OthelloWhich play in Shakespeare’s cannon presents the biggest clash of cultures, which leads to the most catastrophic result? I would have to opine Othello, one of the great tragedies in all of Shakespeare. Othello, a Moor and General in the service of the Venetian republic, wins great honors on the fields of battle with the Turks. He also wins the hand of the lovely Desdemona. However, off the battlefields, Othello falls prey to the whiles of Iago, who convinces Othello of the infidelity of his bride. Othello murders his wife and then, realizing his mistake, takes his own life.

There are many culture clashes going on in the play. The military ethos vs. the deceit of civilian life, African tribal culture vs. the isolation of life in Venice, and even the warm bloodedness of a Moor vs. the chilly civilization of 16th century Venice. Yet it all leads to one thing – destruction.

One of the more difficult things to predict in a merger and acquisition (M&A) context is how the cultures of the two entities will merge. Further, while many mergers claim to be a ‘merger of equals’ the reality is far different as there is always one corporate winner that continues to exist and one corporate loser that simply ceases to exist. This is true across industries and countries; witness the debacle of DaimlerChrysler and the slow downhill slide of United after its merger with Continental.

In the Foreign Corrupt Practices Act (FCPA) space this clash of cultures is often seen. One company may have a robust compliance program, with a commitment from top management to have a best practices compliance program. The other company may put profits before compliance. Whichever company comes out the winner in the merger, it can certainly mean not only conflict but if the winning entity is not seen as valuing compliance, it may mean FCPA investigations and possibly even FCPA violations going forward.

A recent article by Andrew Hill, in the On management column in the Financial Times (FT), entitled “Dealmakers need new tools to predict M&A culture clash”, he focused on the fact that the “potential for cultural mismatch is usually one of the first red flags raised over complex deals.” He went on to state, “There is a crying need to improve the supposedly softer side of dealmaking and cut the great financial and psychological cost of finding out too late that the partners do not get on.”

Hill recognizes it is often difficult to begin such a discussion without engaging in cultural anecdotes or even cultural stereotypes, such as the French and the Americans will never get along or even appreciate how the other does business. Even such tried and tested methods based on “observation and interview can be unsystematic or prone to bias.” He also points out the problems with self-reported surveys that “go stale quickly or suffer from self-censorship.” This is even truer when one company has an ethos of punishing those who actually answer surveys honestly or report incidents. Finally, Hill notes that even questions by one group towards the other can bring a certain biting critique.

Of course all of this comes in the context of the employees from the acquired side that may be fearful for their jobs and employment prospects going forward. I once asked a friend going through a takeover what it was like and he said it was every employee for him or herself, each wondering when they would get axed. Certainly that is not positive either.

Yet even when working towards merging cultures in systematic manner, companies can make miss-steps. Hill points to the Hewlett-Packard acquisitions of Compaq as a classic example. He noted that after the two entities had “poured hours into their due diligence on their contrasting cultures before the deal was complete” which included 138 focus groups, consisting of 127 executives and 1600 staff in 22 countries, they still could not get it right. He pointed to the Compaq cultural value of keeping in touch with all employees through routine reports of what projects they were working on, clashing with the HP culture which saw this same action as “being micromanaged and not trusted.”

The quandary of how to determine cultural clashes is an ongoing problem during any acquisition. However, Hill reported that a new approach may provide some insight. A study, by University of California Professor Sameer Srivastava and Stanford University Professor Amir Goldberg, looked at it from a different angle; the email angle. They crunched “the language in 10.3m internal emails sent over five years by staff at a medium-sized technology company. Comparing the results against personnel records, they were able to map the trajectory of staff as they joined, got used to the culture and stayed, quit or were forced out. Among the findings: the reciprocal use of swear words in emails is one important clue to cultural fit; so are message exchanges about families.”

As Hill dryly noted, “Such studies are valuable not only for those building sweary or homely teams. They could tell managers more about subgroups within supposedly monolithic organisations”. I have previously written about Catelas, a software company that can review your internal emails to determine patterns that might detect nefarious conduct. If you couple the power of such software with the insights of Professors Srivastava and Goldberg, you might be able determine areas of compliance trouble in a merged entity.

