I guess Matt Kelly cannot leave his journalist roots for it was he who broke the story within the greater compliance community that the Department of Justice (DOJ) very quietly released a document, entitled “Evaluation of Corporate Compliance Programs” (Evaluation), on the Fraud Section website late last week. Kelly gave kudos to the law firm of White and Case for the initial notice but as they are FCPA Inc., Kelly gets the call for being the first to announce it to the compliance community. The document is an 11-part list of questions which encapsulates the DOJ’s most current thinking on what constitutes a best practices compliance program. Within the list are some 46 different questions that a Chief Compliance Officer (CCO) or compliance practitioner can use to benchmark a compliance program. In short, it is an incredibly valuable and most significantly useful resource for every compliance practitioner. Over the next couple of blog posts, I will be taking a look at the Evaluation.

The Evaluation, most generally, follows the DOJ and Securities and Exchange Commission’s (SEC) seminal Ten Hallmarks of an Effective Compliance Program, released in the 2012 FCPA Guidance. If there is one over-riding theme in the Evaluation, it is the DOJ’s emphasis on doing compliance as the questions posed are designed to test how far down your compliance program is incorporated into the fabric of your organization. The Evaluation is not simply a restatement of the Ten Hallmarks, as it clearly incorporates the DOJ’s evolution in what constitutes a best practices compliance program, and it certainly builds upon the information put forward in the DOJ’s FCPA Pilot Program regarding effective compliance programs, most particularly found in Prong 3 Remediation. Once again, I detect the hand of DOJ Compliance Counsel Hui Chen in not only helping the DOJ to understand what constitutes an effective compliance program but also providing solid information to the greater compliance community on this score.

As there are 11 areas of inquiry and 10 Hallmarks, one of the interesting considerations is Evaluation No. 1 – the analysis and remediation of underlying conduct. In this area, you understand the root cause of any incident, is it systemic and who made the analysis? You will also need to evaluate your detection or if the conduct was missed, why was it missed? Finally, you need to explain the remediation.

Next is the area of senior and middle management where you will need to evaluate the specific conduct of senior management in not only discouraging Foreign Corrupt Practices Act (FCPA) violative conduct but also the role of senior management in remedial actions. How do senior leaders and other stakeholders model appropriate behavior and share information on compliance throughout the organization and how is that conduct monitored on an ongoing basis?

Finally, the Board’s role is re-emphasized as the Evaluation asks the following questions, “What compliance expertise has been available on the board of directors? Have the board of directors and/or external auditors held executive or private sessions with the compliance and control functions? What types of information have the board of directors and senior management examined in their exercise of oversight in the area in which the misconduct occurred?” If you are following my month long series of One Month to a Better Board, you will recognize these as significant issues that many Boards have yet to adequately deal with going forward. The Evaluation also looks at the CCO and compliance function’s upward communications with the Board by looking at reporting lines, CCO access to the Board and independence of the compliance function within the organization.

Next is the area of autonomy and resources for the CCO and the compliance function. This section follows the FCPA Pilot Program Prong Three on remediation by inquiring into the professionalism and expertise of both the CCO and the compliance function. It also asks about the stature of the CCO and compliance function within the organization, including specifically “compensation levels, rank/title, reporting line, resources, and access to key decision-makers”. It also asks about turnover and promotion opportunities. You need to evaluate the role of compliance in strategic planning and whether the compliance function is truly “empowered” within an organization. This final point will entail documenting any “specific transactions or deals that were stopped, modified, or more closely examined as a result of compliance concerns”. Also echoing the Pilot Program Remediation Prong was an inquiry into funding and dollar resources available to the compliance function.

In a new area of review, the Evaluation considers “outsourced compliance functions” for the first time. It asks the following questions, “Has the company outsourced all or parts of its compliance functions to an external firm or consultant? What has been the rationale for doing so? Who has been involved in the decision to outsource? How has that process been managed (including who oversaw and/or liaised with the external firm/consultant)? What access level does the external firm or consultant have to company information? How has the effectiveness of the outsourced process been assessed?”

In the area of “Policies and Procedures” we see a clear operationalization inquiry as you are required to evaluate who had input into the design of your compliance policies and procedures and the process for drafting, all coupled with consultation with the business units. You also need to look at the specific policies and procedures which may have failed and determine how and why they failed. There are some inquiries into “gatekeepers, e.g. the persons who issue payments or review approvals” regarding their training and ongoing monitoring.

