I am excited to announce at Compliance Week 2017 the publication of my latest book 2016-The Year in Corporate FCPA Enforcement: Cardinal and Provident, published by Compliance Week. In it I take a look at the most prolific year in FCPA enforcement and what it means for the compliance practitioner.

We have never seen and may well never see again a year of FCPA corporate enforcements as we did in 2016. The Department of Justice (DOJ) and Securities and Exchange Commission (SEC) combined for twenty-seven corporate enforcement actions and nearly $2.48bn in total fines and penalties, the highest since the statute’s enactment in 1977. The vast majority of that amount, some 90 percent, was generated by a few very large and significant FCPA enforcement actions involving the following entities: VimpelCom, Och-Ziff, Embraer, JPMorgan, Odebrecht/Braskem, and Teva. While these cases all involved substantial, company-wide bribery schemes, which led to their massive penalties, the majority of 2016’s FCPA enforcement actions involved relatively small-to-medium-sized penalties which involved less systemic, routine bribery schemes. Yet these smaller cases usually provided some of the most interesting fact patterns, which can be studied by chief compliance officers (CCOs) and compliance professionals to help prevent and detect bribery in their organizations.

What do these enforcement actions signify? More importantly, what are the lessons to be drawn from these cases for compliance going forward? What about the FCPA Pilot Program, what does it portend for the future? Finally, I consider the public comments of the regulators around FCPA enforcement and compliance. You can parse the facts and figures, but if you want to understand what 2016 means going forward for the compliance profession, this is the book for you. If you are a compliance professional, this is the single must-have book around the most prolific year in FCPA enforcement history.

You can purchase a copy of the book from Compliance Week by clicking here.

If you are attending Compliance Week 2017, drop by the Compliance Week booth for an autographed copy!

Show Notes for Episode 53, for the week ending May 19, the I Left My Heart in SF Edition

This week, Jay and I have a wide-ranging discussion on some of the week’s top compliance related stories. We discuss:

  1. Brazilian President Temer comes under corruption fire? See article in the New York Times.
  2. The turmoil at FIFA continues as FIFA’s ethics watchdogs quit in protest after their chairman was fired. See article in Bloomberg.
  3. Should compliance and ethics be wedded? New report by Institute of Business Ethics and the Ethics Institute considers the issues. See article in WSJ Risk and Compliance Journal.
  4. The Fat Leonard scandal lands U.S. Navy Rear Admiral Robert Gilbeau with a prison sentence of 18 months. See article in the FCPA Blog.
  5. Almost one-third of all open FCPA investigations involve Brazil. Only 17% involve China. See article in the FCPA Blog.
  6. Astros lead the MLB with the best record in baseball. Will they regress to the mean?
  7. ComTech is here. Are you ready? See Tom’s article in the FCPA Compliance and Ethics Blog.
  8. Jay previews his Weekend Report.
  9. It is not too late to join me at Compliance Week 2017. Listeners to this podcast can receive a discount to Compliance Week 2017. Go to registration and enter discount code CW17TOMFOX.


Jay Rosen can be reached:

Mobile (310) 729-6746

Toll Free (866)-201-0903


Tom Fox can be reached:

Phone: 832-744-0264

Email: tfox@tfoxlaw.com




Being a Houston baseball fan has been largely pain, misery and suffering. While we have not gone 80+ years or even a century without winning a World Series, it is not for lack of ineptitude. It is because the Houston Major League Baseball (MLB) entry only came into existence in 1962. We were not even the Astros back then, but the Colt-45’s. Playing in the world’s greatest open air mosquito pit, Colt Stadium, sort of set the tone for the franchise. Of course, we did have one glorious run into the World Series in 2005 but even there, we were swept by the Chicago White Sox, who at that point had not won a World Series since 1917. At least I can finally say I went to a World Series and I did get to scream my lungs out in the bottom of the 9th inning of Game 4 where the Sox completed their sweep.

Now the Astros have the best record in baseball, with a sterling 29 wins and 12 losses for a .707 winning percentage. Although it is only May, all of Houston is celebrating, knowing what may well lie ahead. Put another way, there is only one way for the Astros to go and it is not up.

I thought about the Astros in the context of Chief Compliance Officer (CCO) leadership or even Chief Executive leadership around compliance when I read a couple of recent articles in the Financial Times (FT). The first was by Andrew Hill in his On Management column, entitled “Spectacular failures that prime leaders for success”, where he discussed the concept of failure as a “powerful educator”. One of the reasons I mine Foreign Corrupt Practices Act (FCPA) settlements for lessons to be learned is that I believe compliance professionals can learn from the missteps of other companies to make their compliance programs more robust.

