Winslow AZAs I end my week’s exploration of the intersection of bribery and corruption in international sports, I have also ended a week of solid listening to The Eagles 1970s studio albums. In honor of Glenn Frey, I will also end this week with a final tribute to Frey and his work with this seminal band from the 70s. Today, it is a tribute to the first Eagles hit, Take It Easy. While Jackson Browne was the primary author of this song, Frey stepped in to finish it when Browne could not complete it. The Eagles also opened their first album, titled The Eagles, with this cut.

I cannot think of anyone born after about 1970 who does not instantly recognize the opening cords from Bernie Leadon’s lead guitar on this iconic song. If this song alone does not make you want to go to Winslow Arizona, well probably nothing will. In fact the song made the town so famous that the city of Winslow erected a life-size bronze statue and mural commemorating the song, at the Standin’ on the Corner Park. The statue stands near a lamp post, the male figure securing an acoustic guitar between his right hand and the shoe of his right foot. Above his head, a metal sign, crafted in the style of US Route shields, displays the words “Standin’ on the corner”.

As I have noted this week, the world of sports continues to provide ample lessons to be learned for the Chief Compliance Officer (CCO) or compliance practitioner. Although we no longer have the sad sack Astros to kick around, there are many other candidates out there you can draw inspiration from for your compliance regime. For today, I want recap some of these lessons.

Perhaps the clearest sign from the scandals reviewed this week and the ongoing Fédération Internationale de Football Association (FIFA) scandal is the role of regulators such as the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) in leading the international fight against bribery and corruption. Only the US had the wherewithal to bring the charges against FIFA. While the Swiss have tagged along, they certainly did not take anything like the lead in this matter. Further, the allegations of FIFA’s bribery was publicized in Britain as long ago as 2010 and the Serious Fraud Office (SFO) never brought charges against FIFA or its cronies.

The bottom line is that only the US government has the ability and, more importantly, the will to engage in such a worldwide investigation and coordinate the actions of numerous countries in providing assistance. Do you think the Swiss police would have been so involved if it was not for the US government lead in this investigation? From President Obama on down, the US government has made clear that it will lead the international fight against bribery and corruption. The FIFA indictments are yet one more indication that they will continue to do so.

From the International Association of Athletics Federations (IAAF) scandal there are certain aspects similar to FIFA but made even more invidious. Not only was a there a long entrenched self-serving and self-congratulatory cabal running the organization, but they even out did FIFA by allegedly extorting money from athletes who they expected of using performance enhancing drugs to suppress positive drug tests. These officials were allowed to not only run rampart but also engage in essentially self-government of themselves. Kind of like having the foxes guard the henhouse.

I think the lesson is the checks and balances required in any best practices compliance program that form the basis of compliance. While some of these checks and balances are in the form of multiple internal levels of oversight, such as a Compliance Committee, which might be made up of senior managers from various disciplines; another level is brought about by internal controls and the concept of the segregation of duties (SODs). No one person should be allowed have so much discretionary power that they can approve vendors, approve contracts; then approve invoices for payments on those same vendors and contracts they have previously approved.

In the corporate world this is fairly standard in the US but there continues to be Foreign Corrupt Practices Act (FCPA) enforcement actions, emanating from outside the US, where a Country or Regional Manager can make such multiple approvals. This is not only a recipe for disaster financially but also allows the creation of a pot of money to pay a bribe much easier. Internal controls also work towards having continuous oversight, if a technology solution is used it can facilitate both the prevent and detect prongs of a best practices compliance program.

The lesson for the US company which does not have a compliance program in place is that the basic forms of corporate governance are not only mandatory for a compliance and ethics regime but they are also the basics for any minimums of corporate governance in the 21st century. The level of any fraud, including bribery and corruption under the FCPA, can be low, yet the attendant costs can be far in excess of any fine or penalty. For FIFA and the IAAF, their cost will be played out in the international press and court of world public opinion for some time to come. For the former heads and senior members of those organizations, the cost may well be more pedestrian, with jail terms for felony criminal violations.

