, finally, should disclose to shareholders the material compliance issues that drive compensation and the specific goals or performance targets management must achieve, and report actual performance against those goals to justify compensation payouts.

Finally, the Board should work to communicate the influence of compliance factors on overall corporate strategy by demonstrating how compliance was integrated into the business. This is not only good from a business perspective and in line with shareholder expectations; as the DOJ Evaluation makes clear, the operationalization of compliance is also what the government expects going forward.

These general factors will lead us into more specific questions that a Board can pose as we continue One Month to a Better Board for a best practices compliance program.

Three Key Takeaways

  1. Having a long-term strategy is critical.
  2. What is the Board’s framework for assessing compliance?
  3. Create KPIs to measure senior management’s actions around compliance.

What is the role of a Board of Directors in hiring senior executives, Chief Compliance Officers and even other Board members? I recently explored this issue with Candice Tal, founder and CEO of Infortal, a global security and risk management consulting company. Tal began by noting that a bad senior executive hire can cost a company much more than simply dollars. She noted that the “financial costs in day-to-day operations easily can quadruple that of a regular employee, but it can also impact the company’s corporate governance and Board of Directors if that executive hire was found to be involved with unethical and illegal activities. Not even a signed contract can protect a company if an executive hire’s unethical actions come to the attention of the national media. Fiduciary risk and exposure for the board of directors cannot be overlooked.”

She pointed to the example of Yahoo! and its hire of Scott Thompson back in 2012. It turned out that Thompson had incorrect information on his online biography regarding his academic credentials. As Tal noted, “implications went beyond the activist shareholder accusations to reflect on the board of directors for not vetting his background more carefully. The company may have been exposed to claims of providing false information to the SEC and potential stockholder lawsuits. Thompson’s 120-day tenure at Yahoo! cost the company over $7 million and seriously tarnished the company’s reputation in the business community.”

The key is that a company engage in an executive due diligence investigation rather than simply a routine or even executive-level background investigation. Tal explained that an executive background search is “typically limited to a 5 component review of: criminal records, employment verification, degree or education verification, social security validation, address verification and sometimes credit history.” Such searches are “very limited searches.”

Conversely, executive due diligence, “looks in-depth at all available public records sources: criminal history, civil litigation issues, financial and legal issues, relationships with other companies and board advisory positions, reputation, misrepresented education and overstated work history, behavioral history (for example litigiousness), and, in particular, undisclosed or adverse issues.” While it is generally “more costly than executive background checks and takes more time, the information gathered is extremely valuable and can save a company substantially more. A high quality due diligence review can find important information which would not be returned in a routine executive background check.”

Infortal has found that up to 20% of executive search candidates fail a deep-level due diligence investigation. Now consider how many senior executive slots your company has, add to that the seats on the Board of Directors, and you can quickly see the risk of failing to consider an executive due diligence search when promoting or hiring. Moreover, you need executive-level due diligence in other business situations as well, including for the senior management of businesses brought into your organization through a merger or other acquisition, when selecting new Board members, when screening corporate Boards of Directors and, of course, for third-party business partners and other agents in the sales and supply chain channels.

Three Key Takeaways

  1. The costs of a bad executive hire can far exceed the dollar loss.
  2. Do not forget the differences between an executive background check and executive level due diligence.
  3. 20% of all senior executives fail an executive level due diligence check.

I guess Matt Kelly cannot leave his journalist roots behind, for it was he who broke the story within the greater compliance community that the Department of Justice (DOJ) very quietly released a document, entitled “Evaluation of Corporate Compliance Programs” (Evaluation), on the Fraud Section website late last week. Kelly gave kudos to the law firm of White and Case for the initial notice, but as they are FCPA Inc., Kelly gets the call for being the first to announce it to the compliance community. The document is an 11-part list of questions which encapsulates the DOJ’s most current thinking on what constitutes a best practices compliance program. Within the list are some 46 different questions that a Chief Compliance Officer (CCO) or compliance practitioner can use to benchmark a compliance program. In short, it is an incredibly valuable and useful resource for every compliance practitioner. Over the next couple of blog posts, I will be taking a look at the Evaluation.

The Evaluation, most generally, follows the DOJ and Securities and Exchange Commission’s (SEC) seminal Ten Hallmarks of an Effective Compliance Program, released in the 2012 FCPA Guidance. If there is one overriding theme in the Evaluation, it is the DOJ’s emphasis on doing compliance, as the questions posed are designed to test how deeply your compliance program is incorporated into the fabric of your organization. The Evaluation is not simply a restatement of the Ten Hallmarks, as it clearly incorporates the DOJ’s evolution in what constitutes a best practices compliance program, and it certainly builds upon the information put forward in the DOJ’s FCPA Pilot Program regarding effective compliance programs, most particularly in Prong 3, Remediation. Once again, I detect the hand of DOJ Compliance Counsel Hui Chen in not only helping the DOJ to understand what constitutes an effective compliance program but also providing solid information to the greater compliance community on this score.

