SEC2015 continued the trend of Foreign Corrupt Practices Act (FCPA) enforcement actions brought by the Securities and Exchange Commission (SEC) with no parallel Department of Justice (DOJ) enforcement action. As you might expect, these SEC enforcement actions turned on violations of the Accounting Provisions of the FCPA, either the books and records provisions or the internal controls provisions. In this two-part series to begin the New Year I take a look at five SEC enforcement actions and use them to point where enforcement may be going in 2016 and what the Chief Compliance Officer (CCO) or compliance practitioner should take away from the enforcement action. Part I will focus on BNY Mellon and BHP and Part II will look at the Bristol Squibb-Myers, Hitachi and Mead Johnson enforcement actions.

BNY Mellon: Hiring of Children and Relatives

In August, the SEC announced a resolution with the Bank of New York Mellon Corporation (BNY Mellon) for FCPA violations. This was the first enforcement action around the now infamous Princesslings and Princelings investigation where US companies hired the sons and daughters of foreign government officials to curry favor and obtain or retain business.

While JPMorgan Chase has garnered the most attention around this issue, probably because of its notorious spreadsheet tracking of sons and daughters hires to develop business in China, there are multiple US companies under scrutiny for similar conduct. The FCPA Blog has reported that Credit Suisse, Goldman Sachs, Morgan Stanley, Citigroup, and UBS are all under investigation by the SEC for their hiring practices around the sons and daughters of foreign government officials. BNY Mellon has the honor of being the first company to reach resolution on this issue.

There is nothing illegal around the hiring of a close family member of a foreign governmental official. It does however present a higher risk for indicia of bribery and corruption and violation of the FCPA. A higher FCPA risk means you need to evaluate that risk more closely and manage that risk accordingly.

The obvious starting point for the hiring of a close family member of a foreign governmental official is whether the candidate is qualified for the position. If they are not qualified it is ‘Full Stop’ at that point. In the case of BNY Mellon there was no evidence any of the candidates had the academic background, credentials, leadership traits or intangible skills to meet the bank’s normal internship hiring criteria. As with any other anomaly granted in a company’s normal process, there must be a documented reason for the exception, review by appropriate authority of the exception and documentation as to why the exception was granted. None of these steps were present in the BNY Mellon matter. Put another way, if you are hiring a family member or close relative of a foreign government official for any reason other than merit, it had better be a darn good one and be well documented as to the decision-making calculus with appropriate senior management oversight.

But your risk management does not stop simply with the hiring process. If the foreign governmental official is the person who made the request for the hiring of the family member, this is a Red Flag not to be overlooked. Your analysis needs to be on the role of that foreign governmental official in awarding new business to your company or in retaining old business. If the foreign governmental official has direct or even strong indirect control over such business relations, this may present such a direct conflict of interest, this may be a risk that you cannot manage. A good rule of thumb here is whether there is full transparency in the hiring with the foreign government involved with your company. In the case of BNY Mellon, they did not want anyone in the Sovereign Wealth Fund to know BNY Mellon had hired the son or nephew. That is a clear sign that transparency is lacking and someone, somewhere is engaging in unethical conduct, if not breaking the law.

Finally, if you do decide to move forward and hire the close family member, you need to assign that new hire to work that is not associated with the business relationship between your company and the foreign government involved. Just as in the lifecycle of third party management, managing the relationship after a contract is inked is in many ways the most critical element; the same is true in the employment relationship involving close family members of foreign government officials.

Ultimately, you need to have internal controls to ensure effective compliance going forward. You cannot have customer relationship managers making the calls on hiring which over-ride the Human Resources (HR) procedures. There must be not only HR review but also mechanisms to flag for compliance review such hires. Lastly, there needs to be sufficient senior management oversight because this is such a high-risk proposition.

BHP: High-Risk Hospitality

In May came the release of the SEC FCPA enforcement action involving BHP Billiton Ltd. (BHP), which revolved around the company’s hospitality program for the Beijing 2008 Olympics. Every CCO and compliance practitioner should study this enforcement action in detail so that they can craft appropriate compliance internal controls for high dollar entertaining for big time sporting events. For any company that may be planning high dollar hospitality spends for the 2016 Brazil Olympics, this enforcement action lays out what you should and should not do in your compliance program. But this holds true for any major sporting event such as the Super Bowl, World Cup or you name the event.