Finally, from the allegations around offers of bribes to throw matches in professional tennis is the clear lesson that employees that are offered bribes need to have an avenue to be able to report such conduct. For the CCO, it is important that employees have confidence and trust in the organization so they are willing to make such reports. To stop the scourge of bribery and corruption in any international sports group, the management must take the lead in communicating that such actions will not be tolerated and that anything less would result in expulsion and banishment. That is similar to any top management that must clearly set the expectation that it is more important for employees to follow the law than to make their quarterly numbers. For if management does not do so and communicates that making your quarterly numbers are more important, employees will find a way to make their quarterly numbers.

Moreover, it is important any company knows if a vendor, sales agent or any other party has offered or demanded a bribe to do business. Even if your employees tosses them out of the office on their collective ear, it is incumbent you be made aware of the demand/offer so you can bring it to the attention of the counter-party and take appropriate remedial action. Indeed, in many industries the number of agents or other representatives is small enough that they can be known. If there is a collective refusal to do business with such corrupt third parties, it can be a powerful driver of business behavior.

So I end this week with a fond farewell to Glenn Frey and I hope you are taking it easy about now. For a YouTube clip of The Eagles playing Take It Easy, click here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

DOJForeign Corrupt Practices Act (FCPA) enforcement by the Department of Justice (DOJ) was a bit different in 2015 than the preceding years. Obviously the record fines and penalties of 2014 dropped considerably. Further, there was the Joseph Sigelman trial disaster where the DOJ had to change horses in mid-stream and offer a very attractive deal to the defendant after the government’s star witness folded on the witness stand. Yet most of the DOJ nay-sayers conveniently forgot that Sigelman did plead guilty to violating the FCPA, along with two other former executives and with their former company PetroTiger admitting to conduct at issue, it would seem to mitigate the trial issues.

There were a couple of notable DOJ enforcement actions around the FCPA in 2015. The enforcement action involving IAP Worldwide Services, Inc. (IAP or “the company”) and its former Vice President (VP) James Rama, where the company agreed to a fine of $7.1MM was a bit of a head scratcher. While Rama pled guilty to a single count of conspiracy to violate the FCPA and was sentenced to 120 days in prison, IAP secured a Non-Prosecution Agreement (NPA) in addition to its fine.

What it is difficult to determine from the company NPA and Rama Plea Agreement is what conduct the company engaged in which led to the NPA because clearly both the company and Rama engaged in conduct that violated the FCPA. Under the facts presented it would appear that this case was egregious. There was a US company, setting up a scheme to pay bribes through both a US person, who was a former employee, and a foreign third party agent. Meetings to facilitate the scheme were held in the US and monies to fund bribes were wired out of a US bank account. There was nothing reported in the NPA which indicated that the company self-disclosed this FCPA violation. While there were statements of cooperation and remediation going forward, there was nothing other than the standard boilerplate language generally seen in NPAs.

In July, Louis Berger International Inc. (LBI) received a Deferred Prosecution Agreement (DPA) for its FCPA sins. As reported by the FCPA Blog, the “company, admitted violating the Foreign Corrupt Practices Act and agreed to pay a $17.1 million criminal penalty. The company said it bribed foreign officials in India, Indonesia, Vietnam, and Kuwait to win construction management contracts.” Two of its former executives, Richard Hirsch and James McClung, also pleaded guilty to conspiracy and FCPA charges. Both are currently scheduled to be sentenced in February, 2016.

In its Press Release the DOJ reported, “it gave Louis Berger a DPA because the company self reported the FCPA offenses and made U.S. and foreign employees available for interviews. The company collected and organized evidence for federal investigators and undertook “extensive remediation, including terminating the officers and employees responsible for the corrupt payments.” It also promised to improve its compliance program and internal controls.”