I agree with Hill that it may seem odd to celebrate failure but to ignore it condemns one to repeat either your own missteps or the mistakes of others which are in the public record. He noted, “But wilfully ignoring failure is poisonous, too, and coverage of business inevitably promotes a misleading cult of success. One reason is that “failure” is a poor selling point for a book, presentation or article. Another is that most failures, by definition, never get far enough to be worth analysing, even assuming they are noticed by the outside world.”

The point is to learn from failures. This is memorialized in Prong 1 of the Department of Justice’s (DOJ’s) Evaluation of Corporate Compliance Programs (Evaluation) which details, “Root Cause Analysis – What is the company’s root cause analysis of the misconduct at issue? What systemic issues were identified? Who in the company was involved in making the analysis?” Hill echoed these questions when he wrote, “chief executives who talked about mistakes as failures were less likely to perform strongly. The best recalled their regret and disappointment, but looked for root causes and integrated what they had learnt into their future actions. In short, they became more adaptable.”

Equally interesting was an article by Tim Harford, in his column The Undercover Economist, entitled “Why prizewinning chiefs risk a swift fall from grace”. He began by discussing the awkwardness which PRWeek brought upon itself when it awarded United Airlines chief Oscar Munoz as “Communicator of the Year” shortly before the passenger “re-accommodation” scandal engulfed Munoz, the company and cost him a promotion to the Chairmanship of the United board. That was not even the worst timing as Harford noted the “American Institute of Architects honoured the Kemper Arena in Kansas City with a national honour award, and then held its annual convention there in 1979. Alas, the roof of the arena collapsed a few hours after the architects’ convention left the site.” It is not always business awards which have the most inopportune timing. Witness the number of National Basketball Association (NBA) prognosticators who rue their votes for Russell Westbrook or James Harden about now for the NBA Most Valuable Player (MVP) award.

I raise these humorous hiccups in the context of huge increases in sales for businesses and the compliance angle. Many CCOs now wonder when they hear about a sales person who wins the company’s top sales award for hitting 10X, 100X or higher on their sales goal. They wonder how they did it. Was the sales goal so low that it constituted what we called in one company ‘sand’? Our company President was so well-known for his proclivities to underestimate annual sales revenue, he was nicknamed the Sandman. Sand in your estimate is certainly one explanation.

Another might be the opposite of regression to the mean, where there is an increase for some inexplicable reason. Just as the Astros have a stunning .707 winning percentage, a sales person can have an excellent quarter, half-year or annual sales performance. One key is the historical data which might show a regression to the mean. Harford noted, “The most impressive performance may combine skill with luck. In a financial market — or a casino — the easiest way to become an outlier is to make a big bet. Unfortunately, there is no way to be sure whether you will be an outlier on the upside or the downside. Treading a different path is a good way to look spectacularly right, or spectacularly wrong — or, given enough time, both.”

This insight is important for a CCO when considering data analytics and ongoing monitoring. Monitoring allows a closer to real-time review and analysis. But another important component is having the historical data to review for longer term trends. Simply because a sales person has an outsized sales year does not necessarily mean something nefarious or even an FCPA violation. Being able to consider the full scope of historical trends can lead to more robust compliance analysis and one which may well help a company to operate more efficiently. If a super sales year is not re-creatable with an accepted sales practice, one question compliance might want to ask is Why?

How about those Astros and their .707 winning percentage? I am betting on regression to the mean.


This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2017

What should a company do when it desires to hire a Chief Compliance Officer (CCO)? I sat down and visited with Maurice Gilbert, the Managing Partner at Conselium Partners LP. Gilbert believes that it behooves any company to find the right CCO or compliance practitioner for the right position. But to do so, a company needs to fully understand and appreciate what it needs from such a position going forward. Unfortunately, many companies do not have this insight at the beginning of the recruitment process.

The process often begins with the company-supplied job description, which Gilbert noted is “typically a legacy of various things that are not even updated. It’s a hodgepodge of things that maybe began a few years ago, but it needs to be updated to reflect what’s going on in the company at that particular moment. You have certain business risks. You have certain regulatory risks…. You need to be attentive to those risks so that you could build your profile about what those risks need to be addressed presently.” Moreover, “what you’re going to get in a company job description is just a litany of things that actually could be quite disjointed and may not necessarily make sense for what you’re going to be asking the person to do.”

