I guess Matt Kelly cannot leave his journalist roots for it was he who broke the story within the greater compliance community that the Department of Justice (DOJ) very quietly released a document, entitled “Evaluation of Corporate Compliance Programs” (Evaluation), on the Fraud Section website late last week. Kelly gave kudos to the law firm of White and Case for the initial notice but as they are FCPA Inc., Kelly gets the call for being the first to announce it to the compliance community. The document is an 11-part list of questions which encapsulates the DOJ’s most current thinking on what constitutes a best practices compliance program. Within the list are some 46 different questions that a Chief Compliance Officer (CCO) or compliance practitioner can use to benchmark a compliance program. In short, it is an incredibly valuable and most significantly useful resource for every compliance practitioner. Over the next couple of blog posts, I will be taking a look at the Evaluation.

The Evaluation, most generally, follows the DOJ and Securities and Exchange Commission’s (SEC) seminal Ten Hallmarks of an Effective Compliance Program, released in the 2012 FCPA Guidance. If there is one over-riding theme in the Evaluation, it is the DOJ’s emphasis on doing compliance as the questions posed are designed to test how far down your compliance program is incorporated into the fabric of your organization. The Evaluation is not simply a restatement of the Ten Hallmarks, as it clearly incorporates the DOJ’s evolution in what constitutes a best practices compliance program, and it certainly builds upon the information put forward in the DOJ’s FCPA Pilot Program regarding effective compliance programs, most particularly found in Prong 3 Remediation. Once again, I detect the hand of DOJ Compliance Counsel Hui Chen in not only helping the DOJ to understand what constitutes an effective compliance program but also providing solid information to the greater compliance community on this score.

As there are 11 areas of inquiry and 10 Hallmarks, one of the interesting considerations is Evaluation No. 1 – the analysis and remediation of underlying conduct. In this area, you understand the root cause of any incident, is it systemic and who made the analysis? You will also need to evaluate your detection or if the conduct was missed, why was it missed? Finally, you need to explain the remediation.

Next is the area of senior and middle management where you will need to evaluate the specific conduct of senior management in not only discouraging Foreign Corrupt Practices Act (FCPA) violative conduct but also the role of senior management in remedial actions. How do senior leaders and other stakeholders model appropriate behavior and share information on compliance throughout the organization and how is that conduct monitored on an ongoing basis?

Finally, the Board’s role is re-emphasized as the Evaluation asks the following questions, “What compliance expertise has been available on the board of directors? Have the board of directors and/or external auditors held executive or private sessions with the compliance and control functions? What types of information have the board of directors and senior management examined in their exercise of oversight in the area in which the misconduct occurred?” If you are following my month long series of One Month to a Better Board, you will recognize these as significant issues that many Boards have yet to adequately deal with going forward. The Evaluation also looks at the CCO and compliance function’s upward communications with the Board by looking at reporting lines, CCO access to the Board and independence of the compliance function within the organization.

Next is the area of autonomy and resources for the CCO and the compliance function. This section follows the FCPA Pilot Program Prong Three on remediation by inquiring into the professionalism and expertise of both the CCO and the compliance function. It also asks about the stature of the CCO and compliance function within the organization, including specifically “compensation levels, rank/title, reporting line, resources, and access to key decision-makers”. It also asks about turnover and promotion opportunities. You need to evaluate the role of compliance in strategic planning and whether the compliance function is truly “empowered” within an organization. This final point will entail documenting any “specific transactions or deals that were stopped, modified, or more closely examined as a result of compliance concerns”. Also echoing the Pilot Program Remediation Prong was an inquiry into funding and dollar resources available to the compliance function.

In a new area of review, the Evaluation considers “outsourced compliance functions” for the first time. It asks the following questions, “Has the company outsourced all or parts of its compliance functions to an external firm or consultant? What has been the rationale for doing so? Who has been involved in the decision to outsource? How has that process been managed (including who oversaw and/or liaised with the external firm/consultant)? What access level does the external firm or consultant have to company information? How has the effectiveness of the outsourced process been assessed?”