Next, and once again following on the operationalization of your compliance program, is a section entitled “Operational Integration” which includes who is responsible for integrating your policies and procedures throughout your organization, what internal controls are in place and specific inquiries into the role of the company payment system in any FCPA violation. This last inquiry is coupled with a review of your vendor management program going forward.

In the area of risk assessments, you need to consider the methodology the company used to identify, analyze, and address the particular risks it faced, coupled with the metrics your company has collected and used to help detect the type of misconduct in question and, most interestingly, how this information has “informed the company’s compliance program”? In a section entitled “Manifested Risks” the Evaluation poses the following question, “How has the company’s risk assessment process accounted for manifested risks?”

Tomorrow I will consider the remainder of the Evaluation and how best to use it going forward.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2017

Show Notes:

  1. The SFO announces an investigation into the Swiss engineering giant ABB, Ltd. for allegations of corruption coming out of the Unaoil scandal. See article in the FCPA Blog.
  2. Former Magyar Telekom exec settles with SEC before trial. See article in FCPA Blog.
  3. Tom goes on an extended rant about the ISO 37001 certification process and why it is “worse the useless”. See Tom’s post on the topic on the FCPA Compliance and Ethics Blog.
  4. Jay Rosen’s discusses his new gig with Affiliated Monitors.
  5. Everything Compliance-Episode 7 is out. It is dedicated exclusively to the first two chaotic weeks of the Trump Administration.
  6. Jay Rosen Weekend Report preview.

For some additional reading see:

1.) Mike Volkov Article on Monitors

http://blog.volkovlaw.com/2017/02/yikes-perils-remediation-corporate-monitors/

2.) Jay Rosen Weekend Read

The “Real” FCPA, SCCE + Hello Goodbye

https://www.linkedin.com/pulse/real-fcpa-scce-hello-goodbye-jay-rosen-ccep

3.) Kristy Grant-Hart on The Top Five Myths about ISO-37001 Exposed

http://fcpablog.squarespace.com/blog/2017/2/14/the-top-five-myths-about-iso-37001-exposed.html

4.) Jay Rosen new contact info

Jay Rosen, CCEP

Vice President, Business Development

Monitoring Specialist

Affiliated Monitors, Inc.

Mobile (310) 729-6746

Toll Free (866)-201-0903

JRosen@affiliatedmonitors.com

Today I want to consider a couple of failures at the Board level around bribery and corruption.   

  1. VimpelCom 

Board of Directors and Senior Management Involvement

VimpelCom sought to enter the telecom market through the acquisition of a local player, Unitel, as an entrée into the Uzbekistan market. Unitel made clear to VimpelCom that to have access to, obtain and retain business in the Uzbeki telecom space, VimpelCom would have to, according to the VimpelCom DPA, “regularly pay Foreign Officials millions of dollars” who was Gulnara Karimova, the daughter of the then President of the country. VimpelCom also acquired another entity Butzel, that was at least partially owned by an Uzbeki government official, who hid their interest through a shell company, which was known to VimpelCom. VimpelCom did not articulate a legitimate business reason for the deal and paid $60MM for Buztel.

As laid out in the VimpleCom’s Information, its senior management was well aware of the potential FCPA risk. The Information stated, “From the beginning of VIMPELCOM’s deliberations concerning its entry into Uzbekistan, there was an acknowledgment of the serious FCPA risks associated with certain VIMPELCOM management’s recommendation to purchase Buztel in addition to Unitel… Documents prepared for the December 13, 2005 Finance Committee meeting explained that Buztel was owned by a Russian company “and a partner” without further detailing the identity of the “partner” who was in fact Ms. Karimova. The materials documented that “[t]hrough a local partner, [VIMPELCOM was] in a preferred position to purchase both assets . . . .”” The Finance Committee “identified the likelihood of corruption and expressed concerns.” Even with these reservations, the Finance Committee failed to identify the local partners.

But there was even more specific cautions around a FCPA violation when one Finance Committee member ““expressed concern on the structure of the deal and FCPA issues” and noted “that if [VIMPELCOM] goes into this deal under this structure and if the structure violates the FCPA picture, [VIMPELCOM’s] name could be damaged.”” The Finance Committee voted to move forward with the Buztel portion of the transaction “provided that all issues related to the FCPA should be resolved.”