Contrasting the Sigelman trial were several high profiles cases where individuals pled guilty and were sentenced in 2015, most notably several former executives and employees of Direct Access Partners LLC (DAP). Former Chief Executive Officer (CEO) Benito Chinea, was sentenced to four years in prison and forfeited $3.6 million for bribing a Venezuela state bank official in return for bond trading business. Former Managing Director Joseph DeMeneses, was sentenced to four years in prison and ordered to forfeit nearly $2.7 after pleading guilty. Former Managing Partner Ernesto Lujan, was sentenced to two years in prison and ordered to forfeit $18.5 million for bribing a Venezuela state bank official. Former Senior Vice President Tomas Clarke pleaded guilty and was sentenced to two years in prison and ordered to forfeit nearly $5.8 million. Finally, Broker Jose Alejandro Hurtado was sentenced to three years in prison and ordered to forfeit nearly $11.9 million for being the middleman in a scheme to bribe a Venezuela state bank official in exchange for bond trading work.

In December Vicente Eduardo Garcia, a former Regional Director of Enterprise Software for SAP International Inc., was sentenced to 22 months in prison for bribing officials in Panama to win government contracts. Garcia admitted that he conspired with others, including advisors and consultants to SAP, to pay bribes to two Panamanian government officials, as well as to the agent of a third government official, with the understanding that a portion of the money would be paid to the third official. Garcia used sham contracts and false invoices to disguise the bribes. The money shot in this case was set out in the DOJ Press Release, which stated “Garcia further admitted that he believed paying such bribes was necessary to secure both the initial contract and additional Panamanian government contracts.” The bribery scheme netted the Panamanian SAP channel ops partner at least one contract valued at $14.5MM.

Other than the priceless quote from Garcia above, the year was fairly quiet on the DOJ enforcement front; there were no blockbuster settlements as we saw in 2014. However, that does not mean the year was not significant for the compliance practitioner. The DOJ provide quite a bit of solid information to the Chief Compliance Officer (CCO) and compliance practitioner. The Yates Memo set out a new calculus for the receipt of any cooperation credit for a company embroiled in a FCPA investigation (emphasis was in the original Memo). Now if a company desires such credit it must investigate and turn over information on individuals in the corporation involved, directly or indirectly (that is the question) before it even gets to the question of an effective compliance program.

Immediately after the release of the Yates Memo came news the DOJ was hiring a compliance program subject matter expert (SME) in a new Compliance Counsel role. This new hire turned out to be Hui Chen, an experienced corporate compliance practitioner who is also an ex-DOJer. Through Ms. Chen and through remarks by Assistant Attorney General Leslie R. Caldwell, the DOJ communicated its expectations around how this new position would evaluate the compliance programs of company’s in enforcement actions before the DOJ.

Caldwell laid out these metrics or factors the Compliance Counsel would utilize in her evaluation using the following factors:

  • Does the institution ensure that its directors and senior managers provide strong, explicit and visible support for its corporate compliance policies?
  • Do the people who are responsible for compliance have stature within the company? Do compliance teams get adequate funding and access to necessary resources? Of course, we won’t expect that a smaller company has the same compliance resources as a Fortune-50 company.
  • Are the institution’s compliance policies clear and in writing? Are they easily understood by employees? Are the policies translated into languages spoken by the company’s employees?
  • Does the institution ensure that its compliance policies are effectively communicated to all employees? Are its written policies easy for employees to find? Do employees have repeated training, which should include direction regarding what to do or with whom to consult when issues arise?
  • Does the institution review its policies and practices to keep them up to date with evolving risks and circumstances? This is especially important if a U.S.-based entity acquires or merges with another business, especially a foreign one.
  • Are there mechanisms to enforce compliance policies? Those include both incentivizing good compliance and disciplining violations. Is discipline even handed? The department does not look favorably on situations in which low-level employees who may have engaged in misconduct are terminated, but the more senior people who either directed or deliberately turned a blind eye to the conduct suffer no consequences. Such action sends the wrong message – to other employees, to the market and to the government – about the institution’s commitment to compliance.
  • Does the institution sensitize third parties like vendors, agents or consultants to the company’s expectation that its partners are also serious about compliance? This means more than including boilerplate language in a contract. It means taking action – including termination of a business relationship – if a partner demonstrates a lack of respect for laws and policies. And that attitude toward partner compliance must exist regardless of geographic location.

