To read more, check out my blog post series on Hallmark 4.

For more information on this Hallmark, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available through Compliance Week by clicking here.

I am on assignment in Oxford on a two-week study course, focusing on the Tudors. For the first week we focused on Richard III to the end of Henry VIII’s reign. Although Richard III was not a Tudor, we began with him to study the ‘bad rap’ of negative publicity he received from the Tudor court, specifically Sir Thomas More and most particularly Shakespeare’s play, Richard III.

In the career of Henry VIII, we discussed the role of Thomas Cromwell and the series of steps leading up to the split from Rome to obtain his divorce from Catherine of Aragon and his dissolution of the Catholic Church in England to create the Church of England. One of the questions initially posed by our tutor, Janet Dickinson, was whether there was an overarching plan to take these steps or if they were made more on an ad hoc basis in response to events on the ground.

The consensus of our group was the steps taken were in response to the changing and evolving circumstances not only in England but also on the Continent, both in Rome and in the wider sphere of European politics. Initially it appeared the Pope was inclined to grant Henry his annulment but that solution was foreclosed when greater European politics intervened. This intervention was the invasion of Italy by the Spanish King Charles V, who was the nephew of Catherine of Aragon. Charles was disinclined to allow the Pope to grant Henry an annulment of the marriage of his aunt to Henry.

Making Henry the head of the Church of England was only one part of the break from Rome. The second part was the dissolution of the Catholic monasteries and passing of Catholic Church land to the English crown, as head of the Church of England. We may never know who initially came up with these ideas, whether it was Cromwell, another advisor or even if Henry himself came up with some or all of the plans. It does seem relatively clear that Cromwell developed the legal arguments supporting the legal claim for Henry to head up the church in England.

Yet, even at this point there was no clear plan to dissolve the Catholic Church’s property in England to the English crown. This move appears to have come in response to an attempt to clarify religious doctrine after the break with Rome. These widespread popular and clerical uprisings found support among the gentry and even the nobility; all culminating in the Pilgrimage of Grace.

If you are a loyal reader of this blog, you know that I am in the midst of a two-week series on the Ten Hallmarks of an Effective Compliance Program, as it was first laid out in the 2012 FCPA Guidance. I find the series of events I outlined above, from our first week of study of the Tudor period of English history, illustrate a key theme of compliance programs. It is that compliance programs must be flexible and have the ability to evolve. Simply put, it is not in the business interest of US companies (or others subject to the Foreign Corrupt Practices Act (FCPA)) to have a static compliance program. Compliance programs must have the flexibility to respond to a wide variety of factors, including changing market conditions both inside a corporation and on the ground.

Moreover, companies need to have the flexibility to design, create and implement a compliance program that manages the risks they face. As companies mature in their compliance function, they can begin to manage additional and more sophisticated risks. For instance, audits of third parties should not begin when your compliance program is made operational. They should wait an appropriate period of time so that you have enough information to review and study.

Additionally, chronological developments drive more and greater compliance. Transaction monitoring is one clear area that has achieved significant growth in the past few years alone. If a static approach to compliance had been advocated by the Department of Justice (DOJ), this development might never have occurred.

Finally, the times of Henry VIII inform us that companies need to be ready to respond to events on the ground. Not only must companies have a compliance response to new products or services and entry into new markets; they must respond to new and more sophisticated ways to fund bribery and corruption. The sad fact is that the funding of bribery and corruption comes from a company’s own internal funds. Whether it is mis-labeling marketing expenses or charitable donations, burying commission payments in unauthorized discounts or making subsidiary financial statements so complicated that home office auditors cannot read them, businesses need to respond to the ever-changing landscape. The monies to fund bribes come from the company itself, thus there is always a fraud upon the company by its own employees.

The goal of any best practices compliance program is to prevent, detect and remediate. To achieve this the DOJ and Securities and Exchange Commission (SEC) give companies a wide latitude to achieve these goals. The FCPA Guidance says “each compliance program should be tailored to an organization’s specific needs, risks, and challenges, the information provided below should not be considered a substitute for a company’s own assessment of the corporate compliance program most appropriate for that particular business organization. In the end, if designed carefully, implemented earnestly, and enforced fairly, a company’s compliance program—no matter how large or small the organization—will allow the company generally to prevent violations, detect those that do occur, and remediate them promptly and appropriately.”

I have long been drawn to the lessons of history and what they teach us in the present day in the field of compliance. The reason the events of the 1520s and 1530s can and do resonate today is that they are based on the actions of people. I find these lessons build into how companies should think about compliance in the 21st century.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

Show notes for week ending August 19, 2016

  1. Tom Fox posts on Key Energy FCPA enforcement action: Part I, Part II and Part III.
  2. More Och-Ziff FCPA news as its “Fixer” is arrested for FCPA violations. See this FCPA Blog report.
  3. EU’s to Olympic committee arrested and charged with ticket scalping in Rio. See BBC story.
  4. SEC has second enforcement action against company attempting to prevent employees from going to the SEC with complaints of illegal conduct. This time in a post-employment separation agreement. See Dan Marshall story in the FCPA Blog.
  5. Keppel executives alleged to have known about their agent’s bribery to obtain Petrobras business. See Petro Global News story.
  6. Compliance is a business. See blog post.