These concerns moved up to the VimpelCom Board of Directors. In a December, 2005 Board meeting, “the likelihood of corruption was further discussed” and that “there was a recognition that a thorough analysis was needed to ensure that the Buztel payment was not merely a corrupt pretext for other services and favors. There were also numerous requests to ensure that the deal complied with the FCPA. Ultimately, VIMPELCOM’s board approved the Buztel and Unitel acquisitions, with a condition that FCPA analysis from an international law firm be provided to VIMPELCOM.”

Here VimpelCom management defrauded its own Board of Directors. The Information states, “VIMPELCOM’s management then sought FCPA advice that could be used to satisfy the board’s requirement while allowing VIMPELCOM to proceed with a knowingly corrupt deal. Despite the known risks of Foreign Official’s involvement in Buztel, certain VIMPELCOM management obtained FCPA legal opinions from an international law firm supporting the acquisition of Unitel and Buztel; however, certain VIMPELCOM management did not disclose to the law firm Foreign Official’s known association with Buztel. As a result, the legal opinion did not address the critical issue identified by the VIMPELCOM board as a prerequisite to the acquisition. Management limited the law firm’s FCPA review of the transaction to ensure that the legal opinion would be favorable. Having obtained a limited FCPA legal opinion designed to ostensibly satisfy the board’s requirement, certain VIMPELCOM management then proceeded with the Buztel acquisition and corrupt entry into the Uzbek market.”

Fraudulent Stock Transfer

But that was only the start as VimpelCom then entered into a partnership with the foreign official who was given an ownership interest in Unitel, through the shell corporation. The shell company held an option to sell this interest back to VimpelCom in 2009. It would appear that the owner of the shell corporation was well known within both VimpelCom and Unitel but both entities referred to this person as the “partner” or “local partner”. VimpelCom set up partnership where, “Shell Company obtained an indirect interest of approximately 7% in Unitel for $20 million, and Shell Company received an option to sell its shares back to Unitel in 2009 for between $57.5 million and $60 million for a guaranteed net profit of at least $37.5 million.”

VimpelCom’s Board was required to and did approve the partnership but as with the original acquisition, “approval again was conditioned on “FCPA analysis by an international law firm” and required that the “the identity of the Partner . . . [be] presented to and approved by the Finance Committee.” VIMPELCOM received an FCPA opinion on the sale of the indirect interest in Unitel to Shell Company on or about August 30, 2006. The FCPA advice VIMPELCOM received was not based on important details that were known to certain VIMPELCOM management and that certain VIMPELCOM management failed to provide to outside counsel, including Foreign Official’s control of Shell Company. In addition, documents, including minutes from the Finance Committee’s meeting on August 28, 2006, failed to identify the true identity of the local partner by name while noting the “extremely sensitive” nature of the issue.”

Some three years later, the shell company exercised its option to be bought out of the partnership for $57.5MM, after having invested $20MM. This netted a profit of $37.5MM. Unfortunately for all involved, they routed the payments for the transaction through financial institutions in the US, thereby creating FCPA jurisdiction.

  1. BizJet

Another FCPA enforcement action involved the Tulsa-based company BizJet, which had four senior executives convicted for their participation in a bribery scheme. But this case also involved the Board of Directions. In the Criminal Information it stated, that in November 2005, “at a Board of Directors meeting of the BizJet Board, Executive A and Executive B discussed with the Board that the decision of where an aircraft is sent for maintenance work is generally made by the potential customer’s director of maintenance or chief pilot, that these individuals are demanding $30,000 to $40,000 in commissions, and that BizJet would pay referral fees in order to gain market share.”

In both cases, this is where the rubber hits the road. If a company is willing to commit bribery and engage in corruption to secure business no amount of doing compliance is going to help. If senior management is ready, willing and able to lie, cheat and steal, the Board is the final backstop to prevent such conduct. Both the VimpelCom and BizJet Boards sorely failed in their compliance duties.

Three Key Takeaways

  1. Board liability will be severe based upon similar conduct going forward.
  2. Board members must critically challenge management on its conduct.
  3. The Board is the ultimate backstop against bribery and corruption.