While the DOJ enforcement actions against companies for FCPA violations may have taken a dip in 2015, the DOJ aggressively pursued and brought to justice several individuals who violated the FCPA. Yet, for the compliance practitioner, the biggest information came from the Caldwell, Yates and Chen’s public comments around compliance programs and what the DOJ would evaluate going forward.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

SEC2015 continued the trend of Foreign Corrupt Practices Act (FCPA) enforcement actions brought by the Securities and Exchange Commission (SEC) with no parallel Department of Justice (DOJ) enforcement action. As you might expect, these SEC enforcement actions turned on violations of the Accounting Provisions of the FCPA, either the books and records provisions or the internal controls provisions. In this two-part series to begin the New Year I take a look at five SEC enforcement actions and use them to point where enforcement may be going in 2016 and what the Chief Compliance Officer (CCO) or compliance practitioner should take away from the enforcement action. Part I will focus on BNY Mellon and BHP and Part II will look at the Bristol Squibb-Myers, Hitachi and Mead Johnson enforcement actions.

BNY Mellon: Hiring of Children and Relatives

In August, the SEC announced a resolution with the Bank of New York Mellon Corporation (BNY Mellon) for FCPA violations. This was the first enforcement action around the now infamous Princesslings and Princelings investigation where US companies hired the sons and daughters of foreign government officials to curry favor and obtain or retain business.

While JPMorgan Chase has garnered the most attention around this issue, probably because of its notorious spreadsheet tracking of sons and daughters hires to develop business in China, there are multiple US companies under scrutiny for similar conduct. The FCPA Blog has reported that Credit Suisse, Goldman Sachs, Morgan Stanley, Citigroup, and UBS are all under investigation by the SEC for their hiring practices around the sons and daughters of foreign government officials. BNY Mellon has the honor of being the first company to reach resolution on this issue.

There is nothing illegal around the hiring of a close family member of a foreign governmental official. It does however present a higher risk for indicia of bribery and corruption and violation of the FCPA. A higher FCPA risk means you need to evaluate that risk more closely and manage that risk accordingly.

The obvious starting point for the hiring of a close family member of a foreign governmental official is whether the candidate is qualified for the position. If they are not qualified it is ‘Full Stop’ at that point. In the case of BNY Mellon there was no evidence any of the candidates had the academic background, credentials, leadership traits or intangible skills to meet the bank’s normal internship hiring criteria. As with any other anomaly granted in a company’s normal process, there must be a documented reason for the exception, review by appropriate authority of the exception and documentation as to why the exception was granted. None of these steps were present in the BNY Mellon matter. Put another way, if you are hiring a family member or close relative of a foreign government official for any reason other than merit, it had better be a darn good one and be well documented as to the decision-making calculus with appropriate senior management oversight.

But your risk management does not stop simply with the hiring process. If the foreign governmental official is the person who made the request for the hiring of the family member, this is a Red Flag not to be overlooked. Your analysis needs to be on the role of that foreign governmental official in awarding new business to your company or in retaining old business. If the foreign governmental official has direct or even strong indirect control over such business relations, this may present such a direct conflict of interest, this may be a risk that you cannot manage. A good rule of thumb here is whether there is full transparency in the hiring with the foreign government involved with your company. In the case of BNY Mellon, they did not want anyone in the Sovereign Wealth Fund to know BNY Mellon had hired the son or nephew. That is a clear sign that transparency is lacking and someone, somewhere is engaging in unethical conduct, if not breaking the law.

Finally, if you do decide to move forward and hire the close family member, you need to assign that new hire to work that is not associated with the business relationship between your company and the foreign government involved. Just as in the lifecycle of third party management, managing the relationship after a contract is inked is in many ways the most critical element; the same is true in the employment relationship involving close family members of foreign government officials.

Ultimately, you need to have internal controls to ensure effective compliance going forward. You cannot have customer relationship managers making the calls on hiring which over-ride the Human Resources (HR) procedures. There must be not only HR review but also mechanisms to flag for compliance review such hires. Lastly, there needs to be sufficient senior management oversight because this is such a high-risk proposition.