Compliance is a business. That statement should not come as a shock or even a surprise to anyone who has worked in the corporate world. Every part of a business should work towards doing business. Yet many compliance practitioners and unfortunately some business types see compliance as the Land of No, led by the corporate equivalent of Dr. No.

The Department of Justice (DOJ), in the form of its Compliance Counsel, Hui Chen, has phrased it somewhat differently. In November 2015, at the New York University Program on Corporate Compliance and Enforcement, Chen provided her initial public comments about how she would consider the effectiveness of a compliance program. One of her points was that you should operationalize your compliance program by tying it to functional disciplines within your company. This means that Human Resources (HR), Payment, Audit, Vendor Management and similar corporate disciplines should be involved in the operation of your compliance program in their respective areas of influence. Then in April 2016 with the initiation of the DOJ Pilot Program around FCPA enforcement, under the remediation prong, the DOJ once again emphasized the operationalization of a company’s compliance program as a key metric in determining benefits under the program.

All of this leads me to conclude the DOJ (as well as the Securities and Exchange Commission (SEC)) wants to see compliance moved out into the business. This means that Chief Compliance Officers (CCOs) will need to move past the thinking that simply having a compliance program will be enough to make compliance effective. You must actually be doing compliance going forward. So what are some of the indicia of doing compliance as a business?

Compliance is a service within your organization. You could actually be a part of the profit generator for your company. Just as law departments generate business by doing transactions, compliance can be viewed as delivering services not only to the business unit but also third parties with whom the company does business. This means not only traditional transaction partners such as sales agents, representatives and distributors but also joint venture (JV) partners, teaming partners and others. Compliance can deliver compliance related services to these third parties as a profit center.

Doing compliance means doing business. There are multiple types of risks in a business: operational, regulatory and reputational, just to name a few. The effort to measure and then manage each of these risks can be led by the compliance function. The more efficiently these risks are measured (i.e. assessed), the more easily and efficiently these risks can be managed. This means that the business is not faced with a binary 1/0 or Go/No Go decision on risk. If compliance moved into measuring and then managing risk through the operationalization of compliance into the business unit, the process would help you to do business more efficiently and with greater profitability.

Compliance is a platform that not only makes your company a better-run organization but can also demonstrate the thoughtfulness and effectiveness of your compliance program should a regulator ever come knocking. Compliance as a business even satisfies the Tom Fox mantra of Document, Document and Document. This is because if you operationalize compliance into the fabric of your organization, compliance internal controls will touch every aspect of the employment experience in a way that is not obtrusive and will not slow down what you are trying to achieve.

Take compliance as a platform in HR. At every point in talent management, HR can insert compliance into the cycle. Those points include the pre-employment interview and screening, the interview process with progressively higher senior management, the initial on-boarding process, the quarterly, semi-annual or annual performance review, the annual bonus review, assessment and award, promotions and even exiting of an entity. The platform of compliance can record each of these touch points, and you now have an internal control burned into HR which is a compliance internal control. Further, if there is any attempt to circumvent or over-ride one of these HR internal controls involving the hiring of a son or daughter of a foreign governmental official, a red flag can be raised and sent to the compliance function for further review.

Compliance is a marketing platform. Some attention has been paid to the use of compliance as a recruiting and hiring tool for millennials. One of the facts of their generation is they want to work at companies which are seen to be doing business ethically, all the while making money. Moreover, as Ethisphere demonstrates annually with its World’s Most Ethical Company awards, businesses which win those awards, on average, exceed the New York Stock Exchange blue chip average for profitability.

Compliance embraces public advocacy. The Volkswagen (VW) emissions-testing scandal is one of the largest corporate scandals of the past few years. One thing that makes the VW scandal so unique is that it is one of the few scandals where a company’s actions were so transgressive they damaged the reputations of its competitors. As a response to the VW scandal, Ulrich Grillo, President of the German industry association BDI, recognized that compliance is the answer. He urged companies to check their management processes, including compliance and control systems. He suggested one of the key questions to ask should be “Are we doing everything right?” When you have the President of a national industrial association saying compliance is the answer, you need to sit up and take notice.

As we move from the legal-based model of compliance to the more mature understanding that compliance may well best be thought of as a business process, we begin to see how compliance can fit seamlessly into a business. This integration will allow a business to move more nimbly and with greater acumen. Compliance has been driven largely by legal requirements. The enactment of the Foreign Corrupt Practices Act in 1977, the implementation of the 1992 US Sentencing Guidelines, the passage of Sarbanes-Oxley in 2002 and Dodd-Frank in 2010 have all led to development and innovation in compliance. Now the DOJ is moving the bar again by talking about the operationalization of compliance and this development will continue to advance the corporate compliance function.