BHP had a paper program that appeared robust. As laid out in the SEC Cease and Desist Order, “BHPB developed a hospitality application which business managers were required to complete for any individuals, including government officials, whom they wished to invite.” Yet, an effective compliance program does not end at that point. Now would be an appropriate time to recall that high risk does not mean you cannot engage in certain conduct. High risk means that to have an effective compliance program, you have to manage that risk. A basic key to any effective compliance program is oversight or a second set of eyes baked in to your process. BHP formally had this oversight or second set of eyes in the form of an Olympic Sponsorship Steering Committee (OSSC) and Global Ethics Panel Sub-Committee.

Where BHP failed was that “other than reviewing approximately 10 hospitality applications for government officials in mid-2007 in order to assess the invitation process, the OSSC and the Ethics Panel subcommittee did not review the appropriateness of individual hospitality applications or airfare requests. The Ethics Panel’s charter stated that its role simply was to provide advice on ethical and compliance matters, and that “accountability rest[ed] with business leaders.” Members of the Ethics Panel understood that, consistent with their charter, their role with respect to implementation of the hospitality program was purely advisory. As a result, business managers had sole responsibility for reconciling the competing goals of inviting guests – including government officials – who would ““maximize [BHPB’s] commercial investment made in the Olympic Games” without violating anti-bribery laws.”

But there was more than simply a failure of oversight by BHP. The Cease and Desist Order noted that not all of the forms were filled out with the critical information around a whether a proposed recipient might have been a government official. Even more critically missing was information on whether the proposed recipient was in a position to exert influence over BHP business. Moreover, BHP did not provide training to the business unit employees who ended up making the call as to whether or not to provide the hospitality on payment of travel and hospitality for spouses. The Cease and Desist Order stated that BHP “did not provide any guidance to its senior managers on how they should apply this portion of the Guide when determining whether to approve invitations and airfares for government officials’ spouses.” Finally, there were no controls in place to update or provide ongoing monitoring of the critical information in the forms.

All of this led to the SEC stating the following, “As a result of its failure to design and maintain sufficient internal controls over the Olympic global hospitality program, BHP invited a number of government officials who were directly involved with, or in a position to influence, pending negotiations, efforts by BHPB to obtain access rights, or other pending matters.” Perhaps it was stated most succinctly by Antonia Chion, Associate Director of the SEC’s Division of Enforcement, in the SEC Press Release announcing the enforcement action when she said, “A ‘check the box’ compliance approach of forms over substance is not enough to comply with the FCPA.”

Stay tuned for Part II tomorrow…

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

Enron LogoToday we acknowledge (I cannot say celebrate) one of the seminal events which led to the explosion of Foreign Corrupt Practices Act (FCPA) enforcement actions from 2004 forward. On this day in 2001 the Houston based company Enron filed for bankruptcy. While other larger financial scandals came afterwards, at the time Enron was the largest corporate failure. In prior years the company posted revenues of $111 billion and at the time of its bankruptcy, its share price hovered at $0.26. The reason – it was all one big accounting fraud.

Enron and the later (and bigger) WorldCom scandal led to the passage of Sarbanes-Oxley (SOX). Many have speculated that the requirements for corporate certifications of financial statements led to greater corporate internal investigations and subsequent disclosures of corporate wrongdoing; Enron had other influences that led to the increased FCPA enforcement.

The weak and ineffective SOX whistleblower provision led to the more robust protections for whistleblowers found in the Dodd-Frank Act. These whistleblower provisions provided for both greater protection of whistleblowers from retaliation and greater incentives for whistleblowers through the payment of bounties for information that leads to successful Securities and Exchange Commission (SEC) prosecutions or agreed resolutions of a FCPA violation.

The Enron scandal led to the destruction of the venerable (former) Big Four accounting firm Arthur Anderson when it went to trial to contest charges of destruction of its Enron documents. After sustaining a guilty verdict, the firm ceased to exist. To this day, many cite this unnecessary wipeout of a company as a reason for the development of an alternative form of prosecution, the Deferred Prosecution Agreement (DPA).

While there were certainly other factors that help explain the increase in FCPA enforcement from 2004, self-disclosure and DPAs are two of the abiding legacies of Enron. I thought about these twin peaks when I watched a YouTube video cast of the recent New York University Program on Corporate Compliance and Enforcement public forum where Andrew Weissmann and Hui Chen discussed the newly created Compliance Counsel position at the Department of Justice (DOJ) to help the DOJ evaluate corporate compliance programs. While Weissmann’s remarks focused more on the reasons for the position, Chen discussed four primary areas that she indicated she would focus on as DOJ Compliance Counsel. If you are a Chief Compliance Officer (CCO) or compliance practitioner, you need to consider how you would answer these inquiries from the DOJ (or SEC).