This is all the more important with the compressed time frames required after an M&A to complete the acquisition integration as set out in the Ten Hallmarks of An Effective Compliance Program, as laid out in the 2012 FCPA Guidance. Coupled with the Opinion Release 08-02, involving Halliburton and two enforcement actions, Data Systems & Solutions LLC (DS&S) and Johnson and Johnson (J&J), the time frames for your post-acquisition, integration, investigation and any remediation are quite tight. The DOJ makes clear that rigor is needed throughout your entire compliance program, including M&A. This rigor should be viewed as something more than just complying with the FCPA; it should be viewed as just making good business sense.

FCPA Post-Acquisition Time Frame Summary 

Time Frames Halliburton 08-02 J&J DS&S
FCPA Audit 1.     High Risk Agents – 90 days

2.     Medium Risk Agents – 120 Days

3.     Low Risk Agents – 180 days

18 months to conduct full FCPA audit As soon “as practicable
Implement FCPA Compliance Program Immediately upon closing 12 months As soon “as practicable
Training on FCPA Compliance Program 60 days to complete training for high risk employees, 90 days for all others 12 months to complete training As soon “as practicable

Using the approach laid out by the Professors might well give you a leg up on any potential problems that need to be investigated, remediated and reported so that you can receive the benefits of meeting the post-acquisition time lines for a safe harbor. Such an analysis might also tell you if an acquired company or merger partner is as serious about compliance as your company is going forward.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

SECYesterday, I used a quotation from the Oscar winning animator, Chuck Jones who described two of his well-known creations, Roadrunner and Wily E. Coyote, by referring to philosopher George Santayana’s description of fanaticism when he articulated these cartoon characters as “redoubling your effort after you’ve forgotten your aim”. That would seem to be an excellent description for the pharmaceutical giant Novartis who recently settled a Foreign Corrupt Practices Act (FCPA) enforcement action for approximately $25MM. Yesterday I reviewed the underlying facts and today, I want to consider what the company did after it discovered the illegal conduct, what its obligations may be going forward and the lessons to be learned for the compliance practitioner.

As noted in the Securities and Exchange Commission (SEC) Cease and Desist Order (the Order), Novartis began its investigation based on an ongoing SEC investigation and “in response to media reports concerning a competitor in August 2013”. Based on this information the company “instituted an expansive review of its relationships in China with travel and event planning vendors.” Novartis actions should be well considered by every Chief Compliance Officer (CCO) and compliance professional going forward. If a competitor gets into FCPA hot water, whether through an investigation or enforcement action, this is clear signal for you to consider your company’s actions in the same area, whether that competition is in products, services or, in the case of Novartis, the same geographic area. Moreover, at this point in the history of FCPA enforcements if you are doing business in China you should take a deep review into your own operations and if you are looking to do business in China, you should put the appropriate anti-corruption protections and compliance internal controls in place.

Novartis’ internal investigation identified not only several weaknesses but also clear violations. The company found (1) “the vast majority of these vendors were retained in connection with events in which HCPs [health care providers] attended.” (2) There were a significant percentage of events that did not comply with existing compliance policies and procedures. The Order noted, “This included events for which no record existed to verify it had occurred, events for which inconsistent records existed, and events that could not be verified from available information.” (3) The company also determined through the internal investigation that its Chinese subsidiaries were using the mechanism of “travel agencies and similar vendors to plan events, funds were generated that were used to provide improper payments and other inducements to HCPs in order to increase sales of Novartis products.” Implicit in this find was that the company had not properly recorded these payments by and through travel agencies in its books and records.