Gilbert will bring the key company stakeholders into an initial meeting to help them understand the process. Obviously, this will include Human Resources (HR) and others involved in the internal hiring process for the company. Gilbert gets them to rethink their approach to focus on what they will ask the new hire to accomplish because typically there is a disconnect between what the company thinks it needs and what it really needs.

The next step is developing an appropriate job profile. Gilbert will ask the key stakeholders to give him a list of four things they would like the new hire to accomplish in the first year of employment. By limiting this to four, Gilbert not only ends unrealistic expectations but helps winnow down the inevitable “laundry list of, “We’d like the professional to accomplish 30 things within the first year.” Many of which, are inconceivable. They have to be done in the course of several years. When we’re listening to the response, we, again, are counseling our client as to whether that makes sense or if that’s an unreasonable, let’s say, expectation.”

Gilbert gave an example of a recent search he headed for a client. One of the things he was able to develop at this initial meeting was that the company wanted the CCO “to spend the first two, three months evaluating her staff, to see if she has the appropriate team in place for the rest of the journey. By the way, she’s traveling all over the world doing just that. Evaluating her staff.” However, that task alone could take several months. The company also wanted the CCO to perform a comprehensive risk assessment immediately upon starting the position. It is simply not realistic to expect such disparate and time-consuming tasks to be performed so quickly, all the while the new CCO would be expected to travel to company locations across the globe.

Another important issue in this initial meeting is the professional growth opportunities that the company will present to any candidate. Gilbert explained that this is something companies do not always appreciate in the hiring process. Yet, as he explained, a company is trying to get a seasoned executive to leave a position so they need to have an attractive package ready to present. It is more than simply salary and benefits. Gilbert said, “we have to capture data such as, “What are career growth options once a person steps in and does a good job for three, whatever, years?” We have to capture data. “What is the culture of the company? What is the culture of the compliance department? What are the hot buttons and the management strategy, if you will, of the hiring authority? How does that person like to interface with the individuals?”

A final query to the company is around the sourcing of candidates. Gilbert needs to know if there are any particular competitors, or companies, which the client feels are hands off for sourcing candidates from and before he leaves this meeting he needs to know the companies that his client does not want Conselium to recruit from.

I found these points quite illuminating for several reasons. First, the company was not clear on what it wanted the new CCO to accomplish and had not thought through what it would need to commit to in terms of resources to have these goals accomplished. Second, it demonstrated that the communications flow facilitated learning on the part of both parties, i.e. for the client this was to have a realistic expectation of the new role and for Gilbert it was to help develop an appropriate Job Profile. It also demonstrated the collaborative nature of the relationship. By engaging in this process, Gilbert is able to move from simply a third party executive search firm to a trusted advisor to the client. By having such a relationship, Gilbert and his company, Conselium, are able to deliver a much more focused and valuable service beyond the typical generalist experience available inside a corporation in the hiring process.

From these discussions, Gilbert will develop a Job Profile and present it to the company to have them sign off on not only the package of what they are looking for in a candidate, but also the package they will be willing to present. Gilbert related that through the capture of and agreement with these points, he is ready to begin the next step, which is to tell the compelling story about the job position on behalf of his client.

Three Key Takeaways

  1. Bring in your key stakeholders to flesh out the job description.
  2. Consider the top four things you would like a new CCO to accomplish in the first year.
  3. For a new CCO to succeed, the company must have a realistic expectation developed before the process begins.


This month’s series is sponsored by Advanced Compliance Solutions and its new service offering the “Compliance Alliance” which is a three-step program that will provide you and your team a background into compliance and the FCPA so you can consider how your product or service fits into the needs of a compliance officer. It includes a FCPA and compliance boot camp, sponsorship of a one-month podcast series, and in-person training. Each section builds on the other and provides your customer service and sales teams with the knowledge they need to have intelligent conversations with compliance officers and decision makers. When the program is complete, your teams will be armed with the knowledge they need to sell and service every new client. Interested parties should contact Tom Fox.




What will be the role of Artificial Intelligence (AI) in compliance going forward? In Wednesday’s Compliance into the Weeds podcast, Matt Kelly and I continue our discussion, that we began several years ago, of how technology is changing the role of the Chief Compliance Officer (CCO). Matt tends to see things through an Enterprise Risk Management (ERM) framework while I consider the issue through more of a legal/compliance context. A recent article in the Financial Times (FT), entitled Cheap, accurate artificial intelligence closes in on the work of junior lawyers, reviewed the LawTech world and how it is reshaping many areas of private practice. I found the article had multiple implications for the compliance function. Indeed, I wondered if there might even be a ComTech industry lurking down the road.