What are metrics for a Board around compliance? Former Assistant Attorney General Leslie Caldwell laid out some that the Justice Department would consider in a review of compliance programs. These metrics are:

  • Does the institution ensure that its directors and senior managers provide strong, explicit and visible support for its corporate compliance policies?
  • Does a Board maintain a material role in overseeing a company’s overall compliance framework?

These requirements move beyond simply having the correct ‘Tone at the Top’ which every Board should articulate. They charge the Board in a company with a substantive role in the actual doing of compliance going forward. One of my concerns is this metric sets up Board members and senior management for prosecution under the Foreign Corrupt Practices Act (FCPA) in the new era of the Yates Memo where companies are required to investigate and turn over individuals to the DOJ for prosecution if they want to receive any credit for cooperation. Of course, the Yates Memo also articulated the DOJ’s stated intention to more aggressively prosecute individuals as well.

Board Role

You begin with two questions. First, does the Board of Directors exercise independent review of a company’s compliance program? Second, is the Board of Directors provided information sufficient to enable the exercise of independent judgment?

Boards of Directors should take a more active role in overseeing the management of risk within a company. Now this includes having a FCPA compliance program in place and actively oversee that function. This means if a company’s business plan includes a high-risk proposition, there should be additional oversight. In other words, there is an affirmative duty to ask the tough questions. But it is more than simply having a compliance program in place. The Board must exercise appropriate oversight of the compliance program and indeed the compliance function. The Board needs to ask the hard questions and be fully informed of the company’s overall compliance strategy going forward. Some of the areas for hard questions include

  • Corporate Compliance Policy and Code of Conduct – Is there an overall governance document which will inform the company, its employees, stakeholders and third parties of the conduct the company expects from an employee, translated into appropriate local langauges. Is there documents of delivery and training on this or these documents?
  • Risk Assessment – Has the Board assessed the compliance risks associated with its business?
  • Implementing Procedures – The Board should determine if the company has a written set of procedures in place that instructs employees on the details of how to comply with the company’s compliance policy. Once again, have these implementing procedures been translated as appropriate and do employees understand these procedures? Are all of the above documented?
  • Training – Has the Board been trained to understand its role in an effective compliance program?
  • Monitor Compliance – Has the Board independently tested, assessed and audited to determine if its compliance policies and procedures are a living and breathing program and not just a paper tiger.

There are several paths a Board of Directors can take to fulfill this duty. Obviously the full Board can be apprised of compliance issues and handle them appropriately. However this may be unwieldy or not workable if there is a large Board and the compliance function only has limited time to present a quarterly and annual report. The Audit Committee is usually considered a natural venue for the compliance function to report to as it handles issues somewhat related to compliance already.

Through the convergence of the Yates Memo and these metrics, it is time for companies to create a Compliance Committee separate and a part from the Audit Committee. This Board-level Compliance Committee would be charged with oversight of FCPA compliance and ethics but could also be the reporting venue for anti-money laundering compliance (AML), export control compliance and all other such disciplines within an organization. Further after the Volkswagen emissions-testing scandal, not only have a robust compliance program but direct and transparent Board oversight may be the only thing stopping injury to your reputation from a competitor’s illegal or unethical conduct.

Three Key Takeaways

  1. The Justice Department expects active engagement by a Board around compliance.
  2. Does the Board exercise independent review of the compliance program?
  3. The convergence of the Yates Memo, Hui Chen and the FCPA Pilot Program.

Today’s headline is inspired by two recent notices; the first is from a January 25 ENI Press Release crowing that “Eni is the first Italian company to receive that certification”. The second came from an article in the Financial Times (FT) entitled “Eni chief Claudio Descalzi charged with international corruption” by James Politi, where he began his piece with the opening, “Claudio Descalzi, chief executive of Eni, has suffered a setback after Italian prosecutors charged him with international corruption following a lengthy investigation into the Italian energy group’s 2011 purchase of a Nigerian exploration licence. Mr Descalzi was asked to stand trial along with Paolo Scaroni, the former chief executive of Eni, as well as nine other individuals who were involved in the $1.3bn transaction, according to Fabio De Pasquale, the lead prosecutor on the case.”