In the Order section entitled, “Undertakings”, the SEC laid out what the company agreed to do on a go forward basis. Over a two-year period, they agreed to “(1) conduct an initial review and submit an initial report, and (2) conduct and prepare at least two follow-up reviews and reports”. This Initial Report is to be presented within six months after the entry of the Order and is to set forth “a complete description of its Foreign Corrupt Practices Act (“FCPA”) and anti-corruption related remediation efforts to date, its proposals reasonably designed to improve the policies and procedures of Respondent for ensuring compliance with the FCPA and other applicable anticorruption laws, and the parameters of the subsequent reviews”. The Follow Up Reports are “to further monitor and assess whether the policies and procedures of Respondent are reasonably designed to detect and prevent violations of the FCPA and other applicable anti-corruption laws”.

In an interesting limitation and one no doubt in response to HSBC Deferred Prosecution Agreement (DPA), where the US District Judge overseeing the terms of the DPA ruled that “the public has a First Amendment right to see the monitor’s report”. This was over the objections of HSBC, the Department of Justice (DOJ) and the Monitor. The Order reads, “The periodic reviews and reports submitted by Respondent will likely include proprietary, financial, confidential, and competitive business information. Public disclosure of the reports could discourage cooperation, impede pending or potential government investigations and thus undermine the objectives of the reporting requirement. For these reasons, among others, the reports and the contents thereof are intended to remain and shall remain non-public, except (a) pursuant to court order, (b) as agreed by the parties in writing, (c) to the extent that the Commission staff determines in its sole discretion that disclosure would be in furtherance of the Commission’s discharge of its duties and responsibilities, or (d) is otherwise required by law.”

While the both the SEC and Novartis recognize that these reports can (always) be released if compelled by court order, as this enforcement action was resolved in the SEC Administrative Process, there would seem less likelihood that an interested citizen or even John Q. Public would seek release of this information. Further, the reporting agreed to in this Order could arguably have some attorney-client privilege as opposed to an outside third party Monitor as was selected in the HSBC matter, who could not even argue attorney-client privilege.

Even with these key differences, it is interesting to see such language in this Order and it could well be a manner for companies and the government to use going forward to help to keep follow up reports to the government post settlement confidential and away from disgruntled shareholders or their lawyers who might want to use the information in follow-on shareholder litigation. Finally, this could be one more reason companies agree to the SEC Administrative Process, to keep such information out of the public eye.

 

Remember the quote “redoubling your effort after you’ve forgotten your aim” as this would certainly seem to be an apt way to think about doing business in China, particularly under any type of FCPA analysis. Yet Novartis clearly got the message and moved to investigate, remediate, self-report and then work to make sure such issues do not arise in the future. They are to be commended for their work in this area. It would benefit the CCO and compliance practitioner to review the                                                           solid lessons from the Novartis FCPA enforcement action, especially in these key areas: (1) fraud schemes to develop monies to pay bribes; (2) weaknesses in compliance internal controls; (3) the clear benefits of self-reporting; (4) robust and effective internal investigations; (4) remediation during the pendency of an investigation; and (5) creating a process to test the effectiveness of your compliance program going forward.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

Close to the EdgeDown at the edge, round by the corner.

Close to the edge, down by a river.

I continue to explore my list of Tom’s favorite prog rock albums by focusing today on the English band Yes. The group dominated prog rock in the early 1970s with three great albums; The Yes Album, (1971), Fragile (1971), and Close to the Edge (1972). For my money Close to the Edge is the top of the three. Will Hermes, writing in Rolling Stone, said, “Yes’ greatest prog statement is a complex pair of multi-part suites, plus the dazzlingly unintelligible showpiece.” A headphone journey with album’s cryptic lyrics are well worth the trip. The album was released just eight months after Fragile. While drummer Bill Bruford left the band after the grueling studio sessions, the album “might be his ultimate showpiece. He quoted Rush’s Geddy Lee that Close to the Edge, is “To my mind, Yes may be the single most important of all the progressive rock bands and that it is “among my favorite rock albums of all time.”

