Fcpa Compliance Report

This episode is dedicated to the chaotic (at best) first three weeks of the Trump administration.  Jonathan Armstrong leads a discussion of the Trump administrations devolution towards Privacy Shield and what it may portend for American companies doing business in the UK and EU. He highlights the recent opening of a new trial in Ireland brought by Max Schrems and also discussed the putative Muslim refugee ban in the context of broader business implications. For the Cordery Compliance client alert on Privacy Shield, see here Jay Rosen considers what companies the intersection of business and politics under the Trump administration, the Tech sector response to the Muslim refugee ban and the more general business response to the first few weeks of the Trump administation. For Jay’s post see, Where Do Politics End and Ethics & Compliance Begin? Matt Kelly opens with a discussion of the management process practices of the Trump administration in issuing Executive Orders and lays down some markers around comp

In an article in the Corporate Board magazine, entitled “Successful Board Investigations” by David Bayless and Tammy Albarrán, partners in the law firm of Covington & Burling LLP posited seven considerations to facilitate a successful board investigation.  Consider whether you need independent outside counsel  The appearance of partiality undermines the objectivity and credibility of an investigation. That means you should not use your regular counsel. The authors cite to the Securities and Exchange Commission (SEC) analysis of how independent board members truly are to explain the need for independent counsel. They state, “the SEC considers the following criteria when determining whether (and how much) to credit self-policing, self-reporting, remediation and cooperation” which will consist of the following factors: Did management, the board or committees consisting solely of outside directors oversee the review? Did company employees or outside persons perform the review? If outside persons, have they don

Many companies have an investigation protocol in place when a potential Foreign Corruption Practices Act (FCPA) or other legal issue arises? However, many Boards of Directors do not have the same rigor when it comes to an investigation, which should be conducted or led by the Board itself. The consequences of this lack of foresight can be problematic, because if a Board of Directors does not get an investigation which it handles right, the consequences to the company, its reputation and value can all be quite severe.  In an article in the Corporate Board magazine, entitled “Successful Board Investigations” by David Bayless and Tammy Albarrán, partners in the law firm of Covington & Burling LLP write about five key goals that any investigation led by a Board of Directors must meet. They are:  Thoroughness - The authors believe that one of the key, and most critical, questions that any regulator might pose is just how thorough is an investigation; to test whether they can rely on the facts discovered without h

In this episode, I visit with Linda Lattimore, developer of Cross Sector law which assists lawyer and companies in developing expertise around corporate social responsibility. Learn more about your ad choices. Visit megaphone.fm/adchoices

One of the ongoing questions from members of Board of Directors is how to resolve the tension between oversight and managing. I recently had the opportunity to visit with Joe Howell, the Executive Vice President (EVP) of Workiva, Inc. on this subject. Howell has worked on and with Boards of Directors at various companies and I wanted to garner his understanding of the role of a Board and both senior management and a Chief Compliance Officer (CCO). Howell had a short response which I thought was an excellent starting point to understand the role; put sand in the shoes of management.  The key to such a metaphor succeeding is that a Board of Directors, “by continuing to challenge management on these scenarios that management has considered and the stories management is telling itself about what could go wrong”, can “help get management out of its comfort zone by and large executive teams begin to believe themselves when they talk about how well they’re doing. The independent challenge that the board can offer pu

James Doty, Acting Commissioner of the Public Company Accounting Oversight Board (PCAOB) was once asked if the Board or its sub-committee which handles audits was a part of a company’s internal financial controls. He answered that yes, he believed that was one of the roles of an Audit Committee or full Board. I had never thought of the Board as an internal control but the more I thought about it, the more I realized it was an important insight for any Chief Compliance Officer or compliance practitioner as it also applies as a compliance internal control. In the FCPA Guidance, in the Ten Hallmarks of an Effective Compliance Program, there are two specific references to the obligations of a Board. The first in Hallmark No. 1 , which states, “Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.” The second is found under Hallmark No. 3, entitled “Oversight, Autonomy and Resources”, where it discusses that the CCO

The basic framework for internal controls is derived from the COSO Model developed by the Committee of Sponsoring Organizations of the Treadway Commission in 1992 (COSO). This model has become the standard for an internal control framework and provides a structure to ensure companies address the key elements that should result in an effective system of internal controls. Using the COSO Model, as modified in 2013, provides a very supportable approach when regulators challenge whether a company has effective internal controls. The COSO Model defines internal controls in a pyramid, from bottom to top, as follows: (a) Control environment, (b) Risk assessment, (c) Control activities, (d) Information and communication, and (e) Monitoring. Which internal controls does a company need to institute? Each company defines its internal controls to fit its business by determining what the Company wishes to protect and what type of control environment does it want to have in place. This means that they can be less formal in

