In this episode, Jay Rosen and I take a look at some of the top compliance stories over the past week.

  1. Are CCOs at risk? Indeed, should the entire compliance industry be running for cover? Adam Dobrik explores the question in GIR. Court Golumbic explores it in “‘The Big Chill’: Personal Liability and the Targeting of Financial Sector Compliance Officers” in the NYU Compliance and Enforcement Blog.
  2. Tom and Mike Volkov argue the new FCPA Corporate Enforcement Policy has ended, once and for all, the debate around amending the FCPA to add a compliance defense. See Tom’s article in Compliance Week Magazine and listen to Mike Volkov’s podcast.
  3. The FCPA will be with us for years to come, argues Jaclyn Jaeger in her Compliance Week piece, “How the FCPA withstands the test of time.”
  4. Teva Pharmaceuticals resolves bribery case with Israeli authorities. Chiam Gelfand reports in a guest post on the FCPA Blog.
  5. Ben DiPietro considers whether AI will have machine executable rules, in the Wall Street Journal Risk and Compliance Report.
  6. Roy Snell publishes a heartfelt letter to retiring Pat Kelly, the FBI Integrity and Compliance Officer in the SCCE Blog.
  7. Matt Kelly explores the salary misconduct penalty in two posts on his Radical Compliance blog, The Salary Penalty for Misconduct and More Thoughts. Matt & I explored the issue on the most recent episode of Compliance into the Weeds.
  8. Jonathan Marks explains why skepticism is an auditor’s friend in Skepticism – a Weapon to Fight Fraud in his Board and Fraud blog.
  9. Join Tom’s monthly podcast series on One Month to a More Effective Compliance Program, sponsored this month by Convercent. In January, I bring together the entire year of compliance program best practices with 31 days to a more effective compliance program. It is available on the FCPA Compliance Report, iTunes, Libsyn, YouTube and JDSupra.
  10. Tom announces his next Compliance Master Class, sponsored by Marcum LLP. It will be held on February 12 & 13 at Marcum’s offices in Miami, FL. More information, a copy of the agenda, and registration are available on my website, FCPA Compliance Report, or at Marcum LLP.
  11. Join Tom and Dun & Bradstreet CCO Louis Sapirman for an SCCE Webinar on 360-Degrees of Compliance Communication. Registration and information are available here.
  12. Jay is too worried about Tom Brady’s hand to get out a weekend report. Should he be? Jacob Feldman reports in Sports Illustrated.
  13. We preview this week’s NFL playoffs.

In this episode, the top compliance roundtable podcast returns with a look back at some of the top FCPA, compliance and data privacy/data security issues from 2017 and how they inform what will be the top such issues in 2018 by looking forward. 

  1. Jay Rosen considers the new Justice Department FCPA Corporate Enforcement Policy and what it will mean for compliance practitioners and compliance programs in 2018 and beyond. 

For Jay Rosen’s post on the new FCPA Corporate Enforcement Policy, see the following:

Jay Rosen’s Most Significant FCPA Event from 2017 – FCPA Corporate Enforcement Policy (or a 5 Min History of How We Got From There to Here)

  2. Jonathan Armstrong looks at a fascinating couple of cases working their way through the English courts, the Morrisons and Carphone Warehouse cases. They each have very interesting angles, including the reliability of audit staff, liability of the employer for an employee’s criminal acts, and individual criminal liability in the data breach situation.

For Cordery Compliance’s posts touching on these cases, see the following:

Client Alert: Morrisons Data Breach Litigation Succeeds

Client Alert: Carphone Warehouse fined under data breach

  3. Matt Kelly returns to his vendor management soapbox to explore the intersection of FCPA compliance and data security. He considers some of the top data security breaches of 2017, the SEC response from the regulator perspective and, most importantly, the business response, both up and down the Supply Chain.