Thoughtful Design of Your Compliance Program

Echoing the FCPA Guidance admonition that “if designed carefully, implemented earnestly, and enforced fairly, a company’s compliance program—no matter how large or small the organization—will allow the company generally to prevent violations, detect those that do occur, and remediate them promptly and appropriately”, Chen believes there should be some significant thought put into a company’s compliance program. She expounded that stakeholders need to be a part of your compliance program design process and have input into the compliance internal controls. If your company has a violation, Chen said she would look at whether your compliance program addressed the wrongful conduct or if there was a gap in compliance coverage. Finally, she added, you need to perform a root cause analysis over your heightened risk.

How Operational Is Your Compliance Program?

This point follows number one above in that your compliance program should be tied to the functional unit of a company. This means that Human Resources (HR), Payment, Audit, Vendor Management and all traditional indirect cost functions need to be involved in the operation of your compliance program in their respective areas of influence. The key question she will focus on is how did the compliance program you designed to remediate the conduct that led to the violation work in the operation of your company?

How Well Do You Communicate with Your Stakeholders?

Here Chen really wants to see evidence that you, as the CCO or compliance practitioner, got out of your office and met with the stakeholders of your compliance program. But this is more than simply in your compliance program design, it includes the compliance program implementation. She suggested evidence to show more than compliance simply had a seat at the table but the compliance was actively involved with operational decision-making.

In a question from the audience Chen further articulated an example around compensation. She said compliance needs to be a part of the discussions around how compensation systems are designed and particularly around discretionary bonus systems. She admitted that compliance’s views on compensation are not always sought but in her mind it is one area that, if utilized, would demonstrate a commitment to compliance by the organization.

It would seem this is an appropriate place and time to remind everyone that the three most important things in FCPA compliance are DOCUMENT, DOCUMENT and DOCUMENT. If you cannot document it, the inference is that it never happened so as a CCO or compliance practitioner you need to be prepared to demonstrate your involvement in operational decisions.

How Well Are You Resourced?

Chen emphasized that this meant more than monetary resources or even head count. She specified the twin resources of attention and commitment. She will inquire into how often you meet personally with your Chief Executive Officer (CEO), Audit Committee of the Board and the full Board of Directors. She also said she would inquire into the details of these briefings, so, for instance, are the briefings based on employee surveys, quantitative data or is it simply anecdotal information? She said that it is important that compliance have a real dialogue with the C-Suite and not a rote briefing.

However with regard to CCO compensation, Chen noted there were a couple of areas of inquiry. First is that the amount the CCO is paid could be an issue. For instance is the CCO compensated at an amount at or near the General Counsel (GC) level? If it is one-half what does that communicate within the organization? She also would inquire into whom in the company sets the CCO compensation and who reviews it.

Interestingly she indicated there was not a DOJ position on where a CCO should sit in an organization, whether in the GC’s office or in a separate department. It depends on what works best for your organization however it has to be thoughtfully designed but the most important element is that compliance can and is heard from by senior management.

Chen’s remarks were quite important because they provide insight into how she and the DOJ will look at your compliance program if you are entangled in a FCPA enforcement action.

To view a YouTube video of the event, click here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

Johan LomuJonah Lomu died this week. If you have more than a passing interest in sports, you will recognize Lomu as one of the very few game-changers in a sport, his being rugby. I do not pretend to understand the sport very well (except that it involves running, blocking, hitting and tackling – which I do understand), yet I could even tell that he was a true original, a 6 foot 5 inch, 265 lb. behemoth who could run a 4.4 forty. He played for the New Zealand All-Blacks but not in middle as you might expect for a man his size but as winger, really just a wide-out for those who want it translated into American-football.

If you saw the movie Invictus about South Africa’s 1995 Rugby World Cup championship, you will remember the clips of a 20-year old Lomu single handedly destroying England with four tries (read: touchdowns) in the Semi-Finals. Yet South Africa was able to keep him under control to win one of the greatest finals upsets in Rugby World Cup history. Yet even at that youthful age, he had been diagnosed with a rare kidney disease that would eventually lead to his death at the age of 40. Here’s to you Jonah Lomu, to your true greatness and a true original.

I thought about Lomu when reading the comments from the Department of Justice (DOJ) and Assistant Attorney General Leslie R. Caldwell about how the DOJ will consider a company’s actions in any decision on whether or not to prosecute. These comments, changes and clarifications would appear to bookend the process that began with the Yates Memo, released back in September. Earlier this week, Deputy Attorney General Sally Quillian Yates clarified how the DOJ would be evaluating companies going forward.