In the area of “Policies and Procedures” we see a clear operationalization inquiry as you are required to evaluate who had input into the design of your compliance policies and procedures and the process for drafting, all coupled with consultation with the business units. You also need to look at the specific policies and procedures which may have failed and determine how and why they failed. There are some inquiries into “gatekeepers, e.g. the persons who issue payments or review approvals” regarding their training and ongoing monitoring.

Next, and once again following on the operationalization of your compliance program, is a section entitled “Operational Integration” which includes who is responsible for integrating your policies and procedures throughout your organization, what internal controls are in place and specific inquiries into the role of the company payment system in any FCPA violation. This last inquiry is coupled with a review of your vendor management program going forward.

In the area of risk assessments, you need to consider the methodology the company used to identify, analyze, and address the particular risks it faced, coupled with the metrics your company has collected and used to help detect the type of misconduct in question and, most interestingly, how this information has “informed the company’s compliance program”? In a section entitled “Manifested Risks” the Evaluation poses the following question, “How has the company’s risk assessment process accounted for manifested risks?”

Tomorrow I will consider the remainder of the Evaluation and how best to use it going forward.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2017

Today I want to consider a couple of failures at the Board level around bribery and corruption.   

  1. VimpelCom 

Board of Directors and Senior Management Involvement

VimpelCom sought to enter the telecom market through the acquisition of a local player, Unitel, as an entrée into the Uzbekistan market. Unitel made clear to VimpelCom that to have access to, obtain and retain business in the Uzbeki telecom space, VimpelCom would have to, according to the VimpelCom DPA, “regularly pay Foreign Officials millions of dollars” who was Gulnara Karimova, the daughter of the then President of the country. VimpelCom also acquired another entity Butzel, that was at least partially owned by an Uzbeki government official, who hid their interest through a shell company, which was known to VimpelCom. VimpelCom did not articulate a legitimate business reason for the deal and paid $60MM for Buztel.

As laid out in the VimpleCom’s Information, its senior management was well aware of the potential FCPA risk. The Information stated, “From the beginning of VIMPELCOM’s deliberations concerning its entry into Uzbekistan, there was an acknowledgment of the serious FCPA risks associated with certain VIMPELCOM management’s recommendation to purchase Buztel in addition to Unitel… Documents prepared for the December 13, 2005 Finance Committee meeting explained that Buztel was owned by a Russian company “and a partner” without further detailing the identity of the “partner” who was in fact Ms. Karimova. The materials documented that “[t]hrough a local partner, [VIMPELCOM was] in a preferred position to purchase both assets . . . .”” The Finance Committee “identified the likelihood of corruption and expressed concerns.” Even with these reservations, the Finance Committee failed to identify the local partners.

But there was even more specific cautions around a FCPA violation when one Finance Committee member ““expressed concern on the structure of the deal and FCPA issues” and noted “that if [VIMPELCOM] goes into this deal under this structure and if the structure violates the FCPA picture, [VIMPELCOM’s] name could be damaged.”” The Finance Committee voted to move forward with the Buztel portion of the transaction “provided that all issues related to the FCPA should be resolved.”

These concerns moved up to the VimpelCom Board of Directors. In a December, 2005 Board meeting, “the likelihood of corruption was further discussed” and that “there was a recognition that a thorough analysis was needed to ensure that the Buztel payment was not merely a corrupt pretext for other services and favors. There were also numerous requests to ensure that the deal complied with the FCPA. Ultimately, VIMPELCOM’s board approved the Buztel and Unitel acquisitions, with a condition that FCPA analysis from an international law firm be provided to VIMPELCOM.”