BHP: High-Risk Hospitality

In May came the release of the SEC FCPA enforcement action involving BHP Billiton Ltd. (BHP), which revolved around the company’s hospitality program for the Beijing 2008 Olympics. Every CCO and compliance practitioner should study this enforcement action in detail so that they can craft appropriate compliance internal controls for high dollar entertaining for big time sporting events. For any company that may be planning high dollar hospitality spends for the 2016 Brazil Olympics, this enforcement action lays out what you should and should not do in your compliance program. But this holds true for any major sporting event such as the Super Bowl, World Cup or you name the event.

BHP had a paper program that appeared robust. As laid out in the SEC Cease and Desist Order, “BHPB developed a hospitality application which business managers were required to complete for any individuals, including government officials, whom they wished to invite.” Yet, an effective compliance program does not end at that point. Now would be an appropriate time to recall that high risk does not mean you cannot engage in certain conduct. High risk means that to have an effective compliance program, you have to manage that risk. A basic key to any effective compliance program is oversight or a second set of eyes baked in to your process. BHP formally had this oversight or second set of eyes in the form of an Olympic Sponsorship Steering Committee (OSSC) and Global Ethics Panel Sub-Committee.

Where BHP failed was that “other than reviewing approximately 10 hospitality applications for government officials in mid-2007 in order to assess the invitation process, the OSSC and the Ethics Panel subcommittee did not review the appropriateness of individual hospitality applications or airfare requests. The Ethics Panel’s charter stated that its role simply was to provide advice on ethical and compliance matters, and that “accountability rest[ed] with business leaders.” Members of the Ethics Panel understood that, consistent with their charter, their role with respect to implementation of the hospitality program was purely advisory. As a result, business managers had sole responsibility for reconciling the competing goals of inviting guests – including government officials – who would ““maximize [BHPB’s] commercial investment made in the Olympic Games” without violating anti-bribery laws.”

But there was more than simply a failure of oversight by BHP. The Cease and Desist Order noted that not all of the forms were filled out with the critical information around a whether a proposed recipient might have been a government official. Even more critically missing was information on whether the proposed recipient was in a position to exert influence over BHP business. Moreover, BHP did not provide training to the business unit employees who ended up making the call as to whether or not to provide the hospitality on payment of travel and hospitality for spouses. The Cease and Desist Order stated that BHP “did not provide any guidance to its senior managers on how they should apply this portion of the Guide when determining whether to approve invitations and airfares for government officials’ spouses.” Finally, there were no controls in place to update or provide ongoing monitoring of the critical information in the forms.

All of this led to the SEC stating the following, “As a result of its failure to design and maintain sufficient internal controls over the Olympic global hospitality program, BHP invited a number of government officials who were directly involved with, or in a position to influence, pending negotiations, efforts by BHPB to obtain access rights, or other pending matters.” Perhaps it was stated most succinctly by Antonia Chion, Associate Director of the SEC’s Division of Enforcement, in the SEC Press Release announcing the enforcement action when she said, “A ‘check the box’ compliance approach of forms over substance is not enough to comply with the FCPA.”

Stay tuned for Part II tomorrow…

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

Empire Strikes BackWe continue our celebration of all things Star Wars; at least as they pertain to the original trilogy, as today we honor Episode V – The Empire Strikes Back, which is my personal favorite of the original three movies. The film begins with a cool battle on the ice planet of Hoth; has some great HR lessons as Darth Vader executes officers for work place errors; demonstrates some dangers involving ineffective training for Luke Skywalker on the tropical plant of Dagobah, where he travels to learn under the Jedi master Yoda who utters the immortal line “Try not! Do, or do not. There is no try”; and ends in Cloud City, a floating gas mining colony in the skies of the planet Bespin run by Han Solo’s old buddy, Lando Calrissian. It also has one of the greatest movie lines of all-time, thundered by Darth Vader to Luke Skywalker, “I AM YOUR FATHER”, towards the end of the film.