In this episode, Matt and I take a look at the sorry story of Chris Correa, the St. Louis Cardinal executive convicted of hacking into the Houston Astros computer system, which expanded last month when Federal Judge Lynn Hughes unsealed details about the extent of the illegal conduct. For all his efforts, Correa was severely punished by Judge Hughes at this sentencing. Hughes accepted the US government’s recommendation in sentencing Correa to 46 months of incarceration and fining him some $300,000. Correa was also banned from Major League Baseball (MLB) for life by Commissioner Rob Manfred.  Matt and I have both blogged on this matter. Matt takes a look at some of the lessons to be garnered by the compliance professional in his post, Two Compliance Lessons from the Baseball World. I delved into the facts to mine some interesting tidbits and consider how to compensate a business when you have stolen their IP, in blog post Of Greek Gods and Data Breaches.  Rather amazingly the Greek gods make an appearance pro

Where does “Tone at the Top” start. With any public and most private US companies, it is at the Board of Directors. But what is the role of a company’s Board in FCPA compliance? We start with several general statements about the role of a Board in US companies. First a Board should not engage in management but should engage in oversight of a CEO and senior management. The Board does this through asking hard questions, risk assessment and identification. In a White Paper, entitled “Risk Intelligence Governance-A Practical Guide for Boards” Deloitte & Touche laid out six general principles to help guide Boards in the area of risk governance. These six areas can be summarized as follows:  Define the Board’s Role-there must be a mutual understanding between the Board, CEO and senior management of the Board’s responsibilities. Foster a culture of risk management-all stakeholders should understand the risks involved and manage such risks accordingly. Incorporate risk management directly into a strategy-oversee t

The Office of Inspector General (OIG), Department of Health and Human Resources, issued a paper entitled “Practical Guidance for Health Care Governing Boards on Compliance Oversight” (the OIG Guidance). It provides an excellent road map for thinking about how to structure a Compliance Committee for your Board and a Board’s obligations.  As an introduction, the OIG Guidance states that a Board must act in good faith around its obligations regarding compliance. This means that there must be both a corporation information and reporting system and that such reporting mechanisms provide appropriate information to a Board. It stated, “The existence of a corporate reporting system is a key compliance program element, which not only keeps the Board informed of the activities of the organization, but also enables an organization to evaluate and respond to issues of potentially illegal or otherwise inappropriate activity.” The OIG Guidance sets out four areas of Board oversight and review of a compliance function; “(1)

Every Board of Directors need a true compliance expert sitting on their Board. Almost every Board has a former Chief Financial Officer (CFO), former head of Internal Audit or persons with a similar background and often times these are also the Audit Committee members of the Board. Such a background brings a level of sophistication, training and subject matter expertise that can help all companies with their financial reporting and other finance based issues. So why is there not such compliance subject matter expertise at the Board level?  An arm of the US government has recognized the need for such expertise at the Board level. In 2015 the Office of Inspector General (OIG) has called for greater compliance expertise at the Board level. The OIG said that a Board can raise its level of substantive expertise with respect to regulatory and compliance matters by adding to the Board, a compliance member. The presence of a such a compliance professional with subject matter expertise on the Board sends a strong mess

Under the US Sentencing Guidelines, the Board must exercise reasonable oversight on the effectiveness of a company’s compliance program. The US Department of Justice (DOJ) Prosecution Standards posed the following queries: (1) Do the Directors exercise independent review of a company’s compliance program? and (2) Are Directors provided information sufficient to enable the exercise of independent judgment? Moreover, the FCPA Guidance requires a CCO to have direct access to the Board or an appropriate sub-committee. The Guidance also requires a tangible commitment from the top levels of an organization, starting with the Board of Directors that the company create an ethical culture. At the Board of Directors level, a Board Compliance Committee can devote itself exclusively to non-financial compliance, such as FCPA compliance. While many companies have fulfilled these obligations through an Audit Committee, clearly the better practice is to have a separate Compliance Committee. The reason is clear, that complian

Show Notes for Episode 6, the Rolls-Royce Global Corruption Enforcement Action This episode is dedicated exclusively to the Rolls-Royce global corruption enforcement action.  Jonathan Armstrong leads a discussion the UK side of the enforcement action. For the Cordery Compliance client alert on Rolls-Royce, see Rolls-Royce case sends a strong signal Jay Rosen considers what companies which did business with RR should do now or even companies in the same or similar industries should consider in the face of the enforcement action. For Jay’s post on Rolls-Royce, see Rolls-Royce Takes Global Anti-Corruption to New International Heights + Potential Next Steps for a CCO Whose Company has Bid/Worked with Rolls-Royce Mike Volkov talks about the types of resolution documents used in anti-compliance enforcement and some of the key strategy used by RR during the process to achieve their positive result. For Mike Volkov’s post on Rolls-Royce, see Serious Fraud Office Makes Big Splash with UK Bribery Act Resolutio