The single Close to the Edge encapsulates prog rock about as well as one song can. I agreed with its entry in Wikipedia, that the song’s glory is revealed immediately as the song opening fades in with the sounds of running water, wind chimes, and birds chirping; a layering of sounds derived primarily from “environmental tapes” collected by lead vocalist Jon Anderson. These nature sounds fade into a crescendo and into a somewhat menacing guitar solo, the backdrop for which is a cacophonous musical passage that serves as a replacement for the natural cacophony that preceded it. The guitar solo is punctuated by a series of sudden vocals. Again, a crescendo signals a transformation, this time into a more down to earth melody. Like a classical composition, this melodic passage is the establishment of a theme that will go through many variations throughout the life of the song. The lyrics themselves come are inspired by the Hindu/Buddhist mysticism of Hermann Hesse’s book Siddhartha. It does not get much better than this.

I thought about all this interconnectedness when I read a recent article from the Harvard Business Review (HBR), entitled “How Smart, Connected Products are Transforming Companies”, by Michael E. Porter and James E. Heppelmann. While the focus of their article was on new products they also had some interesting insights into both the interconnectedness of processes and structures, which apply to the compliance practitioner going forward. I call it “connected compliance.”

Process in Connected Compliance

Processes are being reshaped by the data which is now available and more “intense coordination among [corporate] functions is now required.” Regarding structures, the authors believe, “new forms of cross-functional collaboration and entirely new functions are emerging.” I will explore both in this post.

Obviously compliance is a permanent process. Yet it should also be a continuous process. The data from a wide variety of sources should be used to track the types of risk that compliance professionals must manage. This begins with third parties. Continuous monitoring of third party watch lists seems almost pedestrian now yet many companies do not understand they have a continuing obligation to understand who they are doing business with, even after the contract is signed. Put simply, due diligence once every two years is a recipe for trouble. But this type of information should not only be limited to third parties’ in your sales business. You should also consider your exposure from your customers.

However, what if a large part of your company is exposed to the financial risk of a corrupt company slowing down its business? If you are in the auto supply business or even the software industry, have you considered how much of your business is at risk through your relationship with a company like Volkswagen (VW)? Most Foreign Corrupt Practices Act (FCPA) risk analysis considers corruption risks involving third parties in the sales arena or vendors that come in through the Supply Chain, now, based upon the VW, Petrobras or you name the scandal, you may need to know the corruption propensity of your customers as well.

Finally, connected compliance will help make people, materials, energy, plant and equipment far more productive, and the repercussions for business processes will be felt throughout the economy. The authors’ state, “We will see a whole new era of “lean.” Data flowing to and from products will allow product use and activities across the value chain to be streamlined in countless new ways.” For the compliance practitioner, waste will be cut or eliminated. Connected compliance will also allow a compliance solution to be delivered when certain thresholds are met, rather than according to a schedule. New data analytics will lead to previously unattainable efficiency improvements and allow you to do more business in compliance going forward.

Structures in Connected Compliance

Just as processes will evolve in connected compliance, so will structures. As the authors note, the classical organizational approach combines “two basic elements: differentiation and integration. Dissimilar tasks, such as sales and engineering, need to be “differentiated,” or organized into distinct units. At the same time, the activities of those separate units need to be “integrated” to coordinate and align them.” Connected compliance will have a major impact on both differentiation and integration in your company going forward.

This structural changes means that compliance will be integrated into diverse functional units of the company such as manufacturing, logistics and SC, sales and finance. This integration across functional units will occur through the business unit leadership team and through the design of formal processes for connected compliance with multiple units having roles.

This sounds quite like burning compliance into the DNA of your company. It is. However connected compliance gives you the means and methods to think through how to accomplish this goal. You will have to coordinate between and across multiple functions within your organization. It will require the critical function of not only data management but also data analysis. What does it all mean?

The authors believe that such an approach will require “dedicated data groups that consolidate data collection, aggregation, and analytics, and are responsible for making data and insights available across functions and business units.” Once again the compliance function is uniquely situated to be at the fulcrum of this connectedness. No other discipline within an organization can tap into so many areas and have such an effect. Scott Lane, Executive Chairman of the Red Flag Group, has described this as a straight line of sight. Connected compliance indeed.