For Matt Kelly’s post on this topic, see the following:

Microchip Meltdowns and Vendor Risk

  4. Tom Fox sits in for Mike Volkov this week. Tom discusses the continued internationalization of anti-corruption investigations and enforcement which began in earnest in 2016. He details some of the notable cases, including the Rolls-Royce matter, Keppel Offshore, SBM Offshore and the Telia case, and explores what these enforcement actions may portend for compliance practitioners and compliance programs going forward.

For Tom Fox’s post on the continued internationalization of anti-bribery/anti-corruption enforcement, see the following: 

DOJ-Aggressive International Anti-Corruption Enforcement to Continue

Rants follow at the end. 

The members of the Everything Compliance panel include:

  • Jay Rosen – Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at
  • Mike Volkov – One of the top FCPA commentators and practitioners around and the Chief Executive Officer of The Volkov Law Group, LLC. Volkov can be reached at
  • Matt Kelly – Founder and CEO of Radical Compliance, is the former Editor of Compliance Week. Kelly can be reached at
  • Jonathan Armstrong – Rounding out the panel is our UK colleague, who is an experienced lawyer with Cordery in London. Armstrong can be reached at

Do you recall the boycott of South Africa from the 1970s and 1980s as a lexicon of the global fight against apartheid? The boycott extended from business to sporting events and everything in between. The campaign was one of the key reasons for the fall of the white minority government. Now a new campaign fighting the specter of corruption in the country may be gaining traction as the New York Times (NYT) has reported that South African President Jacob Zuma agreed to set up a nationwide corruption commission to look into allegations of rampant corruption through looting of government agencies and state-owned entities, most particularly through Zuma’s links with the Gupta family. Zuma had long resisted such calls from government officials and even members of his own political party, the African National Congress (ANC).

There is not much doubt one of the companies to be investigated will be McKinsey and Company (McKinsey) and a transaction it worked on in 2015 and 2016 for the South African state-owned utility Eskom and a company controlled by the Gupta family named Trillian Capital Partners Ltd. (Trillian). In Q3 of 2017, reports began circulating about this transaction. In response, McKinsey conducted an internal investigation and claimed it did not find any evidence of payment of bribes or other corruption illegal under the Foreign Corrupt Practices Act (FCPA). The report did find that the company had failed to follow its own internal compliance policies, procedures and internal controls by doing business with a third party which had not gone through the company’s full due diligence process. Additionally, McKinsey placed a partner in South Africa on a leave of absence. This partner had been involved in bringing a subcontractor, alleged to be either a politically exposed person (PEP) or a conduit to a PEP, into a consulting contract with McKinsey, and the question of “whether it knowingly let funds from state power utility Eskom be diverted to a Gupta company as a way of securing a $78 million contract to advise Eskom.”

The project which brought McKinsey to grief involved a restructuring plan for a South African state-owned utility, Eskom. The next step was to be implementation of the plan, for which McKinsey was to be paid up to $370MM over four years. This amount was characterized in one internal McKinsey report as “exorbitant”. However, it was not price gouging which implicates the FCPA. It was McKinsey’s work with a business partner on the implementation, Trillian. Eskom allegedly pointed McKinsey to partner with Trillian as a part of the requirement to work with a black empowerment partner. It turned out that Trillian was associated with the Gupta family. Six months after beginning work, McKinsey had not inked a contract with Trillian and Eskom pulled the implementation contract, after McKinsey had billed “only” $76MM.

McKinsey has said that it has not uncovered any illegal payments under the FCPA. However, the FCPA also prohibits the corrupt “offer, payment, promise to pay, or authorization of the payment of any money, or offer, gift, promise to give, or authorization of the giving of anything of value to” a foreign official. Over-paying for a contract and having some of the over-payment rebated to foreign officials is a well-known bribery scheme. It would be easy to envision a bribery scheme where there is an “exorbitant” amount paid to the prime contractor, which then hires a subcontractor who receives a very high fee for bringing very little or indeed nothing to the project. Another tactic could be to simply begin a project before due diligence is completed, then, if it comes back with uncleared red flags, claim the company is now contractually obligated to complete the work. Finally, there is simply the old-fashioned wink, wink, nod, nod where there is an ‘understanding’ the bribe receiver will be taken care of at some point in the future.