Solo and Calrissian go way back and Solo trusts him. Of course, Solo won his starship, the Millennium Falcon, from him but they are still good friends and this friendship is sorely tested when Vader and his Imperial Troops arrive to entice Luke to come to save his friends and battle Vader, which is where the reveal of fatherhood occurs.

I thought about these last two points, in the context of knowing who you are doing business with under the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act. I once heard a company President say he did not need to perform due diligence because he looked a man in the eyes and that was enough to know if he was honest. (I should add, this President also evaluated the strength of a handshake as an additional level of due diligence.) Hopefully we have moved past this level of sophistication for due diligence and its evaluation thereof.

One of the areas I still receive questions about are the different levels of due diligence. Based upon the information provided by the Department of Justice (DOJ) over the years, from Deferred Prosecution Agreements (DPAs) to Opinion Releases and enforcement actions, I break due diligence down into three stages: Level I, Level II and Level III. Candice Tal, Founder and Chief Executive Officer (CEO) of Infortal Worldwide, in an article entitled “Deep Level Due Diligence: What You Need to Know”, laid out some of these concepts.

Level I

First level due diligence typically consists of checking individual names and company names through several hundred Global Watch lists comprised of anti money laundering (AML), anti-bribery, sanctions lists, coupled with other financial corruption & criminal databases. These global lists create a useful first-level screening tool to detect potential red flags for corrupt activities. It is also a very inexpensive first step in compliance from an investigative viewpoint. This basic Level I due diligence is extremely important for companies to complement their compliance policies and procedures; demonstrating a broad intent to actively comply with international regulatory requirements.

 Level II

Level II due diligence encompasses supplementing Level I due diligence with a deeper screening of international media, typically the major newspapers and periodicals from all countries plus detailed Internet searches. Such inquiries will often reveal other forms of corruption-related information and may expose undisclosed or hidden information about the company, the third party’s key executives and associated parties. I believe that Level II should also include an in-country database search regarding the third party. Some of the other types of information that you should consider obtaining are country of domicile and international government records; use of in-country sources to provide assessments of the third party; a check for international derogatory electronic and physical media searches, you should perform both English and foreign-language repositories searches on the third party, in its country of domicile, if you are in a specific industry, using technical specialists you should also obtain information from sector specific sources.

 Level III

This level is the deep dive. It will require an in-country ‘boots-on-the-ground’ investigation and is designed to supply your company “with a comprehensive analysis of all available public records data supplemented with detailed field intelligence to identify known and more importantly unknown conditions. Seasoned investigators who know the local language and are familiar with local politics bring an extra layer of depth assessment to an in country investigation.” Further, the “Direction of the work and analyzing the resulting data is often critical to a successful outcome; and key to understanding the results both from a technical perspective and understanding what the results mean in plain English. Investigative reports should include actionable recommendations based on clearly defined assumptions or preferably well-developed factual data points.”

But more than simply an investigation of the company, critically including a site visit and coupled with onsite interviews, Tal says that some other things you investigate include “an in-depth background check of key executives or principal players. These are not routine employment-type background checks, which are simply designed to confirm existing information; but rather executive due diligence checks designed to investigate hidden, secret or undisclosed information about that individual.” Tal believes that such “Reputational information, involvement in other businesses, direct or indirect involvement in other law suits, history of litigious and other lifestyle behaviors which can adversely affect your business, and public perceptions of impropriety, should they be disclosed publically.”

Further, you may need to engage a foreign law firm to investigate the third party in its home country to determine the third party’s compliance with its home country’s laws, licensing requirements and regulations. Lastly, and perhaps most importantly, you should use a Level III to look the proposed third party in the eye and get a firm idea of his or her cooperation and attitude towards compliance as one of the most important inquiries is not legal but based upon the response and cooperation of the third party. More than simply trying to determine if the third party objected to any portion of the due diligence process or did they object to the scope, coverage or purpose of the FCPA; you can use a Level III to determine if the third party is willing to stand up under the FCPA and are you willing to partner with the third party.

The Risk Advisory Group, created a handy chart of its Level I, II and III approaches to integrity and due diligence. I have found it useful in explaining the different scopes and focuses of the various levels of due diligence.