It is through connected compliance that all groups within a company will become responsible for compliance. The integration of this data into compliance is still viewed as cutting edge; nonetheless companies have this data, structured within their own ERP systems. Connected compliance will allow senior management to view information to make the business more efficient and allow a company to take more risk because the risks will be managed more effectively.

Today, I present all three of the great Yes albums for your listening pleasure…

To listen to The Yes Album on YouTube, click here.

To listen to Fragile on YouTube, click here.

To listen to Close to the Edge on YouTube, click here.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

George KennedyGeorge Kennedy died this week. He was one of the few actors who went from playing tough guys to being a hit in comedies. According to his obituary in the New York Times (NYT), Kennedy played “vicious killers, bumbling lawmen, saddle tramps, bank robbers, scowling bullies – anybody you’d be foolish to mess with or trust in an emergency who played tough guys, oafs, G.I.’s and a bonanza of cowboys as one of Hollywood’s most versatile and durable character actors. He portrayed them all in more than 200 films and television productions in an acting career that spanned nearly five decades. He also won an Oscar as the best supporting actor of 1967 for his performance in the Paul Newman film “Cool Hand Luke”(pictured left).

In a late career twist he moved to ironic comedy starring in the “cult favorite “The Naked Gun: From the Files of Police Squad!” (1988) and its sequels, “Naked Gun 2 ½: The Smell of Fear” (1991) and “Naked Gun 331/3: The Final Insult” (1994), Mr. Kennedy played Capt. Ed Hocken, wincing and grimacing at the wreckage wrought by Mr. Nielsen’s bumbling Lt. Frank Drebin.” Sometimes to win all you need is a real cool hand.

One of the things Chief Compliance Officers (CCOs) and compliance practitioners face is how to scale up a compliance program for dramatic growth, which can occur organically and sometimes inorganically through acquisitions. However, in both situations a CCO, who is a single compliance resource for a company, may need to scale up quickly. A recent Harvard Business Review (HBR) article authored by Ranjay Gulati and Alicia DeSantola, entitled “Start-Ups That Last”, looked at this scalability issue in the context of start-ups.

I found that their insights could be useful for the compliance professional who might confront the issue. This is because scaling up your compliance function does not mean the CCO should disavow who is personable and accessible. Nonetheless you need to be prepared to manage that corporate growth and to learn new ways of operating and behaving. This will provide a stronger and more effective compliance program in the long term.

For a single source compliance functionary, who knows everyone and is accessible to everyone in the organization, it is sometimes difficult to begin to delegate out. The egalitarian nature of such an operation cannot be denied. Moreover, there tends to be consistency when one person makes the decisions. However this situation can lead to bottlenecks when there is simply too much work to do. The authors note, “organizations spin out of control as centralized authority becomes a bottleneck that hinders information flow, execution and decision making.”

Hierarchy is not always bad. The key is to put structures in place that remain flexible enough to keep the company moving forward in the right direction but does not discourage solo contribution. However, the CCO must work to keep from having too many layers in the decision making process while provided the second set of eyes and that any best practices compliance program requires. You should try to find the balance between formal structures with informal communications up and down your chain. Such a communication system can help streamline and make more efficient the process of compliance. Finally, this will help you to embed compliance within the fabric of your organization.

The next area the authors discuss is not one usually considered by a CCO or compliance practitioner. It is planning and forecasting with discipline. In the compliance realm, we usually will posit a risk assessment and use the results as a road map for a 1, 3 or 5 year game plan. However, if you can move from this process to more robust forecasting, you can have a framework in place that allows you to test how new compliance initiatives are received and also react more dynamically to the business market, “with an eye towards larger objectives and sustaining” compliance.

You need to begin with strategic planning. This is moving beyond simply ‘what I want to be when I grow up’ to regular goal-setting to build your long-term compliance vision for the company. You can sit down with your business lead counter-parts and ask what is there strategic vision for both products and markets? If they identify Brazil as a huge growth opportunity, then you will need to forecast out what their team will need from the compliance perspective. More pointedly, what processes and protocols can you put in place that will allow the business team to move into Brazil seamlessly, both on the operational and tactical level?