Further, even if there were no illegal payment or illegal promise to pay, there is the matter of McKinsey violating its own internal compliance controls, which can be a separate FCPA violation, even without evidence of bribery and corruption. At one point, McKinsey had said it had done nothing which would require it to self-report to the Justice Department. John Gapper, writing in the Financial Times (FT), said “This seems to be setting the reputational bar rather low.” It turns out his thoughts were not the final word on the subject.

Early this week, South African prosecutors ordered McKinsey to forfeit its share of the Eskom contract “after prosecutors argued that the fees may be the proceeds of corruption.” While McKinsey has previously apologized for “several errors of judgment” from its work on the project, it continues to proclaim its overall innocence, stating, “We are returning the money not because we have done anything wrong but because Eskom has told us they did not follow the appropriate process.”

Recent revelations about McKinsey and others in South Africa over allegations of corruption have driven home a truism that many in the compliance space have known for some time: that South Africa has become one of the most corrupt countries on earth. When you couple a structural requirement, baked into every government contract with a non-South African company, for a local content partner with a corrupt system, you have a recipe for rampant corruption. Such would appear to be the situation in South Africa today.

The Gupta family is widely viewed as the true power behind sitting President Zuma. The Guptas’ fingerprints are all over the transactions involving McKinsey and others. Yet these are only the highest-profile allegations of corruption claimed to be ongoing in the country. Foreign companies are routinely directed to certain players under the Black Economic Enterprise (BEE) requirement for a local South African partner. This alone is a well-known red flag under any anti-corruption compliance program.

With all the public information coming out of South Africa, it is not surprising to see reports that the FBI is now investigating US companies with ties to the Gupta family. Eric Holder has publicly stated he would not be surprised if the Department of Justice was investigating US companies for their actions in South Africa. With these revelations, one must wonder if an FCPA country sweep, with the Justice Department focusing on South Africa, is just around the corner.

Similar questions might be asked in the United Kingdom, as Lord Hain has accused the law firm of Hogan Lovells of aiding corruption at South Africa’s revenue service and has apparently referred the firm to the UK’s Solicitors Regulation Authority for investigation. With South Africa’s continuing commercial connection to Great Britain, the same question might be asked of the UK government, most specifically the Serious Fraud Office and other authorities under the UK Bribery Act.

For US and UK companies doing business with the South African government, now is the time to review your third-party risk management protocol for any local agents, distributors or partners in South Africa. If your company comes under scrutiny through a follow-on case, it may well fare much worse than a company which cleans itself up sooner rather than later.


This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2018

I. Legal Requirements of the Board Regarding Compliance

A. Case Law

As to the specific role of ‘Best Practices’ in the area of general compliance and ethics, one can look to Delaware corporate law for guidance. The case of In Re Caremark International Inc. was the first case to hold that a Board’s obligation “includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by non-compliance with applicable legal standards.”

In the case of Stone v. Ritter, the Supreme Court of Delaware expanded on the Caremark decision by establishing two important principles. First, the Court held that the Caremark standard is the appropriate standard for director duties with respect to corporate compliance issues. Second, the Court found that there is no duty of good faith that forms a basis, independent of the duties of care and loyalty, for director liability. Rather, Stone v. Ritter holds that the question of director liability turns on whether there is a “sustained or systematic failure of the board to exercise oversight – such as an utter failure to attempt to assure a reasonable information and reporting system exists.”

According to Haynes and Boone in its publication, “Corporate Governance and the Role of the Board”, a director’s business decisions generally qualify for protection by the “business judgment rule.” Under the business judgment rule, courts presume that directors making business decisions acted on an informed basis, in good faith, and with the honest belief that the action taken was in the best interests of the corporation. In lawsuits brought against directors by shareholders, courts applying the business judgment rule will determine only whether the directors making the decision (i) were free from conflicts of interest, (ii) appropriately informed themselves before taking the action, and (iii) acted after due consideration of all relevant information that was reasonably available. Under the business judgment rule, the board’s action will not subject board members to liability if the action or decision of the directors can be attributed to any rational business purpose. Directors that meet the criteria of the business judgment rule do not have to worry about having their business decisions second-guessed by a court, even where their decisions result in corporate losses.