Stephen Dockery, writing in the Wall Street Journal (WSJ) online publication, Risk and Compliance Report, in an article entitled “U.S. Justice Dept. Changes Corporate Credit Process in Prosecutions”, said that the DOJ explained how the process laid out in the Yates Memo would go into effect. He wrote there “will be two factors prosecutors can use in giving more favorable treatment” when making decisions on whether or not to prosecute. He quoted Yates as saying, “one focused solely on the company’s timely and voluntary disclosure and the second on its cooperation. We made this change to emphasize that while the concepts of voluntary disclosure and cooperation are related, they are distinct factors to be given separate consideration in charging decisions. In recognition of the significant value early reporting holds for us, prompt voluntary disclosure by a company will be treated as an independent factor weighing in the company’s favor.”

Dockery also noted that Yates clarified what might be considered “all relevant facts” from an investigation. Once again he quoted Yates directly, “There is nothing in the new policy that requires companies to waive attorney-client privilege or in any way rolls back the protections that were built into the prior factors. But to earn cooperation credit, the corporation does need to produce all relevant facts – including the facts learned through those interviews.” Dockery also said that Yates noted, “the Justice Department wouldn’t look favorably on companies trying to twist privilege to shield information from investigators.”

Caldwell expanded on these remarks in a speech made on Tuesday of this week, when she said, “In our view, a company that wishes to be eligible for the maximum mitigation credit in an FCPA case must do three things: (1) voluntarily self-disclose, (2) fully cooperate and (3) timely and appropriately remediate.” Regarding point 1, self-disclosure, Caldwell went on to say, “I mean that within a reasonably prompt time after becoming aware of an FCPA violation, the company discloses the relevant facts known to it, including all relevant facts about the individuals involved in the conduct.” Moreover, “To qualify, this disclosure must occur before an investigation—including a regulatory investigation by an agency such as the SEC (U.S. Securities and Exchange Commission)—is underway or imminent. And disclosures that the company is already required to make by law, agreement or contract do not qualify.”

Caldwell also expanded on Yates second prong, ongoing cooperation, she said, “Second, in line with the focus on individual accountability for corporate criminal conduct…companies seeking credit must affirmatively work to identify and discover relevant information about the individuals involved through independent, thorough investigations. Companies cannot just disclose facts relating to general corporate misconduct and withhold facts about the individuals involved. And internal investigations cannot end with a conclusion of corporate liability, while stopping short of identifying those who committed the underlying conduct.” But it means more than simply doing an investigation and turning over the results of the investigation. Full cooperation also “includes providing timely updates on the status of the internal investigation, making officers and employees available for interviews—to the extent that is within the company’s control—and proactive document production, especially for evidence located in foreign countries.”

Finally Caldwell added a third prong which Yates did not discuss, that being remediation. She noted that remediation includes a “company’s overall compliance program as well as its disciplinary efforts related to the specific wrongdoing at issue. For example, when examining remediation we consider whether and how the company has disciplined the employees involved in the misconduct. We also examine the company’s culture of compliance including an awareness among employees that any criminal conduct, including the conduct underlying the investigation, will not be tolerated.”

This is where the new DOJ Compliance Counsel comes into the picture. Caldwell said, “We look forward to her insights on issues such as whether the compliance program truly is thoughtfully designed and sufficiently resourced to address the company’s compliance risks and whether proposed remedial measures are realistic and sufficient.” I was interested to read that Caldwell also said this new person would also “be interacting with the compliance community to seek input about ways we can work together to advance our mutual interest in strong corporate compliance programs.” While her remarks this week did not go into the detail she did in her previous speech outlining the metrics the new Compliance Counsel will use in evaluating corporate compliance programs, Caldwell clearly referenced those standards as well.

The Yates remarks clarifying how “businesses will get an extra shot at favorable treatment based on their disclosure of wrongdoing to the government” and Caldwell’s speech further laying out the parameters and what will be expected in the form of a corporate compliance programs should be welcome news to every Chief Compliance Officer (CCO) and compliance practitioner. These two pieces of information, coupled with Caldwell’s earlier remarks on the Compliance Counsel metrics, lay out for you, with the most precision yet, how to move forward towards obtaining the best possible outcome if you are embroiled in a Foreign Corrupt Practices Act (FCPA) investigation. If your management wants to know what credit it will receive and the roadmap of how to get the best possible result, the DOJ has laid it out for you.

I further believe these series of remarks serve as a bookend to the information announced in the Yates Memo in September. That Memo set forth the expectations for prosecutors in white-collar cases, including FCPA matters, to prosecute more individuals. You see what substantive cooperation means and how your compliance program will be evaluated. The DOJ has laid it out for you in plain back and white.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015