Obviously, document review is one area where ComTech would be most useful. There are many companies who provide key word searches and these same concepts translate readily into the compliance world through massive database searches for key words, such as an ongoing email review through email sweeps. The concept is straightforward; at regular intervals, you sweep through your company email database for identified key words that can be flagged for further investigation, if required. Such a sweep is not limited to anti-corruption compliance but any of the risk factors identified for your company.

The objective of this approach is to find the evidence of a compliance breakdown by sweeping systems to uncover items that may contain real issues. From here, you can assess and prioritize, by checking and verifying if an issue needs investigating and focusing on the issues you want to investigate first. Further, and if warranted, you can invoke your investigation protocol, with all the requisite protections and securities. AI can help you to perform all of this more cheaply and efficiently.

Soon compliance will be pushed more to the forefront in the area of anti-money laundering (AML). As banking institutions continue to tighten and strengthen AML controls, criminals and other nefarious actors will move into non-financial corporations to move money for the simple reason that such robust controls required in the financial and financial services world are not generally required in the non-financial corporate world. Non-financial corporations should have robust AML controls in place and one of the requirements for any best practices AML policy is to “Know Your Customer” (KYC). AI will allow a more robust KYC approach.

Another area where compliance is often left behind is in the arena of Mergers and Acquisitions (M&A). Since the 2012 FCPA Guidance, the focus of compliance in M&A has been more and more on the pre-acquisition phase of a deal. Often the compliance function is either brought in at the last minute and does not have the time to perform adequate compliance due diligence or there is an overwhelming amount of data to be reviewed and the resources available (or made available) to the compliance function are woefully inadequate. AI can help in this area. The FT article cited to one company which has software that allows thousands of documents to be reviewed in the M&A context.

The review could include such issues as whether third party sales representatives have the requisite background due diligence in the files, their status and commission rates paid. There could be a review of top sales and business development folks in high-risk regions, correlated with a gift, travel and entertainment analysis. Finally, you could consider sales in high-risk regions or even sales spikes from low-risk areas from the compliance perspective.

A prime example of where AI can assist the compliance function is with third parties in the Supply Chain arena. Every multi-national has literally thousands of vendors. Getting a handle on those is always a challenge simply because of the numbers involved. Through the use of AI, a compliance practitioner can immediately identify vendors that present anti-corruption compliance or other risks to an organization. Once again, having led an effort to list out all my employer’s vendors by hand to begin the risk ranking process, I can personally attest to the greater efficiencies AI can bring to the exercise.

Blending over from the LawTech sector space, there is yet another set of AI tools which can review contracts to see if any specific types of clauses are non-standard. It would seem a relatively easy software coding exercise to adapt such products to compliance clauses. This type of approach could also be used for non-standard governance clauses in joint venture (JV) or other types of partnership agreements. Having once been assigned the task of reading all my employer’s JV agreements (87) and third party sales agents’ contracts (211) from across the globe and recalling the amount of time it took to do so, I can personally attest again to the greater efficiencies we are considering.

This final example also points to the limitations of AI. While it might have helped to have AI review all my former employer’s JV agreements and third party sales agents’ contracts, it only could identify non-standard contract language. Unfortunately, since most of the aforementioned agreements and contracts were bespoke they were uniformly non-standard. Further, the assignment I was given required an analysis of each non-standard contract so the judgment of a human was required. Even as AI becomes more sophisticated, the judgment of a professionally trained compliance practitioner is still required to validate the areas flagged by AI as anomalies.

Garry Kasparov recognized this after his loss to IBM’s Big Blue in a chess match. A review of his recent book Deep Thinking-Where Artificial Intelligence Ends and Human Creativity Begins noted that Kasparov “recognized that computers do well what humans do badly and vice versa, suggesting a useful complementarity.” Moreover, “he argues that humans are often fallible, finding patterns in randomness and correlations where none exist. Computers can help us be more objective and amplify our intelligence. Technological progress can never be stopped even if it should be better managed.” Kasparov even formulated his own theorem, which he calls “Kasparov’s Law” and it reads, “Weak human + machine + better process is superior to strong human + machine + inferior process.”

There have always been technological innovations which help make corporate disciplines run more efficiently, more smoothly and more profitably. AI is simply another step in this line of technological developments. There is certainly no reason to be afraid of using it. Put another way, if disruption hits the legal world through LawTech; disruption is not far behind in the compliance world through ComTech.