Level Issues Addressed Scope of Investigation
I ·      That the company exists

·      Identities of directors and shareholders

·      Whether such persons are on regulators’ watch lists

·      Signs that such persons are government officials

·      Obvious signs of financial difficulty

·      Signs of involvement in litigation

·      Media reports linking the company to corruption

·      Company registration and status

·      Registered Address

·      Regulators’ watch lists

·      Credit Checks

·      Bankruptcy/Liquidation Proceedings

·      Review accounts and auditors comments

·      Litigation search

·      Negative media search

II As above with the following additions:

·      Public Profile integrity checks

·      Signs of official investigations and/or sanctions from regulatory authorities

·      Other anti-corruption Red Flags

As above with the following additions:

·      Review and summary of all media and internet references

·      Review and summary of relevant corporate records and litigation filings, including local archives

·      Analysis and cross-referencing of all findings

III As above with the following additions:

·      But seeking fuller answers to any questions raised by drawing on a wider range of intelligence sources and/or addressing specific issues of potential concern already identified

 

As above with the following additions:

·      Enquiries via local sources

·      Enquiries via industry experts

·      Enquiries via western agencies such as embassies or trade promotion bodies

·      Enquires via sources close to local regulatory agencies

If Han Solo had done a deep dive into his friend Lando Calrrisian, he might have well determined that the Empire had arrived at the Cloud City before he and his team did. Then again we might not have heard that seminal line “I AM YOUR FATHER”.

May the force be with you.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

Ken JohnsonBefore Jim Crane came along to purchase the Houston Astros and provide us all with some of the best lessons learned for the compliance practitioner, they had a long and storied history, even if part of that history included not achieving much in the way of success. After all it took the Astros 50 years to reach the World Series (reach – not win). Before they had that inglorious run, they were known as the Houston Colt 45s and they were even more sad sack than after they re-moninkered themselves as the Astros.

In the Pantheon of baseball achievements one Houston Colt 45 stands above all. It is Ken Johnson, who died earlier this week. Johnson’s achievement – he is the only pitcher in the long and storied history of baseball, who pitched a complete game no-hitter and lost. In a game against the Cincinnati Reds, on April 23, 1964, with one out in the 9th inning, Johnson fielded a bunt by Pete Rose and threw wildly to first, allowing Rose to reach second. Rose scored two batters later on an error by second baseman Nellie Fox. The Reds won the game 1-0.

I thought about hard luck Ken Johnson in the context of the continued difficulty companies face around liability for third parties under the Foreign Corrupt Practices Act (FCPA). There are two areas that do not get as much attention that I wanted to focus on today. The first is the Questionnaire you utilize to help in the evaluation of any third party and the second is the compliance terms and conditions you should include in any commercial agreement with third parties.

Below are some of the areas that I think you should inquire into through your Questionnaire to a proposed third party:

  • Ownership Structure: Describe whether the proposed third party is a government or state-owned entity, and the nature of its relationship(s) with local, regional and governmental bodies. Are there any members of the business partner related, by blood, to governmental officials?
  • Financial Qualifications: Describe the financial stability of, and all capital to be provided by, the proposed third party. You should obtain financial records, audited for 3 to 5 years, if available. Obtain the name and contact information for their banking relationship.
  • Personnel: Determine whether the proposed agent will be providing personnel, particularly whether any of the employees are government officials. Make sure that you obtain the names and titles of those who will provide services to your company.
  • Physical Facilities: Describe what physical facilities that will be used by the third party for your work. Be sure and obtain their physical address.
  • References: Obtain names and contact information for at least three business references that can provide information on the business ethics and commercial reliability of the proposed third party.
  • PEPs: Are any of the owners, beneficial owners, officers or directors politically exposed persons (PEPs).
  • UBO: It is imperative that you obtain the identity of the Ultimate Beneficial Owner (UBO).
  • Compliance Regime: Does the proposed third party have an anti-corruption/anti-bribery program in place? Do they have a Code of Conduct? Obtain copies of all relevant documents and training materials.
  • FCPA Training and Awareness: Has the proposed third party received FCPA training, are they TRACE certified or certified by some other recognizable entity?