Here technology can be a real leg up for you and your compliance program. By using both data analytics and transaction monitoring, you can be more nimble to deliver a proscriptive compliance solutions going forward. Further, once a solution is determined you can then scale that solution companywide, as circumstances dictate. The authors note, “Setting clear goals and guidelines, systemically gathering and sharing information to shed light on performance and enable better forecasting, and creative processes instead of relying on key individuals” are all hallmarks that your program is running more efficiently.

A final area the authors consider is how to sustain a culture when scaling up. This is something near and dear to every CCO or compliance practitioner’s heart as we are motivated to do the most business in compliance with our company’s ethics and ethos. Obviously it will be important to sustain this cultural ethos during times of rapid growth. You must work to codify and then reinforce this cultural ethos going forward. Obviously a robust Code of Conduct and written compliance programs are important first steps but they must be reinforced in the face of rapid business and personnel growth. Indeed, it starts with the hiring process as your first touch point to communicate the company’s expectations around compliance and weed out those who may not have the same business ethics that you stand for going forward.

Equally important is to continue this communication, with founding members or senior executives of the company being ambassadors for compliance. This is more than simply good tone at the top. This is senior management holding town halls around your ethical culture, holding compliance moments and using social media tools to talk to and listen to employees about issues around compliance.

I once worked at a software company that held ‘Final Friday’s’ where employees could all get together and visit with senior management. Initially these were held weekly. However, as the company grew they were moved to monthly and then quarterly and even as they became less frequent, they actually gained in popularity because it not only reminded everyone of some far off nostalgic days that may never have actually existed but it allowed everyone to get together in a collegial atmosphere. You can try something like that through the social media tools of Blab or Periscope.

As a CCO who is the sole member of a corporate compliance department, you may have created something very special and unique. The authors end with the comment, “Between the extremes of ad hoc and prescriptive organizing, there’s a useful middle ground.” By moving towards this place, you, as the CCO, can make your company more nimble, more efficient and may well provide to your company a market differentiator.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

CorruptionToday, I continue my exploration of the lessons to be learned from the VimpelCom Ltd. (VimpelCom) Foreign Corrupt Practices Act (FCPA) enforcement action. While it is clear that the company and its Uzbeki subsidiary, Unitel LLC (Unitel), engaged in an intentional bribery scheme and probably not even a best practices compliance program would have helped prevent the corrupt acts admitted by the company, there remain significant education to be mined from both VimpelCom’s and Unitel corrupt acts. Yesterday, I explored the role of VimpelCom’s Board of Directors and senior management in the failure, together with the fraudulent stock transfer. Today I want to look at the more mundane bribery schemes to instruct the Chief Compliance Officer (CCO) or compliance practitioner regarding what to look for going forward.

It must be emphasized, and even re-emphasized, that VimpelCom knew exactly what it was doing, worked very hard to hide it and lied internally about what it was doing. Of course it lied publicly as well via fraudulent books and records.

For review, Unitel funded its bribes to the Uzbeki government official through a variety of mechanism. The summary is as follows:

Bribery Scheme Amount of Bribe Paid Time Frame
Fraudulent Buy-Out $37.5MM March, 2007
Outright Cash bribe for 3G network $25MM November, 2011
False Consulting Invoices for 4G Network $2MM

$30MM

2008

2011

Corrupt Reseller Payments $10MM

$10MM

2011

2013

Total $114.5MM

Bribes Paid for 3G and 4G Networks

According to the Unitel Deferred Prosecution Agreement (DPA), the company paid bribes related to the acquisition of 3G frequencies in 2007. They were falsely recorded in VimpelCom’s consolidated books and records as the acquisition of an intangible asset, namely 3G frequencies, and as consulting expenses. In 2008 another bribe was falsely recorded in the consolidated books and records as “submission and support documentation packages seeking assignment of 24 channels to Unitel” and treated as an acquisition of an intangible asset and consulting services. Finally, the 2011 bribe related to consultancy services associated with the acquisition of 4G frequencies in 2011 was falsely recorded in their consolidated books and recorded as “consulting services” and treated as consulting services and as an acquisition of an intangible asset, namely 4G frequencies.