The international corruption, also involving Royal Dutch Shell, involved questions regarding “an offshore exploration bloc called OPL 245, which is estimated to contain up to 9bn barrels of oil and is considered one of Nigeria’s most highly-prized energy prospects.” It was further noted that “The main accusation is that Eni and Shell knew the money paid to the government for OPL 245 would then be funnelled to other Nigerian individuals, essentially as bribes.” In what can only be said is a non-denial denial, both “Eni and Shell have said that they simply transferred money to the Nigerian government, without making any arrangements with third parties or the ultimate beneficiaries.”

The problem I see with one headline is that it brings up the uselessness of the ISO certification process. One might reasonably ask how a company could receive a certification for its “AntiBribery Management Systems” when both its current and former chief executives are under indictment for ‘international corruption’? The ISO certification issue is separate and stands apart from the ISO 37001 standards themselves. When I sat down to read the more than 100 pages of what might constitute good compliance practices, I, for the most part, did not have too many disagreements with the articulation. However, in the global world of anti-bribery/anti-corruption enforcement there were multiple standards for an effective compliance program, including, but not limited to the Ten Hallmarks of an Effective Compliance Program, Six Principles of Adequate Procedures, the OECD 13 Good Practices and multiple others. Indeed, I published an entire book some 2 1/2 years ago to laying out what constitutes an effective compliance program. So while it is mildly interesting from an intellectual perspective, the reality is that it is not anything new, different or innovative.

Yet the title of this blog post makes clear that any ISO 37001 certification is much worse, for it can lead an unsuspecting person to conclude that because a company has the ISO 37001 certification, it is actually doing compliance. From the ENI Press Release it stated, “quality of the system of rules and controls aimed at preventing corruption”. If that does not sound like a paper compliance program I do not know what does. I should also note the same Press Release goes on to state that since 2009, Eni has enshrined the principle of “zero tolerance” as “expressed in its Code of Ethics.” I wonder if either the current or former ENI chief executive under indictment read or even knew about this robust ENI Code of Ethics. Interestingly, the Press Release also stated that Stage 2 of the ISO 37001 certification process involved “interviews with people on the ground” to assure compliance with the program. It is safe to assume these interviews did not include the current or former ENI chief executive.

What is a counter-party to ENI to conclude about the robustness of its anti-corruption compliance program? How about any other company which has an ISO 37001 certification? This is where the worse than useless part comes into play. People might actually think that this certification affirms the company which holds it is committed to doing compliance and will continue to do so going forward. The counter-party who does business with such an ISO 37001 certificate holder may well assume this certification forms some basis of protection against a Foreign Corrupt Practices Act (FCPA), UK Bribery Act or (you name the law) investigation for bribery and corruption. Nothing could be further from the truth.

The Department of Justice (DOJ), Securities and Exchange Commission (SEC) and Serious Fraud Office (SFO) continually make abundantly clear that a company is responsible for its counter-parties not violating applicable anti-corruption laws. Put another way, a third-party, with an ISO 37001 certification who violates the FCPA, UK Bribery Act or any other similar law puts your company at just as much risk as a third-party with no ISO 37001 certification. Putting it as simply as I can, an ISO 37001 certification from a counter-party is of less than zero worth to your company, your compliance program or indeed any defense against a FCPA enforcement action.

What about a company which thinks it needs an ISO 37001 certification? This is equally problematic but for different reasons. The DOJ and SEC jointly issued FCPA Guidance made clear that an effective compliance program is based upon a company assessing its own risks and then setting up a program to manage those risks going forward through training, incentives and discipline and ongoing monitoring. The Ten Hallmarks were designed to be flexible to allow each company to assess and then manage its risks. Moreover, this flexibility allows a Chief Compliance Officer (CCO) or compliance practitioner to put forward clear evidence of compliance with this approach if the government comes knocking in a FCPA investigation. The evidence from the Pilot Program is that the DOJ is taking this approach into account and has doled out multiple declinations and Non-Prosecution Agreements (NPAs) since its inception in April 2016.

So which headline is right: that ENI received an ISO 37001 certification or that the chief executive of ENI will stand trial for corruption? Unfortunately, they are both right and that simple answer communicates to every CCO and compliance practitioner across the globe that the ISO 37001 certification process is worse than useless. This is both for the company assessing the effect of such a certification from a potential third-party and a company considering whether it should obtain the certification to prove it is actually doing compliance.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2017