Kenny Baker died last week. For those not familiar with that name, you are most assuredly familiar with the character he played, that being R2D2. Baker had a long history in English vaudeville before filling the role of one of the most lovable characters in all of Star Wars. In his New York Times (NYT) obituary, Baker was quoted that “This film came along and I turned it down. I said, ‘I don’t want to be stuck in a robot, what for, for goodness sake.’” But take it he did and he loved it, later saying, “he would do it again for free.” Free or for pay, we are all better off for Kenny Baker’s decision.

Yesterday I began what I thought would be a two-part series on the Key Energy, Inc. (Key Energy) Foreign Corrupt Practices Act (FCPA) enforcement action. However (and as usual), I got carried away so today I will review the lessons to be learned from the underlying actions which led to the FCPA violations. Tomorrow, I will consider the actions taken by Key Energy to obtain the very good resolution the company achieved in the form of a declination from the Department of Justice (DOJ) and the profit disgorgement of $5MM.

The Key Energy matter concluded with the filing of an Order instituting a Cease and Desist Order (Order) in a Securities and Exchange Commission (SEC) administrative proceeding. The matter involved conduct in the US corporate office and also its Mexican subsidiaries, “Key Energy Services de Mexico S. de R.L. de C.V., and a service payroll company, Recursos Omega S. de R.L. de C.V., which is the legal employer of Key Energy’s employees in Mexico” and which were collectively referred to as “Key Mexico” in the Order.

The vast majority of the corrupt payments were made through a “Consulting Firm”, which had close connections with a Pemex official, who had decision making authority over Key Mexico contracts. The Consulting Firm apparently did not have a written contract with the company, the contract was not approved by the Key Energy legal department and did not go through any background due diligence, even though both were required under the Key Energy compliance program in place at the time of the issues involved. Even more amazing is that when these issues became known to the corporate headquarters of Key Energy, the third party was allowed to continue.

Yet even without the minimum of any enforcement of a contract management process or third party risk management process, Key Energy also failed in having a set of internal controls around payments. The Order noted that out of the $561,000 in payments made to the Consulting Firm, “at least $229,000 were payments made through April 2013 in connection with consulting services that were described in Key Mexico’s accounting system as “Expert advice on contracts with the new regulations of Pemex/Preparation of technical and economic proposals/Contract Execution.”” Such description of services is a clear red flag, which should always warrant additional investigation.

While Key Energy had a compliance program in place, it certainly did not engage in doing compliance. The corporate offices failed in the basic oversight of Key Mexico around compliance and did not monitor compliance in Mexico to “ensure they complied with and enforced anti-corruption policies and kept accurate records concerning payments to consultants and gifts to Mexican government officials.” Additionally, there was no oversight and monitoring by compliance or internal audit, who could enforce the requirements of the company’s anti-corruption compliance program or even clean up the mess with remedial actions.

Finally, there was one paragraph in the Order which demonstrated Key Energy’s complete failure of internal controls. More importantly, the SEC laid out in this same paragraph how the information about the violation could have been used by the company to stop the illegal conduct. In short, it lays out how transaction monitoring can be used on a case-by-case basis to detect and remediate illegal conduct and prevent it going forward. The specific issue was around monies made as a donation for a Christmas raffle intended to benefit Pemex employees.

No doubt there will be commentators who will use this paragraph to claim that money or gifts donated for customer raffles violate the FCPA. Such views miss the entire point of this paragraph. The Order stated, “in 2012, Key Energy approved Key Mexico’s contribution of gifts totaling approximately $118,000 to Pemex’s annual Christmas season celebration with the understanding that the gifts were to be intended for a raffle.” However, of this amount some $55,000 was designated to some 130 specific Pemex officials, not a general donation for the benefit of all Pemex employees.

The Order went on to specify the amount was nine times greater than the amount donated for the Christmas raffle for Pemex employees in 2010 and some 26 times the amount spent in 2011 for the same event. More interestingly, the SEC pointed out “Key Energy also failed to consider the implications of the explanation by Key Mexico’s country manager that the higher gift amount in 2012 was correlated to Key Mexico having done more business with Pemex that year.” If Key Energy had engaged in such transaction monitoring, it would have seen an increase in business with Pemex, which, of course, could then have been further investigated. As the Order noted, “Had Key Energy sought more information, it may have learned that Key Mexico was providing gifts to Pemex officials during a period Key Mexico was engaged in ongoing negotiations with Pemex, including negotiations to obtain additional funding for work required under its contracts with Pemex.”

This transaction monitoring analysis laid out by the SEC in its Order clearly signals that the SEC will be expecting this type of monitoring going forward. This means a Chief Compliance Officer (CCO) or compliance function will need visibility into not only gifts, travel, entertainment and donation spends in high risk areas but also sales information so they can be correlated and reviewed from the compliance perspective. This is a new level of detail we have not seen before.

Tomorrow will focus on Key Energy’s comeback in the face of its compliance failure.

 