Here VimpelCom management defrauded its own Board of Directors. The Information states, “VIMPELCOM’s management then sought FCPA advice that could be used to satisfy the board’s requirement while allowing VIMPELCOM to proceed with a knowingly corrupt deal. Despite the known risks of Foreign Official’s involvement in Buztel, certain VIMPELCOM management obtained FCPA legal opinions from an international law firm supporting the acquisition of Unitel and Buztel; however, certain VIMPELCOM management did not disclose to the law firm Foreign Official’s known association with Buztel. As a result, the legal opinion did not address the critical issue identified by the VIMPELCOM board as a prerequisite to the acquisition. Management limited the law firm’s FCPA review of the transaction to ensure that the legal opinion would be favorable. Having obtained a limited FCPA legal opinion designed to ostensibly satisfy the board’s requirement, certain VIMPELCOM management then proceeded with the Buztel acquisition and corrupt entry into the Uzbek market.”

Fraudulent Stock Transfer

But that was only the start as VimpelCom then entered into a partnership with the foreign official who was given an ownership interest in Unitel, through the shell corporation. The shell company held an option to sell this interest back to VimpelCom in 2009. It would appear that the owner of the shell corporation was well known within both VimpelCom and Unitel but both entities referred to this person as the “partner” or “local partner”. VimpelCom set up partnership where, “Shell Company obtained an indirect interest of approximately 7% in Unitel for $20 million, and Shell Company received an option to sell its shares back to Unitel in 2009 for between $57.5 million and $60 million for a guaranteed net profit of at least $37.5 million.”

VimpelCom’s Board was required to and did approve the partnership but as with the original acquisition, “approval again was conditioned on “FCPA analysis by an international law firm” and required that the “the identity of the Partner . . . [be] presented to and approved by the Finance Committee.” VIMPELCOM received an FCPA opinion on the sale of the indirect interest in Unitel to Shell Company on or about August 30, 2006. The FCPA advice VIMPELCOM received was not based on important details that were known to certain VIMPELCOM management and that certain VIMPELCOM management failed to provide to outside counsel, including Foreign Official’s control of Shell Company. In addition, documents, including minutes from the Finance Committee’s meeting on August 28, 2006, failed to identify the true identity of the local partner by name while noting the “extremely sensitive” nature of the issue.”

Some three years later, the shell company exercised its option to be bought out of the partnership for $57.5MM, after having invested $20MM. This netted a profit of $37.5MM. Unfortunately for all involved, they routed the payments for the transaction through financial institutions in the US, thereby creating FCPA jurisdiction.

  1. BizJet

Another FCPA enforcement action involved the Tulsa-based company BizJet, which had four senior executives convicted for their participation in a bribery scheme. But this case also involved the Board of Directions. In the Criminal Information it stated, that in November 2005, “at a Board of Directors meeting of the BizJet Board, Executive A and Executive B discussed with the Board that the decision of where an aircraft is sent for maintenance work is generally made by the potential customer’s director of maintenance or chief pilot, that these individuals are demanding $30,000 to $40,000 in commissions, and that BizJet would pay referral fees in order to gain market share.”

In both cases, this is where the rubber hits the road. If a company is willing to commit bribery and engage in corruption to secure business no amount of doing compliance is going to help. If senior management is ready, willing and able to lie, cheat and steal, the Board is the final backstop to prevent such conduct. Both the VimpelCom and BizJet Boards sorely failed in their compliance duties.

Three Key Takeaways

  1. Board liability will be severe based upon similar conduct going forward.
  2. Board members must critically challenge management on its conduct.
  3. The Board is the ultimate backstop against bribery and corruption.

This episode is dedicated to the chaotic (at best) first three weeks of the Trump administration.

  1. Jonathan Armstrong leads a discussion of the Trump administrations devolution towards Privacy Shield and what it may portend for American companies doing business in the UK and EU. He highlights the recent opening of a new trial in Ireland brought by Max Schrems and also discussed the putative Muslim refugee ban in the context of broader business implications.

For the Cordery Compliance client alert on Privacy Shield, see here

  1. Jay Rosen considers what companies the intersection of business and politics under the Trump administration, the Tech sector response to the Muslim refugee ban and the more general business response to the first few weeks of the Trump administation.

For Jay’s post see, Where Do Politics End and Ethics & Compliance Begin?

  1. Matt Kelly opens with a discussion of the management process practices of the Trump administration in issuing Executive Orders and lays down some markers around compliance and regulatory issues under the new administration.