B. FCPA Guidance and US Sentencing Guidelines

A Board’s duty under the Foreign Corrupt Practices Act (FCPA) is well known. In the Department of Justice (DOJ)/Securities and Exchange Commission (SEC) 2012 FCPA Guidance, under the Ten Hallmarks of an Effective Compliance Program, there are two specific references to the obligations of a Board. The first in Hallmark No. 1, entitled “Commitment from Senior Management and a Clearly Articulated Policy Against Corruption”, states “Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.” The second is found under Hallmark No. 3 entitled “Oversight, Autonomy and Resources”, where it discusses that the Chief Compliance Officer (CCO) should have “direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors (e.g., the audit committee).” Further, under the US Sentencing Guidelines, the Board must exercise reasonable oversight on the effectiveness of a company’s compliance program. The DOJ’s Prosecution Standards posed the following queries: (1) Do the Directors exercise independent review of a company’s compliance program? and (2) Are Directors provided information sufficient to enable the exercise of independent judgment?

From the Delaware cases, a Board must not only have a corporate compliance program in place but actively oversee that function. Further, if a company’s business plan includes a high-risk proposition, there should be additional oversight. In other words, there is an affirmative duty to ask the tough questions. The specific obligations set out regarding the FCPA drive home these general legal obligations down to the specific level of the statute.

II. Prudent Discharge of Compliance Obligations

What are the obligations of a Board member regarding the FCPA? Are the obligations of the Compliance Committee under the FCPA at odds with a director’s “prudent discharge of duties to shareholders”? Do the words prudent discharge even appear anywhere in the FCPA? In a webinar entitled “Reporting to the Board on Your Compliance Program: New Guidance and Good Practices”, Rebecca Walker and Jeffery Kaplan explored these and other issues.

As to the specific role of ‘Best Practices’ in the area of general compliance and ethics, Walker looked to Delaware corporate law for guidance. She cited the case of Stone v. Ritter for the proposition that there is “a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists.” From the case of In re Walt Disney Company Derivative Litigation, she drew the principle that directors should follow the best practices in the area of ethics and compliance.

According to Haynes and Boone in its publication, “Corporate Governance and the Role of the Board”, a board’s role is not to actually manage the company, but instead to oversee and monitor the management of the company. In the realm of compliance, this means the Chief Compliance Officer. The board has the responsibility to fulfill the role of strategic and business advisor to management of the company. In addition, the board has the role of monitoring the performance of the compliance function, including monitoring its performance using customary economic metrics, and by overseeing compliance with applicable laws and regulations. While the board is not responsible for auditing or ferreting out compliance problems, it is responsible for determining that the company has an appropriate system of internal controls. The board should also monitor company policies and practices that address compliance and matters affecting the public perception and reputation of the company. Every company should ensure that it conducts appropriate compliance training for employees and conducts regular compliance assessments. Finally, the board must take appropriate action if and when it becomes aware of a material problem that it believes management is not properly handling.

There is no reference to prudent discharge in the FCPA itself. However, a Board member might well think more than twice about the prudent discharge of duties to the shareholders as both the DOJ and SEC now might well wish to look into a Board’s prudent discharge of duties under the FCPA.

What is the value of having a Code of Conduct? I have heard many business folks ask that question over the years. In its early days, a Code of Conduct tended to be lawyer-written and lawyer-driven, to wave in a regulator’s face during an enforcement action by using it to claim we are an ethical company. Is such a legalistic code effective? Is a Code of Conduct more than simply your company’s law? What should be the goal in the creation of your company’s Code of Conduct?