As there are 11 areas of inquiry and 10 Hallmarks, one of the interesting considerations is Evaluation No. 1, the analysis and remediation of underlying conduct. In this area, you need to understand the root cause of any incident, whether it is systemic and who performed the analysis. You will also need to evaluate your detection or, if the conduct was missed, why it was missed. Finally, you need to explain the remediation.

Next is the area of senior and middle management where you will need to evaluate the specific conduct of senior management in not only discouraging Foreign Corrupt Practices Act (FCPA) violative conduct but also the role of senior management in remedial actions. How do senior leaders and other stakeholders model appropriate behavior and share information on compliance throughout the organization and how is that conduct monitored on an ongoing basis?

Finally, the Board’s role is re-emphasized as the Evaluation asks the following questions, “What compliance expertise has been available on the board of directors? Have the board of directors and/or external auditors held executive or private sessions with the compliance and control functions? What types of information have the board of directors and senior management examined in their exercise of oversight in the area in which the misconduct occurred?” If you are following my month long series of One Month to a Better Board, you will recognize these as significant issues that many Boards have yet to adequately deal with going forward. The Evaluation also looks at the CCO and compliance function’s upward communications with the Board by looking at reporting lines, CCO access to the Board and independence of the compliance function within the organization.

Next is the area of autonomy and resources for the CCO and the compliance function. This section follows the FCPA Pilot Program Prong Three on remediation by inquiring into the professionalism and expertise of both the CCO and the compliance function. It also asks about the stature of the CCO and compliance function within the organization, including specifically “compensation levels, rank/title, reporting line, resources, and access to key decision-makers”. It also asks about turnover and promotion opportunities. You need to evaluate the role of compliance in strategic planning and whether the compliance function is truly “empowered” within an organization. This final point will entail documenting any “specific transactions or deals that were stopped, modified, or more closely examined as a result of compliance concerns”. Also echoing the Pilot Program Remediation Prong was an inquiry into funding and dollar resources available to the compliance function.

In a new area of review, the Evaluation considers “outsourced compliance functions” for the first time. It asks the following questions, “Has the company outsourced all or parts of its compliance functions to an external firm or consultant? What has been the rationale for doing so? Who has been involved in the decision to outsource? How has that process been managed (including who oversaw and/or liaised with the external firm/consultant)? What access level does the external firm or consultant have to company information? How has the effectiveness of the outsourced process been assessed?”

In the area of “Policies and Procedures” we see a clear operationalization inquiry as you are required to evaluate who had input into the design of your compliance policies and procedures and the process for drafting, all coupled with consultation with the business units. You also need to look at the specific policies and procedures which may have failed and determine how and why they failed. There are some inquiries into “gatekeepers, e.g. the persons who issue payments or review approvals” regarding their training and ongoing monitoring.

Next, and once again following on the operationalization of your compliance program, is a section entitled “Operational Integration” which includes who is responsible for integrating your policies and procedures throughout your organization, what internal controls are in place and specific inquiries into the role of the company payment system in any FCPA violation. This last inquiry is coupled with a review of your vendor management program going forward.

In the area of risk assessments, you need to consider the methodology the company used to identify, analyze and address the particular risks it faced, coupled with the metrics your company has collected and used to help detect the type of misconduct in question and, most interestingly, how this information has “informed the company’s compliance program”. In a section entitled “Manifested Risks” the Evaluation poses the following question: “How has the company’s risk assessment process accounted for manifested risks?”

Tomorrow I will consider the remainder of the Evaluation and how best to use it going forward.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2017

Today we honor what British Lord Nelson called “the most daring act of its age”: the capture and burning of the US frigate Philadelphia in Tripoli harbor. In October 1803, the ship had run aground near Tripoli and was captured. The Americans feared that the well-constructed warship would be both a formidable addition to the Tripolitan navy and an innovative model for building future Tripolitan frigates. Hoping to prevent the Barbary pirates from gaining this military advantage, President Thomas Jefferson sent Lieutenant Stephen Decatur to lead a daring expedition into Tripoli harbor to destroy the captured American vessel. The Americans recaptured the ship and then set it alight. Decatur and his men escaped without the loss of a single American. The Philadelphia subsequently exploded when its gunpowder reserve was lit by the spreading fire.

A most “daring act” seems to be a good way to introduce a multi-part look at the recent Foreign Corrupt Practices Act (FCPA) enforcement action involving the Chilean chemicals and mining company Sociedad Química y Minera de Chile (SQM), which agreed to pay a criminal penalty of $15.5 million and a civil penalty of $15 million for a total fine and penalty of $30.5 million. The company settled with the Department of Justice (DOJ) via a Criminal Information and Deferred Prosecution Agreement (DPA) and the Securities and Exchange Commission (SEC) via a Cease and Desist Order (Order).