For Matt Kelly’s posts see the following:

Compliance in the Trump Era: More Markers Placed

Five Questions for SEC Nominee Jay Clayton

Yes Government Ethics is Happening

Dodd-Frank Reform Starts Coming into View

 For Tom Fox’s posts on these topics see the following:

The Trump Administration-Kaos is Bad for Business

The Trump Administration-Part II, Failures in Leadership and Management

The Trump Administration-Part III-Preparing for a Catastrophe

The Trump Administration-Part IV-the Business Response

The members of the Everything Compliance panel include:

  • Jay Rosen (Mr. Translations) – Jay is Vice President of Legal & Corporate Language Solutions at United Language Group. Rosen can be reached at rosen@ulgroup.com.
  • Mike Volkov – One of the top FCPA commentators and practitioners around and is the Chief Executive Officer (CEO) and owner of The Volkov Law Group, LLC. Volkov can be reached at mvolkov@volkovlawgroup.com.
  • Matt Kelly – Founder and CEO of Radical Compliance, is the former Editor of the noted Compliance Week Kelly can be reached at mkelly@radicalcompliance.com
  • Jonathan Armstrong – Rounding out is our UK colleague, who is an experienced lawyer with Cordery in London. Armstrong can be reached at armstrong@corderycompliance.com

Show Notes for Episode 38, for the week ending February 3, the M&M edition:

  1. January a month for the FCPA record books. See article in the FCPA Blog.
  2. Are hunting trips a FCPA violation? How about in Sweden? See article in by Tom Fox in Compliance Week.
  3. VW update-what the former CEO knew and when did he know it and CCO ‘departs’. What does it all mean? See Tom Fox articles in Compliance Week on the former CEO and the departure of the CCO.
  4. New Tom Fox series on One Month to a Better Board, FCPA Compliance Report.
  5. Everything Compliance-Episode 6 is out. It is dedicated exclusively to Rolls-Royce.
  6. Jay Rosen Weekend Report preview.
  7. Super Bowl predictions.

Show Notes for Episode 6, the Rolls-Royce Global Corruption Enforcement Action

This episode is dedicated exclusively to the Rolls-Royce global corruption enforcement action.

  1. Jonathan Armstrong leads a discussion the UK side of the enforcement action.

For the Cordery Compliance client alert on Rolls-Royce, see Rolls-Royce case sends a strong signal

  1. Jay Rosen considers what companies which did business with RR should do now or even companies in the same or similar industries should consider in the face of the enforcement action.

For Jay’s post on Rolls-Royce, see Rolls-Royce Takes Global Anti-Corruption to New International Heights + Potential Next Steps for a CCO Whose Company has Bid/Worked with Rolls-Royce

  1. Mike Volkov talks about the types of resolution documents used in anti-compliance enforcement and some of the key strategy used by RR during the process to achieve their positive result.

For Mike Volkov’s post on Rolls-Royce, see Serious Fraud Office Makes Big Splash with UK Bribery Act Resolution with Rolls Royce

  1. Matt Kelly brings it all home and ties it together by walking us through the global implications of this settlement.

For Tom Fox’s posts on these topics see the following:

  1. Part I
  2. Part II
  3. Part III

Rants will return next week.

The members of the Everything Compliance panel include:

  • Jay Rosen (Mr. Translations) – Jay is Vice President of Legal & Corporate Language Solutions at United Language Group. Rosen can be reached at rosen@ulgroup.com.
  • Mike Volkov – One of the top FCPA commentators and practitioners around and is the Chief Executive Officer (CEO) and owner of The Volkov Law Group, LLC. Volkov can be reached at mvolkov@volkovlawgroup.com.
  • Matt Kelly – Founder and CEO of Radical Compliance, is the former Editor of the noted Compliance Week Kelly can be reached at mkelly@radicalcompliance.com
  • Jonathan Armstrong – Rounding out is our UK colleague, who is an experienced lawyer with Cordery in London. Armstrong can be reached at armstrong@corderycompliance.com.