In the 2012 FCPA Guidance, the DOJ and Securities and Exchange Commission stated, “A company’s code of conduct is often the foundation upon which an effective compliance program is built. As DOJ has repeatedly noted the most effective codes are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf. Indeed, it would be difficult to effectively implement a compliance program if it was not available in the local language so that employees in foreign subsidiaries can access and understand it. When assessing a compliance program, DOJ and SEC will review whether the company has taken steps to make certain that the code of conduct remains current and effective and whether a company has periodically reviewed and updated its code.”

In the article “Essential Elements of an Effective Ethics and Compliance Program” in the Society for Corporate Compliance and Ethics (SCCE) 2017 Complete Compliance and Ethics Manual, authors Debbie Troklus, Greg Warner and Emma Wollschlager Schwartz state of your company’s Code of Conduct: “First and foremost, the standards of conduct demonstrate the organization’s overarching ethical attitude and its ‘system-wide’ emphasis on compliance and ethics with all applicable laws and regulations.” They go on to state, “The code is meant for all employees and all representatives of the organization, not just those most actively involved in known compliance and ethics issues. This includes management, vendors, suppliers, and independent contractors, which are frequently overlooked groups.” From the board of directors to volunteers, the authors believe that “everyone must receive, read, understand, and agree to abide by the standards of the Code of Conduct.”

There are several purposes which should be communicated in your Code of Conduct. The overriding goal is for all employees to follow what is required of them under the Code of Conduct. You can do this by communicating those requirements, providing a process for proper decision-making and then requiring that all persons subject to the Code of Conduct put these standards into everyday business practice. Such actions are some of your best evidence that your company “upholds and supports proper compliance conduct.”

The substance of your Code of Conduct should be tailored to your company’s culture, and to its industry and corporate identity. It should provide a mechanism by which employees who are trying to do the right thing in the compliance and business ethics arena can do so. The Code of Conduct can be used as a basis for employee review and evaluation. It should certainly be invoked if there is a violation. Your company’s disciplinary procedures should be stated in the Code of Conduct. These would include all forms of discipline, up to and including dismissal, for serious violations of the Code of Conduct. Further, your company’s Code of Conduct should emphasize that it will comply with all applicable laws and regulations, wherever it does business. The Code needs to be written in plain English and translated into other languages as necessary so that all applicable persons can understand it.

As I often say, the three most important things about your compliance program are ‘Document, Document and Document’. The same is true in communicating your company’s Code of Conduct. You need to do more than simply put it on your website and tell folks it is there, available and that they should read it. You need to document that all employees, or anyone else that your Code of Conduct is applicable to, have received, read, and understand it. The DOJ expects each company to begin its compliance program with a very publicly announced, very robust Code of Conduct. If your company does not have one, you need to implement one forthwith. If your company has not reviewed or assessed your Code of Conduct for five years, I would suggest that you do so in short order, as much has changed in the compliance world.

How important is the Code of Conduct? Consider the 2016 SEC enforcement action involving United Airlines, which turned on violation of the company’s Code of Conduct. The breach of the Code of Conduct was determined to be an FCPA internal controls violation. It involved a clear quid pro quo benefit paid out by United Airlines to David Samson, the former Chairman of the Board of Directors of the Port Authority of New York and New Jersey, the public government entity which has authority over, among other things, United Airlines operations at the company’s huge east coast hub at Newark, NJ.

The actions of United’s former Chief Executive Officer, Jeff Smisek, in personally approving the benefit granted to favor Samson violated the company’s internal controls around gifts to government officials, by not only failing to follow the United Code of Conduct but also violating it. The $2.4 million civil penalty levied on United was in addition to the Non-Prosecution Agreement settlement with the Department of Justice, which resulted in a penalty of $2.25 million. The scandal also cost United the resignations of Smisek and two other high-level executives.

Three Key Takeaways

  1. Every formulation of a best practices compliance program starts with a written Code of Conduct.
  2. The substance of your Code of Conduct should be tailored to the company’s culture, and to its industry and corporate identity.
  3. Document, Document, Document your training and communication efforts.

This month’s podcast sponsor is Convercent. Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to