There were a couple of unusual aspects to this matter which bear review and consideration by any Chief Compliance Officer (CCO) and compliance practitioner, particularly those at companies headquartered or domiciled outside the United States. The first is that the case was rare in charging criminal violations of the FCPA’s Accounting Provisions, both the Books and Records and the Internal Controls provisions. The second was that the company’s illegal actions appeared to have no US nexus, and the jurisdictional hook was that the company’s shares trade on the New York Stock Exchange (NYSE) as American Depository Receipts (ADRs) and the company is required to file periodic reports with the SEC. There were, however, some excellent points for review by any compliance practitioner regarding the underlying conduct involved.

According to the DOJ Press Release, “SQM knowingly failed to implement internal controls sufficient to ensure that payments from a fund under the control of one of its officers and high-level executives were made for services received and in compliance with Chilean law. Between 2008 and 2015, SQM made donations to dozens of foundations controlled by or closely tied to Chilean politicians. During this period, for example, SQM funneled approximately $630,000 to foundations controlled by a Chilean official with influence over the government’s mining plans in Chile, a key segment of SQM’s business.” It went on to add, “SQM also admitted to falsifying its books and records to conceal payments to vendors associated with politicians, logging them as consulting and professional services SQM never received. For example, in 2009, SQM paid approximately $11,000 to the sister-in-law of a Chilean official, recording the payment in SQM’s books as a payment for services received, despite the fact that the official’s sister-in-law submitted the false invoice solely to disguise payment to a Chilean senatorial campaign.” The sum total was that “SQM admitted having paid nearly $15 million between 2008 and 2015 to vendors despite having no evidence any goods or services were actually received.”

Yet in none of the resolution documents was there discussion of specific bribes paid or of business obtained or retained by SQM. Moreover, as noted above, none of the payments were routed through the US or the US banking system. Finally, although numerous emails were cited in the resolution documents, no evidence was presented that they were stored on a US server or even passed through the US.

What does come through loud and clear from the Information is the discretionary fund used by the person designated as “SQM Executive” and identified as Mr. Patricio Contesse G. – former Chief Executive Officer (CEO) of SQM. When I say discretionary fund, it was apparently at his sole discretion. Simply put, according to the Information “SQM paid approximately US $14.75 million to PEPs [Politically Exposed Persons] and related parties without effective internal accounting controls, such as appropriate due diligence, documentation or oversight.”

Going more deeply into the results of the company’s internal investigation than was reported in the Information, the company made the following Form 6-K SEC disclosure in December 2015.

“(a) payments were identified that had been authorized by SQM’s former CEO, Mr. Patricio Contesse G., for which the Company did not find sufficient supporting documentation;

(b) no evidence was identified that demonstrates that payments were made in order to induce a public official to act or refrain from acting in order to assist SQM obtain economic benefits;

(c) regarding the cost center managed by SQM’s former CEO, Mr. Patricio Contesse G., it was concluded that the Company’s books did not accurately reflect transactions that have been questioned, notwithstanding the fact that, based on the amounts involved, these transactions were below the materiality threshold defined by the Company’s external auditors determined in comparison to SQM’s equity, revenues, expenses or earnings within the reported period; and

(d) SQM’s internal controls were not sufficient to supervise the expenses made by the cost center managed by SQM’s former CEO and that the Company trusted Mr. P. Contesse G. to make a proper use of resources.”

This same disclosure also specifically noted that Mr. Contesse G. (the former CEO) and “Mr. Patricio Contesse F. – former director of SQM,” declined to be interviewed by the company’s designated outside counsel performing the internal investigation.

Contesse G.’s involvement and fraud went beyond simply using his unlimited discretion to facilitate shady payments. He was actively and intentionally involved in falsifying the company’s books and records. The Information stated, “From 2008 to 2013, at the end of each fiscal year, SQM’s books and records, including those that SQM Executive and others intentionally falsified to justify payments to vendors connected to PEPs, were used for the purpose of preparing SQM’s financial statements. In addition, during each of these years from 2008 to 2013, SQM Executive signed financial certifications as part of SQM’s securities filings that he knew to be false.”

Regarding the internal controls violations, the company’s auditors noted payments made to third parties which “had a ‘high-risk’ connection to PEPs.” These findings were even presented to the full company Board of Directors with the recommendation that adequate internal controls be put in place to prevent such conduct going forward. However, none were.

Also interesting was the lack of any note of how the company’s illegal actions came to the attention of the US government. There was no company self-disclosure, no reported whistleblower and no reported referral from another law enforcement agency, domestic or foreign. It may well be that there was some type of tip or even electronic information obtained by government regulators.

The actions of SQM senior management were certainly daring in the extreme, one might even say stupid, given their blatant disregard for US law. If companies want the benefits of US securities offerings and the prestige that comes with them, they need someone to counsel them on why they have to comply with US regulations, even in their actions exclusively outside the US. The matter also points to the need for a company’s Board of Directors to step up, ask the hard questions and then take action when management fails to fulfill its obligations to do business legally. Finally, the enforcement action makes clear the need for any company which crosses multiple borders to have a best practices compliance program in place, as there will be at least one country which has an anti-bribery/anti-corruption compliance program.

In the next post we will consider how the company was able to receive a 25% discount off the minimum fine range through cooperation and remediation after the US government came knocking.