One thing that you should keep in mind is that you will likely have pushback from your business team in making many of the inquiries listed above. However, my experience is that most proposed agents that have done business with US or UK companies have already gone through this process. Indeed, they understand that by providing this information on a timely basis, they can set themselves apart as more attractive to US businesses.

The questionnaire fills several key roles in your overall management of third parties. Obviously it provides key information that you need to know about who you are doing business with and whether they have the capabilities to fulfill your commercial needs. Just as importantly is what is said if the questionnaire is not completed or is only partially completed, such as the lack of awareness of the FCPA, UK Bribery Act or anti-corruption/anti-bribery programs generally. Lastly, the information provided (or not provided) in the questionnaire will assist you in determining what level of due diligence to perform.

Similarly, compliance terms and conditions should be in every contract, whether such document is a simple agency or consulting agreement or a joint venture (JV) with several formation documents. The compliance terms and conditions should include representations that in all undertakings the third party will make no payments of money, or anything of value, nor will such be offered, promised or paid, directly or indirectly, to any foreign officials, political parties, party officials, candidates for public or political party office, to influence the acts of such officials, political parties, party officials, or candidates in their official capacity, to induce them to use their influence with a government to obtain or retain business or gain an improper advantage in connection with any business venture or contract in which the company is a participant.

In addition to the above affirmative statements regarding conduct, a commercial contract with a third party should have the following compliance terms and conditions in it:

  • Indemnification: Full indemnification for any FCPA violation, including all costs for the underlying investigation.
  • Cooperation: Require full cooperation with any ethics and compliance investigation, specifically including the review of foreign business partner emails and bank accounts relating to your Company’s use of the foreign business partner.
  • Material Breach of Contract: Any FCPA violation is made a material breach of contract, with no notice and opportunity to cure. Further, such a finding will be the grounds for immediate cessation of all payments.
  • No Sub-Vendors (without approval): The foreign business partner must agree that it will not hire an agent, subcontractor or consultant without the Company’s prior written consent (to be based on adequate due diligence).
  • Audit Rights: An additional key element of a contract between a US Company and a foreign business partner should include the retention of audit rights. These audit rights must exceed the simple audit rights associated with the financial relationship between the parties and must allow a full review of all FCPA related compliance procedures such as those for meeting with foreign governmental officials and compliance related training.
  • Acknowledgment: The foreign business partner should specifically acknowledge the applicability of the FCPA to the business relationship as well as any country or regional anti-corruption or anti-bribery laws, which apply to either the foreign business partner or business relationship.
  • On-going Training: Require that the top management of the foreign business partner and all persons performing services on your behalf shall receive FCPA compliance training.
  • Annual Certification: Require an annual certification stating that the foreign business partner has not engaged in any conduct that violates the FCPA or any applicable laws, nor is it aware of any such conduct.
  • Re-qualification: Require the foreign business partner re-qualify as a business partner at a regular interval of no greater than every three years.

Many will exclaim, “What an order, I can’t go through with it.” By this they mean that they do not believe that they will be able to get the third party to agree to such compliance terms and conditions. I have found that while it may not be easy, it is relatively simple to get a third party to agree to these, or similar, terms and conditions. One approach to take is that they are not negotiable. When faced with such a position on non-commercial terms many third parties will not fight such a position. There is some flexibility but the Department of Justice (DOJ) will require the minimum terms and conditions that it has suggested in the various Attachment Cs to the Deferred Prosecution Agreement (DPA) and in the FCPA Guidance. But the best position I have found is that if a third party agrees with these terms and conditions, they can then use that as a market differentiator from other third parties who have not gone through the life cycle management of a third party.

Two of the under-utilized tools of third party risk management are the third party questionnaire and compliance terms and conditions. By using these relatively simple and straightforward techniques you can help avoid the hard-luck nature of Ken Johnson and losing the game when you pitch a no-hitter.

A Happy Thanksgiving to all.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015