What are the obligations of a Board member regarding the FCPA? Are the obligations of the Compliance Committee under the FCPA at odds with a director’s “prudent discharge of duties to shareholders”? Do the words prudent discharge even appear anywhere in the FCPA? In webinar, entitled “Reporting to the Board on Your Compliance Program: New Guidance and Good Practices”, Rebecca Walker and Jeffery Kaplan, explored these and other issues. As to the specific role of ‘Best Practices’ in the area of general compliance and ethics, Walker looked to Delaware corporate law for guidance. She cited to the case of Stone v. Ritter for the proposition that “a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate exists.” From the case of In re Walt Disney Company Derivative Litigation, she drew the principle that directors should follow the best practices in the area of ethics and compliance. In a recent Compliance Week article, Melissa Aguilar examin

Case Law As to the specific role of ‘Best Practices’ in the area of general compliance and ethics, one can look to Delaware corporate law for guidance. The case of In Re Caremark International Inc. was the first case to hold that a Board’s obligation “includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by non-compliance with applicable legal standards.” In the case of Stone v. Ritter, the Supreme Court of Delaware expanded on the Caremark decision by establishing two important principles. First, the Court held that the Caremark standard is the appropriate standard for director duties with respect to corporate compliance issues. Second, the Court found that there is no duty of good faith that forms a basis, independent of the duties of care and loyalty, for director liability. Rather, Stone v. Ri

John MacKessy, writing in the Finance Professionals’ Post, in a piece entitled “Knowledge of Good and Evil: A Brief History of Compliance”, noted that the FCPA and Environmental Protection Act (EPA) “prompted companies to develop internal resources that would actively monitor compliance with the laws, rules, and regulations of their industries.” The next step in the evolution of the compliance profession was the defense procurement scandals from the 1980s, where the industries sales of “$400 hammers and $600 toilet seats” to the US government led to the Defense Industry Initiative (DII). This industry led initiative created “a set of principles endorsing ethical business practices and conduct” within the defense industry for its dealings with the US government. The next step in the evolution of the compliance profession was the 1992 US Sentencing Guidelines which, for the first time, set out what the government would consider for credit in sentencing of organizations. Many tribute these 1992 Sentencing Guidel

Today is the penultimate day of my 30 days to a better compliance program. Just as compliance programs sprang up, grew and began to evolve and mature in the middle of the last decade; the sophistication of the regulators has also increased. We most clearly see this in the appointment of the Department of Justice (DOJ) Compliance Counsel, Hui Chen.  With her initial public remarks, Chen provided insight into how she would consider the effectiveness of a compliance program. Her key point was companies should operationalize their compliance program by tying it to functional disciplines within your company. This means that Human Resources (HR), Payment, Audit, Vendor Management and similar corporate disciplines should be involved in the operation of your compliance program in their respective areas of influence. Then in April 2016 under the remediation prong, with the initiation of the DOJ Pilot Program around FCPA enforcement, the DOJ once again emphasized the operationalization of a company’s compliance program

Employment separations can be one of the trickiest maneuvers to manage in the spectrum of the employment relationship. Even when an employee is aware layoffs are coming it can still be quite a shock when Human Resources (HR) shows up at their door and says, “Come with me.” However, layoffs, massive or otherwise, can present some unique challenges for the FCPA compliance practitioner. Employees can use layoffs to claim that they were retaliated against for a wide variety of complaints, including those for concerns that impact the compliance practitioner. Yet there are several actions you can take to protect your company as much as possible.  Before you begin your actual layoffs, the compliance practitioner should work with your legal department and HR function to make certain your employment separation documents are in compliance with the SEC retaliatory language prohibition which attempts prevent employees from bringing potential violations to appropriate law or regulatory enforcement officials. If your compa

As they made clear with several FCPA enforcement actions in 2016, the SEC has placed a renewed interest in the accounting provisions of the FCPA, specifically the internal controls provisions. The BHP enforcement continued this trend, where there was no evidence that bribes were paid or offered in violation of the FCPA,  the poor internal compliance controls at BHP led to a $25MM fine. Indeed Kara Brockmeyer, Chief, FCPA Unit; Division of Enforcement of the SEC, reiterated that the SEC was committed to protecting investors in US public companies and those which list other securities in the US, through enforcement of the accounting provisions, including internal controls provisions of the FCPA. It would seem that the reason is straightforward; a company with rigorous internal compliance controls is better able to prevent, detect and remedy any FCPA violations that may occur. What can you do around the FCPA’s requirements for internal controls and current SEC emphasis? I would suggest that you begin with an exe

Many Chief Compliance Officers (CCOs) and compliance practitioners struggle with metrics to demonstrate revenue generation. Most of the time, such functions are simply viewed as non-revenue generating cost drags on business. This may lead to compliance functions being severely reduced in this downturn. However I believe such cuts would be far from short-sighted; they would actually cost energy companies far more in the short and long term. In an economic downturn, I see two increasing compliance risks for companies. The first is that companies will attempt to reduce their costs by cutting their compliance personnel. A tangent but equally important component of this will be that companies that do not invest the monies needed to beef up their oversight through monitoring or other mechanisms are setting themselves up for serious compliance failures. Moreover, what will be the pressure on the business folks of such companies to ‘get the deal done’? Further, if there is a 10% to 30% overall employee reduction, wha