All of these bribes were paid to a shell company that was controlled by a daughter of a foreign official. The $2MM bribe paid, according to the DPA, was an additional obligation incurred “from the moment of payment for the acquisition of Unitel.” There was a vague attempt to hide this bribe for services but the in-house counsel involved noted that the “payout term of the amount was not specified” and the in-house attorney did “not know if all the services listed in the presentation [had] to be fulfilled as a condition for the payment.” There was a later attempt to create a sham contract for these services and backdate the contract to cover this bribe payment.

The payment of $30MM in 2011 was equally fraudulent on the company’s books and records. While it was allegedly for help in procuring some 4G licenses from the Uzbeki government, the company neither needed nor wanted these 4G licenses. The whole deal smelled so bad that one witness said, “I cannot see how I can be able to sign off on this…unless the legal FCPA analysis can clarify this and settle my concerns.”

So VimpelCom moved forward to obtain an opinion from an outside counsel. However it did so without providing outside counsel its own knowledge that a foreign official owned the shell company, through which the payments were directed, and did not provide information on the nature of the transaction or its high dollar value. It was so bad that the same witness cited above asked if “VimpelCom had received any official ‘ok’ from US Governmental body/SEC”? Unfortunately VimpelCom’s in-house counsel did not bother to provide accurate information for outside counsel to review and opine upon; coupled with an outside counsel who did not appear to know to ask the basic questions about the ownership structure or to investigate on its own. Finally, VimpelCom’s in-house counsel viewed its sham due diligence report as a legal defense if a FCPA allegation arose.

False Reseller Payments

After the previously noted payments, the corrupt foreign official was paid another $20MM in 2011 and 2013. This is far past conduct in 2005 and is much nearer in time to the present. This clearly demonstrates a company’s commitment to continued bribery and corruption. However, “Because of significant currency conversion restrictions in Uzbekistan and the inability to use Uzbek som (the Uzbek unit of currency) to obtain necessary foreign goods, UNITEL frequently entered into non-transparent transactions with purported “reseller” companies to pay foreign vendors in hard currency for the provision of goods in Uzbekistan. Typically, UNITEL would contract with a local Uzbek company in Uzbek som, and that Uzbek company’s related companies located outside of Uzbekistan would agree to pay an end supplier using the hard currency (usually, U.S. dollars).”

To pay these bribes Unitel entered into contracts for services with certain resellers that were neither necessary or where payments were made at highly inflated prices. Additionally, these contracts were made through contravention of the company’s internal controls as they “were approved without sufficient justification and bypassed the normal competitive tender processes. How fraudulent were these resellers? It was noted, “the office was “located in an old run-down house [building], without any signage” and “[t]here were no specialists [or technicians] there.” The employee recommended against using the reseller company as a contractor for UNITEL, as it was “not qualified and there are big risks . . . .” The employee who reported this was forced to “voluntarily resign”. Finally, when there was an attempt to audit these fake resellers, executives at Unitel stalled their own internal auditors and, when finally forced to present them for audit, claimed the “transaction was “not a reselling operation,” which resulted in the purported reseller company contract being removed from the audit.”

Failures

The failures up and down the VimpelCom and Unitel chain are simply mindboggling. Even when confronted with an employee who clearly understood and articulated that the transactions at issue were potential FCPA violations, senior management engaged in conscious avoidance to the violation. VimpelCom’s in-house counsel most likely committed criminal acts by limiting the information presented to outside counsel to fraudulently obtain a favorable opinion of counsel that the transaction passed muster. Basic internal controls were lacking or were completely over-ridden in selecting and using the resellers for services the company did not need or want.

Further, the company did not have any system for conducting, recording or verifying due diligence on third parties. The company did not require that consulting agreements or other contracts with third parties be for actual services or have any way to verify services were performed. There was a lack of appropriate controls around payments to single sourced vendors and a failure to audit third parties.

The VimpelCom case will be studied for some time for the failure of an entire compliance system.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016